#!/usr/bin/env bash
set -euo pipefail

#######################################################################
### 1) CONFIGURATION
#######################################################################

# Namespace and resource names
NAMESPACE="firezone"                 # Namespace where everything lives
CLUSTER_NAME="cluster-firezone"      # CloudNativePG Cluster CR name
SECRET_USER_NAME="firezone"          # Secret name for the normal DB user (used in bootstrap)
SECRET_SUPERUSER_NAME="izadmin"      # Secret name for the Postgres superuser
SECRET_FIREZONE="firezone-database"  # Secret name that Firezone will use

# CloudNativePG cluster settings
POSTGRES_IMAGE="ghcr.io/cloudnative-pg/postgresql:16.2"
STORAGE_CLASS="ceph-block"
STORAGE_SIZE="20Gi"

# Database credentials and names
# IMPORTANT: Firezone is trying to connect to a database named "firebase"
# so we set DB_NAME to "firebase" here.  If you prefer a different name,
# you must update Firezone’s configuration accordingly.
DB_NAME="firebase"        # The database to be created by initdb
DB_APP_USER="firezone"    # The owner (normal DB user) for the database
DB_SUPERUSER="postgres"   # Typical Postgres superuser name

# Additional PostgreSQL parameters
MAX_CONNECTIONS="200"
SHARED_BUFFERS="256MB"

# Generate random passwords (or set fixed ones if desired)
DB_APP_PASSWORD="$(openssl rand -hex 16)"
DB_SUPERUSER_PASSWORD="$(openssl rand -hex 16)"

#######################################################################
### 2) CREATE/UPDATE SECRETS FOR CLOUDNATIVE-PG
#######################################################################

echo "Creating/updating secrets for CloudNativePG..."

# Secret for the normal DB user (used during initdb bootstrap)
oc -n "$NAMESPACE" create secret generic "$SECRET_USER_NAME" \
  --type=kubernetes.io/basic-auth \
  --from-literal=username="$DB_APP_USER" \
  --from-literal=password="$DB_APP_PASSWORD" \
  --dry-run=client -o yaml | oc apply -f -

# Secret for the Postgres superuser
oc -n "$NAMESPACE" create secret generic "$SECRET_SUPERUSER_NAME" \
  --type=kubernetes.io/basic-auth \
  --from-literal=username="$DB_SUPERUSER" \
  --from-literal=password="$DB_SUPERUSER_PASSWORD" \
  --dry-run=client -o yaml | oc apply -f -

echo "Secrets for CloudNativePG created/updated."

#######################################################################
### 3) HANDLE THE CLOUDNATIVE-PG CLUSTER CR (FOR INITDB)
#######################################################################

# The bootstrap (initdb) phase only runs when the cluster is first created.
# To force a re‑initialization with the new settings, delete any existing cluster.

if oc get cluster "$CLUSTER_NAME" -n "$NAMESPACE" >/dev/null 2>&1; then
  echo "CloudNativePG Cluster '$CLUSTER_NAME' already exists."
  echo "Deleting the existing cluster to force re‑initialization (initdb)..."
  oc delete cluster "$CLUSTER_NAME" -n "$NAMESPACE"

  # Wait until the cluster CR is fully deleted.
  echo "Waiting for cluster '$CLUSTER_NAME' to be deleted..."
  while oc get cluster "$CLUSTER_NAME" -n "$NAMESPACE" >/dev/null 2>&1; do
    sleep 5
  done
  echo "Existing cluster deleted."
fi

echo "Creating CloudNativePG Cluster '$CLUSTER_NAME' with initdb bootstrap..."
cat <<EOF | oc apply -n "$NAMESPACE" -f -
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: $CLUSTER_NAME
spec:
  description: "PostgreSQL cluster with replication"
  imageName: "$POSTGRES_IMAGE"
  instances: 3
  primaryUpdateStrategy: unsupervised
  postgresql:
    parameters:
      max_connections: "$MAX_CONNECTIONS"
      shared_buffers: "$SHARED_BUFFERS"
      pg_stat_statements.max: "10000"
      pg_stat_statements.track: "all"
      auto_explain.log_min_duration: "10s"
    pg_hba:
      - host all all 10.128.0.0/16 md5
  bootstrap:
    initdb:
      database: "$DB_NAME"
      owner: "$DB_APP_USER"
      secret:
        name: "$SECRET_USER_NAME"
  enableSuperuserAccess: true
  superuserSecret:
    name: "$SECRET_SUPERUSER_NAME"
  storage:
    storageClass: "$STORAGE_CLASS"
    size: "$STORAGE_SIZE"
  resources:
    requests:
      memory: "512Mi"
      cpu: "1"
  affinity:
    enablePodAntiAffinity: true
    topologyKey: failure-domain.beta.kubernetes.io/zone
EOF

echo "CloudNativePG Cluster '$CLUSTER_NAME' created (or re‑created)."
echo "Waiting for CloudNativePG cluster to initialize (this may take a while)..."
sleep 30

#######################################################################
### 4) UPDATE FIREZONE SECRETS WITH THE SAME DB CREDENTIALS
#######################################################################

echo "Updating Firezone secrets with matching DB credentials..."

# Firezone uses these credentials to connect to the database.
oc -n "$NAMESPACE" create secret generic "$SECRET_FIREZONE" \
  --from-literal=username="$DB_APP_USER" \
  --from-literal=password="$DB_APP_PASSWORD" \
  --dry-run=client -o yaml | oc apply -f -

echo "Firezone secrets updated with DB credentials."

#######################################################################
### 5) FINAL MESSAGE
#######################################################################

echo "Done!
 - Secrets '$SECRET_USER_NAME' and '$SECRET_SUPERUSER_NAME' created/updated for CloudNativePG.
 - CloudNativePG Cluster '$CLUSTER_NAME' was (re‑)created, triggering initdb (database: '$DB_NAME').
 - Firezone secret '$SECRET_FIREZONE' updated with DB credentials."