SHELL := /usr/bin/env bash
.DEFAULT_GOAL := help

KUBECONFIG ?= $(firstword $(wildcard $(HOME)/.kube/config) $(HOME)/.kube/config-hosteurope)
KUBECTL_BIN ?= $(firstword $(shell command -v kubectl 2>/dev/null) $(wildcard $(HOME)/.local/bin/kubectl) kubectl)
KUBECTL     := $(KUBECTL_BIN) --kubeconfig=$(KUBECONFIG)
HELM        := helm --kubeconfig=$(KUBECONFIG)
NAMESPACE   := platform

PG_CHART_VERSION  ?= 16.2.2
VALKEY_CHART_VERSION ?= 2.x
OPENBAO_CHART_VERSION ?= 0.28.2
OPENBAO_NAMESPACE ?= openbao
OPENBAO_RELEASE ?= openbao
OPENBAO_VALUES ?= helm/openbao-values.yaml
OPENBAO_MIDDLEWARE ?= helm/openbao-middleware.yaml
OPENBAO_UI_OVERLAY_DIR ?= helm/openbao-ui-overlay
OPENBAO_UI_OVERLAY_K8S ?= helm/openbao-ui-overlay-k8s.yaml
OPENBAO_VERIFY_AUTH_ARGS ?=
OPENBAO_RESTORE_EVIDENCE ?= /tmp/netkingdom-openbao-restore-drill/evidence.json
OPENBAO_EMERGENCY_EVIDENCE ?= /tmp/netkingdom-openbao-emergency-drill/evidence.json
EXTERNAL_SECRETS_NAMESPACE ?= external-secrets
ARGOCD_NAMESPACE ?= argocd
ARGOCD_BOOTSTRAP_DIR ?= argocd/bootstrap
ARGOCD_REPOSITORY_SECRET ?=
CREDENTIAL_GRANTS ?= credential-grants/catalog.yaml
CREDENTIAL_CHANGE ?= CCR-2026-0001
STATE_HUB_URL ?= http://127.0.0.1:8000
OPENBAO_TOKEN_GRANT_ARGS ?=
OPENBAO_WORKLOAD_KV_ARGS ?=
CREDENTIAL_HELPER_GLOBAL_ARGS ?=
CREDENTIAL_HELPER_ARGS ?=
CREDENTIAL_HELPER_PURPOSE ?= flex-auth-openbao-smoke

##@ CloudNative PG (cnpg) — primary database operator

db-deploy: ## Apply Gitea cnpg Cluster (creates gitea-db in databases namespace)
	$(KUBECTL) apply -f helm/gitea-db-cluster.yaml

db-status: ## Show cnpg cluster health
	$(KUBECTL) cnpg status gitea-db -n databases 2>/dev/null || \
	  $(KUBECTL) get cluster gitea-db -n databases -o wide

db-shell: ## Open psql shell on gitea-db primary
	$(KUBECTL) cnpg psql gitea-db -n databases -- -U gitea gitea

db-logs: ## Tail gitea-db primary logs
	$(KUBECTL) logs -n databases -l cnpg.io/cluster=gitea-db -f --tail=50

##@ Shared apps-pg (S5 application databases)

apps-pg-deploy: ## Apply shared apps-pg cnpg Cluster + NetworkPolicies
	$(KUBECTL) apply -f helm/apps-pg-cluster.yaml
	$(KUBECTL) apply -f helm/apps-pg-networkpolicies.yaml

apps-pg-status: ## Show apps-pg cnpg cluster health
	$(KUBECTL) cnpg status apps-pg -n databases 2>/dev/null || \
	  $(KUBECTL) get cluster apps-pg -n databases -o wide

apps-pg-shell: ## Open psql shell on apps-pg primary as apps_admin / apps_meta
	$(KUBECTL) cnpg psql apps-pg -n databases -- -U apps_admin apps_meta 2>/dev/null || \
	  $(KUBECTL) exec -it -n databases apps-pg-1 -- psql -U apps_admin apps_meta

apps-pg-logs: ## Tail apps-pg primary logs
	$(KUBECTL) logs -n databases -l cnpg.io/cluster=apps-pg -f --tail=50

net-kingdom-pg-inter-hub-networkpolicy-deploy: ## Allow inter-hub to reach net-kingdom-pg
	$(KUBECTL) apply -f helm/net-kingdom-pg-inter-hub-networkpolicy.yaml

##@ PostgreSQL HA (legacy — superseded by cnpg above)

pg-deploy: ## Deploy / upgrade standalone PostgreSQL HA to platform namespace
	$(KUBECTL) create namespace $(NAMESPACE) --dry-run=client -o yaml | $(KUBECTL) apply -f -
	$(HELM) repo add bitnami https://charts.bitnami.com/bitnami --force-update
	$(HELM) upgrade --install postgresql-ha bitnami/postgresql-ha \
		--version $(PG_CHART_VERSION) \
		--namespace $(NAMESPACE) \
		-f <(sops -d helm/postgresql-ha-values.sops.yaml) \
		--wait --timeout 5m

pg-status: ## Check PostgreSQL HA pod status
	$(KUBECTL) get pods -n $(NAMESPACE) -l app.kubernetes.io/name=postgresql-ha

pg-pgpool-check: ## Verify pgpool-password secret key is present (see RAIL-BS-WP-0003)
	@SECRET=$$($(KUBECTL) get secret -n $(NAMESPACE) postgresql-ha-postgresql \
	  -o jsonpath='{.data.pgpool-password}' 2>/dev/null); \
	if [ -z "$$SECRET" ]; then \
	  echo "ERROR: pgpool-password key missing from secret — pgpool will CrashLoop on restart"; \
	  exit 1; \
	else \
	  echo "OK: pgpool-password key present"; \
	fi

##@ Valkey (cache)

valkey-deploy: ## Deploy / upgrade Valkey (Redis-compatible) to platform namespace
	$(KUBECTL) create namespace $(NAMESPACE) --dry-run=client -o yaml | $(KUBECTL) apply -f -
	$(HELM) upgrade --install valkey bitnami/valkey \
		--namespace $(NAMESPACE) \
		-f <(sops -d helm/valkey-values.sops.yaml) \
		--wait --timeout 3m

valkey-status: ## Check Valkey pod status
	$(KUBECTL) get pods -n $(NAMESPACE) -l app.kubernetes.io/name=valkey

##@ OpenBao (secrets)

openbao-repo: ## Add / update the official OpenBao Helm repository
	$(HELM) repo add openbao https://openbao.github.io/openbao-helm --force-update
	$(HELM) repo update openbao

openbao-dry-run: openbao-repo ## Render the OpenBao Helm release without applying it
	$(HELM) upgrade --install $(OPENBAO_RELEASE) openbao/openbao \
		--version $(OPENBAO_CHART_VERSION) \
		--namespace $(OPENBAO_NAMESPACE) \
		--create-namespace \
		-f $(OPENBAO_VALUES) \
		--dry-run

openbao-overlay-apply: ## Apply KeyCape login overlay gateway and assets
	OPENBAO_UI_OVERLAY_DIR=$(OPENBAO_UI_OVERLAY_DIR) \
	  OPENBAO_UI_OVERLAY_K8S=$(OPENBAO_UI_OVERLAY_K8S) \
	  KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
	  scripts/openbao-ui-overlay-apply.sh

openbao-verify-login-overlay: ## Verify public KeyCape login overlay is active
	OPENBAO_UI_OVERLAY_DIR=$(OPENBAO_UI_OVERLAY_DIR) \
	  scripts/openbao-verify-login-overlay.sh $(OPENBAO_VERIFY_LOGIN_OVERLAY_ARGS)

openbao-deploy: openbao-repo ## Deploy / upgrade OpenBao to the openbao namespace
	$(KUBECTL) create namespace $(OPENBAO_NAMESPACE) --dry-run=client -o yaml | $(KUBECTL) apply -f -
	$(KUBECTL) apply -f $(OPENBAO_MIDDLEWARE)
	$(HELM) upgrade --install $(OPENBAO_RELEASE) openbao/openbao \
		--version $(OPENBAO_CHART_VERSION) \
		--namespace $(OPENBAO_NAMESPACE) \
		-f $(OPENBAO_VALUES) \
		--wait --timeout 5m
	$(MAKE) openbao-overlay-apply

openbao-status: ## Show OpenBao pods, services, PVCs, and seal/init status
	$(KUBECTL) get pods,svc,pvc -n $(OPENBAO_NAMESPACE) \
		-l app.kubernetes.io/instance=$(OPENBAO_RELEASE) -o wide
	-$(KUBECTL) exec -n $(OPENBAO_NAMESPACE) $(OPENBAO_RELEASE)-0 -- bao status

openbao-verify: ## Run non-secret OpenBao deployment checks
	KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
	  OPENBAO_RELEASE=$(OPENBAO_RELEASE) scripts/openbao-verify.sh basic

openbao-verify-post-unseal: ## Run post-unseal OpenBao filesystem checks
	KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
	  OPENBAO_RELEASE=$(OPENBAO_RELEASE) scripts/openbao-verify.sh post-unseal

openbao-configure-initial: ## Apply first post-unseal audit, auth, mounts, and policies
	KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
	  OPENBAO_RELEASE=$(OPENBAO_RELEASE) scripts/openbao-apply-initial-config.sh

openbao-configure-ssh: ## Enable SSH secrets engine, roles, and warden-sign policy
	KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
	  OPENBAO_RELEASE=$(OPENBAO_RELEASE) scripts/openbao-apply-ssh-engine.sh

openbao-verify-ssh: ## Verify SSH engine mount, roles, and warden-sign policy
	KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
	  OPENBAO_RELEASE=$(OPENBAO_RELEASE) scripts/openbao-verify-ssh-engine.sh

openbao-verify-authenticated: ## Run authenticated non-mutating OpenBao audit/auth/mount checks
	KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
	  OPENBAO_RELEASE=$(OPENBAO_RELEASE) scripts/openbao-verify-authenticated.sh $(OPENBAO_VERIFY_AUTH_ARGS)

openbao-configure-external-secrets-issue-core: ## Configure OpenBao policy/role for issue-core ESO pilot
	KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
	  OPENBAO_RELEASE=$(OPENBAO_RELEASE) ESO_NAMESPACE=$(EXTERNAL_SECRETS_NAMESPACE) \
	  scripts/openbao-apply-external-secrets-issue-core.sh

openbao-workload-kv-lanes-dry-run: ## Dry-run OpenBao workload KV read-lane policy apply
	scripts/openbao-apply-workload-kv-lanes.sh --dry-run $(OPENBAO_WORKLOAD_KV_ARGS)

openbao-configure-workload-kv-lanes: ## Configure OpenBao workload KV read-lane policies
	KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
	  OPENBAO_RELEASE=$(OPENBAO_RELEASE) \
	  scripts/openbao-apply-workload-kv-lanes.sh $(OPENBAO_WORKLOAD_KV_ARGS)

openbao-validate-restore-evidence: ## Validate non-secret OpenBao restore-drill evidence JSON
	OPENBAO_RESTORE_EVIDENCE='$(OPENBAO_RESTORE_EVIDENCE)' \
	  scripts/openbao-validate-restore-evidence.sh

openbao-validate-emergency-evidence: ## Validate non-secret OpenBao emergency seal/unseal drill evidence JSON
	OPENBAO_EMERGENCY_EVIDENCE='$(OPENBAO_EMERGENCY_EVIDENCE)' \
	  scripts/openbao-validate-emergency-drill-evidence.sh

##@ Credential broker

credential-grants-validate: ## Validate non-secret credential grant catalog
	scripts/credential-grants-validate.py $(CREDENTIAL_GRANTS)

credential-change-validate: ## Validate non-secret credential change requests
	scripts/credential-change.py validate

credential-change-render: ## Render a credential change request review summary
	scripts/credential-change.py render $(CREDENTIAL_CHANGE)

credential-change-plan: ## Render a credential change request apply plan for review
	scripts/credential-change.py plan $(CREDENTIAL_CHANGE)

credential-change-status: ## Render credential change request readiness status
	scripts/credential-change.py status $(CREDENTIAL_CHANGE)

credential-change-status-json: ## Render credential change request readiness status as JSON
	scripts/credential-change.py status --json $(CREDENTIAL_CHANGE)

credential-change-sync-decision: ## Sync resolved State Hub decision back into a CCR
	scripts/credential-change.py sync-decision $(CREDENTIAL_CHANGE) --state-hub-url $(STATE_HUB_URL)

credential-change-apply-plan: ## Render approved-only operator apply plan
	scripts/credential-change.py apply-plan $(CREDENTIAL_CHANGE)

credential-change-operator-commands: ## Render approved-only non-secret OpenBao operator commands
	scripts/credential-change.py operator-commands $(CREDENTIAL_CHANGE)

openbao-token-grants-dry-run: ## Dry-run OpenBao token roles and issuer policies for credential grants
	scripts/openbao-apply-token-grants.py --dry-run $(OPENBAO_TOKEN_GRANT_ARGS)

openbao-configure-token-grants: ## Apply OpenBao token roles and issuer policies for credential grants
	KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
	  OPENBAO_RELEASE=$(OPENBAO_RELEASE) \
	  scripts/openbao-apply-token-grants.py $(OPENBAO_TOKEN_GRANT_ARGS)

openbao-verify-token-grants-dry-run: ## Dry-run OpenBao token grant verification
	scripts/openbao-verify-token-grants.py --dry-run $(OPENBAO_TOKEN_GRANT_ARGS)

openbao-verify-token-grants: ## Verify OpenBao token roles and issuer policies for credential grants
	KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
	  OPENBAO_RELEASE=$(OPENBAO_RELEASE) \
	  scripts/openbao-verify-token-grants.py $(OPENBAO_TOKEN_GRANT_ARGS)

openbao-verify-token-grants-smoke: ## Mint/revoke a child token and prove bounded warden-sign capabilities
	KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
	  OPENBAO_RELEASE=$(OPENBAO_RELEASE) \
	  scripts/openbao-verify-token-grants.py --issue-smoke-token $(OPENBAO_TOKEN_GRANT_ARGS)

credential-helper-dry-run: ## Dry-run credential request, exec, status, and revoke helper flows
	scripts/credential.py $(CREDENTIAL_HELPER_GLOBAL_ARGS) request --dry-run \
	  --grant ops-warden/warden-sign --purpose $(CREDENTIAL_HELPER_PURPOSE) \
	  $(CREDENTIAL_HELPER_ARGS)
	scripts/credential.py $(CREDENTIAL_HELPER_GLOBAL_ARGS) request --dry-run \
	  --grant ops-warden/warden-sign --purpose $(CREDENTIAL_HELPER_PURPOSE) \
	  --delivery kubernetes-auth $(CREDENTIAL_HELPER_ARGS)
	scripts/credential.py $(CREDENTIAL_HELPER_GLOBAL_ARGS) exec --dry-run \
	  --grant ops-warden/warden-sign --purpose $(CREDENTIAL_HELPER_PURPOSE) \
	  $(CREDENTIAL_HELPER_ARGS) -- SMOKE_VAULT=1 /bin/true
	scripts/credential.py $(CREDENTIAL_HELPER_GLOBAL_ARGS) status --dry-run example-accessor
	scripts/credential.py $(CREDENTIAL_HELPER_GLOBAL_ARGS) revoke --dry-run example-accessor

credential-tests: ## Run offline credential broker unit tests
	python3 -m unittest discover -s tests -p 'test_credential*.py'

credential-change-tests: ## Run credential change request unit tests
	python3 -m unittest discover -s tests -p 'test_credential_change.py'

credential-exec-ops-warden-smoke: ## Run ops-warden smoke with an exec-injected warden-sign token
	KUBECTL='$(KUBECTL)' OPENBAO_NAMESPACE=$(OPENBAO_NAMESPACE) \
	  OPENBAO_RELEASE=$(OPENBAO_RELEASE) \
	  scripts/credential.py $(CREDENTIAL_HELPER_GLOBAL_ARGS) exec \
	  --grant ops-warden/warden-sign --purpose ops-warden-production-sign-smoke \
	  $(CREDENTIAL_HELPER_ARGS) -- \
	  SMOKE_VAULT=1 /home/worsch/ops-warden/scripts/policy_gate_production_smoke.sh

##@ ArgoCD GitOps bootstrap

argocd-bootstrap-dry-run: ## Server-side dry-run ArgoCD AppProjects and root Application
	$(KUBECTL) apply --dry-run=server -k $(ARGOCD_BOOTSTRAP_DIR)

argocd-bootstrap-deploy: ## Apply ArgoCD AppProjects and root Application
	$(KUBECTL) apply -k $(ARGOCD_BOOTSTRAP_DIR)

argocd-repo-apply: ## Apply a SOPS-encrypted ArgoCD repository Secret (set ARGOCD_REPOSITORY_SECRET)
	@test -n "$(ARGOCD_REPOSITORY_SECRET)" || \
	  (echo "ERROR: set ARGOCD_REPOSITORY_SECRET=argocd/repositories/<repo>.repository.sops.yaml"; exit 1)
	sops -d $(ARGOCD_REPOSITORY_SECRET) | $(KUBECTL) apply -f -

argocd-status: ## Show Railiance ArgoCD projects, root app, and registered repos
	$(KUBECTL) get appprojects.argoproj.io -n $(ARGOCD_NAMESPACE) \
	  railiance-bootstrap railiance-tenants railiance-platform-addons
	$(KUBECTL) get applications.argoproj.io -n $(ARGOCD_NAMESPACE) \
	  railiance-apps-root external-secrets openbao-secretstore issue-core
	$(KUBECTL) get secrets -n $(ARGOCD_NAMESPACE) \
	  -l argocd.argoproj.io/secret-type=repository

##@ Backup

backup: ## Backup platform services (PostgreSQL logical dump) — age-encrypted to Nextcloud
	sudo tools/cmd/railiance-backup

##@ Help

help: ## Show this help
	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} \
	  /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-22s\033[0m %s\n", $$1, $$2 } \
	  /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)

.PHONY: db-deploy db-status db-shell db-logs apps-pg-deploy apps-pg-status apps-pg-shell apps-pg-logs net-kingdom-pg-inter-hub-networkpolicy-deploy pg-deploy pg-status pg-pgpool-check valkey-deploy valkey-status openbao-repo openbao-dry-run openbao-overlay-apply openbao-verify-login-overlay openbao-deploy openbao-status openbao-verify openbao-verify-post-unseal openbao-configure-initial openbao-configure-ssh openbao-verify-ssh openbao-verify-authenticated openbao-configure-external-secrets-issue-core openbao-validate-restore-evidence openbao-validate-emergency-evidence credential-grants-validate openbao-token-grants-dry-run openbao-configure-token-grants openbao-verify-token-grants-dry-run openbao-verify-token-grants openbao-verify-token-grants-smoke credential-helper-dry-run credential-tests credential-exec-ops-warden-smoke argocd-bootstrap-dry-run argocd-bootstrap-deploy argocd-repo-apply argocd-status backup help
