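#!/usr/bin/env bash
# Write an Argo CD ApplicationSet bundle (manifest + README) under
# <TARGET_ROOT>/deploy/argocd/ that points Argo CD at the k8s-scanner Helm
# chart in a GitOps repository.
#
# Usage: <script> [TARGET_ROOT]
#   TARGET_ROOT  directory to write into (default: current directory)
#
# Environment (all optional):
#   BLACKSHIELD_API_URL            API endpoint written into the chart values
#   BLACKSHIELD_GITOPS_REPO_URL    GitOps repo URL; defaults to TARGET_ROOT's
#                                  `origin` remote when it is a git checkout
#   BLACKSHIELD_GITOPS_REVISION    branch/tag; defaults to the checkout's
#                                  current branch, or "main"
#   BLACKSHIELD_GITOPS_CHART_PATH  chart path inside the GitOps repo
set -euo pipefail

#######################################
# Drop embedded "user:secret@" credentials from a URL so they are never
# copied into the generated manifest or README. Argo CD repository
# credentials belong in a repository Secret, not in repoURL.
# Only userinfo that contains a ':' is removed, so "ssh://git@host/…" and
# scp-style "git@host:org/repo.git" remotes are left untouched.
# Arguments: $1 - URL
# Outputs:   sanitized URL on stdout; a warning on stderr if anything was cut
# Returns:   0
#######################################
strip_url_credentials() {
  local url=$1
  if [[ "$url" =~ ^([A-Za-z][A-Za-z0-9+.-]*://)[^/]*:[^/]*@(.*)$ ]]; then
    printf 'warning: dropped embedded credentials from repository URL\n' >&2
    url="${BASH_REMATCH[1]}${BASH_REMATCH[2]}"
  fi
  printf '%s\n' "$url"
}

TARGET_ROOT="${1:-.}"
BLACKSHIELD_API_URL="${BLACKSHIELD_API_URL:-https://api.blackshield.chaplau.com}"

# Default the GitOps repo to TARGET_ROOT's origin remote; any git failure
# (not a checkout, no remote, git not installed) just yields an empty string.
GITOPS_REPO_URL_DEFAULT="$(git -C "$TARGET_ROOT" config --get remote.origin.url 2>/dev/null || true)"
[[ -n "$GITOPS_REPO_URL_DEFAULT" ]] || GITOPS_REPO_URL_DEFAULT="https://github.com/your-org/your-gitops-repo.git"

# Default the revision to the current branch. A detached HEAD prints "HEAD",
# which is not a usable targetRevision, so fall back to main in that case too.
GITOPS_REVISION_DEFAULT="$(git -C "$TARGET_ROOT" rev-parse --abbrev-ref HEAD 2>/dev/null || true)"
if [[ -z "$GITOPS_REVISION_DEFAULT" || "$GITOPS_REVISION_DEFAULT" == "HEAD" ]]; then
  GITOPS_REVISION_DEFAULT="main"
fi

# The repo URL ends up in two files that are meant to be committed, so it is
# sanitized whether it came from the environment or from git config.
BLACKSHIELD_GITOPS_REPO_URL="$(strip_url_credentials "${BLACKSHIELD_GITOPS_REPO_URL:-$GITOPS_REPO_URL_DEFAULT}")"
BLACKSHIELD_GITOPS_REVISION="${BLACKSHIELD_GITOPS_REVISION:-$GITOPS_REVISION_DEFAULT}"
BLACKSHIELD_GITOPS_CHART_PATH="${BLACKSHIELD_GITOPS_CHART_PATH:-deploy/helm/blackshield-k8s-scanner}"

OUT_DIR="$TARGET_ROOT/deploy/argocd"
APPSET_FILE="$OUT_DIR/k8s-scanner-appset.yaml"
README_FILE="$OUT_DIR/README.md"
mkdir -p -- "$OUT_DIR"

# repoURL and path are double-quoted in the YAML so values containing
# characters that are special in plain scalars (':' '#' '@') stay valid.
cat > "$APPSET_FILE" <<EOF
# Argo CD ApplicationSet — deploy k8s-scanner to every registered cluster.
#
# Expected flow:
#   1. Commit deploy/helm/blackshield-k8s-scanner/ into your GitOps repo.
#   2. Apply this manifest from your management cluster.
#
# Apply once from your management cluster:
#   kubectl apply -f deploy/argocd/k8s-scanner-appset.yaml
#
# Argo CD will create one Application per cluster and keep them in sync.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: blackshield-k8s-scanner
  namespace: argocd
spec:
  generators:
    # Auto-discovers all clusters registered in Argo CD.
    # To target a subset, add a selector:
    #   selector:
    #     matchLabels:
    #       blackshield-scanner: "enabled"
    - clusters: {}
  template:
    metadata:
      name: "blackshield-k8s-scanner-{{name}}"
      annotations:
        argocd.argoproj.io/sync-wave: "1"
    spec:
      project: default
      source:
        repoURL: "${BLACKSHIELD_GITOPS_REPO_URL}"
        targetRevision: "${BLACKSHIELD_GITOPS_REVISION}"
        path: "${BLACKSHIELD_GITOPS_CHART_PATH}"
        helm:
          valuesObject:
            env:
              BLACKSHIELD_API_URL: "${BLACKSHIELD_API_URL}"
              LOG_LEVEL: INFO
            existingSecret:
              name: blackshield-k8s-scanner   # create this Secret in each cluster
              key: api-key
            mode: deployment
            scanIntervalSeconds: 21600
            networkPolicy:
              enabled: true
      destination:
        server: "{{server}}"
        namespace: blackshield
      syncPolicy:
        automated:
          prune: true
          selfHeal: true
        syncOptions:
          - CreateNamespace=true
          - ServerSideApply=true
EOF

# Backticks are escaped because this heredoc deliberately expands variables.
cat > "$README_FILE" <<EOF
# Argo CD ApplicationSet for BlackShield k8s Scanner

This bundle writes a Git-based ApplicationSet that points Argo CD at the Helm chart source in your GitOps repository.

## Defaults used

- \`repoURL\`: ${BLACKSHIELD_GITOPS_REPO_URL}
- \`targetRevision\`: ${BLACKSHIELD_GITOPS_REVISION}
- \`path\`: ${BLACKSHIELD_GITOPS_CHART_PATH}
- \`BLACKSHIELD_API_URL\`: ${BLACKSHIELD_API_URL}

If you ran this bundle inside a Git checkout, it automatically used that repo's \`origin\` remote and current branch when possible. Any \`user:secret@\` credentials found in the remote URL were removed; give Argo CD access to the repository through a repository Secret instead.

## Before applying

1. Commit \`deploy/helm/blackshield-k8s-scanner/\` into the GitOps repo above.
2. Create the \`blackshield-k8s-scanner\` Secret in each target cluster.
3. Review \`k8s-scanner-appset.yaml\`, then apply it from your management cluster.
EOF

printf 'Wrote source bundle files:\n'
printf '  - %s\n' "$APPSET_FILE"
printf '  - %s\n' "$README_FILE"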
