#!/usr/bin/env bash
# nerf-kubectl-get-secrets -- List Secret metadata with .data, .stringData, and ALL metadata.annotations removed. Cannot reveal secret values. Annotations are dropped wholesale because kubectl apply stores the rendered manifest (including .data) in the last-applied-configuration annotation, and operator-injected annotations may carry sensitive content. Labels are preserved. For secret values, go through az-keyvault or the secret-syncing source.
# Generated from kubectl manifest. Do not edit directly.
# nerf:threat:read=remote
# nerf:threat:write=none

# Strict mode: stop on unhandled command failure, on expansion of an unset
# variable, and when any stage of a pipeline fails. The last one matters for
# the final `kubectl | jq` pipeline: a kubectl failure is reported as a
# non-zero exit instead of being masked by jq's own status.
set -o errexit -o nounset -o pipefail

# Dry-run flag. It is assigned unconditionally, so a value inherited from the
# caller's environment is discarded; only the --nerf-dry-run switch enables it.
_NERF_DRY_RUN=''

#######################################
# Print the command synopsis and option reference, then terminate.
# Arguments: none
# Outputs:   help text on stderr (nothing on stdout)
# Returns:   does not return; exits the script with status 1
#######################################
usage() {
  # Quoted delimiter: the text is emitted literally, with no expansion.
  cat <<'USAGE' 1>&2
Usage: nerf-kubectl-get-secrets [--all-namespaces|-A] [--namespace|-n <namespace>] [--selector|-l <selector>] [<name>]

Switches:
  --all-namespaces, -A
      List across all namespaces

Options:
  --namespace, -n <namespace>
      Namespace
      Must match: ^[a-z0-9-]+$
  --selector, -l <selector>
      Label selector

Arguments:
  <name>
      Specific secret name (optional)
      Must match: ^[a-z0-9.-]+$

List Secret metadata with .data, .stringData, and ALL metadata.annotations removed. Cannot reveal secret values. Annotations are dropped wholesale because kubectl apply stores the rendered manifest (including .data) in the last-applied-configuration annotation, and operator-injected annotations may carry sensitive content. Labels are preserved. For secret values, go through az-keyvault or the secret-syncing source.
USAGE
  exit 1
}

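# Parsed option state. Each _*_SET flag records that the option was seen, so a
# repeated option is rejected and an explicitly empty value can still be told
# apart from "not given" by the validation that follows.
ALL_NAMESPACES=""
NAMESPACE=""
_NAMESPACE_SET=""
SELECTOR=""
_SELECTOR_SET=""

# Consume leading switches and options. Parsing stops at "--" or at the first
# word that is not a recognised option; whatever remains in "$@" is treated as
# positional. An unrecognised "-x" word therefore becomes the candidate <name>,
# which the later leading-dash check rejects.
while [[ $# -gt 0 ]]; do
  case "$1" in
    --all-namespaces|-A)
      if [[ -n "${ALL_NAMESPACES}" ]]; then
        echo "error: --all-namespaces can only be specified once" >&2
        exit 1
      fi
      ALL_NAMESPACES="true"
      shift 1
      ;;
    --namespace|-n)
      if [[ -n "${_NAMESPACE_SET}" ]]; then
        echo "error: --namespace can only be specified once" >&2
        exit 1
      fi
      # Without this guard a trailing "--namespace" dies on the unset "$2"
      # under `set -u` with an unhelpful "unbound variable" message.
      if [[ $# -lt 2 ]]; then
        echo "error: nerf-kubectl-get-secrets: option --namespace requires a value" >&2
        exit 1
      fi
      NAMESPACE="$2"
      _NAMESPACE_SET=true
      shift 2
      ;;
    --selector|-l)
      if [[ -n "${_SELECTOR_SET}" ]]; then
        echo "error: --selector can only be specified once" >&2
        exit 1
      fi
      if [[ $# -lt 2 ]]; then
        echo "error: nerf-kubectl-get-secrets: option --selector requires a value" >&2
        exit 1
      fi
      # The selector is not pattern-checked; it is only ever passed to kubectl
      # as a single argv element following --selector.
      SELECTOR="$2"
      _SELECTOR_SET=true
      shift 2
      ;;
    --nerf-dry-run)
      _NERF_DRY_RUN="true"
      shift 1
      ;;
    -h|--help)
      usage
      ;;
    --)
      shift
      break
      ;;
    *)
      break
      ;;
  esac
done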

# Positional handling: at most one <name> is accepted. _NAME_SET records that
# a positional was supplied, independently of whether its value is empty.
NAME=""
_NAME_SET=""
if (( $# > 0 )); then
  NAME="$1"
  _NAME_SET=true
  shift
fi

# Anything still left over is refused rather than forwarded to kubectl, so
# extra words (including option-like ones placed after <name>) never reach it.
if (( $# > 0 )); then
  {
    echo "error: nerf-kubectl-get-secrets: unexpected extra arguments: $*"
    echo "  hint: switches and options must come before positional arguments"
  } >&2
  exit 1
fi

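#######################################
# Test a value against an extended regular expression under the C locale.
# Bracket ranges such as [a-z] are collation-dependent outside the C/POSIX
# locale and may accept characters other than ASCII lowercase; pinning the
# locale for the match keeps the allow-list independent of the caller's
# LANG/LC_* settings.
# Arguments: $1 - value to test
#            $2 - ERE pattern
# Returns:   0 if the whole pattern matches, non-zero otherwise
#######################################
_nerf_matches() {
  local LC_ALL=C
  [[ "$1" =~ $2 ]]
}

# --namespace: checked whenever the option was given, so an explicitly empty
# value is rejected too (the pattern requires at least one character).
_NERF_PATTERN='^[a-z0-9-]+$'
if [[ -n "${_NAMESPACE_SET}" ]] && ! _nerf_matches "${NAMESPACE}" "${_NERF_PATTERN}"; then
  echo "error: nerf-kubectl-get-secrets: option --namespace does not match required pattern" >&2
  echo "  value:   \"${NAMESPACE}\"" >&2
  echo "  pattern: ^[a-z0-9-]+$" >&2
  echo "  hint: value must match ^[a-z0-9-]+$" >&2
  exit 1
fi

# <name> is placed on the kubectl command line as a bare word, so a leading
# dash would be read by kubectl as an option. Reject it before the pattern
# check (the pattern alone would allow a leading '-').
if [[ -n "${_NAME_SET}" ]] && [[ "${NAME}" == -* ]]; then
  echo "error: nerf-kubectl-get-secrets: <name> cannot start with '-'" >&2
  echo "  hint: use -- before positional arguments if needed" >&2
  exit 1
fi

# <name>: lowercase alphanumerics, '.' and '-' only. No '/', '=' or whitespace
# can get through.
_NERF_PATTERN='^[a-z0-9.-]+$'
if [[ -n "${_NAME_SET}" ]] && ! _nerf_matches "${NAME}" "${_NERF_PATTERN}"; then
  echo "error: nerf-kubectl-get-secrets: argument <name> does not match required pattern" >&2
  echo "  value:   \"${NAME}\"" >&2
  echo "  pattern: ^[a-z0-9.-]+$" >&2
  echo "  hint: value must match ^[a-z0-9.-]+$" >&2
  exit 1
fi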

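# jq performs the redaction, so refuse to run at all when it is unavailable.
# `command -v` is a shell builtin; the external `which` may itself be missing
# on minimal images, which would report jq as absent even when it is installed.
if ! command -v jq > /dev/null 2>&1; then
  echo 'error: nerf-kubectl-get-secrets: jq is required but not installed (e.g. apt-get install jq, brew install jq).' >&2
  exit 1
fi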

# Dry run: report and stop before anything is sent to the cluster. By this
# point the arguments have already been parsed and validated, so a dry run
# still surfaces argument errors.
case "$_NERF_DRY_RUN" in
  true)
    printf '%s\n' "dry-run: nerf-kubectl-get-secrets would run inline script"
    exit 0
    ;;
esac

# Assemble the kubectl invocation as an argv array so each value stays a
# single argument; nothing is re-parsed by the shell.
ARGS=(kubectl get secrets)
if [[ -n "${NAME}" ]]; then
  ARGS+=("${NAME}")
fi
if [[ -n "${NAMESPACE}" ]]; then
  ARGS+=(--namespace "${NAMESPACE}")
fi
if [[ -n "${ALL_NAMESPACES}" ]]; then
  ARGS+=(--all-namespaces)
fi
if [[ -n "${SELECTOR}" ]]; then
  ARGS+=(--selector "${SELECTOR}")
fi
ARGS+=(--output json)

# Redaction filter. walk() visits every object in the document, so the three
# keys are removed at any depth (a single Secret or each item of a List).
#
# Security notes:
# - kubectl still fetches the full Secret objects; .data is present in the
#   pipe and is only dropped locally by jq. This wrapper limits what is
#   printed, not what the credential in use is allowed to read.
# - This is a deny-list of three keys. Any other field is passed through
#   unchanged. NOTE(review): confirm no other field in your cluster's Secrets
#   can carry sensitive content.
# - kubectl's stdout goes only into jq, so if jq is missing a builtin or
#   rejects the input, nothing unredacted reaches stdout. kubectl's stderr is
#   not filtered.
_NERF_JQ_FILTER='walk(if type == "object" then
  del(.data, .stringData, .metadata.annotations)
else . end)'
"${ARGS[@]}" | jq "${_NERF_JQ_FILTER}"
