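# Names shared by every manifest in this file.
locals {
  # "<instance>" when no component is given, otherwise "<instance>-<component>".
  app_slug = "${var.instance}${var.component == "" ? "" : "-"}${var.component}"

  # Caller-supplied labels plus the component label stamped on every object below.
  mongo_labels = merge(var.labels, { "app.kubernetes.io/component" = "mongo" })

  # Database and user name fall back to the component name, then to the instance
  # name, unless the caller sets them explicitly. Parentheses only make the
  # nested conditional readable; evaluation order is unchanged.
  db_name  = var.db_name == "" ? (var.component == "" ? var.instance : var.component) : var.db_name
  username = var.username == "" ? (var.component == "" ? var.instance : var.component) : var.username

  # Generated password read back from the cluster. NOTE(review): this copies the
  # secret value into Terraform state; it is not referenced anywhere in this file
  # as shown, so drop the local (and the data source) if no output needs it.
  mongo_password = data.kubernetes_secret_v1.mongo_secret.data["password"]
}

# Random password for the database user, generated in-cluster by the
# secret-generator so the value never appears in Terraform code.
resource "kubectl_manifest" "mongo_secret" {
  # Presumably the generator annotates the object after creation; ignoring
  # annotations keeps later plans from showing a perpetual diff — confirm.
  ignore_fields = ["metadata.annotations"]

  yaml_body = <<-EOF
    apiVersion: "secretgenerator.mittwald.de/v1alpha1"
    kind: "StringSecret"
    metadata:
      name: "${local.app_slug}-mongo"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.mongo_labels)}
    spec:
      forceRegenerate: false
      fields:
        - fieldName: "password"
          length: "16"
  EOF
}

# Reads the generated Secret back. NOTE(review): depends_on only orders this
# read after the StringSecret is applied, not after the generator has actually
# created the Secret, so a first apply may race — verify on a fresh namespace.
data "kubernetes_secret_v1" "mongo_secret" {
  depends_on = [kubectl_manifest.mongo_secret]

  metadata {
    name      = "${local.app_slug}-mongo"
    namespace = var.namespace
  }
}

# Single-member MongoDB (no replica redundancy) with SCRAM auth and one
# readWrite user on the application database.
#
# NOTE(review): the k8up backup command hands the password to mongodump as a
# command-line argument, so it is visible in the pod's process list and in any
# execve audit logging for the duration of the dump. mongodump's --config file
# option is the documented way to keep the password out of argv; confirm the
# tools version shipped in the mongod image before changing the command.
#
# NOTE(review): the pod template below does not set serviceAccountName, so the
# ServiceAccount/Role/RoleBinding defined further down may not be what the
# mongod pods actually run as — confirm against the operator's default.
#
# Values rendered from variables are quoted so that a name such as "123" or
# "on" is not re-typed by the YAML parser (the operator expects strings).
resource "kubectl_manifest" "mongo" {
  yaml_body = <<-EOF
    apiVersion: mongodbcommunity.mongodb.com/v1
    kind: MongoDBCommunity
    metadata:
      name: "${local.app_slug}-mongo"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.mongo_labels)}
    spec:
      members: 1
      type: "${var.mongo_type}"
      version: "${var.mongo_version}"
      statefulSet:
        spec:
          template:
            metadata:
              annotations:
                "k8up.io/backupcommand": "sh -c 'mongodump --username=$MONGODB_USER --password=$MONGODB_PASSWORD mongodb://localhost/$MONGODB_NAME --archive'"
                "k8up.io/file-extension": ".archive"
            spec:
              containers:
                - name: mongod
                  imagePullPolicy: "${var.pull_policy}"
                  resources: ${jsonencode(var.resources)}
                  env:
                    - name: MONGODB_NAME
                      value: "${local.db_name}"
                    - name: MONGODB_USER
                      value: "${local.username}"
                    - name: MONGODB_PASSWORD
                      valueFrom:
                        secretKeyRef:
                          name: "${local.app_slug}-mongo"
                          key: password
      security:
        authentication:
          modes: ["SCRAM"]
      additionalMongodConfig:
        storage.wiredTiger.engineConfig.cacheSizeGB: 1
      users:
        - name: "${local.username}"
          db: "${local.db_name}"
          passwordSecretRef:
            name: "${local.app_slug}-mongo"
          roles:
            - db: "${local.db_name}"
              name: readWrite
          scramCredentialsSecretName: "${local.app_slug}-mongo-scram"
  EOF
}
# The WiredTiger cache above is a fixed 1 GiB regardless of var.resources; keep
# it below the container memory limit or mongod risks being OOM-killed.

# Identity for the mongod pods (see the serviceAccountName note on the
# MongoDBCommunity resource above).
resource "kubectl_manifest" "mongo_sa" {
  yaml_body = <<-EOF
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: "${local.app_slug}-mongodb-database"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.mongo_labels)}
  EOF
}

# Namespace-scoped permissions for the pod identity: read secrets, and
# get/patch/delete pods. Presumably what the in-pod agent needs; it is a Role,
# not a ClusterRole, so the grant stays inside var.namespace.
resource "kubectl_manifest" "mongo_role" {
  yaml_body = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: "${local.app_slug}-mongodb-database"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.mongo_labels)}
    rules:
      - apiGroups: [""]
        resources: ["secrets"]
        verbs: ["get"]
      - apiGroups: [""]
        resources: ["pods"]
        verbs: ["patch", "delete", "get"]
  EOF
}

# Binds the Role to the ServiceAccount. The subject carries no namespace,
# which for a RoleBinding resolves to the binding's own namespace.
resource "kubectl_manifest" "mongo_rb" {
  yaml_body = <<-EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: "${local.app_slug}-mongodb-database"
      namespace: "${var.namespace}"
      labels: ${jsonencode(local.mongo_labels)}
    subjects:
      - kind: ServiceAccount
        name: "${local.app_slug}-mongodb-database"
    roleRef:
      kind: Role
      name: "${local.app_slug}-mongodb-database"
      apiGroup: rbac.authorization.k8s.io
  EOF
}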