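#!/usr/bin/env bash
# Update Kubernetes Secret objects from per-environment files:
#   dev  -> plain YAML in deploy/k8s/dev/secrets/<name>.yaml, applied with the
#           caller's current kubectl context
#   prod -> 1Password templates in deploy/k8s/prod/secrets/<name>.tpl.yaml,
#           rendered with `op inject` and applied to the `prod` context
#
# -e: abort on an unhandled failure.
# -u: an unset variable is a bug, not an empty string.
# -o pipefail: the prod path runs `op inject ... | kubectl apply -f -`; without
#   pipefail a failing `op inject` (not signed in, missing vault item) is masked
#   by kubectl's exit status and cannot be reported as a failure.
set -euo pipefail

# Resolve the repo root relative to this script, not the caller's cwd, so the
# secrets directory is found no matter where the script is invoked from.
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT_DIR="$(cd "$SCRIPT_DIR/.." && pwd)"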

# ANSI colour escapes for terminal output. They are stored as literal
# backslash sequences (not real ESC bytes); the `echo -e` calls below do the
# translation at print time.
RED="\033[0;31m"
GREEN="\033[0;32m"
YELLOW="\033[1;33m"
NC="\033[0m" # reset to the terminal default

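#######################################
# Print usage and exit with status 1.
# Written to stderr so it never mixes with progress output a caller might
# capture from stdout. The "Available secrets" list mirrors the SECRETS array
# below; the last three entries have no description in this file.
# Globals:   none (reads $0)
# Returns:   never; exits 1
#######################################
usage() {
    cat >&2 <<EOF
Usage: $0 [ENVIRONMENT] [SECRET_NAME]

Update Kubernetes secrets from YAML files

Arguments:
  ENVIRONMENT   Target environment: dev or prod (default: dev)
  SECRET_NAME   Specific secret to update (optional, updates all if not specified)

Available secrets:
  ai-secrets        - AI backend API keys
  postgres-secret   - PostgreSQL password
  minio-secret      - MinIO credentials
  ingestor-secrets  - Exchange API keys
  flink-secrets
  gateway-secrets
  sandbox-secrets

Examples:
  $0                          # Update all dev secrets
  $0 dev                      # Update all dev secrets
  $0 dev ai-secrets           # Update only ai-secrets in dev
  $0 prod                     # Update all prod secrets
  $0 prod minio-secret        # Update only minio-secret in prod
EOF
    exit 1
}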

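# Parse arguments. ENV is kept as the script-wide name because the apply logic
# below reads it. (It shadows the POSIX sh `ENV` startup-file variable, which
# bash only honours for interactive POSIX-mode shells, so that is harmless here.)
ENV="${1:-dev}"
SECRET_NAME="${2:-}"

if [[ "$ENV" != "dev" && "$ENV" != "prod" ]]; then
    echo -e "${RED}Error: Environment must be 'dev' or 'prod'${NC}"
    usage
fi

SECRETS_DIR="$ROOT_DIR/deploy/k8s/$ENV/secrets"

if [[ ! -d "$SECRETS_DIR" ]]; then
    echo -e "${RED}Error: Secrets directory not found: $SECRETS_DIR${NC}"
    exit 1
fi

# Select the kubectl invocation. KUBECTL is a string that the apply_* helpers
# expand unquoted (`$KUBECTL apply ...`) so that the --context flag word-splits
# off; it must not contain paths with spaces.
if [[ "$ENV" == "prod" ]]; then
    # Prod always pins its context explicitly and never trusts the caller's
    # current one.
    KUBECTL="kubectl --context=prod"
    echo -e "${YELLOW}⚠️  WARNING: Updating PRODUCTION secrets!${NC}"
    echo -e "${YELLOW}kubectl context: prod${NC}"
    # On EOF (non-interactive stdin) `read` returns non-zero; treat that as
    # "no" so the script prints "Aborted." instead of dying under set -e.
    confirm=""
    read -r -p "Are you sure you want to continue? (yes/no): " confirm || confirm=""
    if [[ "$confirm" != "yes" ]]; then
        echo "Aborted."
        exit 0
    fi
else
    KUBECTL="kubectl"
    # Dev applies to whatever context is current. Refuse if that context is
    # the one the prod branch pins ("prod"): otherwise `$0 dev` run while a
    # prod context is still active would overwrite production Secrets with
    # dev values, with no warning and no confirmation prompt.
    current_context="$(kubectl config current-context 2>/dev/null || true)"
    if [[ "$current_context" == "prod" ]]; then
        echo -e "${RED}Error: ENVIRONMENT is 'dev' but the current kubectl context is 'prod'${NC}"
        echo -e "${RED}Switch to a dev context (kubectl config use-context ...) or run: $0 prod${NC}"
        exit 1
    fi
    echo -e "${YELLOW}kubectl context: ${current_context:-<unknown>}${NC}"
fi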

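#######################################
# Apply one dev Secret manifest with kubectl.
# Globals:   KUBECTL (read, expanded unquoted on purpose), RED/GREEN/YELLOW/NC (read)
# Arguments: $1 - path to <name>.yaml containing the Secret manifest
# Outputs:   progress and error lines on stdout
# Returns:   0 on success; 1 if the file is missing or `kubectl apply` fails
#######################################
apply_secret_dev() {
    local secret_file="$1"
    # Declare and assign separately so a failing basename is not masked by
    # `local` returning 0.
    local secret_basename
    secret_basename="$(basename "$secret_file" .yaml)"

    if [[ ! -f "$secret_file" ]]; then
        echo -e "${RED}✗ Secret file not found: $secret_file${NC}"
        echo -e "${YELLOW}  Copy from ${secret_basename}.yaml.example and fill in values${NC}"
        return 1
    fi

    # NOTE(review): these dev files hold plaintext credentials; nothing in this
    # script can confirm that deploy/k8s/dev/secrets/*.yaml is git-ignored —
    # verify that in the repository.
    echo -e "${GREEN}→${NC} Applying $secret_basename..."
    # Check kubectl's status explicitly: when this function is called inside
    # `if ! apply_secret_dev ...` set -e is suspended, and without this guard a
    # failed apply would still print "✓ updated" and count as a success.
    if ! $KUBECTL apply -f "$secret_file"; then
        echo -e "${RED}✗ kubectl apply failed for $secret_basename${NC}"
        return 1
    fi
    echo -e "${GREEN}✓${NC} $secret_basename updated"
}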

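#######################################
# Render one prod Secret template with 1Password CLI and apply it with kubectl.
# The rendered manifest (real credentials) lives only in a shell variable and
# reaches kubectl through a pipe from the printf builtin: it is never written
# to disk or passed as a subprocess argument. Do not run this script with
# `set -x`, which would trace the rendered content.
# Globals:   KUBECTL (read, expanded unquoted on purpose), RED/GREEN/NC (read)
# Arguments: $1 - path to <name>.tpl.yaml containing op:// references
# Outputs:   progress and error lines on stdout
# Returns:   0 on success; 1 if the template is missing, `op inject` fails or
#            returns nothing, or `kubectl apply` fails
#######################################
apply_secret_prod() {
    local tpl_file="$1"
    local secret_basename
    secret_basename="$(basename "$tpl_file" .tpl.yaml)"

    if [[ ! -f "$tpl_file" ]]; then
        echo -e "${RED}✗ Template file not found: $tpl_file${NC}"
        return 1
    fi

    echo -e "${GREEN}→${NC} Applying $secret_basename (via op inject)..."

    # Render first and check op's own exit status. In a single
    # `op inject | kubectl apply` pipeline without pipefail, a failing
    # `op inject` is hidden behind kubectl's status and the secret would be
    # reported as updated.
    local rendered
    if ! rendered="$(op inject -i "$tpl_file")"; then
        echo -e "${RED}✗ op inject failed for $secret_basename (not signed in, or vault item missing?)${NC}"
        return 1
    fi
    if [[ -z "$rendered" ]]; then
        echo -e "${RED}✗ op inject produced no output for $secret_basename${NC}"
        return 1
    fi

    # NOTE(review): `kubectl apply` also stores the submitted object in the
    # kubectl.kubernetes.io/last-applied-configuration annotation, so the
    # secret data is held twice inside the Secret object (same RBAC scope).
    # Status is checked explicitly because set -e is suspended when this
    # function runs inside `if ! apply_secret_prod ...`.
    if ! printf '%s\n' "$rendered" | $KUBECTL apply -f -; then
        echo -e "${RED}✗ kubectl apply failed for $secret_basename${NC}"
        return 1
    fi
    echo -e "${GREEN}✓${NC} $secret_basename updated"
}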

# Secret names handled by "update all". Each maps to <name>.yaml (dev) or
# <name>.tpl.yaml (prod) under SECRETS_DIR; order is the apply order.
SECRETS=(
    ai-secrets postgres-secret minio-secret ingestor-secrets
    flink-secrets gateway-secrets sandbox-secrets
)

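#######################################
# Apply one named secret for the selected ENV via the matching helper.
# Globals:   ENV, SECRETS_DIR (read)
# Arguments: $1 - secret name (file stem, no extension)
# Returns:   the helper's exit status
#######################################
apply_one_secret() {
    local name="$1"
    if [[ "$ENV" == "prod" ]]; then
        apply_secret_prod "$SECRETS_DIR/$name.tpl.yaml"
    else
        apply_secret_dev "$SECRETS_DIR/$name.yaml"
    fi
}

# Update a specific secret, or all of them.
if [[ -n "$SECRET_NAME" ]]; then
    # SECRET_NAME is interpolated into a path that kubectl then applies, so
    # accept only a plain file stem: no '/', no leading '.' or '-'. This keeps
    # arguments like `../../other` from applying an arbitrary manifest.
    if [[ ! "$SECRET_NAME" =~ ^[A-Za-z0-9][A-Za-z0-9_-]*$ ]]; then
        echo -e "${RED}Error: invalid secret name '$SECRET_NAME'${NC}"
        echo -e "${YELLOW}Known secrets: ${SECRETS[*]}${NC}"
        exit 1
    fi
    # Under set -e a failing apply aborts the script with its status.
    apply_one_secret "$SECRET_NAME"
else
    echo -e "${GREEN}Updating all $ENV secrets...${NC}"
    echo ""

    FAILED=0
    for secret in "${SECRETS[@]}"; do
        # Keep going after a failure so one missing file does not hide the rest.
        if ! apply_one_secret "$secret"; then
            FAILED=$((FAILED + 1))
        fi
    done

    echo ""
    if (( FAILED > 0 )); then
        echo -e "${YELLOW}⚠️  $FAILED secret(s) failed to apply${NC}"
        if [[ "$ENV" == "prod" ]]; then
            echo -e "${YELLOW}Ensure 1Password CLI is authenticated: op signin${NC}"
            echo -e "${YELLOW}Ensure 'AI Prod' vault items exist (see deploy/k8s/prod/secrets/*.tpl.yaml)${NC}"
        else
            echo -e "${YELLOW}Create missing secret files by copying from .example templates:${NC}"
            echo -e "${YELLOW}  cd $SECRETS_DIR${NC}"
            echo -e "${YELLOW}  cp SECRET_NAME.yaml.example SECRET_NAME.yaml${NC}"
            echo -e "${YELLOW}  # Edit SECRET_NAME.yaml with actual values${NC}"
        fi
        exit 1
    fi
    echo -e "${GREEN}✓ All secrets updated successfully${NC}"
fi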
