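#!/usr/bin/env bash
# Emit a SealedSecret for newt-pangolin-auth (namespace newt).
# Prerequisites: sealed-secrets controller running; kubeseal client (same minor as controller).
# Rotate Pangolin/Newt credentials in the UI first if they were exposed, then set env vars and run:
#
#   export PANGOLIN_ENDPOINT='https://pangolin.example.com'
#   export NEWT_ID='...'
#   export NEWT_SECRET='...'
#   ./kubeseal-newt-pangolin-auth.sh > newt-pangolin-auth.sealedsecret.yaml
#   kubectl apply -f newt-pangolin-auth.sealedsecret.yaml
#
# Only kubeseal's output reaches stdout; diagnostics go to stderr, so the
# redirect above captures nothing but the manifest.
# Typing the values into `export` lines leaves them in shell history; reading
# them with `read -rs` before exporting avoids that.
#
set -euo pipefail

# Validate inputs in the main shell. The values are expanded inside process
# substitutions further down, where a ${VAR:?} failure would only end that
# subshell and kubectl would be handed an empty value instead of aborting.
: "${PANGOLIN_ENDPOINT:?}"
: "${NEWT_ID:?}"
: "${NEWT_SECRET:?}"

script_dir=$(dirname -- "$0")

# Best effort: apply the namespace manifest. Failure is tolerated because the
# Secret below is rendered client-side (--dry-run=client), but it is reported
# on stderr rather than swallowed. kubectl's own output stays discarded so it
# cannot end up in the redirected YAML.
if ! kubectl apply -f "${script_dir}/../../newt/namespace.yaml" >/dev/null 2>&1; then
  printf 'warning: could not apply %s; continuing\n' \
    "${script_dir}/../../newt/namespace.yaml" >&2
fi

# Feed each value through a process substitution instead of --from-literal:
# --from-literal puts the credential on kubectl's command line, where other
# local users can read it from the process list. printf is a shell builtin,
# so the value never appears in any process's argv. '%s' writes the value
# byte-for-byte with no trailing newline, matching what --from-literal stored.
kubectl -n newt create secret generic newt-pangolin-auth \
  --dry-run=client \
  --from-file=PANGOLIN_ENDPOINT=<(printf '%s' "${PANGOLIN_ENDPOINT}") \
  --from-file=NEWT_ID=<(printf '%s' "${NEWT_ID}") \
  --from-file=NEWT_SECRET=<(printf '%s' "${NEWT_SECRET}") \
  -o yaml \
  | kubeseal -o yaml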