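#!/bin/bash
# Session 6.4 — SMTP secret setup for PieCed Portal
#
#   1. Store SMTP credentials in OpenBao
#   2. Apply the ExternalSecret
#   3. Patch the portal deployment to mount the secret
#
# Prerequisites: bao CLI authenticated, kubectl context set
#
# Environment:
#   SMTP_PASSWORD  (optional) SMTP app password. When unset and stdin is a
#                  terminal, the script asks for it with a hidden prompt.
#
# The password is deliberately kept out of this file and off every command
# line: a literal in the script ends up in version control, and a value in
# argv is readable by other local users through the process list.

set -euo pipefail

readonly NAMESPACE="pieced-system"
readonly DEPLOYMENT="pieced-portal"
readonly SECRET_NAME="portal-smtp"
readonly BAO_PATH="pieced/portal/smtp"
readonly PLACEHOLDER="REPLACE_WITH_APP_PASSWORD"

# Print a message to stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# ─── Step 1: Store SMTP creds in OpenBao ───────────────────────────────────────
smtp_password=${SMTP_PASSWORD:-}
if [[ -z "$smtp_password" && -t 0 ]]; then
  # -s keeps the typed value out of the terminal and its scrollback.
  read -rs -p "SMTP app password: " smtp_password
  printf '\n' >&2
fi
[[ -n "$smtp_password" ]] || die "no SMTP password given (set SMTP_PASSWORD or run interactively)"
# Refuse to store the template placeholder as if it were a real credential.
[[ "$smtp_password" != "$PLACEHOLDER" ]] || die "SMTP password is still the placeholder value"

echo "==> Storing SMTP credentials in OpenBao..."
# printf is a shell builtin, so the password is not exposed in a process
# argument list; `password=-` makes bao read that one value from stdin.
# NOTE(review): the `from` value ends in a trailing space. If a display name
# followed by an address in angle brackets was intended, restore it here —
# confirm against the portal's mail configuration.
printf '%s' "$smtp_password" | bao kv put "$BAO_PATH" \
  host="smtp.gmail.com" \
  port="587" \
  user="noreply@pieced.ch" \
  password=- \
  from="PieCed " \
  admin_email="admin@pieced.ch"
unset smtp_password SMTP_PASSWORD

echo "==> Verifying..."
# Read back a single non-sensitive field. A plain `bao kv get` on the path
# would print the password into the terminal and any captured log.
bao kv get -field=host "$BAO_PATH"

# ─── Step 2: Apply ExternalSecret ──────────────────────────────────────────────
echo "==> Applying ExternalSecret..."
kubectl apply -f deploy/portal-smtp-externalsecret.yaml

echo "==> Waiting for ExternalSecret to sync..."
kubectl wait --for=condition=Ready "externalsecret/${SECRET_NAME}" \
  -n "$NAMESPACE" --timeout=60s

echo "==> Verifying K8s secret created..."
# Default output lists name/type/age only; the secret data is not printed.
kubectl get secret "$SECRET_NAME" -n "$NAMESPACE"

# ─── Step 3: Patch portal deployment to mount SMTP secret ──────────────────────
echo "==> Patching portal deployment..."
# Add envFrom entry for portal-smtp secret.
# If your deployment already uses a patch file, add this to the
# containers[0].envFrom array instead.
# Note that envFrom exposes every key of the secret, password included, as an
# environment variable of the container.
env_from=$(kubectl get deployment "$DEPLOYMENT" -n "$NAMESPACE" \
  -o jsonpath='{.spec.template.spec.containers[0].envFrom}')

secret_refs=""
if [[ -n "$env_from" ]]; then
  secret_refs=$(kubectl get deployment "$DEPLOYMENT" -n "$NAMESPACE" \
    -o jsonpath='{.spec.template.spec.containers[0].envFrom[*].secretRef.name}')
fi

patch=""
if [[ -z "$env_from" ]]; then
  # A JSON-patch "add" to ".../envFrom/-" fails when the array does not exist
  # yet, so create the array with the single entry.
  printf -v patch \
    '[{"op":"add","path":"/spec/template/spec/containers/0/envFrom","value":[{"secretRef":{"name":"%s"}}]}]' \
    "$SECRET_NAME"
elif [[ " ${secret_refs} " != *" ${SECRET_NAME} "* ]]; then
  printf -v patch \
    '[{"op":"add","path":"/spec/template/spec/containers/0/envFrom/-","value":{"secretRef":{"name":"%s"}}}]' \
    "$SECRET_NAME"
fi

if [[ -n "$patch" ]]; then
  kubectl patch deployment "$DEPLOYMENT" -n "$NAMESPACE" --type=json -p="$patch"
else
  # Re-running the script must not append a duplicate secretRef.
  echo "==> envFrom already references ${SECRET_NAME}; skipping patch."
fi

echo "==> Restarting portal..."
# Environment variables are read at container start, so a restart is needed
# for running pods to pick up new or changed secret values.
kubectl rollout restart deployment "$DEPLOYMENT" -n "$NAMESPACE"
kubectl rollout status deployment "$DEPLOYMENT" -n "$NAMESPACE"

echo "==> Done! SMTP credentials are now available to the portal."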