# Installs the upstream Kubernetes Dashboard chart into the tjo-cloud namespace.
# The chart is pinned by version only (no digest or provenance check is
# configured here), so an upgrade is an explicit edit of `version`.
resource "helm_release" "dashboard" {
  name      = "kubernetes-dashboard"
  namespace = kubernetes_namespace.tjo-cloud.metadata[0].name

  repository = "https://kubernetes.github.io/dashboard"
  chart      = "kubernetes-dashboard"
  version    = "7.5.0"

  # Roll back a failed install/upgrade and remove resources it created.
  atomic          = true
  cleanup_on_fail = true

  # The chart's bundled Kong proxy is switched off; the HTTPRoute in this file
  # routes to the web/auth/api Services instead. Authentication at the edge is
  # therefore only what the Gateway enforces for that route.
  # NOTE(review): traffic that reaches these Services from inside the cluster
  # does not pass through the Gateway policy — confirm a NetworkPolicy or
  # equivalent restricts who can reach them.
  set {
    name  = "kong.enabled"
    value = false
  }
}

# HTTPRoute that publishes the dashboard on dashboard.<cluster_domain> through
# the shared Gateway and fans requests out to the three dashboard Services.
#
# The SecurityPolicy kubernetes_manifest.dashboard-oidc targets this route by
# name, so every rule listed here sits behind the OIDC filter. A second route
# pointing at the same Services would not inherit that policy.
#
# NOTE(review): the resource label is spelled "dashoard"; it is left as-is
# because renaming changes the resource address (needs a `moved` block or a
# state move) and the reference in the SecurityPolicy.
resource "kubernetes_manifest" "dashoard-http-route" {
  manifest = {
    apiVersion = "gateway.networking.k8s.io/v1"
    kind       = "HTTPRoute"
    metadata = {
      namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
      name      = "dashboard"
    }
    spec = {
      hostnames = ["dashboard.${var.cluster_domain}"]
      parentRefs = [
        { name = kubernetes_manifest.gateway.object.metadata.name }
      ]
      # Gateway API prefers the longest matching path prefix, so the
      # /api/v1/... auth paths win over /api, and /api wins over /,
      # independent of the order the rules are written in.
      rules = [
        # Everything not matched below: the web UI.
        {
          matches     = [{ path = { type = "PathPrefix", value = "/" } }]
          backendRefs = [{ name = "kubernetes-dashboard-web", port = 8000 }]
        },
        # Login, CSRF token for login, and "who am I" go to the auth service.
        {
          matches = [
            { path = { type = "PathPrefix", value = "/api/v1/login" } },
            { path = { type = "PathPrefix", value = "/api/v1/csrftoken/login" } },
            { path = { type = "PathPrefix", value = "/api/v1/me" } }
          ]
          backendRefs = [{ name = "kubernetes-dashboard-auth", port = 8000 }]
        },
        # Remaining API calls.
        {
          matches     = [{ path = { type = "PathPrefix", value = "/api" } }]
          backendRefs = [{ name = "kubernetes-dashboard-api", port = 8000 }]
        }
      ]
    }
  }
}

# Secret that the dashboard SecurityPolicy reads the OIDC client secret from
# (key `client-secret`).
#
# NOTE(review): the value is the literal string "null", which looks like a
# placeholder. If the real client secret is written into this Secret out of
# band, the next apply resets it to "null" unless `data` is excluded via
# `lifecycle.ignore_changes`. If it is meant to come from Terraform, feed it
# from a sensitive input rather than a literal — and note that Secret data
# managed by this resource is stored in the Terraform state either way.
resource "kubernetes_secret" "dashboard-oidc" {
  metadata {
    namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
    name      = "dashboard-oidc"
  }

  data = {
    client-secret = "null"
  }
}

# Envoy Gateway SecurityPolicy that puts OIDC login in front of the dashboard
# HTTPRoute. Issuer and client ID come from variables; the client secret is
# read from the dashboard-oidc Secret in the same namespace.
resource "kubernetes_manifest" "dashboard-oidc" {
  manifest = {
    apiVersion = "gateway.envoyproxy.io/v1alpha1"
    kind       = "SecurityPolicy"
    metadata = {
      namespace = kubernetes_namespace.tjo-cloud.metadata[0].name
      name      = "dashboard-oidc"
    }
    spec = {
      # Attach to the dashboard route only; other routes on the Gateway are
      # not affected by this policy.
      targetRef = {
        group = "gateway.networking.k8s.io"
        kind  = "HTTPRoute"
        name  = kubernetes_manifest.dashoard-http-route.object.metadata.name
      }
      oidc = {
        provider     = { issuer = var.oidc_issuer_url }
        clientID     = var.oidc_client_id
        clientSecret = { name = kubernetes_secret.dashboard-oidc.metadata[0].name }
        scopes       = ["openid", "email", "profile"]

        # Must match a redirect URI registered for this client at the issuer.
        redirectURL = "https://dashboard.${var.cluster_domain}/login"

        # Passes the user's access token upstream as an Authorization bearer
        # token, so the dashboard backends receive a live user credential.
        # NOTE(review): presumably the dashboard presents this token to the
        # Kubernetes API, in which case the API server must trust the same
        # issuer and RBAC for those identities decides what the UI can do —
        # confirm. Also confirm whether the gateway-to-backend hop on port
        # 8000 is encrypted, since the token travels over it.
        forwardAccessToken = true
      }
    }
  }
}