#!/bin/bash

# Generate TLS certificates for the webhook
# This creates a self-signed CA and certificate for the webhook service

set -e

NAMESPACE="irsa-system"
SERVICE_NAME="irsa-webhook"
SECRET_NAME="irsa-webhook-certs"
WEBHOOK_CONFIG_NAME="irsa-webhook"

# Create temporary directory for certificate generation
CERT_DIR=$(mktemp -d)
trap "rm -rf ${CERT_DIR}" EXIT

echo "Generating certificates in ${CERT_DIR}..."

# Generate CA private key
openssl genrsa -out ${CERT_DIR}/ca.key 2048

# Generate CA certificate
openssl req -x509 -new -nodes -key ${CERT_DIR}/ca.key \
    -subj "/CN=IRSA Webhook CA" \
    -days 3650 \
    -out ${CERT_DIR}/ca.crt

# Generate webhook private key
openssl genrsa -out ${CERT_DIR}/tls.key 2048

# Create certificate signing request
cat > ${CERT_DIR}/csr.conf <<EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${SERVICE_NAME}
DNS.2 = ${SERVICE_NAME}.${NAMESPACE}
DNS.3 = ${SERVICE_NAME}.${NAMESPACE}.svc
DNS.4 = ${SERVICE_NAME}.${NAMESPACE}.svc.cluster.local
EOF

# Generate certificate signing request
openssl req -new -key ${CERT_DIR}/tls.key \
    -subj "/CN=${SERVICE_NAME}.${NAMESPACE}.svc" \
    -out ${CERT_DIR}/tls.csr \
    -config ${CERT_DIR}/csr.conf

# Sign the certificate with the CA
openssl x509 -req -in ${CERT_DIR}/tls.csr \
    -CA ${CERT_DIR}/ca.crt \
    -CAkey ${CERT_DIR}/ca.key \
    -CAcreateserial \
    -out ${CERT_DIR}/tls.crt \
    -days 3650 \
    -extensions v3_req \
    -extfile ${CERT_DIR}/csr.conf

echo "Certificates generated successfully."

# Create namespace if it doesn't exist
kubectl create namespace ${NAMESPACE} --dry-run=client -o yaml | kubectl apply -f - --validate=false

# Create or update secret with certificates
kubectl create secret tls ${SECRET_NAME} \
    --cert=${CERT_DIR}/tls.crt \
    --key=${CERT_DIR}/tls.key \
    --namespace=${NAMESPACE} \
    --dry-run=client -o yaml | kubectl apply -f - --validate=false

echo "Secret ${SECRET_NAME} created/updated in namespace ${NAMESPACE}"

# Get CA bundle for webhook configuration
CA_BUNDLE=$(cat ${CERT_DIR}/ca.crt | base64 | tr -d '\n')

# Save CA bundle to file for deployment
echo "${CA_BUNDLE}" > .ca-bundle.txt

# Update MutatingWebhookConfiguration with CA bundle
if kubectl get mutatingwebhookconfiguration ${WEBHOOK_CONFIG_NAME} &> /dev/null; then
    kubectl patch mutatingwebhookconfiguration ${WEBHOOK_CONFIG_NAME} \
        --type='json' \
        -p="[{'op': 'replace', 'path': '/webhooks/0/clientConfig/caBundle', 'value':'${CA_BUNDLE}'}]"
    echo "MutatingWebhookConfiguration ${WEBHOOK_CONFIG_NAME} updated with CA bundle"
else
    echo "MutatingWebhookConfiguration not found yet. CA bundle saved to .ca-bundle.txt"
fi

echo ""
echo "Setup complete! CA Bundle saved to .ca-bundle.txt"