#!/usr/bin/env bash
# nerf-kubectl-describe -- Describe a kubernetes resource. Refuses Secrets because "kubectl describe" prints the metadata.annotations section verbatim, and any Secret created via "kubectl apply" carries a kubectl.kubernetes.io/last-applied-configuration annotation containing the original (base64-encoded) .data, which would bypass kubectl-get-secrets' redaction.
# Generated from kubectl manifest. Do not edit directly.
# nerf:threat:read=remote
# nerf:threat:write=none

# Refuse to run on bash < 4. This guard sits before strict mode so that
# an old interpreter prints a readable message.
if (( ${BASH_VERSINFO[0]:-0} < 4 )); then
  {
    printf '%s\n' "error: nerf-kubectl-describe requires bash 4+. Found bash ${BASH_VERSION:-unknown}"
    printf '%s\n' "  hint: on macOS, install a newer bash via 'brew install bash'"
  } >&2
  exit 1
fi

# Strict mode: abort on unhandled errors, unset variables and failed
# pipeline stages, so a broken validation step cannot be skipped silently.
set -o errexit -o nounset -o pipefail

# Set to "true" by --nerf-dry-run; empty means "really run kubectl".
_NERF_DRY_RUN=""

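#######################################
# Print the help text and terminate.
# Arguments: none
# Outputs:   help text on stderr (stdout stays empty)
# Returns:   does not return; exits with status 1, including for -h/--help
# Note:      the "Maps to" line shows the namespace as an optional
#            --namespace flag, which is how the wrapper actually invokes
#            kubectl (it is never passed positionally).
#######################################
usage() {
  cat <<'EOF' >&2
Usage: nerf-kubectl-describe [--namespace|-n <namespace>] <resource> <name>

Options:
  --namespace, -n <namespace>
      Namespace
      Must match: ^[a-z0-9-]+$

Arguments:
  <resource> (required)
      Resource type (e.g. pod, deployment)
      Must match: ^[a-z][a-zA-Z0-9.-]*$
  <name> (required)
      Resource name
      Must match: ^[a-zA-Z0-9._-]+$

Maps to: kubectl describe <resource> <name> [--namespace <namespace>]

Describe a kubernetes resource. Refuses Secrets because "kubectl describe" prints the metadata.annotations section verbatim, and any Secret created via "kubectl apply" carries a kubectl.kubernetes.io/last-applied-configuration annotation containing the original (base64-encoded) .data, which would bypass kubectl-get-secrets' redaction.
EOF
  exit 1
}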

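NAMESPACE=""
_NAMESPACE_SET=""

#######################################
# Abort unless an option is followed by a value.
# Arguments: $1 - option name used in the error message
#            $2 - number of arguments still unparsed, option included
# Outputs:   error message on stderr when the value is missing
# Returns:   0 when a value is present; otherwise exits with status 1
#######################################
_nerf_require_value() {
  local -r opt=$1
  local -r remaining=$2
  if (( remaining < 2 )); then
    echo "error: nerf-kubectl-describe: option ${opt} requires a value" >&2
    exit 1
  fi
}

# Option scan. Only the options listed here are recognised; the first
# argument that is not one of them (or an explicit "--") ends the scan and
# everything after it is treated as positional. Unknown flags therefore
# fall through to the positional checks, which reject a leading '-'.
while [[ $# -gt 0 ]]; do
  case "$1" in
    --namespace|-n)
      if [[ -n "${_NAMESPACE_SET}" ]]; then
        echo "error: --namespace can only be specified once" >&2
        exit 1
      fi
      # Without this check a trailing "--namespace" only fails through
      # nounset's "unbound variable" message on $2.
      _nerf_require_value --namespace "$#"
      NAMESPACE="$2"
      _NAMESPACE_SET=true
      shift 2
      ;;
    --nerf-dry-run)
      _NERF_DRY_RUN="true"
      shift 1
      ;;
    -h|--help)
      usage
      ;;
    --)
      shift
      break
      ;;
    *)
      break
      ;;
  esac
done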

# Positional arguments: <resource> first, then <name>. The *_SET flags
# record that a value was supplied at all, so an explicitly empty argument
# can be told apart from a missing one by the checks that follow.
RESOURCE=""
_RESOURCE_SET=""
NAME=""
_NAME_SET=""

if (( $# > 0 )); then
  RESOURCE="$1"
  _RESOURCE_SET=true
  shift
fi

if (( $# > 0 )); then
  NAME="$1"
  _NAME_SET=true
  shift
fi

# Anything left over is rejected rather than forwarded, so no extra word
# (for example a flag placed after the positionals) can reach kubectl.
if (( $# > 0 )); then
  printf '%s\n' "error: nerf-kubectl-describe: unexpected extra arguments: $*" >&2
  printf '%s\n' "  hint: switches and options must come before positional arguments" >&2
  exit 1
fi

# --namespace, when given, must consist only of lowercase letters, digits
# and '-'. The check is skipped when the option was not supplied.
# NOTE(review): the rejected value is written to stderr as-is; if stderr
# is captured into logs, consider neutralising control characters there.
_NERF_PATTERN='^[a-z0-9-]+$'
if [[ -n "${_NAMESPACE_SET}" ]]; then
  if [[ ! "${NAMESPACE}" =~ ${_NERF_PATTERN} ]]; then
    {
      printf '%s\n' "error: nerf-kubectl-describe: option --namespace does not match required pattern"
      printf '  value:   "%s"\n' "${NAMESPACE}"
      printf '%s\n' '  pattern: ^[a-z0-9-]+$'
      printf '%s\n' '  hint: value must match ^[a-z0-9-]+$'
    } >&2
    exit 1
  fi
fi

# <resource> checks, in order: no leading '-', not empty, matches pattern.
# Rejecting a leading '-' keeps the value from being read as a kubectl
# flag once it is placed on the kubectl command line.
if [[ -n "${_RESOURCE_SET}" ]]; then
  case "${RESOURCE}" in
    -*)
      printf '%s\n' "error: nerf-kubectl-describe: <resource> cannot start with '-'" >&2
      printf '%s\n' "  hint: use -- before positional arguments if needed" >&2
      exit 1
      ;;
  esac
fi

if [[ "${RESOURCE}" == "" ]]; then
  printf '%s\n' "error: nerf-kubectl-describe: missing required argument <resource>" >&2
  printf '%s\n' "  hint: provide a value for <resource>" >&2
  usage
fi

# Commas and slashes are outside this pattern, so comma-separated type
# lists and the TYPE/NAME form cannot be passed through this argument.
_NERF_PATTERN='^[a-z][a-zA-Z0-9.-]*$'
if [[ -n "${_RESOURCE_SET}" && ! "${RESOURCE}" =~ ${_NERF_PATTERN} ]]; then
  {
    printf '%s\n' "error: nerf-kubectl-describe: argument <resource> does not match required pattern"
    printf '  value:   "%s"\n' "${RESOURCE}"
    printf '%s\n' '  pattern: ^[a-z][a-zA-Z0-9.-]*$'
    printf '%s\n' '  hint: value must match ^[a-z][a-zA-Z0-9.-]*$'
  } >&2
  exit 1
fi

# <name> checks, in order: no leading '-', not empty, matches pattern.
# Rejecting a leading '-' keeps the value from being read as a kubectl
# flag once it is placed on the kubectl command line.
if [[ -n "${_NAME_SET}" ]]; then
  case "${NAME}" in
    -*)
      printf '%s\n' "error: nerf-kubectl-describe: <name> cannot start with '-'" >&2
      printf '%s\n' "  hint: use -- before positional arguments if needed" >&2
      exit 1
      ;;
  esac
fi

if [[ "${NAME}" == "" ]]; then
  printf '%s\n' "error: nerf-kubectl-describe: missing required argument <name>" >&2
  printf '%s\n' "  hint: provide a value for <name>" >&2
  usage
fi

# The pattern has no '/' or ',', so <name> cannot carry a TYPE/NAME pair
# or a list that would select a different resource type.
_NERF_PATTERN='^[a-zA-Z0-9._-]+$'
if [[ -n "${_NAME_SET}" && ! "${NAME}" =~ ${_NERF_PATTERN} ]]; then
  {
    printf '%s\n' "error: nerf-kubectl-describe: argument <name> does not match required pattern"
    printf '  value:   "%s"\n' "${NAME}"
    printf '%s\n' '  pattern: ^[a-zA-Z0-9._-]+$'
    printf '%s\n' '  hint: value must match ^[a-zA-Z0-9._-]+$'
  } >&2
  exit 1
fi

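#######################################
# Report whether a resource-type argument names the Secret resource.
# The value is lower-cased before matching. A match is "secret" or
# "secrets" at the start of the value or after a comma, followed by the
# end of the value or by '.', ',' or '/'. This covers the bare type, the
# TYPE.VERSION.GROUP form, TYPE/NAME, and comma-separated type lists.
# Handling ',' here means the refusal does not depend on the <resource>
# pattern check to keep type lists out.
# Arguments: $1 - resource type as supplied by the caller
# Returns:   0 if the value refers to Secrets, 1 otherwise
#######################################
_nerf_is_secret_resource() {
  local -r deny_re='(^|,)secrets?($|[.,/])'
  # ${1,,} lower-cases without forking echo | tr (bash 4+ is required).
  [[ "${1,,}" =~ ${deny_re} ]]
}

# Secrets are refused because "kubectl describe" prints annotations
# verbatim, including last-applied-configuration with the raw .data.
# NOTE(review): this only filters the Secret type. Annotations of other
# kinds are printed too, so objects that embed credentials inline are not
# covered. Denying Secret reads in RBAC for the caller's credentials
# remains the authoritative control -- confirm it is in place.
if _nerf_is_secret_resource "${RESOURCE}"; then
  echo 'error: nerf-kubectl-describe: kubectl-describe refuses secrets (annotations may include last-applied-configuration with raw .data). Use kubectl-get-secrets which redacts.' >&2
  exit 1
fi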

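# Build the kubectl argv exactly once. The dry-run output and the real
# invocation both read this array, so the command shown by --nerf-dry-run
# cannot drift from the command that is executed.
_NERF_CMD=(kubectl describe "${RESOURCE}" "${NAME}")
if [[ -n "${_NAMESPACE_SET}" ]]; then
  _NERF_CMD+=(--namespace "${NAMESPACE}")
fi

if [[ "${_NERF_DRY_RUN}" == "true" ]]; then
  # %q shell-quotes every word, so the printed line is unambiguous.
  printf 'dry-run:'
  printf ' %q' "${_NERF_CMD[@]}"
  echo
  exit 0
fi

# exec replaces this shell with kubectl; nothing after this line runs.
# NOTE(review): kubectl is resolved through PATH and inherits the
# caller's environment -- confirm the wrapper runs with a trusted PATH
# and kubeconfig.
exec "${_NERF_CMD[@]}"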
