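#!/bin/bash
#
# Generates a fresh random K3s token and writes it, together with the
# Kube-VIP version and address, to Vault at secret/infrastructure/k3s.
#
# Environment:
#   VAULT_TOKEN  optional; prompted for interactively when unset or empty.
#
# Requires the 'vault' and 'openssl' CLIs; 'scp' is used only when the CA
# certificate is not already present next to the script.
set -euo pipefail

# Config
VAULT_ADDR="https://10.100.30.11:8200"
VAULT_CA="./vault-ca.crt"
KUBEVIP_ADDRESS="10.100.40.5"

# Check dependencies
if ! command -v vault &> /dev/null; then
  echo "❌ 'vault' CLI nicht gefunden." >&2
  exit 1
fi

if ! command -v openssl &> /dev/null; then
  echo "❌ 'openssl' nicht gefunden." >&2
  exit 1
fi

if [[ ! -f "$VAULT_CA" ]]; then
  echo "⚠️ $VAULT_CA nicht gefunden. Versuche Download..."
  # The CA file is the TLS trust anchor for every Vault request below, so its
  # authenticity rests entirely on SSH host-key verification of this scp call.
  # Do not relax StrictHostKeyChecking for this host.
  scp -i ~/.ssh/id_ed25519_ansible_prod \
    ansible@10.100.30.11:/opt/vault/certs/ca.crt "$VAULT_CA"
  # Fail early with a clear message instead of a later TLS error from vault.
  if [[ ! -s "$VAULT_CA" ]]; then
    echo "❌ Download von $VAULT_CA fehlgeschlagen." >&2
    exit 1
  fi
fi

echo "🔐 Setup K3s Secrets in Vault"
echo "-----------------------------"

# Auth
# NOTE(review): the prompt asks for the root token, but this script only
# writes one KV path; a short-lived token whose policy is limited to that
# path would presumably be enough. Confirm against the Vault policy setup.
if [[ -z "${VAULT_TOKEN:-}" ]]; then
  # -r keeps backslashes in the pasted token literal; -s keeps it off the
  # terminal.
  read -r -s -p "Bitte Vault Root Token eingeben: " VAULT_TOKEN
  echo ""
fi

if [[ -z "$VAULT_TOKEN" ]]; then
  echo "❌ Kein Vault Token angegeben." >&2
  exit 1
fi

export VAULT_TOKEN
export VAULT_ADDR
export VAULT_CACERT="$VAULT_CA"

# 1. Generate K3s Token
K3S_TOKEN=$(openssl rand -base64 32)
echo "✅ K3s Token generiert."

# 2. Set Kube-VIP Version
KUBEVIP_VERSION="v0.8.0"

# 3. Write to Vault
# NOTE(review): every run stores a newly generated token at this path.
# Whether an existing cluster still accepts nodes after that depends on how
# the token is consumed. Confirm before re-running against a live setup.
echo "Schreibe nach secret/infrastructure/k3s..."
# The token is fed through stdin (token=-) rather than as a command-line
# argument, so it does not show up in the process list or in 'set -x' traces
# of the vault invocation. printf is a shell builtin and '%s' adds no
# trailing newline to the stored value.
printf '%s' "$K3S_TOKEN" | vault kv put secret/infrastructure/k3s \
  token=- \
  kubevip_version="$KUBEVIP_VERSION" \
  kubevip_address="$KUBEVIP_ADDRESS"

echo ""
echo "✅ Secrets erfolgreich angelegt!"
echo " K3s Token: (im Vault gespeichert)"
echo " Kube-VIP IP: $KUBEVIP_ADDRESS"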