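{{- /*
Post-install / post-upgrade hook Job: installs the ADC CLI at runtime, waits
for the gateway admin API, then validates and syncs /config/adc-config.yaml.

Review notes:
  - The pod holds the admin key and also downloads and runs an installer from
    the network on every run. Baking ADC into a pinned image would remove the
    runtime download and the need to run the package manager as root.
  - Both image tags are mutable; pinning by digest makes the hook reproducible.
  - The script shown here never calls the Kubernetes API; if nothing else
    needs it, the service account token does not have to be mounted.
*/ -}}
{{- if .Values.api7.enabled }}
{{- /* Resolve the backend once so the health check and the sync agree on the default. */}}
{{- $backend := .Values.api7.backend | default "api7ee" }}
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ include "api7ee.fullname" . }}-adc-sync
  labels:
    {{- include "api7ee.labels" . | nindent 4 }}
    app.kubernetes.io/component: adc-sync
  annotations:
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-weight": "10"
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
  backoffLimit: 3
  # NOTE(review): the gateway wait loop below can run for 30 x (10s sleep plus
  # up to 5s request timeout), which is longer than this deadline.
  activeDeadlineSeconds: 300
  template:
    metadata:
      labels:
        {{- include "api7ee.selectorLabels" . | nindent 8 }}
        app.kubernetes.io/component: adc-sync
    spec:
      restartPolicy: Never
      serviceAccountName: {{ include "api7ee.serviceAccountName" . }}
      {{- if .Values.api7.tls.certManager.enabled }}
      initContainers:
        - name: wait-for-certificate
          image: busybox:1.35
          command:
            - sh
            - -c
            - |
              echo "Waiting for TLS certificate to be ready..."
              while [ ! -f /etc/adc/tls/tls.crt ] || [ ! -f /etc/adc/tls/tls.key ]; do
                echo "Certificate not ready, waiting..."
                sleep 5
              done
              echo "Certificate is ready!"
          volumeMounts:
            # Dedicated directory: mounting the secret over /etc/ssl/certs
            # would hide the system CA bundle in the main container.
            - name: tls-certs
              mountPath: /etc/adc/tls
              readOnly: true
      {{- end }}
      containers:
        - name: adc-sync
          image: debian:bookworm-slim
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
            - -c
            - |
              set -e

              echo "Starting API7 ADC configuration sync..."

              # Install dependencies and ADC binary
              echo "Installing curl and dependencies..."
              if [ -f /etc/debian_version ]; then
                # Debian/Ubuntu
                apt-get update && apt-get install -y curl {{- if .Values.api7.autoPublish }} jq{{- end }}
              elif [ -f /etc/alpine-release ]; then
                # Alpine
                apk add --no-cache curl {{- if .Values.api7.autoPublish }} jq{{- end }}
              elif [ -f /etc/redhat-release ]; then
                # RHEL/CentOS
                yum install -y curl {{- if .Values.api7.autoPublish }} jq{{- end }}
              else
                echo "ERROR: Unsupported Linux distribution"
                exit 1
              fi

              # Download and install ADC binary.
              # NOTE(review): the installer is neither version-pinned nor
              # checksum-verified. It is fetched to a file first so a failed or
              # truncated download aborts the job instead of being executed, it
              # is restricted to HTTPS, and it runs without the admin key in
              # its environment.
              echo "Downloading ADC binary..."
              curl -fsSL --proto '=https' --tlsv1.2 -o /tmp/adc-install.sh "https://run.api7.ai/adc/install"
              env -u API7_ADMIN_KEY sh /tmp/adc-install.sh

              # Verify ADC installation.
              # POSIX redirection: "&>" is a bashism; under /bin/sh (dash) it
              # backgrounds the command and this check would always fail.
              if ! command -v adc >/dev/null 2>&1; then
                echo "ERROR: ADC installation failed"
                exit 1
              fi

              echo "ADC installed successfully"

              # Wait for API7 Gateway to be ready
              echo "Waiting for API7 Gateway to be available..."
              MAX_RETRIES=30
              RETRY_COUNT=0

              {{- if eq $backend "api7ee" }}
              # For API7 EE, check the version endpoint
              HEALTH_ENDPOINT="${API7_ADMIN_URL}/version"
              {{- else }}
              # For Apache APISIX, check the admin routes endpoint
              HEALTH_ENDPOINT="${API7_ADMIN_URL}/apisix/admin/routes"
              {{- end }}

              # 401 counts as ready: the admin API is answering, even though
              # this probe is not authenticated.
              while [ $RETRY_COUNT -lt $MAX_RETRIES ]; do
                HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" "${HEALTH_ENDPOINT}" \
                  {{- if eq $backend "apisix" }}
                  -H "X-API-KEY: ${API7_ADMIN_KEY}" \
                  {{- end }}
                  --max-time 5 || echo "000")

                if [ "$HTTP_CODE" = "200" ] || [ "$HTTP_CODE" = "401" ]; then
                  echo "API7 Gateway is ready! (HTTP $HTTP_CODE)"
                  break
                fi

                echo "API7 Gateway not ready (HTTP $HTTP_CODE), retrying... ($RETRY_COUNT/$MAX_RETRIES)"
                RETRY_COUNT=$((RETRY_COUNT + 1))
                sleep 10
              done

              if [ $RETRY_COUNT -eq $MAX_RETRIES ]; then
                echo "ERROR: API7 Gateway not ready after $MAX_RETRIES attempts"
                exit 1
              fi

              ADC_CONFIG=/config/adc-config.yaml

              {{- if .Values.api7.tls.certManager.enabled }}
              # Copy certificates to a writable directory; umask keeps the
              # private key copy readable by this user only.
              umask 077
              cp /etc/adc/tls/tls.crt /tmp/tls.crt
              cp /etc/adc/tls/tls.key /tmp/tls.key

              # /config is a read-only ConfigMap mount, so "sed -i" cannot edit
              # it in place: rewrite the certificate paths in a working copy.
              cp /config/adc-config.yaml /tmp/adc-config.yaml
              ADC_CONFIG=/tmp/adc-config.yaml
              sed -i 's|/etc/ssl/certs/tls.crt|/tmp/tls.crt|g' "${ADC_CONFIG}"
              sed -i 's|/etc/ssl/certs/tls.key|/tmp/tls.key|g' "${ADC_CONFIG}"
              {{- end }}

              # NOTE(review): on failure the whole configuration is written to
              # the pod log; confirm it never embeds credentials or key material.
              adc validate -f "${ADC_CONFIG}" || {
                echo "ERROR: Configuration validation failed"
                cat "${ADC_CONFIG}"
                exit 1
              }

              # Sync configuration to API7.
              # NOTE(review): --token puts the admin key on the process command
              # line. --tls-skip-verify (api7.adc.tlsSkipVerify) disables
              # certificate validation of the admin endpoint that receives that
              # key; keep it off outside test environments.
              echo "Syncing configuration to API7 Gateway..."
              adc sync -f "${ADC_CONFIG}" \
                --backend {{ $backend }} \
                --server "${API7_ADMIN_URL}" \
                --token "${API7_ADMIN_KEY}" \
                --gateway-group "${API7_GATEWAY_GROUP}" \
                {{- if .Values.api7.adc.tlsSkipVerify }}
                --tls-skip-verify \
                {{- end }}
                --verbose || {
                echo "ERROR: Failed to sync configuration"
                exit 1
              }

              echo "✅ API7 configuration sync completed successfully!"

              {{- if .Values.api7.autoPublish }}
              # Auto-publish routes
              echo "Auto-publishing routes..."

              # Get list of services and routes
              SERVICES=$(curl -s "${API7_ADMIN_URL}/apisix/admin/services" \
                -H "X-API-KEY: ${API7_ADMIN_KEY}" | jq -r '.list[].id' || echo "")

              for SERVICE_ID in $SERVICES; do
                echo "Publishing routes for service: $SERVICE_ID"

                # Get routes for this service
                ROUTES=$(curl -s "${API7_ADMIN_URL}/apisix/admin/services/${SERVICE_ID}/routes" \
                  -H "X-API-KEY: ${API7_ADMIN_KEY}" | jq -r '.list[].id' || echo "")

                for ROUTE_ID in $ROUTES; do
                  echo "Publishing route: $ROUTE_ID"
                  # -f turns HTTP error responses into a non-zero exit so the
                  # warning fires; jq builds the body so the gateway group
                  # value is JSON-escaped rather than spliced into a string.
                  curl -fsS -X POST "${API7_ADMIN_URL}/apisix/admin/services/${SERVICE_ID}/routes/${ROUTE_ID}/publish" \
                    -H "X-API-KEY: ${API7_ADMIN_KEY}" \
                    -H "Content-Type: application/json" \
                    -d "$(jq -cn --arg group "${API7_GATEWAY_GROUP}" '{gateway_group_id: $group}')" || {
                    echo "Warning: Failed to publish route $ROUTE_ID"
                  }
                done
              done

              echo "✅ Routes published successfully!"
              {{- end }}

              # Display summary
              echo ""
              echo "=========================================="
              echo "API7 Configuration Summary:"
              echo "=========================================="
              echo "Gateway URL: ${API7_ADMIN_URL}"
              echo "Gateway Group: ${API7_GATEWAY_GROUP}"
              echo "Hosts configured:"
              {{- range .Values.api7.hosts }}
              echo " - {{ . }}"
              {{- end }}
              {{- if .Values.api7.tls.enabled }}
              echo "TLS: Enabled"
              {{- end }}
              {{- if .Values.api7.serviceDiscovery.enabled }}
              echo "Service Discovery: Kubernetes"
              {{- end }}
              echo "=========================================="
              echo ""
              echo "Access your application at:"
              {{- range .Values.api7.hosts }}
              echo " {{ if $.Values.api7.tls.enabled }}https{{ else }}http{{ end }}://{{ . }}"
              {{- end }}
          env:
            # NOTE(review): the sprig "default" function treats false as
            # unset, so setting api7.adc.verbose to false still renders "true".
            - name: ADC_VERBOSE
              value: "{{ .Values.api7.adc.verbose | default true }}"
            - name: API7_ADMIN_URL
              valueFrom:
                secretKeyRef:
                  name: {{ include "api7ee.fullname" . }}-api7-admin
                  key: admin-url
            - name: API7_ADMIN_KEY
              valueFrom:
                secretKeyRef:
                  name: {{ include "api7ee.fullname" . }}-api7-admin
                  key: admin-key
            - name: API7_GATEWAY_GROUP
              valueFrom:
                secretKeyRef:
                  name: {{ include "api7ee.fullname" . }}-api7-admin
                  key: gateway-group
          volumeMounts:
            - name: adc-config
              mountPath: /config
              readOnly: true
            {{- if .Values.api7.tls.certManager.enabled }}
            # Kept out of /etc/ssl/certs so the CA bundle used by apt and curl
            # stays intact and the package install can still write there.
            - name: tls-certs
              mountPath: /etc/adc/tls
              readOnly: true
            {{- end }}
          resources:
            limits:
              cpu: 500m
              memory: 256Mi
            requests:
              cpu: 100m
              memory: 128Mi
      volumes:
        - name: adc-config
          configMap:
            name: {{ include "api7ee.fullname" . }}-adc-config
        {{- if .Values.api7.tls.certManager.enabled }}
        - name: tls-certs
          secret:
            secretName: {{ .Values.api7.tls.secretName | default (printf "%s-tls" (include "api7ee.fullname" .)) }}
        {{- end }}
{{- end }}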