# Rancher bootstrap credential chain:
#   random_password -> Vault KV (management/rancher) -> K8s Secret (cattle-system/bootstrap-secret)
#   -> rollout restart of the rancher deployment over SSH.
# NOTE(review): random_password.result, the Vault data_json and the Kubernetes
# secret data are all persisted in Terraform state; keep the state backend
# encrypted and access-restricted.

# Generated admin password for Rancher (20 alphanumeric characters, no symbols).
resource "random_password" "rancher_admin_password" {
  special = false
  length  = 20
}

# Persist the admin password in the "management" KV v2 mount under "rancher".
# delete_all_versions = true removes every secret version on destroy, not just the latest.
resource "vault_kv_secret_v2" "rancher_creds" {
  mount               = "management"
  name                = "rancher"
  delete_all_versions = true

  data_json = jsonencode({
    admin_password = random_password.rancher_admin_password.result
  })
}

# Bootstrap secret read by the Rancher Helm chart; the value is taken from the
# Vault resource above (same password, read back through its data attribute).
resource "kubernetes_secret" "bootstrap_secret" {
  type = "Opaque"

  metadata {
    namespace = "cattle-system"
    name      = "bootstrap-secret"

    # Helm hook annotations: created before install/upgrade, kept on uninstall.
    annotations = {
      "helm.sh/hook"                = "pre-install,pre-upgrade"
      "helm.sh/hook-weight"         = "-5"
      "helm.sh/resource-policy"     = "keep"
      "field.cattle.io/projectId"   = "local:p-q7vbv"
    }
  }

  data = {
    bootstrapPassword = vault_kv_secret_v2.rancher_creds.data["admin_password"]
  }
}

# Force a rollout of the Rancher deployment to pick up the new secret.
# Re-runs whenever the bootstrap password value changes.
resource "null_resource" "rancher_rollout" {
  depends_on = [kubernetes_secret.bootstrap_secret]

  triggers = {
    password_change = kubernetes_secret.bootstrap_secret.data["bootstrapPassword"]
  }

  provisioner "remote-exec" {
    # Runs kubectl on the node as var.node_username; the deployment name and
    # namespace are hard-coded here to match the secret's namespace above.
    inline = ["kubectl rollout restart deployment rancher -n cattle-system"]

    # SSH to the node with a private key fetched from a MinIO/S3 object.
    # NOTE(review): no host_key is set on this connection, so the remote
    # host's SSH key is not verified — confirm whether that is acceptable
    # for this environment or pin the node's host key here.
    connection {
      type        = "ssh"
      user        = var.node_username
      host        = var.node_ip
      private_key = data.minio_s3_object.id_rsa.content
    }
  }
}