#!/bin/bash
set -e

if [ -z "$VAULT_ADDR" ]; then
    echo "Setze VAULT_ADDR!"
    exit 1
fi

echo "--- Vault Kubernetes Auth Setup (Token Reviewer Method) ---"

# 1. Auth aktivieren
vault auth enable kubernetes || true

# 2. CA Cert holen
echo "Hole CA Cert..."
ssh -i ~/.ssh/id_ed25519_ansible_prod ansible@10.100.40.10 "sudo cat /var/lib/rancher/k3s/server/tls/server-ca.crt" > k3s-ca.crt

# 3. ServiceAccount für TokenReview erstellen (falls nicht existiert)
echo "Erstelle ServiceAccount für Vault..."
ssh -i ~/.ssh/id_ed25519_ansible_prod ansible@10.100.40.10 "sudo kubectl create sa vault-auth -n kube-system --dry-run=client -o yaml | sudo kubectl apply -f -"
ssh -i ~/.ssh/id_ed25519_ansible_prod ansible@10.100.40.10 "sudo kubectl create clusterrolebinding vault-auth-binding --clusterrole=system:auth-delegator --serviceaccount=kube-system:vault-auth --dry-run=client -o yaml | sudo kubectl apply -f -"

# 4. Long-Lived Token Secret erstellen
echo "Erstelle Token Secret..."
ssh -i ~/.ssh/id_ed25519_ansible_prod ansible@10.100.40.10 "cat <<EOF | sudo kubectl apply -f -
apiVersion: v1
kind: Secret
metadata:
  name: vault-auth-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: vault-auth
type: kubernetes.io/service-account-token
EOF"

# 5. Token auslesen
echo "Lese Token aus..."
REVIEWER_TOKEN=$(ssh -i ~/.ssh/id_ed25519_ansible_prod ansible@10.100.40.10 "sudo kubectl get secret vault-auth-token -n kube-system -o jsonpath='{.data.token}' | base64 -d")

if [ -z "$REVIEWER_TOKEN" ]; then
    echo "Fehler: Konnte Token nicht lesen!"
    exit 1
fi

# 6. Config schreiben (MIT token_reviewer_jwt)
echo "Schreibe Vault Config..."
vault write auth/kubernetes/config \
    kubernetes_host="https://10.100.40.5:6443" \
    kubernetes_ca_cert=@k3s-ca.crt \
    token_reviewer_jwt="$REVIEWER_TOKEN" \
    disable_iss_validation=true \
    disable_local_ca_jwt=false

rm k3s-ca.crt

# 7. Policy & Rolle (bleibt gleich)
vault policy write k3s-secrets-reader - <<EOF
path "secret/data/*" {
  capabilities = ["read"]
}
EOF

vault write auth/kubernetes/role/external-secrets-role \
    bound_service_account_names=external-secrets \
    bound_service_account_namespaces=external-secrets \
    policies=k3s-secrets-reader \
    ttl=24h

echo "Fertig! Bitte ESO Pod neustarten."