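# Helm hook Job that generates the application key and the Passport RSA key
# pair once, then stores them in a Kubernetes Secret via kubectl.
# It runs before install and before every upgrade. The script exits early
# when the Secret already exists, so existing keys are never rotated.
#
# NOTE(review): the Secret is created by kubectl, not rendered by the chart,
# so it is presumably not tracked as a release resource and would outlive
# `helm uninstall` - confirm and document the cleanup step.
# NOTE(review): the ServiceAccount and its Role are not shown here. For a
# pre-install hook they must exist before this Job runs, and the Role should
# grant only `get` and `create` on secrets in the release namespace.
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "solidtime.fullname" . }}-keygen
  annotations:
    "helm.sh/hook": pre-install,pre-upgrade
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  template:
    spec:
      serviceAccountName: {{ include "solidtime.fullname" . }}-keygen
      restartPolicy: OnFailure
      containers:
        - name: keygen
          # NOTE(review): `latest` is a mutable tag. This container handles
          # the private key and runs with a token that can create Secrets,
          # so pin a specific version or image digest. The script also
          # presumes the image ships openssl - confirm.
          image: bitnami/kubectl:latest
          command:
            - /bin/sh
            - -c
            - |
              # Abort on any failed command or unset variable, so a failed
              # openssl call can never yield a Secret with an empty APP_KEY.
              set -eu
              # Key files are readable by the owner only while on disk.
              umask 077
              # Remove the key material from /tmp on every exit path.
              trap 'rm -f /tmp/private.key /tmp/public.key' EXIT

              # NOTE(review): fixed name, not derived from the release name;
              # two releases in one namespace would share this Secret.
              SECRET_NAME="solidtime-app-secrets"

              # 1. Check if secret already exists. --ignore-not-found turns
              # "absent" into empty output, so a real API or RBAC error
              # aborts the script (set -e) and is not read as "missing".
              existing="$(kubectl get secret "$SECRET_NAME" --ignore-not-found -o name)"
              if [ -n "$existing" ]; then
                echo "Keys already exist. Skipping generation."
                exit 0
              fi

              echo "Generating keys in /tmp..."

              # 2. Generate Keys into /tmp (which is writable)
              openssl genrsa -out /tmp/private.key 4096
              openssl rsa -in /tmp/private.key -pubout -out /tmp/public.key

              # Generate App Key
              APP_KEY="base64:$(openssl rand -base64 32)"

              # 3. Create Secret reading from /tmp. `create` fails if the
              # Secret appeared in the meantime, so existing keys are never
              # overwritten.
              kubectl create secret generic "$SECRET_NAME" \
                --from-literal=APP_KEY="$APP_KEY" \
                --from-file=PASSPORT_PRIVATE_KEY=/tmp/private.key \
                --from-file=PASSPORT_PUBLIC_KEY=/tmp/public.key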