pipeline {
    agent any

    parameters {
        choice(name: 'env', choices: ['dev', 'test', 'prod'], description: '部署环境')
        string(name: 'NAMESPACE', defaultValue: 'portal-frontend', description: 'K8s 命名空间')
        string(name: 'DOMAIN', defaultValue: '', description: 'Ingress 域名（留空则不创建 Ingress）')
        string(name: 'TLS_SECRET', defaultValue: 'portal-tls', description: 'TLS Secret 名称（仅在 DOMAIN 非空时使用）')
        booleanParam(name: 'FORCE_UPDATE_CONFIG', defaultValue: false, description: '强制更新配置（包括 Deployment 和 Ingress）')
    }

    environment {
        PROJECT_NAME    = 'portal-frontend'
        BUILD_DIR       = 'dist'
        NODE_ENV        = 'production'
        HARBOR_HOST     = '8.130.28.21:81'
        KUBECONFIG_PATH = '/root/.kube/config'
        HARBOR_USER     = 'admin'
        HARBOR_PASS     = 'Hfln@1024'
        HARBOR_RETENTION_ID = '1'
    }

    stages {
        stage('🧬 初始化环境') {
            steps {
                script {
                    env.HARBOR_PROJECT = params.env
                    env.IMAGE_TAG = "${HARBOR_HOST}/${env.HARBOR_PROJECT}/${PROJECT_NAME}:${BUILD_NUMBER}"
                    echo ">>> 环境：${params.env}, Harbor项目：${env.HARBOR_PROJECT}, K8s命名空间：${params.NAMESPACE}"
                    if (params.DOMAIN?.trim()) {
                        echo ">>> 域名：${params.DOMAIN}, TLS Secret：${params.TLS_SECRET}"
                        echo ">>> 将使用 LoadBalancer 类型访问"
                    } else {
                        echo ">>> 未配置域名，将使用 NodePort 类型访问"
                    }
                    echo ">>> 强制更新配置：${params.FORCE_UPDATE_CONFIG}"
                }
            }
        }

        stage('📥 拉取代码') {
            steps {
                checkout scm
                echo "✅ 代码拉取成功"
            }
        }

       stage('🔐 配置 Ingress 控制器') {
           when {
               expression { params.DOMAIN?.trim() }
           }
           steps {
               script {
                   sh """
                       export KUBECONFIG=${KUBECONFIG_PATH}

                       echo ">>> 配置 Ingress 控制器为 LoadBalancer 类型..."

                       # 检查 Ingress 控制器 Service 类型
                       INGRESS_SERVICE_TYPE=\$(kubectl get svc ingress-nginx-controller -n ingress-nginx -o jsonpath='{.spec.type}')
                       echo ">>> 当前 Ingress 控制器类型: \${INGRESS_SERVICE_TYPE}"

                       if [ "\${INGRESS_SERVICE_TYPE}" != "LoadBalancer" ]; then
                           echo ">>> 修改 Ingress 控制器为 LoadBalancer 类型..."
                           kubectl patch svc ingress-nginx-controller -n ingress-nginx -p '{"spec":{"type":"LoadBalancer"}}'
                           echo "✅ Ingress 控制器已修改为 LoadBalancer 类型"
                           echo "⚠️  注意：外部 IP 分配可能需要一些时间，请稍后检查"
                       else
                           echo "✅ Ingress 控制器已经是 LoadBalancer 类型"
                       fi

                       # 显示当前状态
                       echo ">>> 当前 Ingress 控制器状态："
                       kubectl get svc ingress-nginx-controller -n ingress-nginx
                   """
               }
           }
       }

        stage('�� 验证 TLS Secret') {
            when {
                expression { params.DOMAIN?.trim() }
            }
            steps {
                script {
                    sh """
                        export KUBECONFIG=${KUBECONFIG_PATH}

                        # 验证 TLS Secret 是否存在
                        if ! kubectl get secret ${params.TLS_SECRET} -n ${params.NAMESPACE} >/dev/null 2>&1; then
                            echo "❌ TLS Secret '${params.TLS_SECRET}' 在命名空间 '${params.NAMESPACE}' 中不存在！"
                            echo "请先创建 TLS Secret："
                            echo "kubectl create secret tls ${params.TLS_SECRET} --cert=fullchain.pem --key=privkey.pem -n ${params.NAMESPACE}"
                            exit 1
                        fi

                        echo "✅ TLS Secret '${params.TLS_SECRET}' 验证成功"
                    """
                }
            }
        }

        stage('🔧 构建 Docker 镜像') {
            steps {
                script {
                    sh """
                        docker login -u ${HARBOR_USER} -p ${HARBOR_PASS} ${HARBOR_HOST}
                        docker build --build-arg ENV=${params.env} -t ${IMAGE_TAG} .
                    """
                    echo "✅ 镜像构建成功：${IMAGE_TAG}"
                }
            }
        }

        stage('🚀 推送镜像到 Harbor') {
            steps {
                script {
                    sh """
                        docker push ${IMAGE_TAG}
                        docker rmi ${IMAGE_TAG}
                    """
                    echo "✅ 镜像推送并本地清理完成"
                }
            }
        }

        stage(' Kubernetes 部署') {
            steps {
                script {
                    def domain = params.DOMAIN?.trim()
                    sh """
                        export KUBECONFIG=${KUBECONFIG_PATH}

                        # 确保命名空间存在
                        kubectl get ns ${params.NAMESPACE} >/dev/null 2>&1 || kubectl create ns ${params.NAMESPACE}

                        # 如果强制更新配置或 Deployment 不存在，则重新创建
                        if [ "${params.FORCE_UPDATE_CONFIG}" = "true" ] || ! kubectl get deployment ${PROJECT_NAME} -n ${params.NAMESPACE} >/dev/null 2>&1; then

                            if [ "${params.FORCE_UPDATE_CONFIG}" = "true" ]; then
                                echo ">>> 强制更新配置，删除现有资源..."
                                kubectl delete deployment ${PROJECT_NAME} -n ${params.NAMESPACE} --ignore-not-found=true
                                kubectl delete svc ${PROJECT_NAME} -n ${params.NAMESPACE} --ignore-not-found=true
                                kubectl delete svc ${PROJECT_NAME}-nodeport -n ${params.NAMESPACE} --ignore-not-found=true
                                kubectl delete ingress ${PROJECT_NAME}-ingress -n ${params.NAMESPACE} --ignore-not-found=true
                            fi

                            echo ">>> 创建 Deployment..."
                            kubectl apply -n ${params.NAMESPACE} -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ${PROJECT_NAME}
spec:
  replicas: 2
  selector:
    matchLabels:
      app: ${PROJECT_NAME}
  template:
    metadata:
      labels:
        app: ${PROJECT_NAME}
    spec:
      containers:
      - name: ${PROJECT_NAME}
        image: ${IMAGE_TAG}
        ports:
        - containerPort: 80
        resources:
          requests:
            memory: "128Mi"
            cpu: "100m"
          limits:
            memory: "256Mi"
            cpu: "200m"
        livenessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 5
EOF

                            # 根据是否配置域名创建不同的 Service
                            if [ -n "${domain}" ]; then
                                echo ">>> 创建 ClusterIP Service（用于 Ingress）..."
                                kubectl apply -n ${params.NAMESPACE} -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: ${PROJECT_NAME}
spec:
  type: ClusterIP
  selector:
    app: ${PROJECT_NAME}
  ports:
  - port: 80
    targetPort: 80
    protocol: TCP
EOF
                            else
                                echo ">>> 创建 NodePort Service（用于直接访问）..."
                                kubectl apply -n ${params.NAMESPACE} -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: ${PROJECT_NAME}-nodeport
spec:
  type: NodePort
  selector:
    app: ${PROJECT_NAME}
  ports:
  - port: 80
    targetPort: 80
    nodePort: 30085
    protocol: TCP
EOF
                            fi

                            # 创建 Ingress（如果提供了域名）
                            if [ -n "${domain}" ]; then
                                echo ">>> 创建 Ingress..."
                                kubectl apply -n ${params.NAMESPACE} -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ${PROJECT_NAME}-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    nginx.ingress.kubernetes.io/ssl-passthrough: "false"
    nginx.ingress.kubernetes.io/proxy-body-size: "8m"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384"
    nginx.ingress.kubernetes.io/ssl-protocols: "TLSv1.2 TLSv1.3"
spec:
  tls:
  - hosts:
    - ${domain}
    secretName: ${params.TLS_SECRET}
  rules:
  - host: ${domain}
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: ${PROJECT_NAME}
            port:
              number: 80
EOF
                            fi

                        else
                            # 只更新镜像
                            echo ">>> Deployment 已存在，仅更新镜像..."
                            kubectl set image deployment/${PROJECT_NAME} ${PROJECT_NAME}=${IMAGE_TAG} -n ${params.NAMESPACE}
                            echo "✅ 镜像更新完成，Kubernetes 将自动处理滚动更新"
                        fi

                        # 等待 Deployment 就绪
                        # echo ">>> 等待 Deployment 就绪..."
                        # kubectl wait --for=condition=available --timeout=300s deployment/${PROJECT_NAME} -n ${params.NAMESPACE}

                        # 显示部署状态
                        echo ">>> 部署状态："
                        kubectl get all -n ${params.NAMESPACE}
                        kubectl get ingress -n ${params.NAMESPACE} || echo ">>> 未配置 Ingress"

                        # 根据配置显示访问信息
                        if [ -n "${domain}" ]; then
                            echo "✅ 应用部署完成！"
                            echo "🌐 访问地址：https://${domain}"
                            echo " 注意：请确保域名 ${domain} 已正确解析到 Ingress 控制器的外部 IP"
                        else
                            echo "✅ 应用部署完成！"
                            echo "🌐 访问地址："
                            echo "   HTTP:  http://47.121.135.46:30085"
                            echo "   HTTPS: https://47.121.135.46:30085"
                            echo " 注意：使用 NodePort 方式访问，端口为 30085"
                        fi
                    """
                }
            }
        }

        stage('🔍 部署验证') {
            steps {
                script {
                    def domain = params.DOMAIN?.trim()
                    sh """
                        export KUBECONFIG=${KUBECONFIG_PATH}

                        echo ">>> 验证部署状态..."

                        # 检查 Pod 状态
                        kubectl get pods -n ${params.NAMESPACE} -l app=${PROJECT_NAME}

                        # 检查 Service 状态
                        if [ -n "${domain}" ]; then
                            kubectl get svc -n ${params.NAMESPACE} ${PROJECT_NAME}
                            kubectl get ingress -n ${params.NAMESPACE} ${PROJECT_NAME}-ingress
                            kubectl get secret -n ${params.NAMESPACE} ${params.TLS_SECRET}
                        else
                            kubectl get svc -n ${params.NAMESPACE} ${PROJECT_NAME}-nodeport
                        fi

                        # 检查 Ingress 控制器状态（如果配置了域名）
                        if [ -n "${domain}" ]; then
                            echo ">>> Ingress 控制器状态："
                            kubectl get svc ingress-nginx-controller -n ingress-nginx
                        fi

                        echo "✅ 部署验证完成"
                    """
                }
            }
        }

        stage('🧹 清理本地旧镜像（保留最新3个）') {
            steps {
                script {
                    def baseImage = "${HARBOR_HOST}/${env.HARBOR_PROJECT}/${PROJECT_NAME}"
                    sh """
                        docker images ${baseImage} --format "{{.Repository}}:{{.Tag}}" \\
                        | grep -v latest \\
                        | sort -r -t ':' -k2 \\
                        | tail -n +4 \\
                        | xargs -r docker rmi || true
                    """
                    echo "✅ 本地旧镜像清理完成"
                }
            }
        }

        stage(' 清理悬空镜像 <none>') {
            steps {
                script {
                    sh """
                        docker images -f "dangling=true" -q | xargs -r docker rmi || true
                    """
                    echo "✅ 悬空镜像（<none>）清理完成"
                }
            }
        }

        stage(' 触发 Harbor 镜像保留策略') {
            steps {
                script {
                    sh """
                        curl -u ${HARBOR_USER}:${HARBOR_PASS} -X POST \\
                        "http://${HARBOR_HOST}/api/v2.0/retentions/${HARBOR_RETENTION_ID}/executions"
                    """
                    echo "✅ Harbor 镜像保留策略已触发"
                }
            }
        }
    }

    post {
        success {
            echo "✅ 构建 & 部署成功！"
            script {
                if (params.DOMAIN?.trim()) {
                    echo "🌐 应用可通过 https://${params.DOMAIN} 访问"
                    echo " 请确保域名已解析到 Ingress 控制器的外部 IP"
                } else {
                    echo "🌐 应用可通过以下地址访问："
                    echo "   HTTP:  http://47.121.135.46:30085"
                    echo "   HTTPS: https://47.121.135.46:30085"
                }
            }
        }
        failure {
            echo "❌ 构建或部署失败，请检查日志"
        }
        always {
            cleanWs()
        }
    }
}