---
apiVersion: batch/v1
kind: Job
metadata:
  name: elasticsearch-security-setup
  namespace: elasticsearch-system
  annotations:
    # Run this job after Elasticsearch is ready
    "helm.sh/hook": post-install,post-upgrade
    "helm.sh/hook-weight": "10"
    "helm.sh/hook-delete-policy": before-hook-creation
spec:
  template:
    metadata:
      labels:
        app: elasticsearch-security-setup
    spec:
      restartPolicy: Never
      initContainers:
      # Wait for Elasticsearch to be ready
      - name: wait-for-elasticsearch
        image: curlimages/curl:8.10.1
        command:
        - /bin/sh
        - -c
        - |
          echo "Waiting for Elasticsearch to be ready..."
          until curl -u "elastic:${ELASTIC_PASSWORD}" "http://elasticsearch-es-http:9200/_cluster/health?wait_for_status=yellow&timeout=300s"; do
            echo "Elasticsearch not ready yet, sleeping..."
            sleep 10
          done
          echo "Elasticsearch is ready!"
        env:
        - name: ELASTIC_PASSWORD
          valueFrom:
            secretKeyRef:
              name: elasticsearch-es-elastic-user
              key: elastic
      containers:
      - name: setup-security
        image: curlimages/curl:8.10.1
        command:
        - /bin/sh
        - -c
        - |
          echo "Setting up Elasticsearch security for Mastodon..."
          
          # Create mastodon_full_access role
          echo "Creating mastodon_full_access role..."
          curl -X POST -u "elastic:${ELASTIC_PASSWORD}" \
            "http://elasticsearch-es-http:9200/_security/role/mastodon_full_access" \
            -H 'Content-Type: application/json' \
            -d '{
              "cluster": ["monitor"],
              "indices": [{
                "names": ["*"],
                "privileges": ["read", "monitor", "write", "manage"]
              }]
            }'
          
          echo "Role creation response: $?"
          
          # Create mastodon user
          echo "Creating mastodon user..."
          curl -X POST -u "elastic:${ELASTIC_PASSWORD}" \
            "http://elasticsearch-es-http:9200/_security/user/mastodon" \
            -H 'Content-Type: application/json' \
            -d '{
              "password": "'"${MASTODON_PASSWORD}"'",
              "roles": ["mastodon_full_access"]
            }'
          
          echo "User creation response: $?"
          echo "Security setup completed!"
        env:
        - name: ELASTIC_PASSWORD
          valueFrom:
            secretKeyRef:
              name: elasticsearch-es-elastic-user
              key: elastic
        - name: MASTODON_PASSWORD
          valueFrom:
            secretKeyRef:
              name: elasticsearch-credentials
              key: password
        securityContext: {}
      nodeSelector: {}
      tolerations: []