#!/usr/bin/env sh
set -eu

log() { echo "[vault-k8s-auth] $*"; }

status_json="$(vault status -format=json || true)"
if [ -z "${status_json}" ]; then
  log "vault status failed; check VAULT_ADDR and VAULT_TOKEN"
  exit 1
fi

if ! printf '%s' "${status_json}" | grep -q '"initialized":[[:space:]]*true'; then
  log "vault not initialized; skipping"
  exit 0
fi

if printf '%s' "${status_json}" | grep -q '"sealed":[[:space:]]*true'; then
  log "vault sealed; skipping"
  exit 0
fi

k8s_host="https://${KUBERNETES_SERVICE_HOST}:443"
k8s_ca="$(cat /var/run/secrets/kubernetes.io/serviceaccount/ca.crt)"
k8s_token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
role_ttl="${VAULT_K8S_ROLE_TTL:-1h}"

if ! vault auth list -format=json | grep -q '"kubernetes/"'; then
  log "enabling kubernetes auth"
  vault auth enable kubernetes
fi

log "configuring kubernetes auth"
vault write auth/kubernetes/config \
  token_reviewer_jwt="${k8s_token}" \
  kubernetes_host="${k8s_host}" \
  kubernetes_ca_cert="${k8s_ca}"

for namespace in outline planka bstein-dev-home gitea vaultwarden sso; do
  policy_name="${namespace}"
  service_account=""
  shared_paths=""

  case "${namespace}" in
    outline)
      service_account="outline-vault"
      ;;
    planka)
      service_account="planka-vault"
      ;;
    bstein-dev-home)
      service_account="bstein-dev-home"
      shared_paths="shared/chat-ai-keys-runtime shared/portal-e2e-client"
      ;;
    gitea)
      service_account="gitea-vault"
      ;;
    vaultwarden)
      service_account="vaultwarden-vault"
      ;;
    sso)
      service_account="sso-vault,mas-secrets-ensure"
      shared_paths="shared/keycloak-admin shared/portal-e2e-client"
      ;;
    *)
      log "unknown namespace ${namespace}"
      exit 1
      ;;
  esac

  policy_body="$(cat <<EOF
path "kv/data/atlas/${namespace}/*" {
  capabilities = ["read"]
}
path "kv/metadata/atlas/${namespace}/*" {
  capabilities = ["list"]
}
EOF
)"

  for shared in ${shared_paths}; do
    policy_body="${policy_body}
path \"kv/data/atlas/${shared}\" {
  capabilities = [\"read\"]
}
path \"kv/metadata/atlas/${shared}\" {
  capabilities = [\"list\"]
}
"
  done

  log "writing policy ${policy_name}"
  printf '%s\n' "${policy_body}" | vault policy write "${policy_name}" -

  log "writing role ${namespace}"
  vault write "auth/kubernetes/role/${namespace}" \
    bound_service_account_names="${service_account}" \
    bound_service_account_namespaces="${namespace}" \
    policies="${policy_name}" \
    ttl="${role_ttl}"
done