env.sh

# source me to have all the nice things

if [ "$0" == "$BASH_SOURCE" ]; then
    echo "You should be sourcing this."
    exit 1
fi

hscloud_root="$( cd "$(dirname "$BASH_SOURCE")"; pwd -P )"

if [ ! -f "$hscloud_root/WORKSPACE" ]; then
    echo "Could not find WORKSPACE"
    exit 1
fi

hscloud_path="$hscloud_root/bazel-bin/tools"

[[ ":$PATH:" != *":$hscloud_path:"* ]] && PATH="$hscloud_path:${PATH}"

# legacy crap follows

hscloud-dc() {
    ( cd "$hscloud_root" && docker-compose -f "docker/docker-compose.yml" "$@" )
}

hscloud-pki-dev() {
    (
        set -e

        cd "$hscloud_root"
        rm -rf docker/pki

        cp -rv go/pki/dev-certs docker/pki
        cd docker/pki
        bash gen.sh m6220-proxy arista-proxy cmc-proxy topo client
        ls *pem
    )
}

# Generate a per-node certificate remotely on the node.
hscloud-node-remote-cert() {
    (
        set -e
        if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then
            echo >&2 "Usage: hscloud-node-remote-cert node.fqdn.com certname subj"
            exit 1
        fi
        fqdn="$1"
        certname="$2"
        subj="$3"

        echo "Node: ${fqdn}; Cert: ${certname}"

        echo "Checking node livenes..."
        ssh root@$fqdn uname -a

        echo "Checking if node already has key..."
        ssh root@$fqdn stat /opt/hscloud/${certname}.key || (
            echo "Generating key..."
            ssh root@$fqdn -- mkdir -p /opt/hscloud
            ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl genrsa -out /opt/hscloud/${certname}.key 4096\"" 
            ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key
        )

        echo "Checking if node already has cert..."
        ssh root@$fqdn stat /opt/hscloud/${certname}.crt && exit 0
        echo "No cert, will generate..."

        cd "$hscloud_root"
        secrets="$hscloud_root/secrets"
        ca="$secrets/ca.key"
        [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )

        cp data/openssl.cnf san.cnf
        echo -ne "\n[SAN]\nsubjectAltName=DNS:${fqdn}" >> san.cnf
        scp san.cnf root@$fqdn:/opt/hscloud/san.cnf

        ssh root@$fqdn -- nix-shell -p openssl --command "\"openssl req -new -key /opt/hscloud/${certname}.key -out /opt/hscloud/${certname}.csr -subj '${subj}' -config /opt/hscloud/san.cnf -reqexts SAN\""
        scp root@$fqdn:/opt/hscloud/${certname}.csr ${fqdn}-${certname}.csr
        openssl x509 -req \
                -in ${fqdn}-${certname}.csr \
                -CA data/ca.crt \
                -CAkey "$ca" -CAcreateserial \
                -out "data/${fqdn}-${certname}.crt" \
                -extensions SAN -extfile san.cnf

        scp "data/${fqdn}-${certname}.crt" root@$fqdn:/opt/hscloud/${certname}.crt
        scp "data/ca.crt" root@$fqdn:/opt/hscloud/ca.crt
        ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt /opt/hscloud/ca.crt
        rm ${fqdn}-${certname}.csr
        rm san.cnf
    )
}

# Generate locally (if not present) a shared certificate, and upload it to the node
hscloud-node-shared-cert() {
    (
        set -e
        if [ -z "$1" ] || [ -z "$2" ] || [ -x "$3" ]; then
            echo >&2 "Usage: hscloud-node-shared-cert node.fqdn.com certname subj"
            exit 1
        fi
        fqdn="$1"
        certname="$2"
        subj="$3"

        cd "$hscloud_root"
        secrets="$hscloud_root/secrets"
        keyfile="$secrets/$certname.key"
        cert="$hscloud_root/data/$certname.crt"
        csr="$hscloud_root/data/$certname.csr"
        ca="$secrets/ca.key"
        [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )

        echo "Checking if key exists..."
        if [ ! -f "$keyfile" ]; then
            echo "No key, trying to decrypt..."
            if ! scripts/secretstore decrypt "$secrets/cipher/$certname.key" > "$keyfile" ; then
                echo "No encrypted key, generating..."
                openssl genrsa -out $keyfile 4096
                echo "Encrypting..."
                scripts/secretstore encrypt "$keyfile" > "$secrets/cipher/$certname.key"
            fi
        fi

        echo "Checking if cert exists..."
        if [ ! -f "$cert" ]; then
            echo "No cert, generating..."
            rm -f "${csr}"
            openssl req -new -key "${keyfile}" -out "${csr}" -subj "${subj}"
            openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"
        fi

        echo "Copying certificate to node..."
        scp "${cert}" root@$fqdn:/opt/hscloud/${certname}.crt
        scp "${keyfile}" root@$fqdn:/opt/hscloud/${certname}.key
        ssh root@$fqdn -- chmod 444 /opt/hscloud/${certname}.crt
        ssh root@$fqdn -- chmod 400 /opt/hscloud/${certname}.key
    )
}

hscloud-node-certs() {
    (
        set -e
            
        if [ -z "$1" ]; then
            echo >&2 "Usage: hscloud-node-certs node.fqdn.com"
            exit 1
        fi
        fqdn="$1"

        hscloud-node-remote-cert ${fqdn} node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Stowarzyszenie Warszawski Hackerspace/OU=Node Bootstrap Certificate/CN=\"$fqdn\""
        hscloud-node-remote-cert ${fqdn} kube-node "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:nodes/OU=Kubernetes Node Certificate/CN=system:node:\"$fqdn\""
        for component in controller-manager proxy scheduler; do
            hscloud-node-shared-cert ${fqdn} kube-${component} "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=system:kube-${component}/OU=Kubernetes Component ${component}/CN=system:kube-${component}"
        done
        hscloud-node-shared-cert ${fqdn} kube-apiserver "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes API/CN=k0.hswaw.net"
        hscloud-node-shared-cert ${fqdn} kube-serviceaccounts "/C=PL/ST=Mazowieckie/L=Mazowieckie/O=Kubernetes Service Accounts/CN=service-accounts"
    )
}

hscloud-k8s-config() {
    (
        set -e

        if [ -z "$1" ]; then
            echo >&2 "Usage: hscloud-k8s-config username"
            exit 1
        fi
        username="$1"

        cd "$hscloud_root"
        mkdir -p .kubectl

        cert="$hscloud_root/.kubectl/client.crt"
        csr="$hscloud_root/.kubectl/client.csr"
        keyfile="$hscloud_root/.kubectl/client.key"
        secrets="$hscloud_root/secrets"
        ca="$secrets/ca.key"

        if [ ! -f "$keyfile" ]; then
            echo "Generating ${keyfile}..."
            openssl genrsa -out $keyfile 4096
            rm -f "$cert"
        fi
        if [ ! -f "$cert" ]; then
            echo "Signing ${cert}..."
            [ ! -f "$ca" ] && ( scripts/secretstore decrypt "$secrets/cipher/ca.key" > $ca )
            openssl req -new -key "${keyfile}" -out "${csr}" -subj "/C=PL/ST=Mazowieckie/O=system:masters/OU=Kubernetes Admin Account for ${username}/CN=${username}"
            openssl x509 -req -in "${csr}" -CA data/ca.crt -CAkey "$ca" -CAcreateserial -out "${cert}"
        fi

        kubeconfig="$hscloud_root/.kubectl/client.kubeconfig"
        echo "Generating ${kubeconfig}..."
        rm -rf ${kubeconfig}

        kubectl config set-cluster k0.hswaw.net \
          --certificate-authority=${hscloud_root}/data/ca.crt \
          --embed-certs=true \
          --server=https://k0.hswaw.net:4001 \
          --kubeconfig=${kubeconfig}

        kubectl config set-credentials ${username} \
          --client-certificate=${cert} \
          --client-key=${keyfile} \
          --embed-certs=true \
          --kubeconfig=${kubeconfig}

        kubectl config set-context default \
          --cluster=k0.hswaw.net \
          --user=${username} \
          --kubeconfig=${kubeconfig}

        kubectl config use-context default --kubeconfig=${kubeconfig}
    )
}