apiVersion: batch/v1
kind: Job
metadata:
  annotations:
    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
    argocd.argoproj.io/sync-options: Replace=true
  name: argocd-deploy-key-init
  namespace: forgejo
spec:
  template:
    spec:
      containers:
        - command:
            - sh
            - -c
            - |
              set -e

              apk add --no-cache openssh-keygen > /dev/null 2>&1

              ARGOCD_NS="argocd"
              REPO_SECRET="forgejo-repo"
              REPO_URL="ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git"
              FORGEJO_URL="https://git.tr1ceracop.de"
              REPO_OWNER="gitea_admin"
              REPO_NAME="k8s-and-chill"

              # Wait for Forgejo to be ready
              echo "Waiting for Forgejo to be ready..."
              for i in $(seq 1 60); do
                if curl -sk "${FORGEJO_URL}/api/v1/version" >/dev/null 2>&1; then
                  echo "Forgejo HTTPS is ready"
                  break
                fi
                if [ "$i" -eq 60 ]; then
                  echo "Forgejo did not become ready in time"
                  exit 1
                fi
                sleep 5
              done

              # Check if ArgoCD repo secret already exists
              if kubectl get secret "${REPO_SECRET}" -n "${ARGOCD_NS}" >/dev/null 2>&1; then
                echo "Secret ${REPO_SECRET} already exists in ${ARGOCD_NS}, skipping"
                exit 0
              fi

              # Read admin credentials
              ADMIN_USER=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.username}' | base64 -d)
              ADMIN_PASS=$(kubectl get secret forgejo-admin-secret -n "${NAMESPACE}" -o jsonpath='{.data.password}' | base64 -d)

              # Generate ed25519 SSH keypair
              KEYDIR=$(mktemp -d)
              ssh-keygen -t ed25519 -f "${KEYDIR}/id_ed25519" -N "" -q
              PRIVKEY=$(cat "${KEYDIR}/id_ed25519")
              PUBKEY=$(cat "${KEYDIR}/id_ed25519.pub")
              rm -rf "${KEYDIR}"

              # Register deploy key via Forgejo API
              echo "Registering deploy key..."
              HTTP_CODE=$(curl -sk -o /tmp/response.json -w "%{http_code}" \
                -X POST "${FORGEJO_URL}/api/v1/repos/${REPO_OWNER}/${REPO_NAME}/keys" \
                -H "Content-Type: application/json" \
                -u "${ADMIN_USER}:${ADMIN_PASS}" \
                -d "{\"title\":\"argocd-deploy-key\",\"key\":\"${PUBKEY}\",\"read_only\":true}")

              if [ "${HTTP_CODE}" = "201" ]; then
                echo "Deploy key registered successfully"
              elif [ "${HTTP_CODE}" = "422" ]; then
                echo "Deploy key already exists in Forgejo (422), continuing"
              else
                echo "Failed to register deploy key: HTTP ${HTTP_CODE}"
                cat /tmp/response.json
                exit 1
              fi

              # Create ArgoCD repository secret with insecure flag (skip host key verification)
              cat <<EOSECRET | kubectl apply -f -
              apiVersion: v1
              kind: Secret
              metadata:
                name: ${REPO_SECRET}
                namespace: ${ARGOCD_NS}
                labels:
                  argocd.argoproj.io/secret-type: repository
              stringData:
                type: git
                url: "${REPO_URL}"
                insecure: "true"
                sshPrivateKey: |
              $(echo "${PRIVKEY}" | sed 's/^/            /')
              EOSECRET

              echo "Created ArgoCD repository secret ${REPO_SECRET} in ${ARGOCD_NS}"
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          image: alpine/k8s:1.32.3
          name: init
      restartPolicy: OnFailure
      serviceAccountName: argocd-deploy-key-init
  ttlSecondsAfterFinished: 300