#!/bin/bash

# Copyright 2018 by the contributors
#
#    Licensed under the Apache License, Version 2.0 (the "License");
#    you may not use this file except in compliance with the License.
#    You may obtain a copy of the License at
#
#        http://www.apache.org/licenses/LICENSE-2.0
#
#    Unless required by applicable law or agreed to in writing, software
#    distributed under the License is distributed on an "AS IS" BASIS,
#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#    See the License for the specific language governing permissions and
#    limitations under the License.


set -o verbose
set -o errexit
set -o nounset
set -o pipefail

# Sanity check: This is a mustache template, so make the script die if any of
# these aren't set.
test -n "{{LoadBalancerDns}}"
test -n "{{LoadBalancerName}}"
test -n "{{ClusterToken}}"
test -n "{{NetworkingProvider}}"
test -n "/tmp/NetworkingProvider.yaml"
test -n "/tmp/dashboard.yaml"
test -n "/tmp/default.storageclass.yaml"
test -n "/tmp/network-policy.yaml"
test -n "{{Region}}"
test -n "{{ClusterInfoBucket}}"
test -n "{{ClusterDNSProvider}}"

INSTANCE_ID=$(ec2metadata --instance-id)

# Add this machine (master) to the load balancer for external access
aws elb register-instances-with-load-balancer \
  --load-balancer-name {{LoadBalancerName}} \
  --instances ${INSTANCE_ID} \
  --region {{Region}}

# kubeadm wants lowercase for DNS (as it probably should)
LB_DNS=$(echo "{{LoadBalancerDns}}" | tr 'A-Z' 'a-z')

# get load balancer ip address to be advertised
LB_IPV4=$(dig +short {{LoadBalancerDns}})

HOSTNAME="$(hostname -f 2>/dev/null || curl http://169.254.169.254/latest/meta-data/local-hostname)"

# reset kubeadm (workaround for kubelet package presence)
kubeadm reset --force

cat >/tmp/kubeadm.yaml <<EOF
---
apiVersion: kubeadm.k8s.io/v1beta1
kind: InitConfiguration
bootstrapTokens:
- groups:
  - "system:bootstrappers:kubeadm:default-node-token"
  token: "{{ClusterToken}}"
  ttl: "0s"
  usages:
  - signing
  - authentication
nodeRegistration:
  name: "${HOSTNAME}"
  kubeletExtraArgs:
    cloud-provider: "aws"
---
apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
kubernetesVersion: "$(cat /etc/kubernetes_community_ami_version)"
apiServer:
  timeoutForControlPlane: 4m0s
  certSANs:
  - "${LB_IPV4}"
  extraArgs:
    cloud-provider: "aws"
clusterName: kubernetes
controlPlaneEndpoint: "${LB_DNS}:443"
controllerManager:
  extraArgs:
    cloud-provider: "aws"
    allocate-node-cidrs: "false"
EOF

# Feature gates
echo "dns:" >> /tmp/kubeadm.yaml
if [[ "{{ClusterDNSProvider}}" == "CoreDNS" ]]; then
  echo "  type: CoreDNS" >> /tmp/kubeadm.yaml
else
  echo "  type: kube-dns" >> /tmp/kubeadm.yaml
fi

if [[ "{{NetworkingProvider}}" == "calico" ]]; then
cat >>/tmp/kubeadm.yaml <<EOF
networking:
  podSubnet: 192.168.0.0/16
EOF
fi

# Initialize master node
kubeadm init --config /tmp/kubeadm.yaml
rm /tmp/kubeadm.yaml

kubectl --kubeconfig=/etc/kubernetes/admin.conf get cm -n kube-public cluster-info -o jsonpath={.data.kubeconfig} | aws s3 cp - s3://{{ClusterInfoBucket}}/cluster-info.yaml

export KUBECONFIG=/etc/kubernetes/admin.conf

# Grant the "admin" user complete access to the cluster
kubectl create clusterrolebinding admin-cluster-binding --clusterrole=cluster-admin --user=admin

# Add-on for networking providers, so pods can communicate.  see the scripts/
# directory of the quickstart.  Currently either calico.yaml or weave.yaml
kubectl apply -f /tmp/NetworkingProvider.yaml

# Install the kubernetes dashboard by default
kubectl apply -f /tmp/dashboard.yaml

# Install the default StorageClass
kubectl apply -f /tmp/default.storageclass.yaml

# Set up the network policy blocking the AWS metadata endpoint from the default namespace.
kubectl apply -f /tmp/network-policy.yaml

# Use kubeadm's kubeconfig command to grab a client-cert-authenticated
# kubeconfig file for administrative access to the cluster.
KUBECONFIG_OUTPUT=/home/ubuntu/kubeconfig

# kubeadm requires --apiserver-advertise-address to be an IP address but we
# want to use the DNS name in case the IP changes. Using the LB_IPV4 just as a
# a dummy value to facilitate precise replacement and avoid complications with
# ensuring we have the right IP.
kubeadm alpha kubeconfig user \
  --client-name admin \
  --apiserver-advertise-address "${LB_IPV4}" \
  >$KUBECONFIG_OUTPUT

sed -i "s~https://${LB_IPV4}:6443~https://${LB_DNS}:443~" $KUBECONFIG_OUTPUT

chown ubuntu:ubuntu $KUBECONFIG_OUTPUT
chmod 0600 $KUBECONFIG_OUTPUT

# And for local debugging, set up ~/.kube/config for the main user account on
# the master.
mkdir -p /home/ubuntu/.kube
cp /etc/kubernetes/admin.conf /home/ubuntu/.kube/config
chown -R ubuntu:ubuntu /home/ubuntu/.kube