---
apiVersion: v1
kind: ConfigMap
metadata:
  name: pasarguard-scripts-ingress
  labels:
    app: pasarguard-node-ingress
data:
  init-uuid-ingress.sh: |
    #!/bin/bash
    set -e
    echo "Started"
    # NODE_NAME is already set via environment variable
    NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)

    # Get DNS name from node label xray-public-address
    DNS_NAME=$(kubectl get node "${NODE_NAME}" -o jsonpath='{.metadata.labels.xray-public-address}')

    if [ -z "${DNS_NAME}" ]; then
      echo "ERROR: Node ${NODE_NAME} does not have label 'xray-public-address'"
      exit 1
    fi

    echo "Node: ${NODE_NAME}"
    echo "DNS Name from label: ${DNS_NAME}"

    # Use DNS name for ConfigMap name to ensure uniqueness
    CONFIGMAP_NAME="node-uuid-ingress-${DNS_NAME//./-}"

    echo "Checking ConfigMap: ${CONFIGMAP_NAME}"

    # Check if ConfigMap exists and get UUID
    if kubectl get configmap "${CONFIGMAP_NAME}" -n "${NAMESPACE}" &>/dev/null; then
      echo "ConfigMap exists, reading UUID..."
      API_KEY=$(kubectl get configmap "${CONFIGMAP_NAME}" -n "${NAMESPACE}" -o jsonpath='{.data.API_KEY}')

      if [ -z "${API_KEY}" ]; then
        echo "UUID not found in ConfigMap, generating new one..."
        API_KEY=$(cat /proc/sys/kernel/random/uuid)
        kubectl patch configmap "${CONFIGMAP_NAME}" -n "${NAMESPACE}" --type merge -p "{\"data\":{\"API_KEY\":\"${API_KEY}\"}}"
      else
        echo "Using existing UUID from ConfigMap"
      fi
    else
      echo "ConfigMap does not exist, creating new one..."
      API_KEY=$(cat /proc/sys/kernel/random/uuid)
      kubectl create configmap "${CONFIGMAP_NAME}" -n "${NAMESPACE}" \
        --from-literal=API_KEY="${API_KEY}" \
        --from-literal=NODE_NAME="${NODE_NAME}"
    fi

    # Save UUID and node info to shared volume for the main container
    echo -n "${API_KEY}" > /shared/api-key
    echo -n "${NODE_NAME}" > /shared/node-name
    echo -n "${CONFIGMAP_NAME}" > /shared/configmap-name
    echo "UUID initialized: ${API_KEY}"
    echo "Node name: ${NODE_NAME}"
    echo "ConfigMap: ${CONFIGMAP_NAME}"

    # Create Certificate for this node using DNS name from label
    CERT_NAME="pasarguard-node-ingress-${DNS_NAME//./-}"

    echo "Creating Certificate: ${CERT_NAME} for ${DNS_NAME}"

    # Check if Certificate already exists
    if ! kubectl get certificate "${CERT_NAME}" -n "${NAMESPACE}" &>/dev/null; then
      echo "Certificate does not exist, creating..."
      cat <<EOF | kubectl apply -f -
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: ${CERT_NAME}
      namespace: ${NAMESPACE}
    spec:
      secretName: ${CERT_NAME}-tls
      issuerRef:
        name: letsencrypt
        kind: ClusterIssuer
      dnsNames:
        - ${DNS_NAME}
    EOF
    else
      echo "Certificate already exists"
    fi

    # Wait for certificate to be ready
    
    echo "Waiting for certificate to be ready..."
    for i in {1..600}; do
      if kubectl get secret "${CERT_NAME}-tls" -n "${NAMESPACE}" &>/dev/null; then
        echo "Certificate secret is ready!"
        break
      fi
      echo "Waiting for certificate... ($i/600)"
      sleep 1
    done

    if ! kubectl get secret "${CERT_NAME}-tls" -n "${NAMESPACE}" &>/dev/null; then
      echo "WARNING: Certificate secret not ready after 600 seconds"
    else
      # Extract certificate and key from secret to shared volume
      echo "Extracting certificate and key..."
      kubectl get secret "${CERT_NAME}-tls" -n "${NAMESPACE}" -o jsonpath='{.data.tls\.crt}' | base64 -d > /shared/tls.crt
      kubectl get secret "${CERT_NAME}-tls" -n "${NAMESPACE}" -o jsonpath='{.data.tls\.key}' | base64 -d > /shared/tls.key
      echo "Certificate and key extracted successfully."
      cat /shared/tls.crt
    fi

    # Create ClusterIP Service for this node (pod selector based)
    NODE_SHORT_NAME="${NODE_NAME%%.*}"
    SERVICE_NAME="${NODE_SHORT_NAME}-ingress"

    echo "Creating Service: ${SERVICE_NAME} for node ${NODE_NAME} (short: ${NODE_SHORT_NAME})"

    # Create Service with pod selector including node name
    cat <<EOF | kubectl apply -f -
    apiVersion: v1
    kind: Service
    metadata:
      name: ${SERVICE_NAME}
      namespace: ${NAMESPACE}
      labels:
        app: pasarguard-node-ingress
        node: ${NODE_NAME}
    spec:
      type: ClusterIP
      selector:
        app: pasarguard-node-ingress
        node-name: ${NODE_SHORT_NAME}
      ports:
        - name: proxy
          port: 443
          protocol: TCP
          targetPort: 443
        - name: api
          port: 62050
          protocol: TCP
          targetPort: 62050
    EOF

    echo "Service created: ${SERVICE_NAME}.${NAMESPACE}.svc.cluster.local"

    # Create IngressRouteTCP for this DNS name with TLS passthrough
    INGRESS_NAME="pasarguard-tcp-${DNS_NAME//./-}"

    echo "Creating IngressRouteTCP: ${INGRESS_NAME} for ${DNS_NAME}"

    cat <<EOF | kubectl apply -f -
    apiVersion: traefik.io/v1alpha1
    kind: IngressRouteTCP
    metadata:
      name: ${INGRESS_NAME}
      namespace: ${NAMESPACE}
      labels:
        app: pasarguard-node-ingress
        node: ${NODE_NAME}
    spec:
      entryPoints:
        - websecure
      routes:
        - match: HostSNI(\`${DNS_NAME}\`)
          services:
            - name: ${SERVICE_NAME}
              port: 443
      tls:
        passthrough: true
    EOF

    echo "IngressRouteTCP created: ${INGRESS_NAME}"
    echo "Traffic to ${DNS_NAME}:443 will be routed to ${SERVICE_NAME}:443"

  pasarguard-start.sh: |
    #!/bin/sh
    # Read API_KEY from shared volume created by init container
    if [ -f /shared/api-key ]; then
      export API_KEY=$(cat /shared/api-key)
      echo "Loaded API_KEY from shared volume"
    else
      echo "WARNING: API_KEY file not found, using default"
    fi

    cd /app
    exec ./main