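#!/usr/bin/env bash
# 02 series, verified one at a time:
#   clean up → deploy 02-01~02-04 individually (HTTP path checks) → deploy the TLS
#   matrix → verify the HTTPS hosts from onecloud.
# Usage: ./scripts/02-verify-nginx-matrix-individual.sh
# Prerequisites: `ssh ylc61` and `ssh onecloud` work non-interactively;
#                OpenWrt HAProxy on 18080/18443 is already deployed.
# Every setting below can be overridden from the environment.
set -euo pipefail

ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
REMOTE_HOST="${REMOTE_HOST:-ylc61}"            # k3s host on which kubectl is run
REMOTE_USER="${REMOTE_USER:-root}"
REMOTE_REPO="${REMOTE_REPO:-/root/实验室建设}"  # checkout on REMOTE_HOST that receives ansible/files
VERIFY_HOST="${VERIFY_HOST:-onecloud}"         # host that issues the curl requests
OPENWRT_IP="${OPENWRT_IP:-192.168.2.1}"         # HAProxy front end the requests are sent to
HTTP_PORT="${HTTP_PORT:-18080}"
HTTPS_PORT="${HTTPS_PORT:-18443}"
KUBECONFIG="${KUBECONFIG:-/etc/rancher/k3s/k3s.yaml}"  # path on REMOTE_HOST, not local

# ssh options are an array so a key path containing spaces survives expansion.
# BatchMode=yes disables password prompts and host-key confirmation: an unknown
# host key is rejected (not auto-accepted) and an unreachable host fails fast.
SSH_OPTS=(-o BatchMode=yes -o ConnectTimeout=10)
SSH_KEY="${ROOT_DIR}/.ssh/id_ed25519_k3s_192.168.2.61"
[[ -f "$SSH_KEY" ]] && SSH_OPTS+=(-i "$SSH_KEY")

# shq STR — single-quote STR for a remote POSIX shell (only ' needs escaping, as '\'').
# Every path interpolated into an ssh command line goes through this; the repo path
# is non-ASCII today and may one day contain spaces.
shq() {
  local s=$1
  s=${s//\'/\'\\\'\'}
  printf "'%s'" "$s"
}

# remote CMD — run CMD on REMOTE_HOST. stdin is closed so ssh never consumes the
# caller's input.
remote() {
  ssh "${SSH_OPTS[@]}" "${REMOTE_USER}@${REMOTE_HOST}" "$@" </dev/null
}

# rkubectl ARGS… — kubectl on REMOTE_HOST against the remote KUBECONFIG. ARGS are
# joined into one remote command line; callers shq() any argument that is a path.
rkubectl() {
  remote "KUBECONFIG=$(shq "$KUBECONFIG") kubectl $*"
}

# wait_for_pods SELECTOR — block until pods matching SELECTOR are Ready (120s budget).
# `kubectl wait` fails immediately with "no matching resources found" when the pod
# object has not been created yet, which is common right after `kubectl apply`, so
# poll briefly for the pod to exist before waiting on its condition.
wait_for_pods() {
  local selector=$1 i
  for i in 1 2 3 4 5 6; do
    [[ -n "$(rkubectl get pod -l "$selector" -n default -o name 2>/dev/null)" ]] && break
    sleep 5
  done
  rkubectl wait --for=condition=ready pod -l "$selector" -n default --timeout=120s
}

# fetch URL [CURL_ARGS…] — curl URL from VERIFY_HOST; prints the body followed by one
# line holding the HTTP status. Body and status come from the SAME request, so they
# cannot disagree (the old code issued two requests and could race a rollout).
# TLS verification stays ON (no -k): an untrusted certificate surfaces as "000",
# which is exactly what a TLS-matrix check must catch.
fetch() {
  local url=$1
  shift
  local cmd="curl -s --max-time 10 -w '\n%{http_code}' $(shq "$url")"
  local a
  for a in "$@"; do
    cmd+=" $(shq "$a")"
  done
  # curl's exit status is ignored on purpose: the trailing status line encodes failure.
  ssh "${SSH_OPTS[@]}" "$VERIFY_HOST" "$cmd 2>/dev/null" </dev/null || true
}

# expect_200 LABEL MARKER URL [CURL_ARGS…] — abort the run unless URL answers 200 and
# MARKER appears in the body. The marker check is what catches a request that was
# routed to the WRONG backend; a bare 200 would not. LABEL names the target in logs.
expect_200() {
  local label=$1 expect=$2 url=$3
  shift 3
  local out code body
  out=$(fetch "$url" "$@")
  # Last line is the status written by -w; everything before it is the body.
  if [[ "$out" == *$'\n'* ]]; then
    code=${out##*$'\n'}
    body=${out%$'\n'*}
  else
    code=$out      # empty when ssh itself failed
    body=""
  fi
  [[ "$code" =~ ^[0-9]{3}$ ]] || code="000"
  if [[ "$code" != "200" ]]; then
    echo " [FAIL] ${label} 返回 ${code}" >&2
    exit 1
  fi
  if [[ "$body" != *"$expect"* ]]; then
    echo " [FAIL] ${label} body 不含 ${expect}" >&2
    exit 1
  fi
  echo " [OK] ${label} 200 含 ${expect}"
}

echo "=== 02 系列 nginx 矩阵逐个验证(${REMOTE_HOST} + ${VERIFY_HOST})==="

# 1. Sync SSH keys and nginx-matrix to ylc61
echo "[0] 同步 SSH 密钥与 ansible 到 ${REMOTE_HOST}..."
if [[ -d "${ROOT_DIR}/.ssh" ]]; then
  # SECURITY: this ships the k3s node PRIVATE keys to /root/.ssh on REMOTE_HOST.
  # They are written through a remote `umask 077; cat` rather than scp, so the file
  # is never world-readable — not even for the instant before a later chmod — and a
  # missing .pub no longer makes the private key copy fail too (scp took both in one
  # invocation and the failure was silently swallowed).
  remote "mkdir -p /root/.ssh && chmod 700 /root/.ssh"
  for k in "${ROOT_DIR}"/.ssh/id_ed25519_k3s_192.168.2.6{1,2,3,4}; do
    for f in "$k" "${k}.pub"; do
      [[ -f "$f" ]] || continue
      ssh "${SSH_OPTS[@]}" "${REMOTE_USER}@${REMOTE_HOST}" \
          "umask 077; cat > $(shq "/root/.ssh/${f##*/}")" < "$f" \
        || echo " [WARN] 复制 ${f##*/} 到 ${REMOTE_HOST} 失败" >&2   # best effort, as before
    done
  done
fi
# The target directory must exist for the scp fallback (scp -r of several sources
# into a missing directory fails); rsync would have created it on its own.
remote "mkdir -p $(shq "${REMOTE_REPO}/ansible/files/nginx-matrix")"
# rsync --delete mirrors the local tree exactly; fall back to scp where rsync is
# missing on either side. rsync -e takes one string, so the options are joined here
# (this is the one spot a key path with spaces would break).
rsync -az -e "ssh ${SSH_OPTS[*]}" --delete "${ROOT_DIR}/ansible/files/nginx-matrix/" \
    "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_REPO}/ansible/files/nginx-matrix/" 2>/dev/null \
  || scp -r "${SSH_OPTS[@]}" "${ROOT_DIR}/ansible/files/nginx-matrix/"* \
         "${REMOTE_USER}@${REMOTE_HOST}:${REMOTE_REPO}/ansible/files/nginx-matrix/"

# 2. Remove every nginx-matrix resource so each deployment is verified from a clean slate
echo "[1] 清理 nginx 矩阵(path-based + TLS)..."
rkubectl delete deployment,svc -n default nginx-m1 nginx-m2 nginx-m3 nginx-m4 --ignore-not-found=true
rkubectl delete ingress -n default nginx-m1 nginx-m3 nginx-m1-http nginx-m3-http --ignore-not-found=true
rkubectl delete ingressroute -n default nginx-m2 nginx-m4 nginx-m2-http nginx-m4-http --ignore-not-found=true
rkubectl delete middleware -n default stripprefix-m1 stripprefix-m2 stripprefix-m3 stripprefix-m4 --ignore-not-found=true
rkubectl delete configmap -n default nginx-m1-html nginx-m2-html nginx-m3-html nginx-m4-html --ignore-not-found=true
sleep 2

# 3. Deploy 02-01~02-04 one at a time and verify each over plain HTTP.
# Entry format: manifest:url-path:marker (M1..M4 must appear in the served body).
MATRIX=(
  "01-control-ingress.yaml:demo-m1:M1"
  "02-control-ingressroute.yaml:demo-m2:M2"
  "03-worker-ingress.yaml:demo-m3:M3"
  "04-worker-ingressroute.yaml:demo-m4:M4"
)
for item in "${MATRIX[@]}"; do
  IFS=: read -r file path expect <<< "$item"
  echo "[2] 部署 ${file}(${path} → ${expect})..."
  rkubectl apply -f "$(shq "${REMOTE_REPO}/ansible/files/nginx-matrix/${file}")"
  wait_for_pods "app=nginx-m${expect#M}"
  expect_200 "/${path}/" "$expect" "http://${OPENWRT_IP}:${HTTP_PORT}/${path}/"
done

# 4. Deploy the TLS matrix
echo "[3] 部署 nginx TLS 矩阵..."
"${ROOT_DIR}/scripts/01-08-deploy-nginx-tls-via-ylc61.sh"

# 5. Verify HTTPS (test01~04).
# --resolve pins each hostname to OPENWRT_IP so the check exercises the HAProxy/SNI
# path regardless of public DNS, while the certificate must still validate for the
# real hostname (fetch() never passes -k).
echo "[4] 经 ${VERIFY_HOST} 验证 HTTPS(test01~04.jackadam.top:${HTTPS_PORT})..."
HTTPS_HOSTS="test01.jackadam.top,test02.jackadam.top,test03.jackadam.top,test04.jackadam.top"
IFS=',' read -ra HOSTS <<< "$HTTPS_HOSTS"
for i in "${!HOSTS[@]}"; do
  host="${HOSTS[$i]}"
  expect="M$((i+1))"   # test0N must be served by backend MN
  expect_200 "https://${host}:${HTTPS_PORT}/" "$expect" "https://${host}:${HTTPS_PORT}/" \
    --resolve "${host}:${HTTPS_PORT}:${OPENWRT_IP}"
done

echo ""
echo "[PASS] 02 系列 nginx 矩阵逐个验证通过(02-01~02-04 HTTP path + TLS domain)"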