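---
# Deploys the Vault stack to the production Swarm and then verifies that every
# status probe sent through the shared alias reports `Sealed: false`.
name: Deploy Vault Stack to Production

# `on` is a YAML 1.1 boolean; GitHub's loader handles it, yamllint `truthy` does not.
# yamllint disable-line rule:truthy
on:
  push:
    branches:
      - prod-env

# Serialise production deploys; a deploy that is already running is never cancelled.
concurrency:
  group: vault-prod-deploy
  cancel-in-progress: false

jobs:
  deploy:
    runs-on: prod-runner
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Best effort: `docker network connect` fails when the runner is already
      # attached to the overlay network, so that error is ignored on purpose.
      - name: Connect Runner to Overlay Network
        run: docker network connect iklimco-net "$(hostname)" || true

      # Create a placeholder secret only when no secret with exactly this name
      # exists. The pattern is anchored at both ends so that a secret that merely
      # starts with the same prefix does not suppress creation.
      # NOTE(review): the placeholder value "bootstrap" is presumably replaced
      # later (vault-bootstrap.sh?) — confirm before relying on it.
      - name: Ensure vault_unseal_key placeholder exists
        run: |
          docker secret ls --format '{{.Name}}' | grep -q '^vault_unseal_key$' || \
            echo "bootstrap" | docker secret create vault_unseal_key -

      - name: Deploy Vault Stack
        run: |
          docker stack deploy \
            --with-registry-auth \
            -c docker-stack-vault.yml \
            iklimco

      # SKIP_DEPLOY is read by the bootstrap script; the stack was deployed above.
      - name: Run Bootstrap
        env:
          SKIP_DEPLOY: "true"
        run: bash vault-bootstrap.sh

      - name: Verify Vault Cluster Health
        run: |
          # Fire 9 requests to the shared alias (load-balanced across all 3 nodes).
          # Every request must return Sealed: false — one healthy node is not enough.
          # NOTE(review): 9 requests do not guarantee that every node behind the
          # alias is probed at least once — confirm the alias balancing behaviour.
          # NOTE(review): VAULT_SKIP_VERIFY=true disables TLS certificate checks for
          # this probe; if the cluster CA is available on the runner, pass it via
          # VAULT_CACERT instead.
          CHECKS=9
          UNHEALTHY=0
          for _ in $(seq 1 "$CHECKS"); do
            # `vault status` exits non-zero when sealed or unreachable, but awk is the
            # last command in the pipeline, so the pipeline's status is awk's (0) and
            # a `|| echo` fallback would never fire. Decide on the printed value
            # instead: only the literal "false" is healthy; "true" (sealed) and empty
            # output (unreachable, stderr discarded) both count as failures.
            SEALED=$(docker run --rm --network iklimco-net hashicorp/vault:2.0.1 \
              sh -c "VAULT_ADDR=https://vault.iklim.co:8200 VAULT_SKIP_VERIFY=true vault status 2>/dev/null" \
              | awk '/^Sealed/{print $2}')
            if [ "$SEALED" != "false" ]; then
              UNHEALTHY=$((UNHEALTHY+1))
            fi
            sleep 1
          done
          if [ "$UNHEALTHY" -eq 0 ]; then
            echo "Vault cluster is fully unsealed and healthy ($CHECKS/$CHECKS checks passed)"
          else
            echo "ERROR: $UNHEALTHY/$CHECKS checks returned sealed or unreachable"
            exit 1
          fi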