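#!/usr/bin/env bash
#
# Build a Kubernetes Secret manifest locally from key=value pairs and encrypt
# it with kubeseal. The result is written to <secret-name>-sealed.yaml in the
# current directory.
#
# Usage: <script> <secret-name> <namespace> <key=value> [key=value...]
#
# Security notes:
#   - The plaintext Secret manifest only travels through the pipe between
#     kubectl and kubeseal; this script never writes it to disk.
#   - Secret values are passed as command-line arguments, so they end up in
#     shell history and are visible in the process list while the script and
#     its kubectl child run. Run it from a trusted workstation, keep the
#     command out of history, and do not enable `set -x` here.
set -euo pipefail

# Sealed Secrets controller whose public key kubeseal fetches for encryption.
readonly CONTROLLER_NAMESPACE="kube-system"
readonly CONTROLLER_NAME="sealed-secrets"

# Print an error to stderr and abort.
die() {
  printf 'Error: %s\n' "$*" >&2
  exit 1
}

if ! command -v kubeseal &>/dev/null; then
  echo "Error: kubeseal is not installed" >&2
  echo "Install: brew install kubeseal" >&2
  exit 1
fi

# kubectl produces the plaintext manifest; fail early with a clear message
# instead of a "command not found" from the middle of the pipeline.
command -v kubectl &>/dev/null || die "kubectl is not installed"

if [[ $# -lt 3 ]]; then
  {
    echo "Usage: $0 <secret-name> <namespace> <key=value> [key=value...]"
    echo ""
    echo "Example:"
    echo "  $0 api-secrets apps database-url=postgres://... valkey-url=redis://..."
  } >&2
  exit 1
fi

SECRET_NAME="$1"
NAMESPACE="$2"
shift 2

# The secret name becomes part of the output path and a positional kubectl
# argument: reject values that would escape the current directory or be
# parsed as an option.
case "$SECRET_NAME" in
  '' | -* | */*) die "invalid secret name '$SECRET_NAME'" ;;
esac

LITERAL_ARGS=()
pair_index=0
for pair in "$@"; do
  pair_index=$((pair_index + 1))
  # Never echo $pair in a diagnostic: it carries the secret value.
  [[ "$pair" == ?*=* ]] || die "key=value argument #${pair_index} is malformed"
  LITERAL_ARGS+=("--from-literal=$pair")
done

OUTPUT_FILE="${SECRET_NAME}-sealed.yaml"

# Seal into a temporary file first. Redirecting straight to the final name
# would leave an empty or truncated manifest behind when kubectl or kubeseal
# fails, and that file could then be committed by mistake.
TMP_FILE=$(mktemp "${OUTPUT_FILE}.XXXXXX") || die "cannot create temporary file"
trap 'rm -f -- "$TMP_FILE"' EXIT

echo "Sealing secret '$SECRET_NAME' in namespace '$NAMESPACE'..."

# --dry-run=client renders the manifest locally, so the plaintext Secret is
# not created in the cluster; only kubeseal's output reaches the disk.
kubectl create secret generic "$SECRET_NAME" \
  --namespace "$NAMESPACE" \
  --dry-run=client \
  -o yaml \
  "${LITERAL_ARGS[@]}" \
  | kubeseal \
    --format yaml \
    --controller-namespace "$CONTROLLER_NAMESPACE" \
    --controller-name "$CONTROLLER_NAME" \
    > "$TMP_FILE"

# Reached only when every pipeline stage succeeded (set -e with pipefail).
mv -f -- "$TMP_FILE" "$OUTPUT_FILE"

echo "Sealed secret written to ${OUTPUT_FILE}"
echo "Move this file to the appropriate k8s directory and commit it."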