#!/bin/bash
#
# Copyright (c) 2023 Oracle and/or its affiliates. All rights reserved.
# Licensed under the GNU General Public License Version 3 as shown at https://www.gnu.org/licenses/gpl-3.0.txt.

# $1 Namespace             string
# $2 UseInstancePrincipals bool
# $3 Region      string
# $4 Tenancy     string
# $5 User        string
# $6 Key-path    string
# $7 key-base64  string
# $8 Passphrase  string
# $9 Fingerprint string
# $10 Compartment string
# $11 Vcn         string
# $12 LBSubnet1   string
# $13 LBSubnet2   string
# $14 LBSecMode   string
# $15 KUBECFG     string
# $16 oci-volume-provisioner     string
# $17 oci-cloud-controller-manager  string
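# Fail fast: a missing positional argument (-u), a failing command (-e) or a
# failing pipeline stage (-o pipefail) must not yield half-rendered Secrets.
set -euo pipefail

#######################################
# Print usage to stderr and exit with status 2.
# Arguments: none
#######################################
usage() {
  printf 'Usage: %s NS USE_INSTANCE_PRINCIPALS REGION TENANCY USER KEY_PATH KEY_BASE64 PASSPHRASE FINGERPRINT COMPARTMENT VCN LB_SUBNET1 LB_SUBNET2 LB_SEC_MODE KUBECFG VOLUME_PROVISIONER_SECRET CCM_SECRET\n' \
    "${0##*/}" >&2
  exit 2
}

#######################################
# Print a diagnostic to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Emit the API signing key with every line indented by four spaces, ready to
# be spliced under the `key: |` block scalar of the rendered config.
# Arguments:
#   $1 - path to the PEM key file (used when $2 is empty or the literal '')
#   $2 - base64-encoded key (takes precedence when non-empty)
# Outputs: indented key on stdout
# Returns: exits 1 (via die) when no usable key source was given
#######################################
read_private_key() {
  local key_path="$1"
  local key_b64="$2"
  # Callers pass the literal two-character string '' to mean "no value".
  if [[ "${key_b64}" == "''" || -z "${key_b64}" ]]; then
    # Without these guards sed would silently read the key from stdin.
    [[ -n "${key_path}" ]] || die "no key provided: pass a key path (\$6) or a base64 key (\$7)"
    [[ -r "${key_path}" ]] || die "key file is not readable: ${key_path}"
    # Redirect rather than pass the path as an operand: immune to option
    # parsing and works with both GNU and BSD sed.
    sed 's/^/    /' < "${key_path}"
  else
    # printf keeps embedded newlines intact; echo with an unquoted expansion
    # collapsed them to spaces, which base64 -d may reject.
    printf '%s' "${key_b64}" | base64 -d | sed 's/^/    /'
  fi
}

#######################################
# Render the user-principal cloud-provider config (YAML) on stdout.
# Arguments:
#   $1 region   $2 tenancy   $3 user   $4 indented key   $5 passphrase
#   $6 fingerprint   $7 compartment   $8 vcn   $9 subnet1   $10 subnet2
#   $11 securityListManagementMode
# Outputs: YAML document on stdout
# NOTE: values are interpolated verbatim, as the original script did; a value
# containing YAML-significant characters (e.g. ': ' or '#') is not escaped.
#######################################
render_user_principal_config() {
  local region="$1" tenancy="$2" user="$3" key="$4" passphrase="$5" fingerprint="$6"
  local compartment="$7" vcn="$8" subnet1="$9" subnet2="${10}" sec_mode="${11}"
  cat <<EOF
auth:
  region: ${region}
  tenancy: ${tenancy}
  user: ${user}
  key: |
${key}
  # Omit if there is not a password for the key
  passphrase: ${passphrase}
  fingerprint: ${fingerprint}
# Omit all of the above options then set useInstancePrincipals to true if you
# want to use Instance Principals API access
# (https://docs.us-phoenix-1.oraclecloud.com/Content/Identity/Tasks/callingservicesfrominstances.htm).
# Ensure you have setup the following OCI policies and your kubernetes nodes are running within them
# allow dynamic-group [your dynamic group name] to read instance-family in compartment [your compartment name]
# allow dynamic-group [your dynamic group name] to use virtual-network-family in compartment [your compartment name]
# allow dynamic-group [your dynamic group name] to manage load-balancers in compartment [your compartment name]
useInstancePrincipals: false

# compartment configures Compartment within which the cluster resides.
compartment: ${compartment}

# vcn configures the Virtual Cloud Network (VCN) within which the cluster resides.
vcn: ${vcn}

loadBalancer:
  # subnet1 configures one of two subnets to which load balancers will be added.
  # OCI load balancers require two subnets to ensure high availability.
  subnet1: ${subnet1}

  # subnet2 configures the second of two subnets to which load balancers will be
  # added. OCI load balancers require two subnets to ensure high availability.
  subnet2: ${subnet2}

  # SecurityListManagementMode configures how security lists are managed by the CCM.
  # If you choose to have security lists managed by the CCM, ensure you have setup the following additional OCI policy:
  # Allow dynamic-group [your dynamic group name] to manage security-lists in compartment [your compartment name]
  #
  #   "All" (default): Manage all required security list rules for load balancer services.
  #   "Frontend":      Manage only security list rules for ingress to the load
  #                    balancer. Requires that the user has setup a rule that
  #                    allows inbound traffic to the appropriate ports for kube
  #                    proxy health port, node port ranges, and health check port ranges.
  #                    E.g. 10.82.0.0/16 30000-32000.
  #   "None":          Disables all security list management. Requires that the
  #                    user has setup a rule that allows inbound traffic to the
  #                    appropriate ports for kube proxy health port, node port
  #                    ranges, and health check port ranges. E.g. 10.82.0.0/16 30000-32000.
  #                    Additionally requires the user to mange rules to allow
  #                    inbound traffic to load balancers.
  securityListManagementMode: ${sec_mode}

  # Optional specification of which security lists to modify per subnet. This does not apply if security list management is off.
  #securityLists:
  #  ocid1.subnet.oc1.phx.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: ocid1.securitylist.oc1.iad.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
  #  ocid1.subnet.oc1.phx.bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb: ocid1.securitylist.oc1.iad.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

# Optional rate limit controls for accessing OCI API
rateLimiter:
  rateLimitQPSRead: 20.0
  rateLimitBucketRead: 5
  rateLimitQPSWrite: 20.0
  rateLimitBucketWrite: 5
EOF
}

#######################################
# Render the instance-principal cloud-provider config (YAML) on stdout.
# Arguments:
#   $1 compartment   $2 vcn   $3 subnet1   $4 subnet2
#   $5 securityListManagementMode
# Outputs: YAML document on stdout (values interpolated verbatim, see above)
#######################################
render_instance_principal_config() {
  local compartment="$1" vcn="$2" subnet1="$3" subnet2="$4" sec_mode="$5"
  cat <<EOF
auth:
useInstancePrincipals: true
compartment: ${compartment}
vcn: ${vcn}
loadBalancer:
  subnet1: ${subnet1}
  subnet2: ${subnet2}
  securityListManagementMode: ${sec_mode}
rateLimiter:
  rateLimitQPSRead: 20.0
  rateLimitBucketRead: 5
  rateLimitQPSWrite: 20.0
  rateLimitBucketWrite: 5
EOF
}

#######################################
# Render the cloud-provider config, base64-encode it and apply it as two
# Opaque Secrets (volume provisioner and cloud controller manager).
# Arguments: the 17 positionals documented at the top of the file
# Outputs: kubectl output on stdout/stderr
# Returns: 0 on success; exits non-zero on missing arguments, unreadable
#          inputs or a failed kubectl apply
# NOTE: the key ($7) and passphrase ($8) arrive on the command line and are
# visible in process listings to other local users while this script runs;
# the key-path form ($6) avoids that exposure for the key itself.
#######################################
main() {
  (( $# >= 17 )) || usage
  local ns="$1" use_instance_principals="$2" region="$3" tenancy="$4" user="$5"
  local key_path="$6" key_b64="$7" passphrase="$8" fingerprint="$9"
  local compartment="${10}" vcn="${11}" lb_subnet1="${12}" lb_subnet2="${13}" lb_sec_mode="${14}"
  local kubecfg="${15}" volume_provisioner_secret="${16}" ccm_secret="${17}"

  [[ -r "${kubecfg}" ]] || die "kubeconfig is not readable: ${kubecfg}"
  command -v kubectl >/dev/null || die "kubectl not found in PATH"

  # GNU base64 wraps its output at 76 columns by default, but a Secret data
  # field must be a single line, so pass -w 0 where the option exists.
  # Implementations without it (the --help text does not mention "wrap") are
  # assumed not to wrap and get no flag.
  local -a b64_opts=()
  if base64 --help 2>/dev/null | grep -q wrap; then
    b64_opts=(-w 0)
  fi

  # The key is only needed (and only validated) in user-principal mode; the
  # original script read it unconditionally and hung on stdin when absent.
  local key cfg
  if [[ "${use_instance_principals}" != "true" ]]; then
    # read_private_key prints its own diagnostic before failing.
    key=$(read_private_key "${key_path}" "${key_b64}") || exit 1
    # ${arr[@]+"${arr[@]}"} expands an empty array to nothing without tripping
    # set -u on bash versions older than 4.4.
    cfg=$(render_user_principal_config "${region}" "${tenancy}" "${user}" "${key}" \
      "${passphrase}" "${fingerprint}" "${compartment}" "${vcn}" \
      "${lb_subnet1}" "${lb_subnet2}" "${lb_sec_mode}" \
      | base64 ${b64_opts[@]+"${b64_opts[@]}"})
  else
    cfg=$(render_instance_principal_config "${compartment}" "${vcn}" \
      "${lb_subnet1}" "${lb_subnet2}" "${lb_sec_mode}" \
      | base64 ${b64_opts[@]+"${b64_opts[@]}"})
  fi

  # Both Secrets carry the same encoded config under different keys.
  kubectl --kubeconfig="${kubecfg}" apply -n "${ns}" -f - <<EOF
---
apiVersion: v1
kind: Secret
metadata:
  name: ${volume_provisioner_secret}
  namespace: ${ns}
type: Opaque
data:
  config.yaml: ${cfg}
---
apiVersion: v1
kind: Secret
metadata:
  name: ${ccm_secret}
  namespace: ${ns}
type: Opaque
data:
  cloud-provider.yaml: ${cfg}
EOF
}

main "$@"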
