{{- if .Values.dex.enabled -}}

---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  annotations:
  name: dex-config
  namespace: {{ .Release.Namespace }}
stringData:
  issuer: "https://auth.{{ .Values.global.domain }}"
  endpoint: {{ printf "http://%s.%s.svc.cluster.local:5556" .Values.dex.fullnameOverride .Release.Namespace }}
  config.yaml: |-
    issuer: "https://auth.{{ .Values.global.domain }}"
    storage:
      type: kubernetes
      config:
        inCluster: true
    enablePasswordDB: true
    staticPasswords:
    - email: "admin@epinio.io"
      # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
      username: "admin"
      userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
    - email: "epinio@epinio.io"
      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
      userID: "08a8684b-db88-4b73-90a9-3cd1661f5467"

    staticClients:
    - id: epinio-api
      name: 'Epinio API'
      public: true
      # The 'Epinio API' lets the 'Epinio cli' issue ID tokens on its behalf.
      # https://dexidp.io/docs/custom-scopes-claims-clients/#cross-client-trust-and-authorized-party
      trustedPeers:
      - epinio-cli

    - id: epinio-cli
      name: 'Epinio cli'
      public: true
      

---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  labels:
    epinio.io/api-user-credentials: "true"
    epinio.io/role: "admin"
  name: {{ include "epinio-truncate" (print "user-" "admin@epinio.io") }}
  namespace: {{ .Release.Namespace }}
stringData:
  username: "admin@epinio.io"

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dex
  namespace: "{{ .Release.Namespace }}"
spec:
  dnsNames:
  - "auth.{{ .Values.global.domain }}"
  issuerRef:
    kind: ClusterIssuer
    name: {{ default .Values.global.tlsIssuer .Values.global.customTlsIssuer | quote }}
  secretName: dex-tls

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dex
  namespace: {{ .Release.Namespace }}
  annotations:
    cert-manager.io/cluster-issuer: {{ default .Values.global.tlsIssuer .Values.global.customTlsIssuer | quote }}
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  rules:
  - host: "auth.{{ .Values.global.domain }}"
    http:
      paths:
      - backend:
          service:
            name: dex
            port:
              number: 5556
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - "auth.{{ .Values.global.domain }}"
    secretName: dex-tls

{{- end }}