#!/usr/bin/env bash

# Generate MinIO TLS certificates using existing CA
# This script generates certificates for MinIO server

set -e

TLS_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CA_DIR="$TLS_DIR/ca"
MINIO_DIR="$TLS_DIR/minio"

mkdir -p "$MINIO_DIR"

echo "Generating MinIO TLS certificates using existing CA..."
echo "CA Directory: $CA_DIR"
echo "MinIO Directory: $MINIO_DIR"
echo ""

# Check if CA exists
if [ ! -f "$CA_DIR/ca-cert.pem" ] || [ ! -f "$CA_DIR/ca-key.pem" ]; then
    echo "ERROR: CA certificates not found. Please run generate-certificates.sh first."
    exit 1
fi

# Generate MinIO server private key
echo "Step 1: Generating MinIO server private key..."
openssl genrsa -out "$MINIO_DIR/minio-key.pem" 4096

# Convert to traditional RSA format (required by MinIO)
echo "Step 1b: Converting private key to traditional RSA format..."
openssl rsa -in "$MINIO_DIR/minio-key.pem" -traditional -out "$MINIO_DIR/minio-key.pem"

# Create certificate signing request (CSR)
echo "Step 2: Creating MinIO certificate signing request..."
openssl req -new -key "$MINIO_DIR/minio-key.pem" -out "$MINIO_DIR/minio.csr" \
  -subj "/C=US/ST=California/L=SanFrancisco/O=BakeryIA/OU=Storage/CN=minio.bakery-ia.svc.cluster.local"

# Create SAN (Subject Alternative Names) configuration for MinIO
cat > "$MINIO_DIR/san.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = California
L = SanFrancisco
O = BakeryIA
OU = Storage
CN = minio.bakery-ia.svc.cluster.local

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = minio.bakery-ia.svc.cluster.local
DNS.2 = minio.bakery-ia
DNS.3 = minio-console.bakery-ia.svc.cluster.local
DNS.4 = minio-console.bakery-ia
DNS.5 = minio
DNS.6 = minio-console
DNS.7 = localhost
IP.1 = 127.0.0.1
EOF

# Sign the certificate with CA (valid for 3 years)
echo "Step 3: Signing MinIO certificate with CA..."
openssl x509 -req -in "$MINIO_DIR/minio.csr" \
  -CA "$CA_DIR/ca-cert.pem" -CAkey "$CA_DIR/ca-key.pem" -CAcreateserial \
  -out "$MINIO_DIR/minio-cert.pem" -days 1095 \
  -extensions v3_req -extfile "$MINIO_DIR/san.cnf"

# Set proper permissions
chmod 600 "$MINIO_DIR/minio-key.pem"
chmod 644 "$MINIO_DIR/minio-cert.pem"

# Copy CA cert for MinIO
cp "$CA_DIR/ca-cert.pem" "$MINIO_DIR/ca-cert.pem"

echo ""
echo "Step 4: Verifying MinIO certificates..."

# Verify MinIO certificate
echo "MinIO certificate details:"
openssl x509 -in "$MINIO_DIR/minio-cert.pem" -noout -subject -issuer -dates
openssl verify -CAfile "$CA_DIR/ca-cert.pem" "$MINIO_DIR/minio-cert.pem"

echo ""
echo "==================="
echo "✓ MinIO certificates generated successfully!"
echo ""
echo "Generated files:"
echo "  MinIO:"
echo "    - $MINIO_DIR/minio-cert.pem (Server certificate)"
echo "    - $MINIO_DIR/minio-key.pem (Server private key - traditional RSA format)"
echo "    - $MINIO_DIR/ca-cert.pem (CA certificate)"
echo ""
echo "Important Notes:"
echo "  • Private key is in traditional RSA format (BEGIN RSA PRIVATE KEY)"
echo "  • This format is required by MinIO to avoid 'The private key contains additional data' error"
echo "  • Certificates follow the standardized Opaque secret structure"
echo ""
echo "Next steps:"
echo "  1. Update Kubernetes minio-tls secret with these certificates"
echo "  2. Apply the updated secret to your cluster"
echo "  3. Restart MinIO pods if necessary"
echo ""
echo "For more details, see: docs/MINIO_TLS_FIX_SUMMARY.md"