#!/bin/bash
# =============================================================================
# Phase 7: Deploy Optional Services - Fixed Version
# =============================================================================
# This script deploys the optional services for production:
# 1. Unbound DNS (with dynamic IP resolution)
# 2. CoreDNS configuration for DNSSEC
# 3. Mailu Email Server
# 4. SigNoz Monitoring
#
# Fixed issues:
# - Removed static ClusterIP that caused CIDR range conflicts
# - Implemented dynamic IP resolution for Unbound DNS
# - Updated CoreDNS patching to use dynamic IP
# - Updated Mailu configuration to use dynamic DNS server
# =============================================================================

set -e

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color

NAMESPACE="bakery-ia"
DOMAIN="bakewise.ai"

print_step() {
    echo -e "\n${BLUE}==>${NC} ${GREEN}$1${NC}"
}

print_error() {
    echo -e "${RED}ERROR:${NC} $1"
}

print_success() {
    echo -e "${GREEN}✓${NC} $1"
}

# =============================================================================
# Step 7.1: Deploy Unbound DNS (with dynamic IP)
# =============================================================================
print_step "Step 7.1: Deploying Unbound DNS resolver (dynamic IP)..."

if kubectl get deployment unbound -n "$NAMESPACE" &>/dev/null; then
    print_success "Unbound already deployed"
else
    helm upgrade --install unbound infrastructure/platform/networking/dns/unbound-helm \
        -n "$NAMESPACE" \
        -f infrastructure/platform/networking/dns/unbound-helm/values.yaml \
        -f infrastructure/platform/networking/dns/unbound-helm/prod/values.yaml \
        --timeout 5m \
        --wait
    
    print_success "Unbound deployed"
fi

# Wait for Unbound service to get assigned IP
print_step "Waiting for Unbound service to get assigned IP..."
for i in {1..30}; do
    UNBOUND_IP=$(kubectl get svc unbound-dns -n "$NAMESPACE" -o jsonpath='{.spec.clusterIP}' 2>/dev/null || echo "")
    if [ -n "$UNBOUND_IP" ] && [ "$UNBOUND_IP" != "<none>" ]; then
        echo "Unbound DNS service IP: $UNBOUND_IP"
        break
    fi
    if [ $i -eq 30 ]; then
        print_error "Failed to get Unbound service IP"
        exit 1
    fi
    sleep 2
    echo "Waiting for Unbound service IP... (attempt $i/30)"
done

# =============================================================================
# Step 7.2: Configure CoreDNS for DNSSEC (dynamic IP)
# =============================================================================
print_step "Step 7.2: Configuring CoreDNS for DNSSEC validation..."

# Check current CoreDNS forward configuration
CURRENT_FORWARD=$(kubectl get configmap coredns -n kube-system -o jsonpath='{.data.Corefile}' | grep -o 'forward \. [0-9.]*' | awk '{print $3}' || echo "")

if [ "$CURRENT_FORWARD" != "$UNBOUND_IP" ]; then
    echo "Updating CoreDNS to forward to Unbound ($UNBOUND_IP)..."

    # Create a temporary file with the CoreDNS configuration
    TEMP_COREFILE=$(mktemp)
    cat > "$TEMP_COREFILE" <<EOF
.:53 {
    errors
    health {
       lameduck 5s
    }
    ready
    kubernetes cluster.local in-addr.arpa ip6.arpa {
       pods insecure
       fallthrough in-addr.arpa ip6.arpa
       ttl 30
    }
    prometheus :9153
    forward . $UNBOUND_IP {
       max_concurrent 1000
    }
    cache 30 {
       disable success cluster.local
       disable denial cluster.local
    }
    loop
    reload
    loadbalance
}
EOF

    # Apply the configuration
    kubectl patch configmap coredns -n kube-system --type merge -p "{
      \"data\": {
        \"Corefile\": \"$(cat "$TEMP_COREFILE" | sed 's/\\/\\\\/g' | sed ':a;N;$!ba;s/\n/\\\\n/g')\"
      }
    }"

    rm -f "$TEMP_COREFILE"

    # Restart CoreDNS
    kubectl rollout restart deployment coredns -n kube-system
    kubectl rollout status deployment coredns -n kube-system --timeout=60s

    print_success "CoreDNS configured to forward to Unbound"
else
    print_success "CoreDNS already configured for Unbound"
fi

# =============================================================================
# Step 7.3: Deploy Mailu Email Server (dynamic DNS)
# =============================================================================
print_step "Step 7.3: Deploying Mailu Email Server..."

# Add Mailu Helm repository
helm repo add mailu https://mailu.github.io/helm-charts 2>/dev/null || true
helm repo update mailu

# Create temporary values file with dynamic DNS server
TEMP_VALUES=$(mktemp)
cat infrastructure/platform/mail/mailu-helm/values.yaml | sed "s/# custom_dns_servers: \"\"  # Will be set dynamically by deployment script/custom_dns_servers: \"$UNBOUND_IP\"/" > "$TEMP_VALUES"

# Deploy Mailu with dynamic DNS configuration
helm upgrade --install mailu mailu/mailu \
    -n "$NAMESPACE" \
    -f "$TEMP_VALUES" \
    -f infrastructure/platform/mail/mailu-helm/prod/values.yaml \
    --timeout 10m

rm -f "$TEMP_VALUES"

print_success "Mailu Helm release deployed"

# Wait for Mailu pods to be ready
echo "Waiting for Mailu pods to be ready (this may take 5-10 minutes)..."
kubectl wait --for=condition=ready pod -l app.kubernetes.io/component=admin -n "$NAMESPACE" --timeout=300s || {
    print_error "Admin pod failed to start. Checking logs..."
    kubectl logs -n "$NAMESPACE" -l app.kubernetes.io/component=admin --tail=50
    exit 1
}

print_success "Mailu deployment completed"

# =============================================================================
# Step 7.4: Deploy SigNoz Monitoring
# =============================================================================
print_step "Step 7.4: Deploying SigNoz Monitoring..."

# Add SigNoz Helm repository
helm repo add signoz https://charts.signoz.io 2>/dev/null || true
helm repo update

# Install SigNoz
helm install signoz signoz/signoz \
  -n "$NAMESPACE" \
  -f infrastructure/monitoring/signoz/signoz-values-prod.yaml \
  --set global.storageClass="microk8s-hostpath" \
  --set clickhouse.persistence.enabled=true \
  --set clickhouse.persistence.size=50Gi \
  --timeout 15m

# Wait for SigNoz to be ready
kubectl wait --for=condition=available --timeout=600s deployment/signoz-frontend -n "$NAMESPACE"

print_success "SigNoz deployment completed"

# =============================================================================
# Summary
# =============================================================================
echo ""
echo "=============================================="
echo -e "${GREEN}Phase 7 Deployment Complete!${NC}"
echo "=============================================="
echo ""
echo "Deployed Services:"
echo "  ✓ Unbound DNS (IP: $UNBOUND_IP)"
echo "  ✓ CoreDNS (configured for DNSSEC)"
echo "  ✓ Mailu Email Server"
echo "  ✓ SigNoz Monitoring"
echo ""
echo "Next Steps:"
echo "  1. Configure DNS records for mail.$DOMAIN"
echo "  2. Set up Mailgun relay credentials"
echo "  3. Configure Ingress for monitoring.$DOMAIN"
echo "  4. Verify all services are accessible"
echo ""