{{- if .Values.global.dex.enabled -}}

{{- $dexSecret := (lookup "v1" "Secret" .Release.Namespace "dex-config").data | default dict -}}
{{- $prevUiClientSecret := (get $dexSecret "uiClientSecret") -}}
{{- $uiClientSecret := empty $prevUiClientSecret | ternary (randAlphaNum 32) (b64dec $prevUiClientSecret) -}}

---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  annotations:
  name: dex-config
  namespace: {{ .Release.Namespace }}
stringData:
  issuer: "https://auth.{{ .Values.global.domain }}"
  endpoint: {{ printf "http://%s.%s.svc.cluster.local:5556" .Values.dex.fullnameOverride .Release.Namespace }}
  uiClientSecret: {{ $uiClientSecret }}
  config.yaml: |-
    issuer: "https://auth.{{ .Values.global.domain }}"
    storage:
      type: kubernetes
      config:
        inCluster: true
    enablePasswordDB: true
    staticPasswords:
    - email: "admin@epinio.io"
      # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
      username: "admin"
      userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
    - email: "epinio@epinio.io"
      hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
      userID: "08a8684b-db88-4b73-90a9-3cd1661f5467"

    staticClients:
    - id: epinio-api
      name: 'Epinio API'
      public: true
      # The 'Epinio API' lets the 'Epinio cli' issue ID tokens on its behalf.
      # https://dexidp.io/docs/custom-scopes-claims-clients/#cross-client-trust-and-authorized-party
      trustedPeers:
      - epinio-cli
      - epinio-ui

    - id: epinio-cli
      name: 'Epinio cli'
      public: true

    - id: epinio-ui
      name: 'Epinio UI'
      secret: {{ $uiClientSecret | quote }}
      # Shouldn't be public, https://dexidp.io/docs/custom-scopes-claims-clients/#public-clients
      redirectURIs:
      - {{ .Values.dex.ui.redirectURI | default (printf "https://epinio.%s/auth/verify/" .Values.global.domain) | quote }}

---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  labels:
    epinio.io/api-user-credentials: "true"
    epinio.io/role: "admin"
  name: {{ include "epinio-truncate" (print "user-" "admin@epinio.io") }}
  namespace: {{ .Release.Namespace }}
stringData:
  username: "admin@epinio.io"

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dex
  namespace: {{ .Release.Namespace }}
  annotations:
    cert-manager.io/cluster-issuer: {{ default .Values.global.tlsIssuer .Values.global.customTlsIssuer | quote }}
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    {{- range $key, $value := .Values.ingress.annotations }}
    {{ $key | quote }}: {{ $value | quote }}
    {{- end }}
spec:
  {{- if .Values.ingress.ingressClassName }}
  ingressClassName: "{{ .Values.ingress.ingressClassName }}"
  {{- end }}
  rules:
  - host: "auth.{{ .Values.global.domain }}"
    http:
      paths:
      - backend:
          service:
            name: dex
            port:
              number: 5556
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - "auth.{{ .Values.global.domain }}"
    secretName: dex-tls

{{- end }}