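package main

import (
	"context"
	"flag"
	"os"
	"strings"

	"git.pengzhan.dev/k8s-ds-secret-injection/pkg/webhook"
	corev1 "k8s.io/api/core/v1"
	apierrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
	_ "k8s.io/client-go/plugin/pkg/client/auth"
	ctrl "sigs.k8s.io/controller-runtime"
	"sigs.k8s.io/controller-runtime/pkg/client"
	"sigs.k8s.io/controller-runtime/pkg/healthz"
	"sigs.k8s.io/controller-runtime/pkg/log/zap"
	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
	webhookadmission "sigs.k8s.io/controller-runtime/pkg/webhook"
	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
)

const (
	// cleanupFinalizer marks Pods whose companion Secret must be removed before
	// the Pod is allowed to disappear. Nothing in this file adds it — presumably
	// the mutating webhook in pkg/webhook does; confirm there.
	cleanupFinalizer = "inject-ds-webhook.example.com/cleanup"

	// webhookPort is the port the admission server listens on.
	webhookPort = 9443

	// mutatePodPath is the HTTP path the Pod mutating webhook is served on.
	mutatePodPath = "/mutate-pod"
)

var (
	scheme   = runtime.NewScheme()
	setupLog = ctrl.Log.WithName("setup")
)

func init() {
	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
	// +kubebuilder:scaffold:scheme
}

// parseTargetDaemonSets turns the comma-separated --target-daemonsets value
// into a slice of whitespace-trimmed names.
//
// It keeps the original semantics on purpose: every comma-separated field is
// returned, so an empty flag value yields a single empty-string entry.
// NOTE(review): whether pkg/webhook treats that entry as "match nothing" or
// "match everything" is not visible here — confirm before filtering blanks.
func parseTargetDaemonSets(raw string) []string {
	names := strings.Split(raw, ",")
	for i, n := range names {
		names[i] = strings.TrimSpace(n)
	}
	return names
}

// main wires up the controller-runtime manager: the Pod mutating webhook on
// mutatePodPath, the PodController that cleans up companion Secrets, and the
// health/readiness probes.
func main() {
	var (
		metricsAddr          string
		enableLeaderElection bool
		probeAddr            string
		targetNS             string
		targetDS             string
	)
	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
	flag.BoolVar(&enableLeaderElection, "leader-election", false,
		"Enable leader election for controller manager. "+
			"Enabling this will ensure there is only one active controller manager.")
	flag.StringVar(&targetNS, "target-namespace", "gps-system", "The namespace to monitor.")
	flag.StringVar(&targetDS, "target-daemonsets", "", "Comma-separated list of DaemonSet names to monitor.")
	opts := zap.Options{
		Development: true,
	}
	opts.BindFlags(flag.CommandLine)
	flag.Parse()

	ctrl.SetLogger(zap.New(zap.UseFlagOptions(&opts)))

	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
		Scheme: scheme,
		Metrics: server.Options{
			BindAddress: metricsAddr,
		},
		WebhookServer: webhookadmission.NewServer(webhookadmission.Options{
			Port: webhookPort,
		}),
		HealthProbeBindAddress: probeAddr,
		LeaderElection:         enableLeaderElection,
		LeaderElectionID:       "inject-ds-lock",
	})
	if err != nil {
		setupLog.Error(err, "unable to start manager")
		os.Exit(1)
	}

	dsList := parseTargetDaemonSets(targetDS)

	// Register the mutating webhook. The mutator only sees the namespace and
	// DaemonSet names passed here; what it does with them lives in pkg/webhook.
	hookServer := mgr.GetWebhookServer()
	setupLog.Info("registering mutating webhook")
	decoder := admission.NewDecoder(scheme)
	mutator := &webhook.PodMutator{
		Client:       mgr.GetClient(),
		TargetNS:     targetNS,
		TargetDSList: dsList,
	}
	mutator.InjectDecoder(decoder)
	hookServer.Register(mutatePodPath, &admission.Webhook{
		Handler: mutator,
	})

	// Controller that removes the companion Secret once a Pod goes away.
	if err := (&PodController{
		Client:   mgr.GetClient(),
		TargetNS: targetNS,
	}).SetupWithManager(mgr); err != nil {
		setupLog.Error(err, "unable to create controller", "controller", "Pod")
		os.Exit(1)
	}

	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
		setupLog.Error(err, "unable to set up health check")
		os.Exit(1)
	}
	// Readiness follows the webhook listener rather than a bare ping, so the
	// Service does not route admission requests to this pod before the TLS
	// server is actually accepting connections.
	if err := mgr.AddReadyzCheck("readyz", hookServer.StartedChecker()); err != nil {
		setupLog.Error(err, "unable to set up ready check")
		os.Exit(1)
	}

	setupLog.Info("starting manager")
	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
		setupLog.Error(err, "problem running manager")
		os.Exit(1)
	}
}

// PodController watches Pods and deletes the Secret that shares a Pod's name
// once the Pod is terminating or gone. Only Pods in TargetNS are handled.
type PodController struct {
	client.Client
	// TargetNS is the only namespace whose Pods (and Secrets) are touched.
	TargetNS string
}

// Reconcile removes the companion Secret of a Pod in TargetNS once the Pod is
// terminating or already gone, then drops cleanupFinalizer so the API server
// can finish deleting the Pod.
//
// Only the name links a Pod to "its" Secret: the Secret deleted is the one with
// the same name and namespace as the Pod. The namespace guard at the top keeps
// this from ever touching Secrets outside TargetNS.
// NOTE(review): nothing here checks that the Secret was created by the webhook
// (label or ownerReference); an unrelated Secret that merely shares a Pod's
// name would be deleted too — confirm the naming scheme in pkg/webhook.
func (r *PodController) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
	if req.Namespace != r.TargetNS {
		return ctrl.Result{}, nil
	}
	log := ctrl.Log.WithValues("pod", req.NamespacedName)

	pod := &corev1.Pod{}
	if err := r.Get(ctx, req.NamespacedName, pod); err != nil {
		if !apierrors.IsNotFound(err) {
			return ctrl.Result{}, err
		}
		// The Pod is already gone (deleted without the finalizer, or the event
		// was observed late); remove the Secret just in case.
		return ctrl.Result{}, r.deleteCompanionSecret(ctx, req.Name, req.Namespace)
	}

	// Not terminating: nothing to do until a deletion is requested.
	if pod.DeletionTimestamp.IsZero() {
		return ctrl.Result{}, nil
	}

	log.Info("Pod deleting, cleaning up associated secret")
	if err := r.deleteCompanionSecret(ctx, pod.Name, pod.Namespace); err != nil {
		// Keep the finalizer until the Secret is really gone; the error requeues.
		return ctrl.Result{}, err
	}
	return ctrl.Result{}, r.removeCleanupFinalizer(ctx, pod)
}

// deleteCompanionSecret deletes the Secret called name in namespace. A Secret
// that does not exist is not an error, so the call is safe to repeat.
func (r *PodController) deleteCompanionSecret(ctx context.Context, name, namespace string) error {
	secret := &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:      name,
			Namespace: namespace,
		},
	}
	if err := r.Delete(ctx, secret); err != nil && !apierrors.IsNotFound(err) {
		return err
	}
	return nil
}

// removeCleanupFinalizer strips cleanupFinalizer from pod and persists the
// change. It is a no-op (no API call) when the finalizer is absent.
func (r *PodController) removeCleanupFinalizer(ctx context.Context, pod *corev1.Pod) error {
	kept := make([]string, 0, len(pod.Finalizers))
	for _, f := range pod.Finalizers {
		if f != cleanupFinalizer {
			kept = append(kept, f)
		}
	}
	if len(kept) == len(pod.Finalizers) {
		return nil
	}
	pod.Finalizers = kept
	return r.Update(ctx, pod)
}

// SetupWithManager registers the controller for Pod events. No predicate
// narrows the watch; the TargetNS filter is applied inside Reconcile.
func (r *PodController) SetupWithManager(mgr ctrl.Manager) error {
	return ctrl.NewControllerManagedBy(mgr).
		For(&corev1.Pod{}).
		Complete(r)
}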