#!/usr/bin/env bash
# Patch the live KeyCape config Secret with non-secret code-defined settings:
# the OpenBao CLI client and LLDAP OU lookup paths.
# This does not require decrypted bootstrap secrets and does not print existing
# Secret values.

set -euo pipefail

NAMESPACE="${KEYCAPE_NAMESPACE:-sso}"
SECRET="${KEYCAPE_CONFIG_SECRET:-keycape-config}"
KUBECTL="${KUBECTL:-kubectl}"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

"$KUBECTL" get secret "$SECRET" -n "$NAMESPACE" -o json \
  | python3 "$SCRIPT_DIR/openbao-client-config.py" patch \
  | "$KUBECTL" patch secret "$SECRET" -n "$NAMESPACE" --type merge --patch-file /dev/stdin

echo "Patched $NAMESPACE/$SECRET with the openbao-admin client and LLDAP OU lookup settings."