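---
# Tekton Update GitOps Task for Bakery-IA CI/CD
#
# Clones the bakery-ia repository, rewrites the container image reference of
# every requested service's Kubernetes manifest (and its migration Job, when
# one exists) to REGISTRY/IMAGE:GIT_REVISION, then commits and pushes the
# result back to GIT_BRANCH unless dry-run is "true".
#
# Task params and workspace paths are handed to the script through env vars
# rather than spliced into the script text by $(params.x) interpolation, so an
# unexpected param value cannot alter the shell that runs. The Git token is
# passed to git via the credential store instead of being embedded in the
# clone URL, which would leave it in /tmp/gitops/.git/config and in git error
# output.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: update-gitops
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app.kubernetes.io/name: {{ .Values.labels.app.name | quote }}
    app.kubernetes.io/component: gitops
spec:
  workspaces:
    - name: source
      description: Workspace containing the source code
    # Declared for pipeline compatibility; this step reads its Git credentials
    # from the gitea-git-credentials Secret (see env below), not from here.
    - name: git-credentials
      description: Git credentials for pushing changes
  params:
    - name: services
      type: string
      description: Comma-separated list of services to update
    - name: registry
      type: string
      description: Container registry URL
    - name: git-revision
      type: string
      description: Git revision to tag images with
    - name: git-branch
      type: string
      description: Git branch to push changes to
    - name: dry-run
      type: string
      description: Dry run mode - don't push changes
      default: "false"
  steps:
    - name: update-manifests
      image: alpine/git:2.43.0
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        allowPrivilegeEscalation: false
        capabilities:
          drop:
            - ALL
        seccompProfile:
          type: RuntimeDefault
      workingDir: $(workspaces.source.path)
      env:
        - name: HOME
          value: /tekton/home
        # Task params, exposed to the script as plain env vars.
        - name: SERVICES
          value: "$(params.services)"
        - name: REGISTRY
          value: "$(params.registry)"
        - name: GIT_REVISION
          value: "$(params.git-revision)"
        - name: GIT_BRANCH
          value: "$(params.git-branch)"
        - name: DRY_RUN
          value: "$(params.dry-run)"
        - name: SOURCE_PATH
          value: "$(workspaces.source.path)"
        # External Gitea host reached via ingress for reliable TLS connectivity.
        - name: GIT_HOST
          value: gitea.bakewise.ai
        - name: GIT_USERNAME
          valueFrom:
            secretKeyRef:
              name: gitea-git-credentials
              key: username
        - name: GIT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: gitea-git-credentials
              key: password
      script: |
        #!/bin/sh
        # All inputs come from the env block above; -u makes a missing one a
        # hard error instead of an empty string.
        set -eu

        echo "============================================"
        echo "Updating GitOps Manifests"
        echo "Services: ${SERVICES}"
        echo "Registry: ${REGISTRY}"
        echo "Revision: ${GIT_REVISION}"
        echo "Branch: ${GIT_BRANCH}"
        echo "Dry run: ${DRY_RUN}"
        echo "============================================"

        # Configure git identity
        git config --global user.email "ci@bakery-ia.local"
        git config --global user.name "bakery-ia-ci"

        # Mark directories as safe to avoid ownership issues
        git config --global --add safe.directory /tmp/gitops
        git config --global --add safe.directory "${SOURCE_PATH}"

        # Hand the token to git through the credential store. The store file
        # lives under $HOME (created with 0600 via the subshell umask) and is
        # never printed; `git credential approve` percent-encodes the values.
        git config --global credential.helper store
        (
          umask 077
          printf 'protocol=https\nhost=%s\nusername=%s\npassword=%s\n' \
            "${GIT_HOST}" "${GIT_USERNAME}" "${GIT_PASSWORD}" | git credential approve
        )

        # Clone the main repository (not a separate gitops repo)
        git clone "https://${GIT_HOST}/bakery-admin/bakery-ia.git" /tmp/gitops
        cd /tmp/gitops

        # Switch to target branch, creating it if it does not exist yet
        git checkout "${GIT_BRANCH}" || git checkout -b "${GIT_BRANCH}"

        # update_image FILE IMAGE
        # Rewrite the image reference for IMAGE in FILE to REGISTRY/IMAGE:GIT_REVISION.
        # Matches both the legacy hard-coded registry prefix and the configured
        # REGISTRY, so a manifest already rewritten by a previous run is still
        # picked up, and warns when nothing in the file matched (sed itself is
        # silent in that case). Assumes REGISTRY contains no '#' (the sed delimiter).
        update_image() {
          file="$1"
          image="$2"
          new_ref="${REGISTRY}/${image}:${GIT_REVISION}"
          sed -E -i "s#image: (registry\.bakewise\.ai/bakery-admin|${REGISTRY})/${image}:[^[:space:]]*#image: ${new_ref}#g" "$file"
          if grep -q "image: ${new_ref}" "$file"; then
            echo "Updated image in: $file -> ${new_ref}"
          else
            echo "Warning: no image reference for ${image} found in $file"
          fi
        }

        # rename_migration_job FILE PREFIX
        # Give the migration Job in FILE a name of PREFIX-migration-<short hash>
        # so every revision creates a fresh Job (Job specs are immutable). The
        # regex replaces an existing hash suffix instead of appending to it, so
        # the name does not grow on repeated runs; it also covers the
        # app.kubernetes.io/name label, which ends in "name:". The first 7
        # characters keep the name under the 63-character limit. Assumes
        # GIT_REVISION is a commit SHA, as the param description states.
        rename_migration_job() {
          file="$1"
          prefix="$2"
          short_hash=$(printf '%s' "${GIT_REVISION}" | cut -c 1-7)
          sed -E -i "s#(name: ${prefix}-migration)(-[0-9a-fA-F]+)?[[:space:]]*\$#\1-${short_hash}#" "$file"
          echo "Updated job name and labels in: $file -> ${prefix}-migration-${short_hash}"
        }

        # Update image tags in Kubernetes manifests
        for service in $(printf '%s' "${SERVICES}" | tr ',' '\n'); do
          service=$(printf '%s\n' "$service" | xargs)  # Trim whitespace
          if [ -z "$service" ] || [ "$service" = "none" ] || [ "$service" = "infrastructure" ] || [ "$service" = "shared" ]; then
            continue
          fi
          echo "Updating manifest for service: $service"

          # Reset per-service state so a value from the previous iteration
          # can never leak into this one (service_dir in particular).
          MANIFEST_PATH=""
          IMAGE_NAME=""
          service_dir=""

          case "$service" in
            gateway)
              # gateway lives under platform/ and its image name is just "gateway"
              MANIFEST_PATH="infrastructure/platform/gateway/gateway-service.yaml"
              IMAGE_NAME="gateway"
              ;;
            frontend)
              # frontend service uses "dashboard" as image name
              MANIFEST_PATH="infrastructure/services/microservices/frontend/frontend-service.yaml"
              IMAGE_NAME="dashboard"
              ;;
            alert-processor)
              MANIFEST_PATH="infrastructure/services/microservices/alert-processor/alert-processor.yaml"
              IMAGE_NAME="alert-processor"
              ;;
            *)
              # Microservices: "auth-service" -> dir "auth"; a name without the
              # -service suffix (e.g. "demo-session") maps to a dir of that name.
              service_dir="${service%-service}"
              base="infrastructure/services/microservices/${service_dir}"
              # Try the known manifest file names, falling back to the standard pattern
              for candidate in "${base}/deployment.yaml" "${base}/${service_dir}-service.yaml" "${base}/${service}.yaml"; do
                if [ -f "$candidate" ]; then
                  MANIFEST_PATH="$candidate"
                  break
                fi
              done
              [ -n "$MANIFEST_PATH" ] || MANIFEST_PATH="${base}/${service_dir}-service.yaml"
              # Image name is the service name as-is (e.g. auth-service, tenant-service)
              IMAGE_NAME="$service"
              ;;
          esac

          if [ -f "$MANIFEST_PATH" ]; then
            update_image "$MANIFEST_PATH" "$IMAGE_NAME"
          else
            echo "Warning: Manifest file not found: $MANIFEST_PATH"
            echo "  Service: $service, service_dir: $service_dir, IMAGE_NAME: $IMAGE_NAME"
          fi

          # Also update the migration job if this service has one. Only the
          # services resolved through service_dir are looked up; the
          # special-cased services above have no migrations directory path.
          if [ -n "$service_dir" ]; then
            migrations="infrastructure/services/microservices/${service_dir}/migrations"
            MIGRATION_JOB_PATH=""
            for candidate in "${migrations}/${service_dir}-migration-job.yaml" "${migrations}/${service}-migration-job.yaml"; do
              if [ -f "$candidate" ]; then
                MIGRATION_JOB_PATH="$candidate"
                break
              fi
            done
            if [ -n "$MIGRATION_JOB_PATH" ]; then
              update_image "$MIGRATION_JOB_PATH" "$IMAGE_NAME"
              # The Job name prefix is whatever precedes -migration-job.yaml in
              # the file name (service_dir or the full service name).
              job_prefix=$(basename "$MIGRATION_JOB_PATH" -migration-job.yaml)
              rename_migration_job "$MIGRATION_JOB_PATH" "$job_prefix"
            else
              echo "Info: No migration job found for $service"
            fi
          fi
        done

        # Commit and push changes (unless dry-run)
        if [ "${DRY_RUN}" != "true" ]; then
          git add .
          git status
          if ! git diff --cached --quiet; then
            git commit -m "Update images for services: ${SERVICES} [skip ci]"
            git push origin "${GIT_BRANCH}"
            echo "GitOps manifests updated successfully"
          else
            echo "No changes to commit"
          fi
        else
          echo "Dry run mode - changes not pushed"
          git status
          git diff
        fi
      resources:
        limits:
          cpu: 500m
          memory: 512Mi
        requests:
          cpu: 100m
          memory: 128Mi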