#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=_config.sh
source "${SCRIPT_DIR}/_config.sh"

REPO_DIR="$(cd "${DEPLOY_DIR}/.." && pwd)"
NAMESPACE="honeydue"
MANIFESTS="${DEPLOY_DIR}/manifests"

log() { printf '[deploy] %s\n' "$*"; }
warn() { printf '[deploy][warn] %s\n' "$*" >&2; }
die() { printf '[deploy][error] %s\n' "$*" >&2; exit 1; }

# --- Parse arguments ---

SKIP_BUILD=false
DEPLOY_TAG=""

while (( $# > 0 )); do
  case "$1" in
    --skip-build) SKIP_BUILD=true; shift ;;
    --tag)
      [[ -n "${2:-}" ]] || die "--tag requires a value"
      DEPLOY_TAG="$2"; shift 2 ;;
    -h|--help)
      cat <<'EOF'
Usage: ./scripts/03-deploy.sh [OPTIONS]

Options:
  --skip-build       Skip Docker build/push, use existing images
  --tag <tag>        Image tag (default: git short SHA)
  -h, --help         Show this help
EOF
      exit 0 ;;
    *) die "Unknown argument: $1" ;;
  esac
done

# --- Prerequisites ---

command -v kubectl >/dev/null 2>&1 || die "Missing: kubectl"
command -v docker >/dev/null 2>&1 || die "Missing: docker"

if [[ -z "${DEPLOY_TAG}" ]]; then
  DEPLOY_TAG="$(git -C "${REPO_DIR}" rev-parse --short HEAD 2>/dev/null || echo "latest")"
fi

# --- Read config ---

REGISTRY_SERVER="$(cfg_require registry.server "Container registry server")"
REGISTRY_NS="$(cfg_require registry.namespace "Registry namespace")"
REGISTRY_USER="$(cfg_require registry.username "Registry username")"
REGISTRY_TOKEN="$(cfg_require registry.token "Registry token")"
TLS_MODE="$(cfg tls.mode 2>/dev/null || echo "letsencrypt")"
API_DOMAIN="$(cfg_require domains.api "API domain")"
ADMIN_DOMAIN="$(cfg_require domains.admin "Admin domain")"

REGISTRY_PREFIX="${REGISTRY_SERVER%/}/${REGISTRY_NS#/}"
API_IMAGE="${REGISTRY_PREFIX}/honeydue-api:${DEPLOY_TAG}"
WORKER_IMAGE="${REGISTRY_PREFIX}/honeydue-worker:${DEPLOY_TAG}"
ADMIN_IMAGE="${REGISTRY_PREFIX}/honeydue-admin:${DEPLOY_TAG}"

# --- Build and push ---

if [[ "${SKIP_BUILD}" == "false" ]]; then
  log "Logging in to ${REGISTRY_SERVER}..."
  printf '%s' "${REGISTRY_TOKEN}" | docker login "${REGISTRY_SERVER}" -u "${REGISTRY_USER}" --password-stdin >/dev/null

  log "Building API image: ${API_IMAGE}"
  docker build --target api -t "${API_IMAGE}" "${REPO_DIR}"

  log "Building Worker image: ${WORKER_IMAGE}"
  docker build --target worker -t "${WORKER_IMAGE}" "${REPO_DIR}"

  log "Building Admin image: ${ADMIN_IMAGE}"
  docker build --target admin -t "${ADMIN_IMAGE}" "${REPO_DIR}"

  log "Pushing images..."
  docker push "${API_IMAGE}"
  docker push "${WORKER_IMAGE}"
  docker push "${ADMIN_IMAGE}"

  # Also tag and push :latest
  docker tag "${API_IMAGE}" "${REGISTRY_PREFIX}/honeydue-api:latest"
  docker tag "${WORKER_IMAGE}" "${REGISTRY_PREFIX}/honeydue-worker:latest"
  docker tag "${ADMIN_IMAGE}" "${REGISTRY_PREFIX}/honeydue-admin:latest"
  docker push "${REGISTRY_PREFIX}/honeydue-api:latest"
  docker push "${REGISTRY_PREFIX}/honeydue-worker:latest"
  docker push "${REGISTRY_PREFIX}/honeydue-admin:latest"
else
  warn "Skipping build. Using images for tag: ${DEPLOY_TAG}"
fi

# --- Generate and apply ConfigMap from config.yaml ---

log "Generating env from config.yaml..."
ENV_FILE="$(mktemp)"
trap 'rm -f "${ENV_FILE}"' EXIT
generate_env > "${ENV_FILE}"

log "Creating ConfigMap..."
kubectl create configmap honeydue-config \
  --namespace="${NAMESPACE}" \
  --from-env-file="${ENV_FILE}" \
  --dry-run=client -o yaml | kubectl apply -f -

# --- Configure TLS ---

if [[ "${TLS_MODE}" == "letsencrypt" ]]; then
  LE_EMAIL="$(cfg_require tls.letsencrypt_email "Let's Encrypt email")"

  log "Configuring Traefik with Let's Encrypt (${LE_EMAIL})..."
  sed "s|LETSENCRYPT_EMAIL_PLACEHOLDER|${LE_EMAIL}|" \
    "${MANIFESTS}/traefik/helmchartconfig.yaml" | kubectl apply -f -

  TLS_SECRET="letsencrypt-cert"
  TLS_ANNOTATION="traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt"
elif [[ "${TLS_MODE}" == "cloudflare" ]]; then
  log "Using Cloudflare origin cert for TLS..."
  TLS_SECRET="cloudflare-origin-cert"
  TLS_ANNOTATION=""
else
  die "Unknown tls.mode: ${TLS_MODE} (expected: letsencrypt or cloudflare)"
fi

# --- Apply manifests ---

log "Applying manifests..."

kubectl apply -f "${MANIFESTS}/namespace.yaml"
kubectl apply -f "${MANIFESTS}/rbac.yaml"
kubectl apply -f "${MANIFESTS}/postgres/"
kubectl apply -f "${MANIFESTS}/redis/"
kubectl apply -f "${MANIFESTS}/minio/deployment.yaml"
kubectl apply -f "${MANIFESTS}/minio/pvc.yaml"
kubectl apply -f "${MANIFESTS}/minio/service.yaml"
kubectl apply -f "${MANIFESTS}/ingress/middleware.yaml"

# Apply ingress with domain and TLS substitution
sed -e "s|API_DOMAIN_PLACEHOLDER|${API_DOMAIN}|g" \
    -e "s|ADMIN_DOMAIN_PLACEHOLDER|${ADMIN_DOMAIN}|g" \
    -e "s|TLS_SECRET_PLACEHOLDER|${TLS_SECRET}|g" \
    -e "s|# TLS_ANNOTATIONS_PLACEHOLDER|${TLS_ANNOTATION}|g" \
    "${MANIFESTS}/ingress/ingress.yaml" | kubectl apply -f -

# Apply app deployments with image substitution
sed "s|image: IMAGE_PLACEHOLDER|image: ${API_IMAGE}|" "${MANIFESTS}/api/deployment.yaml" | kubectl apply -f -
kubectl apply -f "${MANIFESTS}/api/service.yaml"

sed "s|image: IMAGE_PLACEHOLDER|image: ${WORKER_IMAGE}|" "${MANIFESTS}/worker/deployment.yaml" | kubectl apply -f -

sed "s|image: IMAGE_PLACEHOLDER|image: ${ADMIN_IMAGE}|" "${MANIFESTS}/admin/deployment.yaml" | kubectl apply -f -
kubectl apply -f "${MANIFESTS}/admin/service.yaml"

# Apply network policies
kubectl apply -f "${MANIFESTS}/network-policies.yaml"

# --- Wait for infrastructure rollouts ---

log "Waiting for infrastructure rollouts..."
kubectl rollout status deployment/postgres -n "${NAMESPACE}" --timeout=120s
kubectl rollout status deployment/redis -n "${NAMESPACE}" --timeout=120s
kubectl rollout status deployment/minio -n "${NAMESPACE}" --timeout=120s

# --- Create MinIO bucket ---

log "Creating MinIO bucket..."
# Delete previous job run if it exists (jobs are immutable)
kubectl delete job minio-create-bucket -n "${NAMESPACE}" 2>/dev/null || true
kubectl apply -f "${MANIFESTS}/minio/create-bucket-job.yaml"
kubectl wait --for=condition=complete job/minio-create-bucket -n "${NAMESPACE}" --timeout=120s

# --- Wait for app rollouts ---

log "Waiting for app rollouts..."
kubectl rollout status deployment/api -n "${NAMESPACE}" --timeout=300s
kubectl rollout status deployment/worker -n "${NAMESPACE}" --timeout=300s
kubectl rollout status deployment/admin -n "${NAMESPACE}" --timeout=300s

# --- Done ---

log ""
log "Deploy completed successfully."
log "Tag: ${DEPLOY_TAG}"
log "TLS: ${TLS_MODE}"
log "Images:"
log "  API:    ${API_IMAGE}"
log "  Worker: ${WORKER_IMAGE}"
log "  Admin:  ${ADMIN_IMAGE}"
log ""
log "Run ./scripts/04-verify.sh to check cluster health."