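#!/usr/bin/env bash
# Deploy Gravitee APIM OSS on a single-node k3s cluster
#   - Domain:  *.gravitee.sttlab.pc
#   - Ingress: nginx
#   - TLS:     cert-manager with namespace-scoped self-signed CA Issuer
#   - Secrets: created by create-secrets.sh, which this script runs in step 2
#              (the step banner describes that script as idempotent; it is
#              not visible here, so confirm before re-running on a live
#              namespace)
#
# Usage: run with no arguments. The script acts on whatever cluster the
# current kubeconfig context points at; the context name is printed up front.
#
# Optional environment variables (all unset by default):
#   MONGODB_CHART_VERSION
#   ELASTICSEARCH_CHART_VERSION
#   APIM_CHART_VERSION
#     When set, passed to helm as --version for the matching release. When
#     unset, helm resolves the newest chart in the repo index on every run,
#     so two runs can install different chart content. Pin these for
#     reproducible deployments.

set -euo pipefail

NAMESPACE="gravitee-apim"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Print a diagnostic on stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Install or upgrade one Helm release in ${NAMESPACE}.
# Arguments: $1 release, $2 chart, $3 values file, $4 timeout,
#            $5 optional chart version (empty means "latest in repo index")
helm_install() {
  local release=$1 chart=$2 values=$3 timeout=$4 version=${5:-}
  local -a args=(
    upgrade --install "${release}" "${chart}"
    --namespace "${NAMESPACE}"
    --values "${values}"
    --wait --timeout "${timeout}"
  )
  if [[ -n "${version}" ]]; then
    args+=(--version "${version}")
  fi
  helm "${args[@]}"
}

echo "==> Checking prerequisites"
command -v kubectl >/dev/null || die "kubectl not found"
command -v helm >/dev/null || die "helm not found"

# Fail before touching the cluster if any local input is missing, rather than
# leaving a half-deployed namespace behind.
for required in \
  "${SCRIPT_DIR}/create-secrets.sh" \
  "${SCRIPT_DIR}/manifests/cert-manager.yaml" \
  "${SCRIPT_DIR}/values-mongodb.yaml" \
  "${SCRIPT_DIR}/values-elasticsearch.yaml" \
  "${SCRIPT_DIR}/values-apim.yaml"; do
  [[ -f "${required}" ]] || die "ERROR: required file not found: ${required}"
done
# create-secrets.sh is executed directly below, so it needs the exec bit.
[[ -x "${SCRIPT_DIR}/create-secrets.sh" ]] \
  || die "ERROR: not executable: ${SCRIPT_DIR}/create-secrets.sh"

echo "==> Verifying cluster reachable"
# Show which context is about to be modified; fall back quietly when no
# context is configured.
current_context=$(kubectl config current-context 2>/dev/null) \
  || current_context="<unknown>"
echo "    kube context: ${current_context}"
kubectl cluster-info

echo "==> Verifying cert-manager is installed"
kubectl get crd certificates.cert-manager.io >/dev/null 2>&1 \
  || die "ERROR: cert-manager CRDs not found. Install cert-manager first."

echo "==> Verifying nginx ingress controller is installed"
# Deliberately a warning only: the deployment proceeds without the class.
kubectl get ingressclass nginx >/dev/null 2>&1 || {
  echo "WARNING: 'nginx' IngressClass not found. Ensure nginx-ingress is installed." >&2
}

echo "==> Step 1/5 : Create namespace"
# Render client-side and apply, so an existing namespace is not an error.
kubectl create namespace "${NAMESPACE}" --dry-run=client -o yaml | kubectl apply -f -

echo "==> Step 2/5 : Create credential secrets (idempotent)"
"${SCRIPT_DIR}/create-secrets.sh"

echo "==> Step 3/5 : Apply cert-manager Issuer + Certificates"
kubectl apply -f "${SCRIPT_DIR}/manifests/cert-manager.yaml"

echo "==> Waiting for CA Issuer to be Ready"
kubectl -n "${NAMESPACE}" wait --for=condition=Ready issuer/gravitee-ca-issuer --timeout=120s

echo "==> Waiting for all Certificates to be Ready"
for cert in gravitee-ca console-tls portal-tls api-tls gateway-tls \
  mongodb-tls elasticsearch-tls gateway-internal-tls api-internal-tls; do
  echo " - waiting for ${cert}"
  kubectl -n "${NAMESPACE}" wait --for=condition=Ready "certificate/${cert}" --timeout=180s
done

echo "==> Step 4/5 : Add Helm repos"
# Charts are pulled from third-party repositories over HTTPS. Nothing here
# verifies chart provenance; the *_CHART_VERSION variables at least fix
# which chart release is installed.
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add elastic https://helm.elastic.co
helm repo add graviteeio https://helm.gravitee.io
helm repo update

echo "==> Installing MongoDB"
helm_install mongodb bitnami/mongodb \
  "${SCRIPT_DIR}/values-mongodb.yaml" 10m "${MONGODB_CHART_VERSION:-}"

echo "==> Installing Elasticsearch"
helm_install elasticsearch elastic/elasticsearch \
  "${SCRIPT_DIR}/values-elasticsearch.yaml" 10m "${ELASTICSEARCH_CHART_VERSION:-}"

echo "==> Step 5/5 : Installing Gravitee APIM"
helm_install graviteeio-apim graviteeio/apim \
  "${SCRIPT_DIR}/values-apim.yaml" 15m "${APIM_CHART_VERSION:-}"

echo ""
echo "==> Deployment complete"
echo ""
kubectl get pods -n "${NAMESPACE}"
echo ""
# NOTE(review): the placeholder in the next two messages was missing from the
# source text ("replace ):"); <NODE_IP> is a reconstructed stand-in.
echo "Add to /etc/hosts (replace <NODE_IP> with the k3s node IP):"
echo " <NODE_IP> gateway.gravitee.sttlab.pc console.gravitee.sttlab.pc portal.gravitee.sttlab.pc api.gravitee.sttlab.pc"
echo ""
echo "URLs (HTTPS, self-signed CA - trust gravitee-ca-tls/ca.crt in your browser):"
echo " - Console : https://console.gravitee.sttlab.pc"
echo " - Portal : https://portal.gravitee.sttlab.pc"
echo " - API : https://api.gravitee.sttlab.pc/management"
echo " - Gateway : https://gateway.gravitee.sttlab.pc"
echo ""
# The hint extracts only ca.crt. The same secret presumably also carries the
# CA private key (tls.key), as cert-manager Certificate secrets normally do;
# that key must stay in the cluster. Anyone who can read secrets in this
# namespace could then issue certificates that a browser trusting this CA
# accepts, so keep the trust limited to lab machines.
echo "To export the CA cert for your trust store:"
echo " kubectl -n ${NAMESPACE} get secret gravitee-ca-tls -o jsonpath='{.data.ca\\.crt}' | base64 -d > gravitee-ca.crt"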