#!/bin/sh
set -xe

if [ -f "${K3D_ENV}" ]; then
  source "${K3D_ENV}"
fi

if [ "x${DOMAIN}" == "x" ]; then
  echo "[-] ERROR: DOMAIN (aka example.com) not set" >&2
  exit 1
fi

if [ "x${EMAIL}" == "x" ]; then
  echo "[-] ERROR: EMAIL (Your email for Let's Encrypt ACME) not set" >&2
  exit 1
fi

if [ "x${DO_PA_TOKEN}" == "x" ]; then
  echo "[-] ERROR: DO_PA_TOKEN (DigitalOcean Personal Access Token) not set" >&2
  exit 1
fi

k3d create --auto-restart --workers 3 --publish 80:80 --publish 443:433 --image docker.io/rancher/k3s:v0.7.0-rc6

 kube_up() {
  k3d get-kubeconfig --name='k3s-default' 2>&1
}

set +e

KUBE_UP="$(kube_up | grep -E 'does not exist|copy kubeconfig')"
while [ "x${KUBE_UP}" != "x" ]; do
  sleep 0.25s
	KUBE_UP="$(kube_up | grep -E 'does not exist|copy kubeconfig')"
done

set -e

export KUBECONFIG="$(k3d get-kubeconfig --name='k3s-default')"

kubectl cluster-info
kubectl create namespace helm-world
kubectl create namespace tiller-world
kubectl create serviceaccount tiller --namespace tiller-world
kubectl create -f - << EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: helm
  namespace: helm-world
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tiller-user
  namespace: tiller-world
rules:
- apiGroups:
  - ""
  resources:
  - pods/portforward
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-user-binding
  namespace: tiller-world
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tiller-user
subjects:
- kind: ServiceAccount
  name: helm
  namespace: helm-world
EOF

terraform init
rm -f *.pem
terraform apply -auto-approve

# Installing Helm - Helm init

helm init \
  --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' \
  --tiller-tls \
  --tiller-tls-verify \
  --tls-ca-cert ca.cert.pem \
  --tiller-tls-cert ./tiller.cert.pem \
  --tiller-tls-key ./tiller.key.pem \
  --tiller-namespace=tiller-world \
  --service-account=tiller-user \

# Installing Istio

for i in istio-?.?.?/install/kubernetes/helm/istio-init/files/crd*yaml; do kubectl apply -f $i; done

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Namespace
metadata:
  name: istio-system
  labels:
    istio-injection: disabled
EOF

helm template --namespace=istio-system \
  --set sidecarInjectorWebhook.enabled=true \
  --set sidecarInjectorWebhook.enableNamespacesByDefault=true \
  --set global.proxy.autoInject=disabled \
  --set global.disablePolicyChecks=true \
  --set prometheus.enabled=false \
  `# Disable mixer prometheus adapter to remove istio default metrics.` \
  --set mixer.adapters.prometheus.enabled=false \
  `# Disable mixer policy check, since in our template we set no policy.` \
  --set global.disablePolicyChecks=true \
  `# Set gateway pods to 1 to sidestep eventual consistency / readiness problems.` \
  --set gateways.istio-ingressgateway.autoscaleMin=1 \
  --set gateways.istio-ingressgateway.autoscaleMax=1 \
  --set gateways.istio-ingressgateway.resources.requests.cpu=500m \
  --set gateways.istio-ingressgateway.resources.requests.memory=256Mi \
  `# Enable SDS in the gateway to allow dynamically configuring TLS of gateway.` \
  --set gateways.istio-ingressgateway.sds.enabled=true \
  `# More pilot replicas for better scale` \
  --set pilot.autoscaleMin=1 \
  `# Set pilot trace sampling to 100%` \
  --set pilot.traceSampling=100 \
  `# Tune down required resources for pilot.` \
  --set pilot.resources.requests.cpu=30m \
  `# Tune down required resources for telemetry.` \
  --set mixer.telemetry.resources.requests.cpu=30m \
  istio-?.?.?/install/kubernetes/helm/istio \
  > ./istio.yaml

kubectl apply -f istio.yaml

helm template --namespace=istio-system \
  --set gateways.custom-gateway.autoscaleMin=1 \
  --set gateways.custom-gateway.autoscaleMax=1 \
  --set gateways.custom-gateway.cpu.targetAverageUtilization=60 \
  --set gateways.custom-gateway.labels.app='cluster-local-gateway' \
  --set gateways.custom-gateway.labels.istio='cluster-local-gateway' \
  --set gateways.custom-gateway.type='NodePort' \
  --set gateways.istio-ingressgateway.enabled=false \
  --set gateways.istio-egressgateway.enabled=false \
  --set gateways.istio-ilbgateway.enabled=false \
  istio-?.?.?/install/kubernetes/helm/istio \
  -f istio-?.?.?/install/kubernetes/helm/istio/example-values/values-istio-gateways.yaml \
  | sed -e "s/custom-gateway/cluster-local-gateway/g" -e "s/customgateway/clusterlocalgateway/g" \
  > ./istio-local-gateway.yaml

kubectl apply -f istio-local-gateway.yaml

ISTIO_UP="$(kubectl get pods --namespace istio-system 2>&1)"
while [ "x${ISTIO_UP}" == "xNo resources found." ]; do
  sleep 0.25s
  ISTIO_UP="$(kubectl get pods --namespace istio-system 2>&1)"
done

kubectl get pods --namespace istio-system

set +e

ISTIO_UP="$(kubectl get pods --namespace istio-system | grep -viE 'status|running|complete')"
while [ "x${ISTIO_UP}" != "x" ]; do
  sleep 0.25s
  ISTIO_UP="$(kubectl get pods --namespace istio-system | grep -viE 'status|running|complete')"
done

kubectl get pods --namespace istio-system

kubectl apply \
  --selector knative.dev/crd-install=true \
  --filename serving.yaml \
  --filename build.yaml \
  --filename release.yaml \
  --filename monitoring.yaml

kubectl apply \
  --filename serving.yaml \
  --selector networking.knative.dev/certificate-provider=cert-manager \
  --filename build.yaml \
  --filename release.yaml \
  --filename monitoring.yaml

sleep 2

kubectl get pods --namespace knative-serving
kubectl get pods --namespace knative-build
kubectl get pods --namespace knative-eventing
kubectl get pods --namespace knative-monitoring

kubectl get deploy -n knative-serving --label-columns=serving.knative.dev/release

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-domain
  namespace: knative-serving
data:
  # Default value for domain, for routes that does not have app=prod labels.
  # Although it will match all routes, it is the least-specific rule so it
  # will only be used if no other domain matches.
  ${DOMAIN}: ""
EOF

sleep 2

kubectl apply -f cert-manager-?.?.?/deploy/manifests/00-crds.yaml
kubectl apply -f cert-manager-?.?.?/deploy/manifests/cert-manager.yaml

sleep 2

kubectl apply -f - <<EOF
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: letsencrypt-issuer
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    # This will register an issuer with LetsEncrypt.  Replace
    # with your admin email address.
    email: ${EMAIL}
    privateKeySecretRef:
      # Set privateKeySecretRef to any unused secret name.
      name: letsencrypt-issuer
    dns01:
      providers:
      - name: digitalocean
        digitalocean:
          tokenSecretRef:
            name: digitalocean-dns
            key: ${DO_PA_TOKEN}
EOF

sleep 2

kubectl get clusterissuer --namespace cert-manager letsencrypt-issuer --output yaml

kubectl apply -f - <<EOF
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: my-certificate
  # Istio certs secret lives in the istio-system namespace, and
  # a cert-manager Certificate is namespace-scoped.
  namespace: istio-system
spec:
  # Reference to the Istio default cert secret.
  secretName: istio-ingressgateway-certs
  acme:
    config:
    # Each certificate could rely on different ACME challenge
    # solver.  In this example we are using one provider for all
    # the domains.
    - dns01:
        provider: digitalocean
      domains:
      # Since certificate wildcards only allow one level, we will
      # need to one for every namespace that Knative is used in.
      # We don't need to use wildcard here, fully-qualified domains
      # will work fine too.
      - "*.default.$DOMAIN"
      - "*.other-namespace.$DOMAIN"
  # The certificate common name, use one from your domains.
  commonName: "*.default.$DOMAIN"
  dnsNames:
  # Provide same list as `domains` section.
  - "*.default.$DOMAIN"
  - "*.other-namespace.$DOMAIN"
  # Reference to the ClusterIssuer we created in the previous step.
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-issuer
EOF

sleep 2

kubectl get certificate --namespace istio-system my-certificate --output yaml

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: knative-ingress-gateway
  namespace: knative-serving
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    tls:
      # Sends 301 redirect for all http requests.
      # Omit to allow http and https.
      httpsRedirect: true
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
EOF