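# Helm hook Job that generates the application's key material once and stores
# it in a Kubernetes Secret. It runs before install and before every upgrade.
# When the Secret is already present, it exits without touching anything.
#
# NOTE(review): the Secret is created by kubectl from inside the hook, so it is
# not tracked as a release resource. Plan for its backup, rotation and removal
# outside of Helm.
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "solidtime.fullname" . }}-keygen
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  template:
    spec:
      # NOTE(review): this ServiceAccount and its RBAC are defined outside this
      # template. They must exist before a pre-install hook runs, and should be
      # limited to get/create on Secrets in the release namespace. Confirm.
      serviceAccountName: {{ include "solidtime.fullname" . }}-keygen
      restartPolicy: OnFailure
      containers:
        - name: keygen
          # NOTE(review): ":latest" is a mutable tag, and this container both
          # mints the signing keys and holds a token that can write Secrets.
          # Pin the image to a fixed version or digest that you have verified.
          # The script also assumes the image ships openssl. Confirm.
          image: bitnami/kubectl:latest
          command:
            - /bin/sh
            - -c
            - |
              # Stop on the first failing command or unset variable, so a
              # failed openssl call can never lead to a Secret that holds an
              # empty or partial key.
              set -eu
              # The RSA private key is written to disk below; keep it
              # readable by the current user only.
              umask 077
              # Remove the key files from the container filesystem on exit,
              # whether the script succeeded or failed.
              trap 'rm -f private.key public.key' EXIT

              SECRET_NAME="solidtime-app-secrets"

              # 1. Check if the Secret exists.
              # Any failure of "kubectl get" (not found, but also RBAC denial
              # or an unreachable API server) falls through to generation.
              # "kubectl create" below refuses to replace an existing Secret,
              # so existing keys are never overwritten; the Job fails and is
              # retried instead.
              if kubectl get secret "$SECRET_NAME"; then
                echo "Keys already exist. Skipping generation."
                exit 0
              fi

              echo "Generating keys..."

              # Generate Passport keys (4096-bit RSA pair).
              openssl genrsa -out private.key 4096
              openssl rsa -in private.key -pubout -out public.key

              # Generate the app key: 32 random bytes, base64-encoded.
              APP_KEY="base64:$(openssl rand -base64 32)"

              # 2. Create the Secret with ALL keys.
              # --from-file is used for the RSA keys to preserve newlines.
              kubectl create secret generic "$SECRET_NAME" \
                --from-literal=APP_KEY="$APP_KEY" \
                --from-file=PASSPORT_PRIVATE_KEY=private.key \
                --from-file=PASSPORT_PUBLIC_KEY=public.key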