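#!/bin/sh
set -e

# Build and push a container image, prune old hash tags from the registry,
# generate Kubernetes YAML with kforge and apply it to the cluster.
# All settings are read from INPUT_* environment variables (plus GITHUB_SHA).

# INPUT_FILE="$1"
# OUTPUT_FILE="$2"
# AUTO_DEPLOY="$3"

# Path of the decoded cluster CA file; set once the deploy section creates it.
KUBE_CA_FILE=""

# Remove temporary files. Registered as an EXIT trap so the CA file is also
# removed when a later step fails under `set -e`.
remove_temp_files() {
  if [ -n "$KUBE_CA_FILE" ]; then
    rm -f -- "$KUBE_CA_FILE"
  fi
}
trap remove_temp_files EXIT
# Turn termination signals into a normal exit so the EXIT trap still runs.
trap 'exit 1' HUP INT TERM

# ----------------------------------------------------------------
# Registry login
# ----------------------------------------------------------------
if [ -n "$INPUT_REGISTRY_USERNAME" ] && [ -n "$INPUT_REGISTRY_PASSWORD" ]; then
  echo "Logging in to $INPUT_REGISTRY..."
  # printf instead of echo: some /bin/sh echo builtins interpret backslash
  # escapes, which would silently alter a password containing backslashes.
  printf '%s\n' "$INPUT_REGISTRY_PASSWORD" | docker login "$INPUT_REGISTRY" \
    -u "$INPUT_REGISTRY_USERNAME" --password-stdin
fi

# ----------------------------------------------------------------
# Build and push image
# ----------------------------------------------------------------

# Run curl against the registry with basic-auth credentials.
# Arguments: any further curl options and the URL.
# NOTE(review): -u places the registry password in curl's argument list,
# where other processes that can list this process can read it while curl
# runs. Consider a curl config or netrc file with restricted permissions.
registry_curl() {
  curl -s -u "$INPUT_REGISTRY_USERNAME:$INPUT_REGISTRY_PASSWORD" "$@"
}

# Print the Docker-Content-Digest header for a manifest reference.
# Arguments: $1 - image name, $2 - tag
# Outputs:   the digest on stdout, or nothing when the header is absent.
manifest_digest() {
  registry_curl -I \
    -H "Accept: application/vnd.docker.distribution.manifest.v2+json" \
    "https://$INPUT_REGISTRY/v2/$1/manifests/$2" \
    | tr -d '\r' \
    | awk 'tolower($1) == "docker-content-digest:" { print $2; exit }'
}

# Delete surplus 7-character hex tags of an image from the registry.
# Arguments: $1 - image name
#            $2 - number of hash tags to keep (non-negative integer)
#            $3 - optional tag that must never be deleted (the tag that was
#                 just pushed); its manifest digest is protected as well
# Returns:   0 in all handled cases; an unusable retention count or an
#            unresolvable protected digest skips the cleanup.
cleanup_old_tags() {
  IMAGE="$1"
  KEEP="$2"
  PROTECT_TAG="${3:-}"

  # KEEP feeds shell arithmetic and decides how much gets deleted, so accept
  # plain digits only.
  case "$KEEP" in
    '' | *[!0-9]*)
      echo "Invalid tag retention count '$KEEP', skipping cleanup." >&2
      return 0
      ;;
  esac

  echo "Fetching tags for $IMAGE..."
  TAGS=$(registry_curl "https://$INPUT_REGISTRY/v2/$IMAGE/tags/list" \
    | tr ',' '\n' \
    | grep -o '"[a-f0-9]\{7\}"' \
    | tr -d '"')

  # grep -c exits 1 when it counts zero lines; without `|| true` that status
  # would abort the whole script under `set -e`.
  COUNT=$(printf '%s\n' "$TAGS" | grep -c . || true)
  DELETE_COUNT=$((COUNT - KEEP))

  if [ "$DELETE_COUNT" -le 0 ]; then
    echo "Only $COUNT hash tags found, no cleanup needed."
    return
  fi

  # The tag that was just pushed is never a deletion candidate.
  CANDIDATES="$TAGS"
  PROTECT_DIGEST=""
  if [ -n "$PROTECT_TAG" ]; then
    CANDIDATES=$(printf '%s\n' "$TAGS" | grep -v -x -F -- "$PROTECT_TAG" || true)
    PROTECT_DIGEST=$(manifest_digest "$IMAGE" "$PROTECT_TAG")
    if [ -z "$PROTECT_DIGEST" ]; then
      # Fail safe: without the digest we cannot tell which deletions would
      # also remove the image that was just pushed.
      echo "Could not resolve digest for $PROTECT_TAG, skipping cleanup." >&2
      return 0
    fi
  fi

  # NOTE(review): the tags/list response carries no creation time, so
  # "oldest" means "first in the order the registry returned". Confirm that
  # this order is chronological for the registry in use.
  echo "Found $COUNT hash tags, deleting oldest $DELETE_COUNT..."

  printf '%s\n' "$CANDIDATES" | head -n "$DELETE_COUNT" | while read -r TAG; do
    [ -n "$TAG" ] || continue
    echo "Deleting tag: $TAG..."

    DIGEST=$(manifest_digest "$IMAGE" "$TAG")

    if [ -z "$DIGEST" ]; then
      echo "Could not find digest for $TAG, skipping."
    elif [ "$DIGEST" = "$PROTECT_DIGEST" ]; then
      # The DELETE below is addressed by digest, so it would remove the
      # manifest for every tag pointing at it, including the protected one.
      echo "$TAG shares its digest with $PROTECT_TAG, skipping."
    elif registry_curl -f -X DELETE \
      "https://$INPUT_REGISTRY/v2/$IMAGE/manifests/$DIGEST"; then
      echo "Deleted $TAG ($DIGEST)"
    else
      # -f makes curl report HTTP errors, so a refused delete is not logged
      # as a success.
      echo "Failed to delete $TAG ($DIGEST)" >&2
    fi
  done
}

if [ -n "$INPUT_IMAGE_NAME" ]; then
  FULL_IMAGE="$INPUT_REGISTRY/$INPUT_IMAGE_NAME"

  if [ -n "$INPUT_IMAGE_TAG" ]; then
    echo "Building image $FULL_IMAGE:$INPUT_IMAGE_TAG..."
    docker build -t "$FULL_IMAGE:$INPUT_IMAGE_TAG" -f "$INPUT_DOCKERFILE" .
    docker push "$FULL_IMAGE:$INPUT_IMAGE_TAG"
  else
    SHA=$(printf '%s\n' "$GITHUB_SHA" | cut -c1-7)
    echo "Building image $FULL_IMAGE:latest and $FULL_IMAGE:$SHA..."
    docker build \
      -t "$FULL_IMAGE:latest" \
      -t "$FULL_IMAGE:$SHA" \
      -f "$INPUT_DOCKERFILE" .
    docker push "$FULL_IMAGE:latest"
    docker push "$FULL_IMAGE:$SHA"
    # Pass the fresh tag so cleanup can never remove the image just pushed.
    cleanup_old_tags "$INPUT_IMAGE_NAME" "${INPUT_MAX_TAGS:-5}" "$SHA"
  fi
fi

# ----------------------------------------------------------------
# Generate Kubernetes YAML
# ----------------------------------------------------------------
echo "Generating Kubernetes YAML from .kforge.yml"
/usr/local/bin/kforge generate

# ----------------------------------------------------------------
# Deploy to Kubernetes
# ----------------------------------------------------------------

# Build kubeconfig from token-based credentials
echo "Configuring kubectl..."

# Decode the cluster CA into a private temp file (mktemp, not a fixed /tmp
# name). stderr is left alone so a base64 error is reported instead of being
# written into the certificate file; a decode failure aborts under `set -e`.
KUBE_CA_FILE=$(mktemp)
printf '%s\n' "$INPUT_KUBE_CERTIFICATE" | base64 -d > "$KUBE_CA_FILE"
if [ ! -s "$KUBE_CA_FILE" ]; then
  echo "Decoded cluster CA certificate is empty; check INPUT_KUBE_CERTIFICATE." >&2
  exit 1
fi
# Only the size is logged; the decoded content stays out of the job log.
echo "Cert file size: $(wc -c < "$KUBE_CA_FILE")"

kubectl config set-cluster default \
  --server="$INPUT_KUBE_HOST" \
  --certificate-authority="$KUBE_CA_FILE"

# NOTE(review): the token is passed as a command-line argument and is stored
# in the default kubeconfig, which this script does not remove. Confirm the
# job runs in a throwaway environment, or remove the kubeconfig at exit.
kubectl config set-credentials default \
  --token="$INPUT_KUBE_TOKEN"

kubectl config set-context default \
  --cluster=default \
  --user=default

kubectl config use-context default

# Create/update regcred secret idempotently
# NOTE(review): --docker-password puts the registry password in kubectl's
# argument list; generating the secret from a credentials file would avoid
# that exposure.
echo "Creating regcred secret..."
kubectl create secret docker-registry regcred \
  --docker-server="$INPUT_REGISTRY" \
  --docker-username="$INPUT_REGISTRY_USERNAME" \
  --docker-password="$INPUT_REGISTRY_PASSWORD" \
  --validate=false \
  --dry-run=client -o yaml | kubectl apply -f -

# NOTE(review): schema validation is switched off for the generated
# manifests; confirm this is still required.
echo "Deploying to Kubernetes..."
kubectl apply --validate=false -f ./kforge-out/

echo "Deploy complete."
echo "Cleanup"
remove_temp_files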