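# Kubernetes connection settings derived from the kubeconfig YAML supplied in
# var.k8s_config_yaml. Only the first cluster entry and the first user entry
# of that kubeconfig are read.
locals {
  k8s_config = yamldecode(var.k8s_config_yaml)
  k8s_host   = local.k8s_config.clusters[0].cluster.server

  # PEM CA bundle embedded in the kubeconfig, or null when the cluster entry
  # has no "certificate-authority-data" key (try() absorbs the lookup error).
  k8s_ca = try(
    base64decode(local.k8s_config.clusters[0].cluster["certificate-authority-data"]),
    null
  )

  # Skip API-server certificate verification only when no CA bundle is
  # available. With verification off, the bearer token or client key below is
  # sent to whatever endpoint answers on k8s_host.
  # NOTE(review): kubeconfigs without embedded CA data still connect
  # unverified, exactly as before this change; supply CA data so this fallback
  # can be removed.
  k8s_insecure = local.k8s_ca == null

  # Credentials: prefer a bearer token; if the user entry has no "token"
  # attribute the first object fails to evaluate and try() falls through to
  # the client-certificate pair. using_token records which branch was taken.
  k8s_auth = try(
    {
      token       = local.k8s_config.users[0].user.token
      using_token = true
    },
    {
      client_certificate = base64decode(local.k8s_config.users[0].user["client-certificate-data"])
      client_key         = base64decode(local.k8s_config.users[0].user["client-key-data"])
      using_token        = false
    }
  )
}

# Kubernetes provider, used here to read the ZITADEL admin secret.
provider "kubernetes" {
  host = local.k8s_host

  # Verify the API server against the kubeconfig CA whenever one is present.
  cluster_ca_certificate = local.k8s_ca
  insecure               = local.k8s_insecure

  # Exactly one credential type is set; the other attributes stay null.
  token              = local.k8s_auth.using_token ? local.k8s_auth.token : null
  client_certificate = local.k8s_auth.using_token ? null : local.k8s_auth.client_certificate
  client_key         = local.k8s_auth.using_token ? null : local.k8s_auth.client_key
}

# Helm provider, configured with the same endpoint, trust anchor and
# credentials as the kubernetes provider above.
provider "helm" {
  kubernetes {
    host = local.k8s_host

    cluster_ca_certificate = local.k8s_ca
    insecure               = local.k8s_insecure

    token              = local.k8s_auth.using_token ? local.k8s_auth.token : null
    client_certificate = local.k8s_auth.using_token ? null : local.k8s_auth.client_certificate
    client_key         = local.k8s_auth.using_token ? null : local.k8s_auth.client_key
  }
}

terraform {
  required_providers {
    zitadel = {
      source  = "zitadel/zitadel"
      version = "1.2.0"
    }
  }
}

# Secret holding the ZITADEL admin service-account key. The read is deferred
# until var.wait_on is resolved (presumably whatever creates the secret;
# confirm against the caller).
# The secret's contents are copied into Terraform state, so the state backend
# needs the same access controls as the key itself.
data "kubernetes_secret" "zitadel_admin" {
  depends_on = [var.wait_on]

  metadata {
    name      = var.secret
    namespace = var.namespace
  }
}

# ZITADEL provider, authenticated with the JWT profile stored under the key
# "<secret name>.json" of the secret read above.
provider "zitadel" {
  domain           = var.domain
  insecure         = false
  jwt_profile_json = data.kubernetes_secret.zitadel_admin.data["${var.secret}.json"]
}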