#!/usr/bin/env bash

# Script: gen-cnpg-and-firezone.sh
# Purpose: 
#  1) Generate random credentials for a CloudNativePG cluster (app user + superuser)
#  2) Create the Postgres Cluster CR in the same namespace
#  3) Update the Firezone secrets with the same DB credentials
#  4) Keep everything consistent for Firezone + CloudNativePG on OpenShift

set -euo pipefail

#######################################################################
### 1) CONFIGURATION
#######################################################################

# Change these to your desired values
NAMESPACE="firezone"      # The namespace where everything will live
CLUSTER_NAME="cluster-firezone"            # The name for the CloudNativePG Cluster CR
SECRET_USER_NAME="firezone"    # The name of the Secret for the normal DB user
SECRET_SUPERUSER_NAME="izadmin"  # The name of the Secret for the Postgres superuser
SECRET_FIREZONE="firezone-database"     # The name of the Secret that Firezone will use

# CloudNativePG cluster settings
POSTGRES_IMAGE="ghcr.io/cloudnative-pg/postgresql:16.2"
STORAGE_CLASS="ceph-block"
STORAGE_SIZE="20Gi"

# Firezone expects certain DB credentials
# We'll store them in global.database.username/password in the 'firezone-secrets' secret
DB_NAME="firezone"
DB_APP_USER="firezone"   # The owner of the DB
DB_SUPERUSER="postgres"             # Typical Postgres superuser name

# Additional Postgres parameters
MAX_CONNECTIONS="200"
SHARED_BUFFERS="256MB"

# For demo, we generate random passwords. 
# If you want fixed passwords, set them manually below.
DB_APP_PASSWORD="$(openssl rand -hex 16)"
DB_SUPERUSER_PASSWORD="$(openssl rand -hex 16)"

#######################################################################
### 2) CREATE/UPDATE SECRETS FOR CLOUDNATIVE-PG
#######################################################################

echo "Creating/updating secrets for CloudNativePG..."

# 2.1 cluster-app-user (normal DB user)
oc -n "$NAMESPACE" create secret generic "$SECRET_USER_NAME" \
  --type=kubernetes.io/basic-auth \
  --from-literal=username="$DB_APP_USER" \
  --from-literal=password="$DB_APP_PASSWORD" \
  --dry-run=client -o yaml | oc apply -f -

# 2.2 cluster-superuser
oc -n "$NAMESPACE" create secret generic "$SECRET_SUPERUSER_NAME" \
  --type=kubernetes.io/basic-auth \
  --from-literal=username="$DB_SUPERUSER" \
  --from-literal=password="$DB_SUPERUSER_PASSWORD" \
  --dry-run=client -o yaml | oc apply -f -

echo "Secrets for CloudNativePG created/updated."

#######################################################################
### 3) CREATE/UPDATE THE CLOUDNATIVE-PG CLUSTER CR
#######################################################################

echo "Creating/updating CloudNativePG Cluster '${CLUSTER_NAME}'..."

cat <<EOF | oc apply -n "$NAMESPACE" -f -
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: $CLUSTER_NAME
spec:
  description: "PostgreSQL cluster with replication"
  imageName: "$POSTGRES_IMAGE"
  instances: 3
  primaryUpdateStrategy: unsupervised
  postgresql:
    parameters:
      max_connections: "$MAX_CONNECTIONS"
      shared_buffers: "$SHARED_BUFFERS"
      pg_stat_statements.max: "10000"
      pg_stat_statements.track: "all"
      auto_explain.log_min_duration: "10s"
    pg_hba:
      - host all all 10.128.0.0/16 md5
  bootstrap:
    initdb:
      database: "$DB_NAME"
      owner: "$DB_APP_USER"
      secret:
        name: "$SECRET_USER_NAME"
  enableSuperuserAccess: true
  superuserSecret:
    name: "$SECRET_SUPERUSER_NAME"
  storage:
    storageClass: "$STORAGE_CLASS"
    size: "$STORAGE_SIZE"
  resources:
    requests:
      memory: "512Mi"
      cpu: "1"
  affinity:
    enablePodAntiAffinity: true
    topologyKey: failure-domain.beta.kubernetes.io/zone
EOF

echo "CloudNativePG Cluster '${CLUSTER_NAME}' is created/updated."

#######################################################################
### 4) CREATE/UPDATE THE FIREZONE SECRETS WITH THE SAME DB CREDENTIALS
#######################################################################

echo "Updating Firezone secrets with matching DB credentials..."

# We'll store them in the 'firezone-secrets' Secret under keys "username" and "password".
# If you also want random keys/secrets for SECRET_KEY_BASE, etc., 
# you can combine this with your existing Firezone secret generation approach.

oc -n "$NAMESPACE" create secret generic "$SECRET_FIREZONE" \
  --from-literal=username="$DB_APP_USER" \
  --from-literal=password="$DB_APP_PASSWORD" \
  --dry-run=client -o yaml | oc apply -f -

echo "Firezone secrets updated with DB credentials."

echo "Done! 
 - Secrets '$SECRET_USER_NAME' and '$SECRET_SUPERUSER_NAME' created for CloudNativePG. 
 - Cluster '$CLUSTER_NAME' created/updated. 
 - Firezone secrets '$SECRET_FIREZONE' updated with DB credentials (username/password).
"