#!/usr/bin/env bash
# nerf-az-aks-get-credentials-admin -- Fetch the cluster-admin (local accounts) kubeconfig for an AKS cluster. The fetched credentials grant cluster-admin via static client cert and bypass Azure RBAC entirely, so subsequent kubectl calls operate at the cluster-admin level. Marked admin so the harness can default-deny; only use for clusters where local accounts are intentionally enabled and admin access is required.
# Generated from az-aks manifest. Do not edit directly.
# nerf:threat:read=remote
# nerf:threat:write=admin

# Refuse to run on an interpreter older than bash 4 (the generator targets
# bash 4+; the stock bash on macOS is older, hence the hint). BASH_VERSINFO is
# defaulted to 0 so the test also fails safely if the variable is missing.
if (( ${BASH_VERSINFO[0]:-0} < 4 )); then
  printf '%s\n' "error: nerf-az-aks-get-credentials-admin requires bash 4+. Found bash ${BASH_VERSION:-unknown}" >&2
  printf '%s\n' "  hint: on macOS, install a newer bash via 'brew install bash'" >&2
  exit 1
fi

# Strict mode: abort on unhandled non-zero status, on unset variables, and
# when any stage of a pipeline fails.
set -o errexit
set -o nounset
set -o pipefail

# Set to "true" by --nerf-dry-run; the az argv is then printed instead of run.
_NERF_DRY_RUN=''

#######################################
# Print the usage text and exit non-zero.
# Outputs:  usage/help text on stderr (never stdout, so it cannot be
#           mistaken for a dry-run preview by a caller capturing stdout)
# Returns:  never returns; exits 1 (also for -h/--help)
#######################################
usage() {
  cat <<'EOF' >&2
Usage: nerf-az-aks-get-credentials-admin [--overwrite-existing] --resource-group|-g <resource_group> [--subscription <subscription>] <name>

Switches:
  --overwrite-existing
      Overwrite an existing kubeconfig entry with the same name

Options:
  --resource-group, -g <resource_group> (required)
      Resource group containing the cluster
  --subscription <subscription>
      Subscription name or ID (defaults to active)

Arguments:
  <name> (required)
      AKS cluster name

Maps to: az aks get-credentials --admin --resource-group <resource_group> --name <name> <overwrite_existing> <subscription>

Fetch the cluster-admin (local accounts) kubeconfig for an AKS cluster. The fetched credentials grant cluster-admin via static client cert and bypass Azure RBAC entirely, so subsequent kubectl calls operate at the cluster-admin level. Marked admin so the harness can default-deny; only use for clusters where local accounts are intentionally enabled and admin access is required.
EOF
  exit 1
}

# Option state. The *_SET flags record that an option was supplied at all, so
# a duplicate can be rejected even when the value given was the empty string.
OVERWRITE_EXISTING=''                    # "true" once --overwrite-existing is seen
RESOURCE_GROUP='' _RESOURCE_GROUP_SET=''  # --resource-group / -g
SUBSCRIPTION=''   _SUBSCRIPTION_SET=''    # --subscription

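# Parse switches and options. Parsing stops at "--" or at the first word that
# is not a recognised option; that word becomes the positional <name>. Every
# option may be given at most once. Options that take a value check the
# remaining argument count before touching $2: under 'set -u' a trailing
# "--resource-group" with no value would otherwise die with an unhelpful
# "unbound variable" message instead of a proper error.
while [[ $# -gt 0 ]]; do
  case "$1" in
    --overwrite-existing)
      if [[ -n "${OVERWRITE_EXISTING}" ]]; then
        echo "error: --overwrite-existing can only be specified once" >&2
        exit 1
      fi
      OVERWRITE_EXISTING="true"
      shift 1
      ;;
    --resource-group|-g)
      if [[ -n "${_RESOURCE_GROUP_SET}" ]]; then
        echo "error: --resource-group can only be specified once" >&2
        exit 1
      fi
      if [[ $# -lt 2 ]]; then
        echo "error: --resource-group requires a value" >&2
        echo "  hint: provide --resource-group <resource_group>" >&2
        exit 1
      fi
      RESOURCE_GROUP="$2"
      _RESOURCE_GROUP_SET=true
      shift 2
      ;;
    --subscription)
      if [[ -n "${_SUBSCRIPTION_SET}" ]]; then
        echo "error: --subscription can only be specified once" >&2
        exit 1
      fi
      if [[ $# -lt 2 ]]; then
        echo "error: --subscription requires a value" >&2
        echo "  hint: provide --subscription <subscription>" >&2
        exit 1
      fi
      SUBSCRIPTION="$2"
      _SUBSCRIPTION_SET=true
      shift 2
      ;;
    --nerf-dry-run)
      # Harness-internal flag, not listed in the usage text: print the az argv
      # instead of executing it.
      _NERF_DRY_RUN="true"
      shift 1
      ;;
    -h|--help)
      usage
      ;;
    --)
      shift
      break
      ;;
    *)
      break
      ;;
  esac
done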

# The first remaining word is the positional <name>; _NAME_SET distinguishes
# "not given" from "given as empty string". Anything left after it is an error,
# because option parsing stops at the first non-option word.
NAME=""
_NAME_SET=""
if (( $# > 0 )); then
  NAME=$1
  _NAME_SET=true
  shift
fi
if (( $# > 0 )); then
  printf '%s\n' "error: nerf-az-aks-get-credentials-admin: unexpected extra arguments: $*" >&2
  printf '%s\n' "  hint: switches and options must come before positional arguments" >&2
  exit 1
fi

# --resource-group is mandatory (an empty value counts as missing); report it
# and fall through to usage(), which exits 1.
if [[ -z "$RESOURCE_GROUP" ]]; then
  {
    printf '%s\n' "error: nerf-az-aks-get-credentials-admin: missing required option --resource-group"
    printf '%s\n' "  hint: provide --resource-group <value>"
  } >&2
  usage
fi

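# Reject a positional that looks like a flag: it would otherwise be forwarded
# to az verbatim as the cluster name. Note that "--" does not bypass this
# check (it only ends option parsing; the value still lands in NAME), so the
# hint must not advertise "--" as a workaround.
if [[ -n "${_NAME_SET}" && "${NAME}" == -* ]]; then
  echo "error: nerf-az-aks-get-credentials-admin: <name> cannot start with '-'" >&2
  echo "  hint: <name> is passed to az as the cluster name; a value beginning with '-' is rejected even after --" >&2
  exit 1
fi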

# <name> is mandatory (an empty string counts as missing); report it and fall
# through to usage(), which exits 1.
if [[ -z "$NAME" ]]; then
  {
    printf '%s\n' "error: nerf-az-aks-get-credentials-admin: missing required argument <name>"
    printf '%s\n' "  hint: provide a value for <name>"
  } >&2
  usage
fi

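# Build the az argv exactly once so the dry-run preview and the real call can
# never disagree about what gets executed. Optional words are appended only
# when their flag is set: ${FLAG:+"word"} expands to nothing at all (no empty
# argument) when FLAG is empty. "--admin" requests the local-accounts
# cluster-admin kubeconfig described in the file header; the
# nerf:threat:write=admin marker there is what lets the harness gate this.
_NERF_CMD=(az aks get-credentials --admin
  --resource-group "${RESOURCE_GROUP}"
  --name "${NAME}"
  ${OVERWRITE_EXISTING:+"--overwrite-existing"}
  ${_SUBSCRIPTION_SET:+"--subscription"} ${_SUBSCRIPTION_SET:+"$SUBSCRIPTION"})

if [[ "$_NERF_DRY_RUN" == "true" ]]; then
  # Preview only: print every argv word shell-quoted (%q) on one line and stop.
  # The argv carries identifiers only, never the fetched credentials.
  printf 'dry-run:'
  for _a in "${_NERF_CMD[@]}"; do printf ' %q' "$_a"; done
  echo
  exit 0
fi

# Replace this shell with az; its exit status becomes the wrapper's.
exec "${_NERF_CMD[@]}"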
