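{{- /*
Traefik IngressRoute for this chart, rendered only when .Values.expose is set.
When one of .Values.expose.middlewares is named "authentik", a forwardAuth
Middleware called "authentik" is rendered as a second document in the same
namespace. Its auth address is derived from the first Host matcher found in
.Values.expose.match.
*/ -}}
{{- if .Values.expose }}
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: {{ .Chart.Name | quote }}
  namespace: {{ .Values.namespace | quote }}
spec:
  # NOTE(review): neither entryPoints nor tls is set on this route, so which
  # listeners serve it and whether TLS applies depend on Traefik's static
  # configuration. Confirm it is not reachable over plain HTTP.
  routes:
    - kind: Rule
      # Quoted so a rule containing ": " or " #" cannot alter the document
      # structure; a missing rule fails the render instead of emitting a
      # broken route.
      match: {{ required "expose.match is required when expose is set" .Values.expose.match | quote }}
      {{- if .Values.expose.middlewares }}
      middlewares:
        {{- toYaml .Values.expose.middlewares | nindent 8 }}
      {{- end }}
      services:
        - name: {{ .Values.expose.service.name | quote }}
          port: {{ .Values.expose.service.port }}
          namespace: {{ .Values.namespace | quote }}
{{- /* Detect whether the route references a middleware named "authentik". */}}
{{- $authentikMiddleware := false }}
{{- range .Values.expose.middlewares }}
{{- if eq .name "authentik" }}
{{- $authentikMiddleware = true }}
{{- end }}
{{- end }}
{{- if $authentikMiddleware }}
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: authentik
  namespace: {{ .Values.namespace | quote }}
spec:
  forwardAuth:
    {{- /* Collect every single-host matcher, e.g. Host(`app.example.org`). */}}
    {{- $hostRules := mustRegexFindAll "Host[(]`[^`]+`[)]" .Values.expose.match -1 }}
    {{- if not $hostRules }}
    {{- fail "expose.match must contain a Host(`...`) matcher when the authentik middleware is enabled" }}
    {{- end }}
    {{- $firstHost := index $hostRules 0 }}
    {{- $hostname := regexReplaceAll ".+`([^`]+)`.?" $firstHost "$1" }}
    # Only the first Host matcher of the rule is used for the auth endpoint.
    # NOTE(review): this assumes /outpost.goauthentik.io/ is routed to the
    # authentik outpost on that hostname; that route is not defined here.
    address: {{ printf "https://%s/outpost.goauthentik.io/auth/traefik" $hostname | quote }}
    # Traefik copies these headers from the auth response onto the forwarded
    # request, replacing client-supplied values of the same name. A backend
    # that trusts them must not be reachable by any path that bypasses this
    # middleware, otherwise the identity headers can be forged.
    authResponseHeaders:
      - X-authentik-username
      - X-authentik-groups
      - X-authentik-email
      - X-authentik-name
      - X-authentik-uid
      - X-authentik-jwt
      - X-authentik-meta-jwks
      - X-authentik-meta-outpost
      - X-authentik-meta-provider
      - X-authentik-meta-app
      - X-authentik-meta-version
    # With this enabled, X-Forwarded-* headers already present on the incoming
    # request are trusted and passed to the auth endpoint. Keep it only if
    # Traefik's entry points accept forwarded headers solely from trusted
    # proxies (forwardedHeaders.trustedIPs) or nothing untrusted can reach
    # Traefik directly.
    trustForwardHeader: true
{{- end }}
{{- end }}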