---
apiVersion: batch/v1
kind: Job
metadata:
  name: decidim-db-init
  namespace: decidim
spec:
  ttlSecondsAfterFinished: 300
  template:
    metadata:
      labels:
        component: db-init
    spec:
      restartPolicy: OnFailure
      securityContext:
        runAsNonRoot: true
        runAsUser: 999
        runAsGroup: 999
        fsGroup: 999
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: db-init
          image: postgres:17
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            readOnlyRootFilesystem: false
          command:
            - /bin/bash
            - -c
            - |
              set -e
              export PGPASSWORD="${POSTGRES_ADMIN_PASSWORD}"

              # Create database if it doesn't exist
              psql -h "${POSTGRES_HOST}" -U "${POSTGRES_ADMIN_USER}" -d postgres -tc "SELECT 1 FROM pg_database WHERE datname = '${DB_NAME}'" | grep -q 1 || \
                psql -h "${POSTGRES_HOST}" -U "${POSTGRES_ADMIN_USER}" -d postgres -c "CREATE DATABASE ${DB_NAME};"

              # Create user if it doesn't exist, or update password if it does
              psql -h "${POSTGRES_HOST}" -U "${POSTGRES_ADMIN_USER}" -d postgres -tc "SELECT 1 FROM pg_roles WHERE rolname = '${DB_USER}'" | grep -q 1 && \
                psql -h "${POSTGRES_HOST}" -U "${POSTGRES_ADMIN_USER}" -d postgres -c "ALTER USER ${DB_USER} WITH PASSWORD '${DB_PASSWORD}';" || \
                psql -h "${POSTGRES_HOST}" -U "${POSTGRES_ADMIN_USER}" -d postgres -c "CREATE USER ${DB_USER} WITH PASSWORD '${DB_PASSWORD}';"

              # Grant privileges
              psql -h "${POSTGRES_HOST}" -U "${POSTGRES_ADMIN_USER}" -d postgres -c "GRANT ALL PRIVILEGES ON DATABASE ${DB_NAME} TO ${DB_USER};"

              # Grant schema privileges (needed for Rails migrations)
              psql -h "${POSTGRES_HOST}" -U "${POSTGRES_ADMIN_USER}" -d "${DB_NAME}" -c "GRANT ALL ON SCHEMA public TO ${DB_USER};"

              echo "Database initialization completed successfully"
          env:
            - name: POSTGRES_HOST
              value: {{ .dbHostname }}
            - name: POSTGRES_ADMIN_USER
              value: postgres
            - name: POSTGRES_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: decidim-secrets
                  key: postgres.password
            - name: DB_NAME
              value: {{ .dbName }}
            - name: DB_USER
              value: {{ .dbUsername }}
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: decidim-secrets
                  key: dbPassword