#!/bin/bash

set -euo pipefail

CLUSTER_NAME="kind-kind-demo"
NAMESPACE="dev"
OUTPUT_DIR="./rbac-users"

mkdir -p "$OUTPUT_DIR"

echo "[+] Kivonjuk a CA tanúsítványt és kulcsot kubeconfigból..."

CA_CERT_PATH="${OUTPUT_DIR}/ca.crt"
CA_KEY_PATH="${OUTPUT_DIR}/ca.key"

docker cp kind-demo-control-plane:/etc/kubernetes/pki/ca.crt $OUTPUT_DIR/ca.crt
docker cp kind-demo-control-plane:/etc/kubernetes/pki/ca.key $OUTPUT_DIR/ca.key

# Felhasználók listája
USERS=("readonly" "dev-admin")

for USER in "${USERS[@]}"; do
  echo -e "\n[+] Tanúsítvány generálása: $USER"

  openssl genrsa -out "${OUTPUT_DIR}/${USER}.key" 2048
  openssl req -new -key "${OUTPUT_DIR}/${USER}.key" \
    -out "${OUTPUT_DIR}/${USER}.csr" \
    -subj "/CN=${USER}/O=devs"

  openssl x509 -req \
    -in "${OUTPUT_DIR}/${USER}.csr" \
    -CA "$CA_CERT_PATH" \
    -CAkey "$CA_KEY_PATH" \
    -CAcreateserial \
    -out "${OUTPUT_DIR}/${USER}.crt" \
    -days 365 \
    -sha256
done

echo -e "\n[+] RBAC létrehozása"

# Readonly user: cluster-wide view
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-user
subjects:
- kind: User
  name: readonly
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
EOF

# Namespace létrehozás, ha még nem létezik
kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -

# dev-admin user: admin jogosultság a dev namespace-ben
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-admin-binding
  namespace: $NAMESPACE
subjects:
- kind: User
  name: dev-admin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
EOF

cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dev-admin-readonly-global
subjects:
- kind: User
  name: dev-admin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
EOF


echo -e "\n[+] Kubeconfig fájlok generálása..."

SERVER=$(kubectl config view --raw -o jsonpath="{.clusters[?(@.name==\"$CLUSTER_NAME\")].cluster.server}")

for USER in "${USERS[@]}"; do
  KUBECONFIG_USER="${OUTPUT_DIR}/kubeconfig-${USER}"

  kubectl config --kubeconfig="${KUBECONFIG_USER}" set-cluster "$CLUSTER_NAME" \
    --server="$SERVER" \
    --certificate-authority="${CA_CERT_PATH}" \
    --embed-certs=true

  kubectl config --kubeconfig="${KUBECONFIG_USER}" set-credentials "$USER" \
    --client-certificate="${OUTPUT_DIR}/${USER}.crt" \
    --client-key="${OUTPUT_DIR}/${USER}.key" \
    --embed-certs=true

  kubectl config --kubeconfig="${KUBECONFIG_USER}" set-context "$USER-context" \
    --cluster="$CLUSTER_NAME" \
    --user="$USER"

  kubectl config --kubeconfig="${KUBECONFIG_USER}" use-context "$USER-context"

  echo -e "\n  [✔] Létrejött: ${KUBECONFIG_USER}"
done

echo -e "\nUserek mergelése:"
echo
kubectl config set-credentials readonly \
  --client-certificate=$OUTPUT_DIR/readonly.crt \
  --client-key=$OUTPUT_DIR/readonly.key \
  --embed-certs=true

kubectl config set-context readonly-context \
  --cluster=kind-kind-demo \
  --user=readonly

kubectl config set-credentials dev-admin \
  --client-certificate=$OUTPUT_DIR/dev-admin.crt \
  --client-key=$OUTPUT_DIR/dev-admin.key \
  --embed-certs=true

kubectl config set-context dev-admin-context \
  --cluster=kind-kind-demo \
  --user=dev-admin

echo "[✅ KÉSZ]"