#! Copyright 2020-2022 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0

#@ load("@ytt:data", "data")
#@ load("@ytt:sha256", "sha256")
#@ load("@ytt:yaml", "yaml")

#@ def dexConfig():
issuer: https://dex.tools.svc.cluster.local/dex
storage:
  type: sqlite3
  config:
    file: ":memory:"
web:
  https: 0.0.0.0:8443
  tlsCert: /var/certs/dex.pem
  tlsKey: /var/certs/dex-key.pem
expiry:
  idTokens: 20m #! this is the lifetime for the id token as well as the access token.
oauth2:
  skipApprovalScreen: true
  #! Allow the resource owner password grant, which Dex implements to also return ID tokens.
  passwordConnector: local
staticClients:
- id: pinniped-cli
  name: 'Pinniped CLI'
  public: true
  redirectURIs:
  - #@ "http://127.0.0.1:" + str(data.values.ports.cli) + "/callback"
  - #@ "http://[::1]:" + str(data.values.ports.cli) + "/callback"
- id: pinniped-supervisor
  name: 'Pinniped Supervisor'
  secret: pinniped-supervisor-secret
  redirectURIs: #@ data.values.supervisor_redirect_uris
enablePasswordDB: true
staticPasswords:
- username: "pinny"
  email: "pinny@example.com"
  hash: #@ data.values.pinny_bcrypt_passwd_hash
  userID: "061d23d1-fe1e-4777-9ae9-59cd12abeaaa"
#@ end

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: dex-config
  namespace: tools
  labels:
    app: dex
data:
  config.yaml: #@ yaml.encode(dexConfig())
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: dex
  namespace: tools
  labels:
    app: dex
spec:
  replicas: 1
  selector:
    matchLabels:
      app: dex
  template:
    metadata:
      labels:
        app: dex
      annotations:
        dexConfigHash: #@ sha256.sum(yaml.encode(dexConfig()))
    spec:
      containers:
      - name: dex
        image: #@ data.values.dex_image
        imagePullPolicy: IfNotPresent
        command:
        - /usr/local/bin/dex
        - serve
        - /etc/dex/cfg/config.yaml
        ports:
        - name: https
          containerPort: 8443
        volumeMounts:
        - name: dex-config
          mountPath: /etc/dex/cfg
        - name: certs
          mountPath: /var/certs
          readOnly: true
      volumes:
      - name: dex-config
        configMap:
          name: dex-config
      - name: certs
        secret:
          secretName: certs
---
apiVersion: v1
kind: Service
metadata:
  name: dex
  namespace: tools
  labels:
    app: dex
spec:
  type: ClusterIP
  selector:
    app: dex
  ports:
  - name: https
    port: 443
    targetPort: 8443