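#!/usr/bin/env bash
# seed-vault-from-cluster.sh — Read existing K8s Secrets and write to Vault KV
#
# Prerequisites:
# - vault CLI authenticated (VAULT_ADDR + VAULT_TOKEN set)
# - kubectl access to the cluster
# - jq on PATH (1.6+ for the @base64d filter used below)
# - KV v2 engine at kv/
#
# Usage: ./scripts/seed-vault-from-cluster.sh
#
# This reads plaintext values from existing K8s Secrets and writes them
# to Vault KV v2 at kv/{namespace}/{secret-name}.
#
# Plaintext values are handed to the vault CLI as JSON on stdin, never on
# argv, so they do not show up in `ps` output or in a `set -x` trace.
set -euo pipefail

# Fail early, before touching anything, if a required tool is missing or
# the Vault address the CLI needs is not configured.
for tool in kubectl jq vault; do
  command -v "${tool}" >/dev/null 2>&1 || {
    printf 'ERROR: required tool not found on PATH: %s\n' "${tool}" >&2
    exit 1
  }
done
: "${VAULT_ADDR:?VAULT_ADDR must be set (see prerequisites)}"

printf '%s\n\n' "=== Seeding Vault KV from existing K8s Secrets ==="

#######################################
# Copy every data key of one K8s Secret into a Vault KV v2 path.
# Globals:   none written; VAULT_ADDR/VAULT_TOKEN are read by the vault CLI
# Arguments: $1 - namespace, $2 - secret name
# Outputs:   progress lines on stdout
# Returns:   0 when the secret was written or skipped; non-zero if the
#            jq decode or `vault kv put` fails (set -e aborts the script)
#######################################
seed_secret() {
  local ns="$1"
  local secret_name="$2"
  local vault_path="kv/${ns}/${secret_name}"

  printf '%s\n' "--- ${ns}/${secret_name} → ${vault_path} ---"

  # Fetch the Secret once; every key is decoded from this one document below
  # instead of one kubectl round-trip per key. kubectl's stderr is silenced so
  # a missing Secret is a quiet skip — note that auth/connectivity failures
  # are reported the same way, so check kubectl access if everything skips.
  local secret_json
  secret_json=$(kubectl get secret "${secret_name}" -n "${ns}" -o json 2>/dev/null) || {
    printf '  SKIP: secret not found in cluster\n\n'
    return
  }

  # One key per line; K8s restricts data keys to [-._a-zA-Z0-9], so a
  # newline-delimited list is safe to split with mapfile.
  local key_list
  key_list=$(jq -r '.data // {} | keys[]' <<<"${secret_json}")
  if [[ -z "${key_list}" ]]; then
    printf '  SKIP: no data keys\n\n'
    return
  fi
  local -a keys=()
  mapfile -t keys <<<"${key_list}"

  # Decode all values in jq and stream them to vault as a JSON object on stdin
  # (the trailing "-" argument). This keeps plaintext off the command line,
  # stops values beginning with "@" from being read by vault as file paths,
  # and handles keys containing dots (e.g. tls.crt, ca.crt), which the
  # previous jsonpath lookup "{.data.${key}}" could not address.
  # Caveat: @base64d yields text, so non-UTF-8 binary values are not preserved
  # exactly (the earlier bash-variable approach dropped NUL bytes as well).
  jq '.data // {} | map_values(@base64d)' <<<"${secret_json}" \
    | vault kv put "${vault_path}" -

  printf '  OK: %d keys written\n\n' "${#keys[@]}"
}

# --- Homepage ---
seed_secret homepage homepage-widget-credentials

# --- Renovate ---
seed_secret renovate renovate-env

# --- Gitea ---
seed_secret gitea gitea-credentials
seed_secret gitea gitea-backup-s3
seed_secret gitea gitea-smtp-secret
seed_secret gitea gitea-runner-token

# --- Keycloak ---
seed_secret keycloak keycloak-credentials
seed_secret keycloak microsoft-idp-credentials

# --- ArgoCD ---
seed_secret argocd forte-helm-repo
seed_secret argocd forte10x-repo-creds
seed_secret argocd mcp10x-repo-creds
seed_secret argocd argocd-notifications-secret

# --- Application secrets ---
seed_secret mcp10x app-credentials
seed_secret ts-mcp ts-mcp-secrets
seed_secret argocd-mcp auth-oidc
seed_secret argocd-mcp argocd-mcp-credentials
seed_secret dot-ai dot-ai-secrets
seed_secret music-man musicman-credentials

printf '%s\n' "=== Done. Verify with: vault kv list kv/{namespace} ==="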