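#!/bin/bash
# deploy-django-secret.sh
#
# Generate a random Django SECRET_KEY and store it in a Kubernetes Secret.
#
# Usage: deploy-django-secret.sh [-n NAMESPACE] [-s SECRET_NAME] [-k KEY_NAME]
#
# Operational notes:
#   * Every run generates a NEW key and overwrites the existing Secret.
#     Rotating SECRET_KEY invalidates Django sessions, signed cookies and
#     password-reset tokens signed with the old key. On Django 4.1+ the old
#     key can be kept in SECRET_KEY_FALLBACKS during a transition.
#   * The key is never placed on a command line (argv is visible to other
#     local users via the process list) and is never written to the log.
#   * Kubernetes Secret values are base64-encoded, not encrypted; at-rest
#     protection depends on how the cluster is configured.

set -euo pipefail

# Configuration
readonly DEFAULT_SECRET_NAME="vorgabenui-secrets"
readonly DEFAULT_SECRET_KEY_NAME="vorgabenui_secret"

NAMESPACE="${NAMESPACE:-vorgabenui}"
SECRET_NAME="$DEFAULT_SECRET_NAME"
SECRET_KEY_NAME="$DEFAULT_SECRET_KEY_NAME"

# Kept from the original configuration; not referenced anywhere below.
# shellcheck disable=SC2034
K8S_DIR="$(dirname -- "$0")/../k8s"
# shellcheck disable=SC2034
SECRET_YAML="$K8S_DIR/django-secret.yaml"

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# Logging functions.
# The message is printed with %s so that backslashes or format characters in
# caller-supplied text (e.g. an unknown command-line option) are not
# interpreted. Warnings and errors go to stderr.
log_info() {
  printf '%b[INFO]%b %s\n' "$GREEN" "$NC" "$1"
}

log_warn() {
  printf '%b[WARN]%b %s\n' "$YELLOW" "$NC" "$1" >&2
}

log_error() {
  printf '%b[ERROR]%b %s\n' "$RED" "$NC" "$1" >&2
}

#######################################
# Generate a 50-character random key using Python's `secrets` module.
# Outputs: the key on stdout.
# Returns: python3's exit status.
#######################################
generate_secret_key() {
  # Quoted heredoc delimiter: the shell performs no expansion, so the
  # '$', '!' and '*' characters in the alphabet reach Python untouched.
  python3 - <<'PY'
import secrets
import string

# Django-style secret key generation
chars = string.ascii_letters + string.digits + '!@#$%^&*(-_=+)'
print(''.join(secrets.choice(chars) for _ in range(50)))
PY
}

# Abort unless kubectl is on PATH.
check_kubectl() {
  if ! command -v kubectl &> /dev/null; then
    log_error "kubectl is not installed or not in PATH"
    exit 1
  fi
}

# Abort unless python3 is on PATH.
check_python() {
  if ! command -v python3 &> /dev/null; then
    log_error "python3 is not installed or not in PATH"
    exit 1
  fi
}

#######################################
# Create or update the Kubernetes Secret.
# Globals:   SECRET_NAME, SECRET_KEY_NAME, NAMESPACE (read)
# Arguments: $1 - the secret value
# Returns:   exits 1 if the manifest cannot be generated or applied
#######################################
create_secret() {
  local secret_key="$1"

  log_info "Creating Kubernetes secret '$SECRET_NAME' in namespace '$NAMESPACE'..."

  # The value is fed through stdin (--from-file=KEY=/dev/stdin) rather than
  # --from-literal, which would expose it in kubectl's argument list.
  # printf '%s' adds no trailing newline, so the stored value is exact.
  #
  # The pipeline is tested directly: under `set -e` with pipefail a
  # separate `$?` check afterwards would never be reached on failure.
  #
  # NOTE: client-side `kubectl apply` records the applied manifest in the
  # kubectl.kubernetes.io/last-applied-configuration annotation, so the
  # base64-encoded value is also stored there on the Secret object.
  if printf '%s' "$secret_key" \
    | kubectl create secret generic "$SECRET_NAME" \
      --from-file="$SECRET_KEY_NAME=/dev/stdin" \
      --namespace="$NAMESPACE" \
      --dry-run=client -o yaml \
    | kubectl apply -f -; then
    log_info "Successfully created/updated secret '$SECRET_NAME'"
  else
    log_error "Failed to create/update secret '$SECRET_NAME'"
    exit 1
  fi
}

#######################################
# Confirm the Secret exists and print its metadata.
# Returns: 0 if the Secret is found, 1 otherwise.
#######################################
verify_secret() {
  log_info "Verifying secret deployment..."

  if kubectl get secret "$SECRET_NAME" --namespace="$NAMESPACE" &> /dev/null; then
    log_info "Secret '$SECRET_NAME' exists in namespace '$NAMESPACE'"
    # Show secret (without revealing the actual key)
    kubectl describe secret "$SECRET_NAME" --namespace="$NAMESPACE"
    return 0
  else
    log_error "Secret '$SECRET_NAME' not found in namespace '$NAMESPACE'"
    return 1
  fi
}

# Print command-line help. Defaults shown are the script's real defaults.
show_usage() {
  cat <<EOF
Usage: $0 [OPTIONS]

Options:
  -n, --namespace NAMESPACE   Kubernetes namespace (default: vorgabenui)
  -s, --secret-name NAME      Secret name (default: $DEFAULT_SECRET_NAME)
  -k, --key-name NAME         Secret key name (default: $DEFAULT_SECRET_KEY_NAME)
  -h, --help                  Show this help message

Environment variables:
  NAMESPACE                   Override default namespace

Examples:
  $0                          # Deploy to vorgabenui namespace
  $0 -n production            # Deploy to production namespace
  NAMESPACE=staging $0        # Deploy to staging namespace
EOF
}

# Fail with a usage message when an option is given without its value.
# Without this, `set -u` aborts on "$2" with an opaque "unbound variable".
# Arguments: the remaining command line ($1 = option, $2 = its value)
require_value() {
  if [[ $# -lt 2 || -z "$2" ]]; then
    log_error "Option $1 requires a value"
    show_usage
    exit 1
  fi
}

# Parse command line arguments
while [[ $# -gt 0 ]]; do
  case "$1" in
    -n|--namespace)
      require_value "$@"
      NAMESPACE="$2"
      shift 2
      ;;
    -s|--secret-name)
      require_value "$@"
      SECRET_NAME="$2"
      shift 2
      ;;
    -k|--key-name)
      require_value "$@"
      SECRET_KEY_NAME="$2"
      shift 2
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      log_error "Unknown option: $1"
      show_usage
      exit 1
      ;;
  esac
done

# Main execution
main() {
  local secret_key

  log_info "Django SECRET_KEY Deployment Script"
  log_info "==================================="
  log_info "Namespace: $NAMESPACE"
  log_info "Secret Name: $SECRET_NAME"
  log_info "Secret Key Name: $SECRET_KEY_NAME"
  echo ""

  # Perform checks
  check_kubectl
  check_python

  # Generate new secret key
  log_info "Generating new Django SECRET_KEY..."
  if ! secret_key=$(generate_secret_key) || [[ -z "$secret_key" ]]; then
    log_error "Failed to generate secret key"
    exit 1
  fi

  # Only the length is reported: printing any prefix of the key would put
  # part of the secret into terminal scrollback and CI logs.
  log_info "Generated secret key (${#secret_key} characters, value not logged)"

  # Create namespace if it doesn't exist
  if ! kubectl get namespace "$NAMESPACE" &> /dev/null; then
    log_warn "Namespace '$NAMESPACE' does not exist, creating..."
    kubectl create namespace "$NAMESPACE"
  fi

  # Create the secret
  create_secret "$secret_key"

  # Verify deployment
  verify_secret

  echo ""
  log_info "Deployment completed successfully!"
  log_info "To use this secret in your Django deployment, add the following to your pod spec:"
  cat <<EOF

  env:
    - name: VORGABENUI_SECRET
      valueFrom:
        secretKeyRef:
          name: $SECRET_NAME
          key: $SECRET_KEY_NAME

EOF
  # NOTE: nothing in this script touches settings.py; the first message
  # below refers to a change made outside this script.
  log_warn "The old secret key in settings.py has been replaced with environment variable lookup."
  log_warn "Make sure your Django deployment uses the environment variable before deploying."
}

# Run main function
main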