#!/usr/bin/env bash
set -euo pipefail

# K8Studio Google GKE SSO lab
#
# This script helps configure and verify an existing GKE cluster for K8Studio
# access through Google Cloud login and gke-gcloud-auth-plugin exec auth.
#
# It does not create or delete a GKE cluster.
#
# Requirements:
# - Google Cloud CLI
# - gke-gcloud-auth-plugin
# - kubectl
# - An existing GKE cluster
# - Google Cloud IAM permission to get cluster credentials
#
# Usage:
#   ./k8studio-gke-sso-lab.sh login
#   ./k8studio-gke-sso-lab.sh install-plugin
#   ./k8studio-gke-sso-lab.sh list-clusters
#   ./k8studio-gke-sso-lab.sh kubeconfig
#   ./k8studio-gke-sso-lab.sh verify
#   ./k8studio-gke-sso-lab.sh logout

# Lab settings. Each can be supplied through the environment; the expansions
# below only fill in a value when the variable is unset or empty.
: "${PROJECT_ID:=}"      # Google Cloud project ID
: "${CLUSTER_NAME:=}"    # GKE cluster name
: "${LOCATION:=}"        # region or zone name, paired with LOCATION_FLAG
# Handed to gcloud as an argument of its own, immediately before LOCATION.
: "${LOCATION_FLAG:=--region}"
# Account for `logout`; when empty, `gcloud auth revoke` runs with no account.
: "${ACCOUNT_EMAIL:=}"
# Dedicated kubeconfig file for the lab, under ${HOME}/.kube by default.
: "${KUBECONFIG_PATH:=${HOME}/.kube/k8studio-gke-sso.yaml}"

# Print the help text on stdout.
# Globals: LOCATION_FLAG (read), KUBECONFIG_PATH (read) - shown as the
#          current values of the two optional settings.
usage() {
  local flag_value="${LOCATION_FLAG}"
  local kubeconfig_value="${KUBECONFIG_PATH}"

  # Static text uses quoted here-docs; only the two lines that embed a
  # setting go through printf, with the value passed as data, not format.
  cat <<'HELP_HEAD'
K8Studio Google GKE SSO lab

Commands:
  login             Run Google Cloud browser login
  install-plugin    Install gke-gcloud-auth-plugin
  list-clusters     List GKE clusters in PROJECT_ID
  kubeconfig        Generate a GKE exec-auth kubeconfig
  verify            Verify kubectl can reach the cluster
  logout            Revoke the configured Google account

Required environment for kubeconfig/verify:
  PROJECT_ID        Google Cloud project ID
  CLUSTER_NAME      GKE cluster name
  LOCATION          GKE region or zone, for example us-central1 or us-central1-a

Optional environment:
HELP_HEAD
  printf '  LOCATION_FLAG     --region or --zone. Default: %s\n' "${flag_value}"
  printf '  ACCOUNT_EMAIL     Account to revoke during logout\n'
  printf '  KUBECONFIG_PATH   %s\n' "${kubeconfig_value}"
  cat <<'HELP_TAIL'

Example:
  export PROJECT_ID=my-gke-project
  export CLUSTER_NAME=production-gke
  export LOCATION=us-central1
  export LOCATION_FLAG=--region

  ./k8studio-gke-sso-lab.sh login
  ./k8studio-gke-sso-lab.sh install-plugin
  ./k8studio-gke-sso-lab.sh kubeconfig
  ./k8studio-gke-sso-lab.sh verify
HELP_TAIL
}

# Stop the script unless the shell can resolve the named command.
# Arguments: $1 - command name to look up with `command -v`
# Outputs:   one error line on stderr when the lookup fails
# Returns:   0 when found; otherwise exits the script with status 1
require_command() {
  local tool="$1"

  if command -v "${tool}" >/dev/null 2>&1; then
    return 0
  fi

  printf '%s\n' "Missing required command: ${tool}" >&2
  exit 1
}

# Stop the script unless the named variable holds a non-empty value.
# Arguments: $1 - name of the variable to check (looked up indirectly)
# Outputs:   one error line on stderr when the variable is unset or empty
# Returns:   0 when a value is present; otherwise exits with status 1
require_env() {
  local name="$1"

  # ${!name:-} reads the variable whose name is stored in $name; the :-
  # fallback keeps the lookup from tripping `set -u` when it is unset.
  if [[ -n "${!name:-}" ]]; then
    return 0
  fi

  printf '%s\n' "Missing required environment variable: ${name}" >&2
  exit 1
}

# Start the interactive Google Cloud login, then show the credentialed
# accounts so the operator can confirm which identity is now active.
login() {
  require_command gcloud

  local auth_step
  for auth_step in login list; do
    gcloud auth "${auth_step}"
  done
}

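# Make sure gke-gcloud-auth-plugin is available and report which one is used.
# Outputs: the resolved plugin location and its --version output on stdout
# Returns: 0 on success; exits with status 1 when gcloud or the plugin is
#          still missing after the install attempt
install_plugin() {
  require_command gcloud

  # Only call the component installer when the plugin is not already
  # resolvable, so a plugin provided some other way is accepted as-is and
  # the command can be re-run safely.
  if ! command -v gke-gcloud-auth-plugin >/dev/null 2>&1; then
    gcloud components install gke-gcloud-auth-plugin
  fi

  # Fail with the script's own message rather than a bare "command not
  # found" when the install did not put the plugin on PATH.
  require_command gke-gcloud-auth-plugin

  # Show which binary name resolution picks: this is the program that gets
  # executed for cluster authentication, so it should be the expected one.
  echo "Using gke-gcloud-auth-plugin at: $(command -v gke-gcloud-auth-plugin)"
  gke-gcloud-auth-plugin --version
}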

# List the GKE clusters in PROJECT_ID.
# Globals: PROJECT_ID (read, must be non-empty)
# Note:    `gcloud config set project` also changes the project stored in
#          the caller's gcloud configuration, not just this invocation.
list_clusters() {
  require_command gcloud
  require_env PROJECT_ID

  local -r project="${PROJECT_ID}"
  gcloud config set project "${project}"
  gcloud container clusters list --project "${project}"
}

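# Fetch credentials for the configured cluster into KUBECONFIG_PATH.
# Globals: PROJECT_ID, CLUSTER_NAME, LOCATION (read, must be non-empty),
#          LOCATION_FLAG, KUBECONFIG_PATH (read)
# Outputs: the path of the written kubeconfig on stdout
# Returns: 0 on success; exits with status 1 on a missing prerequisite or
#          an unsupported LOCATION_FLAG
write_kubeconfig() {
  require_command gcloud
  require_env PROJECT_ID
  require_env CLUSTER_NAME
  require_env LOCATION

  # LOCATION_FLAG is placed on the gcloud command line as a flag of its own,
  # so accept only the location selectors instead of any string found in
  # the environment.
  case "${LOCATION_FLAG}" in
    --region | --zone | --location) ;;
    *)
      echo "Invalid LOCATION_FLAG: ${LOCATION_FLAG} (expected --region, --zone or --location)" >&2
      exit 1
      ;;
  esac

  local kubeconfig_dir
  kubeconfig_dir="$(dirname -- "${KUBECONFIG_PATH}")"

  # An exec-auth kubeconfig names a program that kubectl runs as the calling
  # user, so write access to the file amounts to running code as that user.
  # Create anything new owner-only; an existing directory keeps its mode.
  (umask 077 && mkdir -p -- "${kubeconfig_dir}")

  # Note: this also changes the project stored in the caller's gcloud
  # configuration; --project below is what scopes the credentials call.
  gcloud config set project "${PROJECT_ID}"

  (
    umask 077 &&
      KUBECONFIG="${KUBECONFIG_PATH}" gcloud container clusters get-credentials "${CLUSTER_NAME}" \
        "${LOCATION_FLAG}" "${LOCATION}" \
        --project "${PROJECT_ID}"
  )

  # gcloud may already restrict the file; enforce it here so the result does
  # not depend on the tool version or on a pre-existing file's mode.
  chmod 600 -- "${KUBECONFIG_PATH}"

  echo "Wrote kubeconfig:"
  echo "${KUBECONFIG_PATH}"
}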

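# Check that kubectl can reach the cluster through the lab kubeconfig.
# Globals: KUBECONFIG_PATH (read, must be non-empty)
# Outputs: kubectl output on stdout; an error on stderr when the kubeconfig
#          file is missing or unreadable
# Returns: 0 when both kubectl checks succeed; exits with status 1 when a
#          prerequisite or the kubeconfig file is missing
verify() {
  require_command kubectl
  require_env KUBECONFIG_PATH

  # Refuse to continue without the file. Otherwise kubectl could fall back
  # to whatever default configuration it finds, and the checks below would
  # no longer be exercising the lab kubeconfig.
  if [[ ! -f "${KUBECONFIG_PATH}" || ! -r "${KUBECONFIG_PATH}" ]]; then
    echo "Kubeconfig not found or not readable: ${KUBECONFIG_PATH}" >&2
    echo "Run the kubeconfig command first." >&2
    exit 1
  fi

  KUBECONFIG="${KUBECONFIG_PATH}" kubectl get nodes
  # Authorization probe: asks whether the current identity may list pods in
  # every namespace. A non-zero exit here stops the script under `set -e`.
  KUBECONFIG="${KUBECONFIG_PATH}" kubectl auth can-i list pods --all-namespaces
}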

# Revoke Google Cloud credentials held by gcloud.
# Globals: ACCOUNT_EMAIL (read) - when non-empty it is passed to gcloud as
#          the account to revoke; when empty, gcloud gets no account argument
logout() {
  require_command gcloud

  local -a revoke_args=(auth revoke)
  if [[ -n "${ACCOUNT_EMAIL}" ]]; then
    # NOTE(review): the value goes to gcloud verbatim as one argument.
    revoke_args+=("${ACCOUNT_EMAIL}")
  fi

  gcloud "${revoke_args[@]}"
}

# Dispatch on the first argument. No argument, or any help spelling, prints
# the usage text and exits successfully.
case "${1:-}" in
  login)          login ;;
  install-plugin) install_plugin ;;
  list-clusters)  list_clusters ;;
  kubeconfig)     write_kubeconfig ;;
  verify)         verify ;;
  logout)         logout ;;
  "" | help | -h | --help)
    usage
    ;;
  *)
    # Anything else is an error: name it on stderr, show the help, fail.
    printf '%s\n' "Unknown command: $1" >&2
    usage
    exit 1
    ;;
esac
