#!/usr/bin/env bash
# Patch sensitive env-var values into the app's ConfigMap at deploy time.
#
# Per project policy, ALL env vars live in ONE ConfigMap — never a Secret
# object, never split across resources. Non-sensitive defaults come from
# k8s/configmap.yaml (applied via 'kubectl apply -f k8s/'). This script
# strategic-merge-patches the same ConfigMap (limechat-mbr-generator-config) with sensitive
# values read from operator env vars.
#
# Anyone with 'kubectl get configmap' rights can view every value — that's
# the deliberate trade-off documented in the project policy.
set -euo pipefail

NAMESPACE="limekit-prod"
CONFIGMAP="limechat-mbr-generator-config"

# 1. Ensure namespace exists (idempotent).
kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -

# 2. Ensure the ConfigMap exists — normally created by
#    'kubectl apply -f k8s/configmap.yaml' before this script runs.
#    If missing, create an empty one so the patch has a target.
if ! kubectl -n "$NAMESPACE" get configmap "$CONFIGMAP" >/dev/null 2>&1; then
  echo "ConfigMap $CONFIGMAP not found in $NAMESPACE — creating empty stub."
  kubectl -n "$NAMESPACE" create configmap "$CONFIGMAP"
fi

# 3. Assert every required env var is set BEFORE calling kubectl,
#    so we never half-provision.
[ -n "${METABASE_KEY:-}" ] || { echo "FAIL: env var METABASE_KEY is not set" >&2; exit 2; }
[ -n "${LC_API_TOKEN:-}" ] || { echo "FAIL: env var LC_API_TOKEN is not set" >&2; exit 2; }
[ -n "${GROQ_KEY:-}" ] || { echo "FAIL: env var GROQ_KEY is not set" >&2; exit 2; }

# 4. Strategic-merge-patch the ConfigMap with sensitive keys.
#    Python builds the JSON patch body so values are correctly escaped.
#    Unrelated keys in the ConfigMap (the non-sensitive defaults from
#    k8s/configmap.yaml) are untouched by the merge.
python3 -c "import json,os,sys; print(json.dumps({'data':{k:os.environ[k] for k in sys.argv[1:] if k in os.environ}}))" METABASE_KEY LC_API_TOKEN GROQ_KEY ANTHROPIC_KEY GEMINI_KEY SMTP_EMAIL SMTP_PASSWORD \
  | kubectl -n "$NAMESPACE" patch configmap "$CONFIGMAP" --type=merge --patch-file=/dev/stdin

echo "ConfigMap $CONFIGMAP patched with sensitive keys in namespace $NAMESPACE."
