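---
kind: ConfigMap
apiVersion: v1
metadata:
  name: {{ include "autovault.fullname" . }}-scripts
  labels:
    {{- include "autovault.labels" . | nindent 4 }}
data:
  autovault.sh: |
    #!/bin/bash
    # Bootstraps a Vault server for automated use: waits for the HTTP endpoint,
    # initialises and unseals it once, enables kv-v2, userpass and approle, then
    # creates one AppRole per entry in .Values.autovaultGenSecretsApps and stores
    # its credentials in a Kubernetes secret named vault-secret-<app>.
    # Requires curl, jq, vault and kubectl on PATH and a writable /vault/data.
    set -u

    # Init output (unseal key + root token) is kept on the Vault data volume so
    # a re-run of this script can unseal without re-initialising.
    # NOTE(review): keys.json holds the unseal key AND the root token in clear
    # text; restricting its mode (e.g. umask 077 before init) is worth doing if
    # nothing else on the volume reads it — confirm before changing.
    HOME=/vault/data
    KEYS_FILE=/vault/data/keys.json
    export VAULT_ADDR={{ .Values.vaultUrl }}

    # Block until the Vault endpoint answers 200.
    while [[ "$(curl -L -s -o /dev/null -w '%{http_code}' "$VAULT_ADDR")" != "200" ]]; do
      sleep 5
    done

    # One status call feeds both the initialised and sealed checks.
    STATUS=$(vault status -format=json)
    INITIALIZED=$(jq -r '.initialized' <<<"$STATUS")
    SEALED=$(jq -r '.sealed' <<<"$STATUS")

    # Single key share with threshold 1: there is no key splitting, the whole
    # unseal key lives in keys.json. Suited to an automated dev/test install.
    if [[ "$INITIALIZED" == "false" ]]; then
      vault operator init -key-threshold=1 -key-shares=1 -format=json > "$KEYS_FILE"
    fi

    if [[ "$SEALED" == "true" ]]; then
      KEY=$(jq -r '.unseal_keys_b64[0]' "$KEYS_FILE")
      vault operator unseal "$KEY"
    fi

    # Assignment kept separate from export so a jq failure is not masked.
    VAULT_TOKEN=$(jq -r '.root_token' "$KEYS_FILE")
    export VAULT_TOKEN

    # Idempotent enablement. The grep matches any listed path containing the
    # name, not only the default mount — same loose check as before.
    if ! vault secrets list | grep -qi kv; then
      vault secrets enable -version=2 kv
    fi
    if ! vault auth list | grep -qi userpass; then
      vault auth enable userpass
    fi
    if ! vault auth list | grep -qi approle; then
      vault auth enable approle
    fi

    # The root token is written to stdout, i.e. the container log, so anyone
    # able to read this pod's logs can read it.
    echo
    echo "----------------------------------------------------------------"
    echo
    echo "Vault root token: ${VAULT_TOKEN}"
    echo
    echo "----------------------------------------------------------------"
    echo

    for APPROLE in {{ join " " .Values.autovaultGenSecretsApps }}; do
      # Create the role only when reading its role-id fails (role absent).
      if ! vault read "auth/approle/role/$APPROLE/role-id" >/dev/null 2>&1; then
        vault write -f "auth/approle/role/$APPROLE"
      fi
      # Materialise the credentials once; an existing secret is left untouched.
      # JSON output is parsed with jq instead of grep/awk on the table format,
      # which is more robust to column changes.
      # Each secret also carries the root token under rootToken, so every
      # consumer of vault-secret-<app> effectively holds root; keep that in
      # mind when granting read access to these secrets.
      if ! kubectl get secret "vault-secret-$APPROLE"; then
        APPROLE_ROLE_ID=$(vault read -format=json "auth/approle/role/$APPROLE/role-id" | jq -r '.data.role_id')
        APPROLE_SECRET_ID=$(vault write -f -format=json "auth/approle/role/$APPROLE/secret-id" | jq -r '.data.secret_id')
        kubectl create secret generic "vault-secret-$APPROLE" \
          --from-literal=rootToken="$VAULT_TOKEN" \
          --from-literal=roleId="$APPROLE_ROLE_ID" \
          --from-literal=secretId="$APPROLE_SECRET_ID"
        echo "$APPROLE role-id = $APPROLE_ROLE_ID"
      fi
    done

    vault auth list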