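#!/usr/bin/env bash
#
# Build or patch an application env Secret so that it carries a PostgreSQL
# DATABASE_URL whose user and password are percent-encoded.
#
# The raw role password is read from an existing Secret, encoded, assembled
# into a URL, and written to the env Secret. Secret material is handed to
# child processes on stdin only: command-line arguments are readable by other
# local users through the process table, so the password and the finished URL
# never appear in argv.
#
# Configuration is taken from the environment; run with -h for the list.
set -euo pipefail

# Print the help text to stdout.
usage() {
  cat <<'USAGE'
Build or patch an application env Secret with a URL-encoded PostgreSQL DATABASE_URL.

Required environment:
  APP_NAMESPACE        Consumer namespace, for example vergabe-teilnahme
  APP_ENV_SECRET       Env Secret to create or patch, for example vergabe-teilnahme-env
  APP_DB_SECRET        Secret containing the raw cnpg role password
  APP_DB_USER          Database user
  APP_DB_HOST          Database host
  APP_DB_NAME          Database name

Optional environment:
  APP_DB_PASSWORD_KEY  Secret key containing the raw password (default: password)
  APP_DB_PORT          Database port (default: 5432)
  APP_DB_SCHEME        URL scheme (default: postgresql)
USAGE
}

# Print an error message to stderr and exit with status 1.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Percent-encode stdin (every reserved character, including "/") to stdout.
# Reading bytes from stdin keeps the value out of argv and avoids any
# locale-dependent decoding of the input.
url_encode() {
  python3 -c 'import sys, urllib.parse; sys.stdout.write(urllib.parse.quote(sys.stdin.buffer.read(), safe=""))'
}

if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then
  usage
  exit 0
fi

: "${APP_NAMESPACE:?Set APP_NAMESPACE}"
: "${APP_ENV_SECRET:?Set APP_ENV_SECRET}"
: "${APP_DB_SECRET:?Set APP_DB_SECRET}"
: "${APP_DB_USER:?Set APP_DB_USER}"
: "${APP_DB_HOST:?Set APP_DB_HOST}"
: "${APP_DB_NAME:?Set APP_DB_NAME}"

APP_DB_PASSWORD_KEY="${APP_DB_PASSWORD_KEY:-password}"
APP_DB_PORT="${APP_DB_PORT:-5432}"
APP_DB_SCHEME="${APP_DB_SCHEME:-postgresql}"

for cmd in kubectl base64 python3; do
  if ! command -v "$cmd" >/dev/null 2>&1; then
    die "missing required command: $cmd"
  fi
done

# The key name is spliced into a JSONPath expression below, so restrict it to
# the characters a Secret key may contain before using it.
key_pattern='^[A-Za-z0-9._-]+$'
if [[ ! "$APP_DB_PASSWORD_KEY" =~ $key_pattern ]]; then
  die "APP_DB_PASSWORD_KEY may only contain letters, digits, '.', '_' and '-'"
fi

port_pattern='^[0-9]+$'
if [[ ! "$APP_DB_PORT" =~ $port_pattern ]]; then
  die "APP_DB_PORT must be numeric"
fi

# A dot inside a key name (for example "db.password") must be escaped,
# otherwise JSONPath treats it as a path separator and the lookup is empty.
jsonpath_key="${APP_DB_PASSWORD_KEY//./\\.}"

# Secret values are held in shell variables from here on; make sure an
# inherited xtrace (bash -x) does not write them to stderr.
set +x

raw_password="$(
  kubectl get secret "$APP_DB_SECRET" \
    -n "$APP_NAMESPACE" \
    -o "jsonpath={.data.${jsonpath_key}}" |
    base64 -d
)"

if [[ -z "$raw_password" ]]; then
  die "secret $APP_NAMESPACE/$APP_DB_SECRET did not contain key $APP_DB_PASSWORD_KEY"
fi

# printf is a shell builtin, so the values below reach python3 through a pipe
# and are never part of a process command line.
encoded_user="$(printf '%s' "$APP_DB_USER" | url_encode)"
encoded_password="$(printf '%s' "$raw_password" | url_encode)"

database_url="${APP_DB_SCHEME}://${encoded_user}:${encoded_password}@${APP_DB_HOST}:${APP_DB_PORT}/${APP_DB_NAME}"

# --ignore-not-found yields empty output with exit status 0 when the Secret is
# absent; any other failure (RBAC, API unreachable) is a non-zero exit and
# stops the script instead of being mistaken for "does not exist".
existing_secret="$(
  kubectl get secret "$APP_ENV_SECRET" \
    -n "$APP_NAMESPACE" \
    --ignore-not-found \
    -o name
)" || die "could not look up secret $APP_NAMESPACE/$APP_ENV_SECRET"

if [[ -n "$existing_secret" ]]; then
  # Merge-patch only the DATABASE_URL key; other keys in the Secret are kept.
  # The patch document is streamed via --patch-file so it stays out of argv.
  printf '%s' "$database_url" |
    python3 -c 'import json, sys; json.dump({"stringData": {"DATABASE_URL": sys.stdin.read()}}, sys.stdout)' |
    kubectl patch secret "$APP_ENV_SECRET" \
      -n "$APP_NAMESPACE" \
      --type=merge \
      --patch-file=/dev/stdin
else
  # --from-file reading /dev/stdin replaces --from-literal, which would place
  # the full URL (password included) on the kubectl command line.
  printf '%s' "$database_url" |
    kubectl create secret generic "$APP_ENV_SECRET" \
      -n "$APP_NAMESPACE" \
      --from-file=DATABASE_URL=/dev/stdin
  printf '%s\n' "WARN: created $APP_NAMESPACE/$APP_ENV_SECRET with DATABASE_URL only; add other required env keys separately" >&2
fi

printf '%s\n' "Updated DATABASE_URL in secret $APP_NAMESPACE/$APP_ENV_SECRET"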