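#!/usr/bin/env bash
# Generate CI/CD Secrets for Bakery-IA
#
# This script creates Kubernetes secrets required for the CI/CD pipeline.
# Run this script once during initial setup.
#
# Usage:
#   ./generate-secrets.sh [options]
#
# Options:
#   --registry-url    Container registry URL (default: gitea.bakery-ia.local:5000)
#   --gitea-user      Gitea username (will prompt if not provided)
#   --gitea-password  Gitea password (will prompt if not provided)
#   --dry-run         Print commands without executing
#
# Environment:
#   REGISTRY_URL, GITEA_USERNAME and GITEA_PASSWORD may be pre-set instead of
#   passing the flags above (flags take precedence over the environment).
#
# Security notes:
#   - kubectl arguments are built as arrays and never passed through eval, so a
#     username or password containing quotes or shell metacharacters cannot
#     alter the command that runs.
#   - Credentials are still handed to kubectl as command-line arguments and are
#     therefore briefly visible in the process list on this host; run the
#     script from a trusted admin workstation.
#   - In --dry-run mode the Gitea password is redacted from the printed
#     commands so it does not land in terminal scrollback or CI logs.
#   - The generated webhook secret is written to .webhook-secret (mode 0600)
#     next to this script; keep that file out of version control.

set -euo pipefail

# Colors for output. Defined with $'...' so they hold real escape bytes and can
# be emitted with printf '%s' (no reliance on the non-portable `echo -e`).
readonly RED=$'\033[0;31m'
readonly GREEN=$'\033[0;32m'
readonly YELLOW=$'\033[1;33m'
readonly NC=$'\033[0m' # No Color

# Default values (environment may pre-populate; flags override below).
REGISTRY_URL="${REGISTRY_URL:-gitea.bakery-ia.local:5000}"
GITEA_USERNAME="${GITEA_USERNAME:-}"
GITEA_PASSWORD="${GITEA_PASSWORD:-}"
DRY_RUN=false

# kubectl invocation as an array so "microk8s kubectl" stays two words
# without depending on unquoted word-splitting.
KUBECTL=(kubectl)
if command -v microk8s >/dev/null 2>&1; then
  KUBECTL=(microk8s kubectl)
fi

#######################################
# Print an error message in red to stderr and exit with status 1.
# Globals:   RED, NC (read)
# Arguments: $* - message
#######################################
die() {
  printf '%s%s%s\n' "$RED" "$*" "$NC" >&2
  exit 1
}

#######################################
# Print a whole line in one color.
# Globals:   NC (read)
# Arguments: $1 - color escape, $2 - message
# Outputs:   colored line on stdout
#######################################
say() {
  printf '%s%s%s\n' "$1" "$2" "$NC"
}

#######################################
# Render a command as a single shell-quoted string for display, with the
# Gitea password redacted. Used only for --dry-run output.
# Arguments: $@ - command and its arguments
# Outputs:   quoted command line (no trailing newline) on stdout
#######################################
quote_cmd() {
  local arg quoted out=''
  for arg in "$@"; do
    case "$arg" in
      # Never print the password, even in dry-run mode.
      --docker-password=*) arg='--docker-password=<redacted>' ;;
      --from-literal=password=*) arg='--from-literal=password=<redacted>' ;;
    esac
    printf -v quoted '%q' "$arg"
    out+="$quoted "
  done
  printf '%s' "${out% }"
}

#######################################
# Run a command, or print it (redacted) when DRY_RUN is true.
# Globals:   DRY_RUN, YELLOW, NC (read)
# Arguments: $@ - command and its arguments
# Returns:   the command's exit status (0 in dry-run mode)
#######################################
run_or_print() {
  if [[ "$DRY_RUN" = true ]]; then
    printf '%s[DRY-RUN]%s %s\n' "$YELLOW" "$NC" "$(quote_cmd "$@")"
  else
    "$@"
  fi
}

#######################################
# Idempotently create-or-update a resource: render it client-side with
# `kubectl create ... --dry-run=client -o yaml` and pipe into `kubectl apply`.
# In DRY_RUN mode the pipeline is printed (password redacted) instead.
# Globals:   KUBECTL, DRY_RUN, YELLOW, NC (read)
# Arguments: $@ - arguments to `kubectl create` (resource type, name, flags)
#######################################
apply_created() {
  if [[ "$DRY_RUN" = true ]]; then
    printf '%s[DRY-RUN]%s %s | %s apply -f -\n' "$YELLOW" "$NC" \
      "$(quote_cmd "${KUBECTL[@]}" create "$@" --dry-run=client -o yaml)" \
      "${KUBECTL[*]}"
  else
    "${KUBECTL[@]}" create "$@" --dry-run=client -o yaml \
      | "${KUBECTL[@]}" apply -f -
  fi
}

#######################################
# Best-effort: add the app.kubernetes.io/name label to one secret.
# Labeling failures are deliberately ignored (the secret itself was already
# applied successfully; a missing label is cosmetic).
# Globals:   KUBECTL, DRY_RUN (read)
# Arguments: $1 - secret name, $2 - namespace
#######################################
label_secret() {
  local secret="$1" ns="$2"
  if [[ "$DRY_RUN" = true ]]; then
    run_or_print "${KUBECTL[@]}" label secret "$secret" -n "$ns" \
      app.kubernetes.io/name=bakery-ia-cicd --overwrite
  else
    "${KUBECTL[@]}" label secret "$secret" -n "$ns" \
      app.kubernetes.io/name=bakery-ia-cicd --overwrite 2>/dev/null || true
  fi
}

# Parse arguments
while [[ $# -gt 0 ]]; do
  case "$1" in
    --registry-url)
      [[ $# -ge 2 ]] || die "Option $1 requires a value"
      REGISTRY_URL="$2"
      shift 2
      ;;
    --gitea-user)
      [[ $# -ge 2 ]] || die "Option $1 requires a value"
      GITEA_USERNAME="$2"
      shift 2
      ;;
    --gitea-password)
      [[ $# -ge 2 ]] || die "Option $1 requires a value"
      GITEA_PASSWORD="$2"
      shift 2
      ;;
    --dry-run)
      DRY_RUN=true
      shift
      ;;
    *)
      die "Unknown option: $1"
      ;;
  esac
done

echo "=========================================="
echo " Bakery-IA CI/CD Secrets Generator"
echo "=========================================="
echo ""

# Prompt for credentials if not provided (-r keeps backslashes literal,
# -s keeps the password off the terminal).
if [[ -z "$GITEA_USERNAME" ]]; then
  read -r -p "Enter Gitea username: " GITEA_USERNAME
fi
if [[ -z "$GITEA_PASSWORD" ]]; then
  read -r -s -p "Enter Gitea password: " GITEA_PASSWORD
  echo ""
fi

# Generate webhook secret (256 bits from the OS CSPRNG via openssl).
WEBHOOK_SECRET=$(openssl rand -hex 32) || die "Failed to generate webhook secret with openssl"

echo ""
say "$YELLOW" "Configuration:"
echo " Registry URL: $REGISTRY_URL"
echo " Gitea User: $GITEA_USERNAME"
echo " Webhook Secret: ${WEBHOOK_SECRET:0:8}..."
echo ""

# Ensure namespaces exist
say "$GREEN" "Creating namespaces if they don't exist..."
apply_created namespace tekton-pipelines
apply_created namespace flux-system

echo ""
say "$GREEN" "Creating secrets..."

# 1. Webhook Secret
echo " Creating gitea-webhook-secret..."
apply_created secret generic gitea-webhook-secret \
  --namespace tekton-pipelines \
  --from-literal=secretToken="$WEBHOOK_SECRET"

# 2. Registry Credentials (docker-registry type)
echo " Creating gitea-registry-credentials..."
apply_created secret docker-registry gitea-registry-credentials \
  --namespace tekton-pipelines \
  --docker-server="$REGISTRY_URL" \
  --docker-username="$GITEA_USERNAME" \
  --docker-password="$GITEA_PASSWORD"

# 3. Git Credentials for Tekton
echo " Creating gitea-git-credentials..."
apply_created secret generic gitea-git-credentials \
  --namespace tekton-pipelines \
  --from-literal=username="$GITEA_USERNAME" \
  --from-literal=password="$GITEA_PASSWORD"

# 4. Flux Git Credentials
echo " Creating gitea-credentials for Flux..."
apply_created secret generic gitea-credentials \
  --namespace flux-system \
  --from-literal=username="$GITEA_USERNAME" \
  --from-literal=password="$GITEA_PASSWORD"

# Label all secrets that exist in either namespace.
echo ""
say "$GREEN" "Adding labels to secrets..."
for ns in tekton-pipelines flux-system; do
  for secret in gitea-webhook-secret gitea-registry-credentials gitea-git-credentials gitea-credentials; do
    if "${KUBECTL[@]}" get secret "$secret" -n "$ns" >/dev/null 2>&1; then
      label_secret "$secret" "$ns"
    fi
  done
done

echo ""
echo "=========================================="
say "$GREEN" "Secrets created successfully!"
echo "=========================================="
echo ""
printf '%sIMPORTANT:%s Save this webhook secret for Gitea webhook configuration:\n' "$YELLOW" "$NC"
echo ""
echo " Webhook Secret: $WEBHOOK_SECRET"
echo ""
echo "Configure this in Gitea:"
echo " 1. Go to Repository Settings > Webhooks"
echo " 2. Add webhook with URL: http://el-bakery-ia-listener.tekton-pipelines.svc.cluster.local:8080"
echo " 3. Set Secret to the webhook secret above"
echo " 4. Select events: Push"
echo ""

# Save webhook secret to a file for reference (gitignored)
if [[ "$DRY_RUN" = false ]]; then
  script_dir=$(cd "$(dirname "$0")" && pwd)
  secret_file="$script_dir/.webhook-secret"
  # Create the file with restrictive permissions from the start (umask in a
  # subshell) instead of chmod-ing after the write, so the secret is never
  # readable by other users, not even briefly.
  (umask 077 && printf '%s\n' "$WEBHOOK_SECRET" > "$secret_file")
  chmod 600 "$secret_file" # also tightens a pre-existing file
  echo "Webhook secret saved to .webhook-secret (gitignored)"
fi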