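---
# Argo CD PostSync hook that bootstraps a Vault instance from declarative
# config: enables secret engines listed in /config/mounts, writes every
# /policies/*.hcl as an ACL policy, and enables/configures the Kubernetes
# auth method plus the roles listed in /config/roles. Each step is written to
# be idempotent so the hook can be re-run on every sync.
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-bootstrap
  namespace: dev-tools
  annotations:
    argocd.argoproj.io/hook: PostSync
    # Delete the previous Job before creating the new one so a stale
    # completed/failed Job never blocks the next sync.
    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
    argocd.argoproj.io/sync-wave: "1"
spec:
  template:
    spec:
      serviceAccountName: vault-auth
      # The script reads the pod's own SA token and hands it to Vault as the
      # TokenReview credential, so automount must stay enabled here.
      automountServiceAccountToken: true
      restartPolicy: OnFailure
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: bootstrap
          image: hashicorp/vault:1.15
          envFrom:
            # Provides VAULT_ADDR + VAULT_TOKEN (admin).
            # NOTE(review): an admin/root token is far more than this script
            # needs; a short-lived token scoped to sys/mounts, sys/policies,
            # sys/auth and auth/kubernetes/* would satisfy least privilege.
            - secretRef:
                name: vault-admin
          volumeMounts:
            - name: bootstrap-config
              mountPath: /config  # contains the `mounts` and `roles` files
              readOnly: true
            - name: policies
              mountPath: /policies  # every *.hcl becomes a policy of the same name
              readOnly: true
          securityContext:
            runAsNonRoot: true
            runAsUser: 100
            allowPrivilegeEscalation: false
            # The CLI only reads VAULT_TOKEN from the environment; nothing is
            # written to the image filesystem.
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eu

              echo "== Ensure mounts =="
              # /config/mounts: one "<path>:<kv1|kv2>" per line. Blank lines and
              # lines starting with '#' are ignored. The `|| [ -n "$line" ]`
              # keeps a final line that lacks a trailing newline (common for
              # ConfigMap data) from being silently dropped.
              while IFS= read -r line || [ -n "$line" ]; do
                case "$line" in ""|"#"*) continue ;; esac
                PATH_NAME="${line%%:*}"
                TYPE="${line##*:}"
                if [ "$PATH_NAME" = "$line" ]; then
                  echo "Malformed mount line (expected <path>:<type>): '$line'" >&2
                  exit 1
                fi
                # Capture the listing first so a failing `vault secrets list`
                # aborts the job via set -e instead of being masked by grep and
                # misread as "mount missing".
                EXISTING="$(vault secrets list -format=json)"
                if printf '%s' "$EXISTING" | grep -q "\"${PATH_NAME}/\""; then
                  echo "Mount exists: ${PATH_NAME}/"
                  continue
                fi
                case "$TYPE" in
                  kv2) vault secrets enable -path="${PATH_NAME}" -version=2 kv ;;
                  kv1) vault secrets enable -path="${PATH_NAME}" kv ;;
                  *) echo "Unknown type '$TYPE' for ${PATH_NAME}" >&2; exit 1 ;;
                esac
              done < /config/mounts

              echo "== Write/Update policies =="
              # `vault policy write` is an upsert, so re-running is safe.
              for f in /policies/*.hcl; do
                [ -f "$f" ] || continue  # unmatched glob leaves the literal pattern
                NAME="$(basename "$f" .hcl)"
                vault policy write "$NAME" "$f"
              done

              echo "== Enable & configure kubernetes auth =="
              AUTHS="$(vault auth list -format=json)"
              if ! printf '%s' "$AUTHS" | grep -q '"kubernetes/"'; then
                vault auth enable -path=kubernetes kubernetes
              fi
              SA_DIR=/var/run/secrets/kubernetes.io/serviceaccount
              TOKEN_REVIEWER_JWT="$(cat "${SA_DIR}/token")"
              # KUBERNETES_SERVICE_HOST/PORT are injected into every pod, whereas
              # the KUBERNETES_PORT_443_TCP_ADDR service link is absent when
              # enableServiceLinks is false and would trip `set -u`.
              KUBE_HOST="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}"
              # NOTE(review): kubernetes_host is dialled by Vault, not by this
              # pod; if Vault runs outside the cluster this in-cluster address
              # is not reachable from it.
              # NOTE(review): on current Kubernetes the mounted SA token is a
              # projected, time-bound token. Vault keeps using it for
              # TokenReview long after this Job exits, so once it expires
              # Kubernetes-auth logins fail. Confirm whether a long-lived
              # reviewer token (or Vault's own in-cluster SA token) is intended.
              vault write auth/kubernetes/config \
                token_reviewer_jwt="$TOKEN_REVIEWER_JWT" \
                kubernetes_host="$KUBE_HOST" \
                kubernetes_ca_cert=@"${SA_DIR}/ca.crt"

              echo "== Create/Update roles =="
              # /config/roles: one "<role>:<sa>:<namespace>:<policies>:<ttl>" per
              # line; <policies> may be a comma-separated list. Blank and '#'
              # lines are ignored.
              while IFS= read -r line || [ -n "$line" ]; do
                case "$line" in ""|"#"*) continue ;; esac
                # With fewer than five fields the expansions below would leave
                # TTL equal to POLICIES; fail loudly instead.
                case "$line" in
                  *:*:*:*:*) ;;
                  *) echo "Malformed role line (expected 5 ':'-separated fields): '$line'" >&2; exit 1 ;;
                esac
                ROLENAME="${line%%:*}"; REST="${line#*:}"
                SA="${REST%%:*}";       REST="${REST#*:}"
                NS="${REST%%:*}";       REST="${REST#*:}"
                POLICIES="${REST%%:*}"; TTL="${REST#*:}"
                # NOTE(review): Vault accepts "*" for the bound SA name and
                # namespace; make sure /config/roles does not rely on that, as
                # it lets any workload in the cluster assume the role.
                # token_policies/token_ttl replace the deprecated policies/ttl
                # aliases (supported on Vault >= 1.2; image is 1.15).
                vault write "auth/kubernetes/role/${ROLENAME}" \
                  bound_service_account_names="$SA" \
                  bound_service_account_namespaces="$NS" \
                  token_policies="$POLICIES" \
                  token_ttl="$TTL"
              done < /config/roles
      volumes:
        - name: bootstrap-config
          configMap:
            name: vault-bootstrap-config
        - name: policies
          configMap:
            name: vault-policies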