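#!/bin/bash
#
# Build a kubeconfig for the deploy-bot service account in the "web"
# namespace and store it, base64-encoded, as a GitHub Actions secret.
#
# Requires: kubectl (with access to the cluster), gh (authenticated against
# the target repository), GNU base64 (for -w 0).
#
# Security notes:
#   * The generated file contains a service-account bearer token. It is
#     created with owner-only permissions; keep .kube/ out of version
#     control and delete the file once it is no longer needed.
#   * The encoded kubeconfig is handed to gh on stdin, not via --body, so
#     the credential never appears in the process argument list.
#   * Do not run this script with `set -x`; the trace would print the token.
set -euo pipefail

readonly REPO="kebrahimpour/avisenna-landing-page"
readonly SECRET_NAME="KUBECONFIG_BASE64"
readonly SERVER="https://85.214.94.62:6443"
readonly NAMESPACE="web"
readonly SERVICE_ACCOUNT="deploy-bot"
readonly KUBECONFIG_FILE=".kube/github-kubeconfig.yaml"

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Files and directories created from here on are readable by the owner only.
umask 077

echo "📦 Generating kubeconfig for GitHub Actions..."

# Get secret associated with service account.
# Kubernetes 1.24+ no longer auto-creates token secrets for service accounts,
# so an empty result is checked explicitly instead of letting the following
# `kubectl get secret ""` calls fail with a confusing message.
SECRET_NAME_REF=$(kubectl -n "$NAMESPACE" get sa "$SERVICE_ACCOUNT" \
  -o jsonpath="{.secrets[0].name}")
[[ -n "$SECRET_NAME_REF" ]] \
  || die "service account $SERVICE_ACCOUNT in namespace $NAMESPACE references no token secret"

TOKEN=$(kubectl -n "$NAMESPACE" get secret "$SECRET_NAME_REF" \
  -o jsonpath="{.data.token}" | base64 -d)
[[ -n "$TOKEN" ]] || die "secret $SECRET_NAME_REF holds no token"

# .data values are already base64-encoded, which is exactly the form
# certificate-authority-data expects, so no decode/re-encode round trip.
CA_DATA=$(kubectl -n "$NAMESPACE" get secret "$SECRET_NAME_REF" \
  -o jsonpath="{.data['ca\\.crt']}")
[[ -n "$CA_DATA" ]] || die "secret $SECRET_NAME_REF holds no ca.crt"

mkdir -p .kube
# Remove a stale copy first: `>` keeps the mode of an existing file, which
# could leave the new token in a file that is still group/world readable.
rm -f -- "$KUBECONFIG_FILE"

# Generate kubeconfig
cat <<EOF > "$KUBECONFIG_FILE"
apiVersion: v1
kind: Config
clusters:
- name: github-deploy
  cluster:
    certificate-authority-data: $CA_DATA
    server: $SERVER
contexts:
- name: github-deploy-context
  context:
    cluster: github-deploy
    namespace: $NAMESPACE
    user: $SERVICE_ACCOUNT
current-context: github-deploy-context
users:
- name: $SERVICE_ACCOUNT
  user:
    token: $TOKEN
EOF

# Encode and push secret to GitHub.
# gh reads the secret value from stdin when --body is not given; pipefail
# makes a base64 failure abort the script instead of uploading an empty value.
echo "🔐 Updating GitHub secret $SECRET_NAME..."
base64 -w 0 "$KUBECONFIG_FILE" | gh secret set "$SECRET_NAME" --repo "$REPO"

echo "✅ KUBECONFIG_BASE64 updated and ready."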