---
kind: pipeline
type: docker
name: prod-promotion

steps:
  - name: promote-tag-and-mirror
    image: google/cloud-sdk:latest
    entrypoint:
      - bash
      - -lc
      - |
        set -euo pipefail
        if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭  Skipping (PROMOTE=$PROMOTE)"; exit 0; fi

        IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
        SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo"
        DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
        [ -n "$IMG_TAG" ] || { echo "❌ IMG_TAG empty"; exit 2; }

        apt-get update -qq && apt-get install -y -qq skopeo

        TOKEN="$(gcloud auth print-access-token)"

        # Check which images already exist in PROD (so we don't try to push them)
        MISSING=""
        for s in server1 server2 server3 nginx; do
          REF="docker://$DST/$s:$IMG_TAG"
          if ! skopeo inspect --creds "oauth2accesstoken:$TOKEN" "$REF" >/dev/null 2>&1; then
            MISSING="$MISSING $s"
          fi
        done

        if [ -z "$MISSING" ]; then
          echo "✅ All images present in PROD for :$IMG_TAG — skipping mirror"
        else
          echo "🔁 Mirroring to PROD:$MISSING"
          for s in $MISSING; do
            SRC_REF="docker://$SRC/$s:$IMG_TAG"
            DST_REF="docker://$DST/$s:$IMG_TAG"
            echo "copy  $SRC_REF → $DST_REF"
            skopeo copy --insecure-policy \
              --src-creds  "oauth2accesstoken:$TOKEN" \
              --dest-creds "oauth2accesstoken:$TOKEN" \
              "$SRC_REF" "$DST_REF"
          done
        fi

        printf '%s' "$IMG_TAG" | gcloud secrets versions add IMG_TAG --data-file=- --project=aptivaai-prod >/dev/null
        echo "🏷 promoted IMG_TAG=$IMG_TAG"

  - name: verify-sync
    depends_on: [promote-tag-and-mirror]
    image: google/cloud-sdk:latest
    entrypoint:
      - bash
      - -lc
      - |
        set -euo pipefail
        if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭  Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
        
        IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
        PROD_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-prod)"
        [ "$IMG_TAG" = "$PROD_TAG" ] || { echo "❌ Tag mismatch: dev=$IMG_TAG prod=$PROD_TAG"; exit 1; }
        echo "✅ Tag parity confirmed: $IMG_TAG"

        DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
        apt-get update -qq && apt-get install -y -qq skopeo
        TOKEN="$(gcloud auth print-access-token)"
        for s in server1 server2 server3 nginx; do
          REF="docker://$DST/$s:$IMG_TAG"
          echo "🔎 verify $REF"
          skopeo inspect --creds "oauth2accesstoken:$TOKEN" "$REF" >/dev/null
        done
        echo "✅ Prod AR has all images at :$IMG_TAG"

  - name: security-scan
    depends_on: [verify-sync]
    image: google/cloud-sdk:latest
    entrypoint:
      - bash
      - -lc
      - |
        set -euo pipefail
        if [ "${PROMOTE:-}" != "prod" ]; then echo "⏭  Skipping (PROMOTE=$PROMOTE)"; exit 0; fi
        
        IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"
        REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"

        apt-get update -qq
        apt-get install -y -qq gnupg apt-transport-https curl ca-certificates
        curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash
        export PATH="$PATH:$(pwd)/bin"

        TOKEN="$(gcloud auth print-access-token)"
        for s in server1 server2 server3 nginx; do
          REF="$REG/$s:$IMG_TAG"
          echo "🛡  scan  $REF"
          trivy image --username oauth2accesstoken --password "$TOKEN" \
            --scanners vuln --ignore-unfixed --ignorefile .trivyignore \
            --exit-code 1 --severity CRITICAL "$REF"
        done

  - name: prod-deploy
    depends_on: [security-scan]
    image: google/cloud-sdk:latest
    entrypoint:
      - bash
      - -c
      - |
        set -euo pipefail
        [[ "${PROMOTE:-}" == "prod" ]] || { echo "⏭ Skipping (PROMOTE=$PROMOTE)"; exit 0; }

        mkdir -p ~/.ssh

        gcloud secrets versions access latest \
          --secret=PROD_SSH_KEY --project=aptivaai-dev \
          | base64 -d > ~/.ssh/id_ed25519
        chmod 600 ~/.ssh/id_ed25519

        PROD_SSH_TARGET="$(gcloud secrets versions access latest --secret=PROD_SSH_TARGET --project=aptivaai-dev)"
        IMG_TAG="$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev)"

        echo "🔑 SSH prerequisites installed"
        echo "🚀 Deploying tag $IMG_TAG to prod server $PROD_SSH_TARGET"

        cat <<EOSSH | ssh -T \
          -o ProxyCommand="gcloud compute start-iap-tunnel aptiva-prod-vm 22 \
            --project=aptivaai-prod --zone=us-central1-a \
            --listen-on-stdin --verbosity=error" \
          -o StrictHostKeyChecking=accept-new \
          -i ~/.ssh/id_ed25519 \
          "$PROD_SSH_TARGET" bash -s -- "$IMG_TAG"

        set -euo pipefail
        IMG_TAG="\${1:?IMG_TAG arg missing}"
        export IMG_TAG

        PROJECT=aptivaai-prod
        ENV=prod
        export PROJECT ENV

            # Pull runtime secrets (unchanged list)
            JWT_SECRET="$(gcloud secrets versions access latest --secret=JWT_SECRET_$ENV --project="$PROJECT")"; export JWT_SECRET
            OPENAI_API_KEY="$(gcloud secrets versions access latest --secret=OPENAI_API_KEY_$ENV --project="$PROJECT")"; export OPENAI_API_KEY
            ONET_USERNAME="$(gcloud secrets versions access latest --secret=ONET_USERNAME_$ENV --project="$PROJECT")"; export ONET_USERNAME
            ONET_PASSWORD="$(gcloud secrets versions access latest --secret=ONET_PASSWORD_$ENV --project="$PROJECT")"; export ONET_PASSWORD
            STRIPE_SECRET_KEY="$(gcloud secrets versions access latest --secret=STRIPE_SECRET_KEY_$ENV --project="$PROJECT")"; export STRIPE_SECRET_KEY
            STRIPE_PUBLISHABLE_KEY="$(gcloud secrets versions access latest --secret=STRIPE_PUBLISHABLE_KEY_$ENV --project="$PROJECT")"; export STRIPE_PUBLISHABLE_KEY
            STRIPE_WH_SECRET="$(gcloud secrets versions access latest --secret=STRIPE_WH_SECRET_$ENV --project="$PROJECT")"; export STRIPE_WH_SECRET
            STRIPE_PRICE_PREMIUM_MONTH="$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_MONTH_$ENV --project="$PROJECT")"; export STRIPE_PRICE_PREMIUM_MONTH
            STRIPE_PRICE_PREMIUM_YEAR="$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PREMIUM_YEAR_$ENV --project="$PROJECT")"; export STRIPE_PRICE_PREMIUM_YEAR
            STRIPE_PRICE_PRO_MONTH="$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_MONTH_$ENV --project="$PROJECT")"; export STRIPE_PRICE_PRO_MONTH
            STRIPE_PRICE_PRO_YEAR="$(gcloud secrets versions access latest --secret=STRIPE_PRICE_PRO_YEAR_$ENV --project="$PROJECT")"; export STRIPE_PRICE_PRO_YEAR
            DB_NAME="$(gcloud secrets versions access latest --secret=DB_NAME_$ENV --project="$PROJECT")"; export DB_NAME
            DB_HOST="$(gcloud secrets versions access latest --secret=DB_HOST_$ENV --project="$PROJECT")"; export DB_HOST
            DB_PORT="$(gcloud secrets versions access latest --secret=DB_PORT_$ENV --project="$PROJECT")"; export DB_PORT
            DB_USER="$(gcloud secrets versions access latest --secret=DB_USER_$ENV --project="$PROJECT")"; export DB_USER
            DB_PASSWORD="$(gcloud secrets versions access latest --secret=DB_PASSWORD_$ENV --project="$PROJECT")"; export DB_PASSWORD
            DB_SSL_CA="$(gcloud secrets versions access latest --secret=DB_SSL_CA_$ENV --project="$PROJECT")"; export DB_SSL_CA
            DB_SSL_CERT="$(gcloud secrets versions access latest --secret=DB_SSL_CERT_$ENV --project="$PROJECT")"; export DB_SSL_CERT
            DB_SSL_KEY="$(gcloud secrets versions access latest --secret=DB_SSL_KEY_$ENV --project="$PROJECT")"; export DB_SSL_KEY
            EMAIL_INDEX_SECRET="$(gcloud secrets versions access latest --secret=EMAIL_INDEX_SECRET_$ENV --project="$PROJECT")"; export EMAIL_INDEX_SECRET
            TWILIO_ACCOUNT_SID="$(gcloud secrets versions access latest --secret=TWILIO_ACCOUNT_SID_$ENV --project="$PROJECT")"; export TWILIO_ACCOUNT_SID
            TWILIO_AUTH_TOKEN="$(gcloud secrets versions access latest --secret=TWILIO_AUTH_TOKEN_$ENV --project="$PROJECT")"; export TWILIO_AUTH_TOKEN
            TWILIO_MESSAGING_SERVICE_SID="$(gcloud secrets versions access latest --secret=TWILIO_MESSAGING_SERVICE_SID_$ENV --project="$PROJECT")"; export TWILIO_MESSAGING_SERVICE_SID
            KMS_KEY_NAME="$(gcloud secrets versions access latest --secret=KMS_KEY_NAME_$ENV --project="$PROJECT")"; export KMS_KEY_NAME
            DEK_PATH="$(gcloud secrets versions access latest --secret=DEK_PATH_$ENV --project="$PROJECT")"; export DEK_PATH
            SUPPORT_SENDGRID_API_KEY="$(gcloud secrets versions access latest --secret=SUPPORT_SENDGRID_API_KEY_$ENV --project="$PROJECT")"; export SUPPORT_SENDGRID_API_KEY
            GOOGLE_MAPS_API_KEY="$(gcloud secrets versions access latest --secret=GOOGLE_MAPS_API_KEY_$ENV --project="$PROJECT")"; export GOOGLE_MAPS_API_KEY
            SERVER1_PORT="$(gcloud secrets versions access latest --secret=SERVER1_PORT_$ENV --project="$PROJECT")"; export SERVER1_PORT
            SERVER2_PORT="$(gcloud secrets versions access latest --secret=SERVER2_PORT_$ENV --project="$PROJECT")"; export SERVER2_PORT
            SERVER3_PORT="$(gcloud secrets versions access latest --secret=SERVER3_PORT_$ENV --project="$PROJECT")"; export SERVER3_PORT
            ENV_NAME="$(gcloud secrets versions access latest --secret=ENV_NAME_$ENV --project="$PROJECT")"; export ENV_NAME
            CORS_ALLOWED_ORIGINS="$(gcloud secrets versions access latest --secret=CORS_ALLOWED_ORIGINS_$ENV --project="$PROJECT" 2>/dev/null || true)"; export CORS_ALLOWED_ORIGINS="${CORS_ALLOWED_ORIGINS:-}"
            APTIVA_API_BASE="$(gcloud secrets versions access latest --secret=APTIVA_API_BASE_$ENV --project="$PROJECT")"; export APTIVA_API_BASE
            TOKEN_MAX_AGE_MS="$(gcloud secrets versions access latest --secret=TOKEN_MAX_AGE_MS_$ENV --project="$PROJECT")"; export TOKEN_MAX_AGE_MS
            COOKIE_SECURE="$(gcloud secrets versions access latest --secret=COOKIE_SECURE_$ENV --project="$PROJECT")"; export COOKIE_SECURE
            COOKIE_SAMESITE="$(gcloud secrets versions access latest --secret=COOKIE_SAMESITE_$ENV --project="$PROJECT")"; export COOKIE_SAMESITE
            ACCESS_COOKIE_NAME="$(gcloud secrets versions access latest --secret=ACCESS_COOKIE_NAME_$ENV --project="$PROJECT")"; export ACCESS_COOKIE_NAME
            export FROM_SECRETS_MANAGER=true

            cd /home/jcoakley_aptivaai_com

            # Make Artifact Registry creds available to root (docker compose runs under sudo)
            gcloud auth configure-docker us-central1-docker.pkg.dev -q
            sudo gcloud auth configure-docker us-central1-docker.pkg.dev -q

            sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,SUPPORT_SENDGRID_API_KEY,GOOGLE_MAPS_API_KEY,SERVER1_PORT,SERVER2_PORT,SERVER3_PORT,CORS_ALLOWED_ORIGINS,ENV_NAME,APTIVA_API_BASE,PROJECT,TOKEN_MAX_AGE_MS,COOKIE_SECURE,COOKIE_SAMESITE,ACCESS_COOKIE_NAME,EMAIL_INDEX_SECRET \
              docker compose pull

            sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH,SUPPORT_SENDGRID_API_KEY,GOOGLE_MAPS_API_KEY,SERVER1_PORT,SERVER2_PORT,SERVER3_PORT,CORS_ALLOWED_ORIGINS,ENV_NAME,APTIVA_API_BASE,PROJECT,TOKEN_MAX_AGE_MS,COOKIE_SECURE,COOKIE_SAMESITE,ACCESS_COOKIE_NAME,EMAIL_INDEX_SECRET \
              docker compose up -d --force-recreate --remove-orphans

            echo "✅ Prod stack refreshed with tag $IMG_TAG"
            EOSSH

    secrets:
      - PROD_SSH_KEY
      - PROD_SSH_TARGET

when:
  event:
    - manual
  branch:
    - master