.env

#!/usr/bin/env bash

# Copyright (C) 2021 Michael Joseph Walsh - All Rights Reserved
# You may use, distribute and modify this code under the
# terms of the the license.
#
# You should have received a copy of the license with
# this file. If not, please email <mjwalsh@nemonik.com>

if [[ -z ${cat_rendered_template} ]]; then
  cat_rendered_template=false
fi

if [[ -z ${pull_container_images} ]]; then
  pull_container_images=true
fi

if [[ -z ${save_container_images} ]]; then
  save_container_images=true
fi

## Figure out the path to the .env file, so that we can find the vault file.
##
SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"

## Echo text messaged in green to notify.
##
## e.g., `notify "This is a notice."`
##
function notify() {

  local green='\033[0;32m'
  local no_color='\033[0m'

  echo -e "${green}$1${no_color}"
}

## Echo text messaged in red to indicate an error.
##
## e.g., `error "This is an error."`
##
function error() {

  local red='\033[0;31m'
  local no_color='\033[0m'

  1>&2 echo -e "${red}$1${no_color}"
}

## Echo text message in yellow to indicate a warning.
##
## e.g., `warn "This is a warning."`
##
function warn() {

  local yellow='\033[1;33m'
  local no_color='\033[0m'

  echo -e "${yellow}$1${no_color}"

}

## Echo text message in blue to indicate asking for input.
##
## e.g., `ask_for_input "This is asking for input."`
##
function ask_for_input() {

  local light_blue='\033[1;34m'
  local no_color='\033[0m'

  echo -e "${light_blue}$1${no_color}"
}


## urlencode <string>
##
## e.g., msged "rancher/k3d-proxy:v4.4.7" will return "rancher%2Fk3d-proxy%3Av4.4.7%0A"
##
function urlencode() {

  if [ "$#" -ne 1 ]; then
    error "urlencode - Illegal number of parameters." >&2
    exit 1
  fi

  old_lc_collate=$LC_COLLATE
  LC_COLLATE=C

  local length="${#1}"
  for (( i = 0; i < length; i++ )); do
    local c="${1:i:1}"
    case $c in
      [a-zA-Z0-9.~_-]) printf "$c" ;;
      ' ') printf "%%20" ;;
      *) printf '%%%02X' "'$c" ;;
    esac
  done

  LC_COLLATE=$old_lc_collate
}


## urldecode <string>
##
## e.g., msged "rancher%2Fk3d-proxy%3Av4.4.7%0A" will return "rancher/k3d-proxy:v4.4.7"
##
function urldecode() {

  if [ "$#" -ne 1 ]; then
    error "urldecode - Illegal number of parameters." >&2
    exit 1
  fi

  local url_encoded="${1//+/ }"
  printf '%b' "${url_encoded//%/\\x}"
}


## index_keys <associative_array> 
##
## e.g., msged (["d"]="donald" ["c"]="cat" ["b"]="bottle") will return ("b" "c" "d")
##
## Entries in associative arrays can not be retrieved in order declared. This 
## funtion will sort the keys of a messaged associative array in alphabetical 
## order and return as spac delimited string wrap with call with parenthesis 
## to get the array (e.g., `indexed_keys=($(index_keys associative_array))`). 
## 
function index_keys() {

  if [ "$#" -ne 1 ]; then
    error "index_keys - Illegal number of parameters." >&2
    exit 1    
  fi

  local -n associative_array=$1

  keys=${!associative_array[*]}

  keys=($keys)

  readarray -t indexed_keys < <(printf '%s\n' "${keys[@]}" | sort)

  ## keys sorted
  echo "${indexed_keys[*]}"
}


## join_by <delimiter> <array>
##
## e.g., join_by ":" ( "a" "b" "c" ) will return "a:b:c"
##
## When messaged an delimiter and array will return a string with the contents
## of the array delimited.
##
function join_by() {

  if [ "$#" -ne 2 ]; then
    error "join_by Illegal number of parameters." >&2
    exit 1
  fi

  local delimiter=${1-}
  local array=${2-}
  if shift 2; then
    printf %s "$array" "${@/#/$delimiter}"
  fi	
}


## create_automation_token
##
## e.g., create_automation_token
##
## Requires gitlab_namespace be set globally.
##
## Will create and register an automation token with the root user with the name 
## 'Automation_token', and then return the pod name used to create the toke and the
## token itself.
##
## To retrieve the two values returned used the following:
##
##    read gitlab_pod_name gitlab_token < <(create_automation_token)
##
function create_automation_token() {

  #local gitlab_token=`tr -dc A-Za-z0-9 </dev/urandom | head -c 20`
  local gitlab_token=`pwgen -Bsv1 20`

  local create_automation_token_code="user = User.find_by_username('root'); token = user.personal_access_tokens.create(scopes: [:api], name: 'Automation_token'); token.set_token('$gitlab_token'); token.save"

  if [ "${gitlab_omnibus,,}" = "true" ]; then
    ## For Omnibus installations
    ##
    local gitlab_pod_name=`kubectl get pods -n ${gitlab_namespace} -l "app=task-runner,release=gitlab" -o json | jq -r '.items | .[] | .metadata.name'`

    create_automation_token_code="echo \"$create_automation_token_code\" | gitlab-rails console"
  else
    ## For installations from source
    ##
    local gitlab_pod_name=`kubectl get pod -n ${gitlab_namespace} -l "app.kubernetes.io/component=gitlab" -o json | jq -r '.items | .[] | .metadata.name'`

    create_automation_token_code="bundle exec rails runner -e production \"$create_automation_token_code\""
  fi

  if [ "${gitlab_pod_name}" = "" ]; then
    error
    error "GitLab pod not found for namespace $gitlab_namespace"
    error

    exit 1
  fi

  output=`kubectl exec -it pod/${gitlab_pod_name} -n $gitlab_namespace -- /bin/bash -c "$create_automation_token_code" 2>&1`

  warn "The following should be fine, but inspect and modify the code if a new issue is surfaced" >&2
  warn "$output" >&2
  warn "" >&2

  ## It takes time for the token to stick, so try and try again...
  ##
  ## This code block is used to repeatedly check if the token has become available.
  ##
  tries=0
  until curl -s --request PUT --header "PRIVATE-TOKEN: $gitlab_token" "${gitlab_protocol}://${gitlab_fdqn}/api/v4/application/setting" >/dev/null; do
    sleep 5
    tries=tries+1
    if [ $tries -eq 10 ]; then
      warn "The token has not become available in the expected anount of time.  The automation will keep trying until you interrupt it." >&2
    fi
  done

  echo "${gitlab_pod_name} ${gitlab_token}"
}


## revoke_automation_token <string gitlab_pod_name> <string gitlab_token>
##
## e.g., revoke_automation_token "gitlab-task-runner-69d5fdb957-5pw7z" "hvvLMJpTKqVAQGQojy0d"
##
## Will execute the token revocation on gitlab_pod_name. 
##
function revoke_automation_token() {

  if [ "$#" -ne 2 ]; then
    error "revoke_automation_token - Illegal number of parameters." >&2
    exit 1
  fi

  gitlab_pod_name="${1}"

  gitlab_token="${2}"
  
  notify "Revoke the GitLab automation token..."

  revoke_automation_token_code="bundle exec rails runner -e production \"PersonalAccessToken.find_by_token('$gitlab_token').revoke!\""

  kubectl exec -it pod/${gitlab_pod_name} -n ${gitlab_namespace} -- /bin/bash -c "$revoke_automation_token_code" >/dev/null
}


## get_image_name <string>
##
## Returns just the image name if passed the container image in either NAME[:TAG] form or
## registry path form.  Similar to a URL, but does not contain a protocol specifier (https://).
## An example would be 'docker.io:5000/nemonik/drone:2.0' or 'quay.io/nemonik/drone:2.0'.
##
## e.g., msged "drone:2.0" returns "drone",
##       msged "docker.io:5000/nemonik/drone:2.0" returns "nemonik/drone"
##
## The tricky part here is some official images are maintained by the Docker Community
## such as 'redis' which is not maintained by a user, but at the root of the docker.io
## registry. This function handles this.
##
function get_image_name() {

  if [ "$#" -ne 1 ]; then
    error "get_image_name - Illegal number of parameters." >&2
    exit 1
  fi

  ## Split the message string on colon (:) and strip off the tag and port if provided.
  ##

  IFS=':' read -ra parts <<< "${1}"

  if [ ${#parts[@]} == 1 ]; then
    ## no tag (e.g., for "drone", the return would be "drone")
    ##
    name=$1
  elif [ ${#parts[@]} == 2 ]; then
    ## return the repository, (e.g., for "drone:2.0 the return would be "rone")
    ##
    name="${parts[0]}"
  elif [ ${#parts[@]} == 3 ]; then
    ## strip off the registry, (e.g. for "docker.io:5000/nemonik/drone:2.0" return "nemonik/drone")
    ##
    IFS='/' read -ra parts <<< "${parts[1]}"

    if [[ "${parts[0]}" =~ ^[0-9]+$ ]]; then
      ## remove port if it exists from parts array
      ##
      unset parts[0]
    fi

    ## Combine all the parts that remain
    ##
    name=$(printf "/%s" "${parts[@]}")
    name=${name:1}
  else
    echo "Malformed image name: ${1}"
    exit 1
  fi

  ## Strip off registry if provided.
  ##

  declare -a parts

  IFS='/' read -ra parts <<< "${name}"

  if [ ${#parts[@]} == 1 ]; then
    ## Handle 'drone' for example by simply returning
    ##
    echo "${name}"
  else
    ## Is the first part resolvable this mean this part if a registry (e.g. "docker.io",
    ## "quay.io", "localhost", etc)
    ##
    host "${parts[0]}" &>/dev/null

    ## If it is then strip it out
    ##
    if [ "$?" -eq "0" ]; then
      unset parts[0]
    fi

    ## Combine all the parts that remain
    ##
    name=$(printf "/%s" "${parts[@]}")
    name=${name:1}

    echo $name
  fi
}


## Returns the image's tag when messaged .
##
## e.g., msged "redis:5.0.9" echos "5.0.9".
##
function get_image_tag() {

  if [ "$#" -ne 1 ]; then
    error "get_image_tag - Illegal number of parameters." >&2
    exit 1
  fi

  IFS=':' read -ra parts <<< "$1"

  if [ ${#parts[@]} == 1 ]; then
    ## Not tag, so return "latest"
    ##
    echo "latest"
  else

    echo "${parts[-1]}"
  fi

}


## Call `envsbt` cli command to replace the environment variables
## in a template and saves the resulting file.
##
## template_file <string> <string>
##
## e.g., msged "template" "rendered" will render
## environmental variable in template an
##
function template_file() {

  if [ "$#" -ne 2 ]; then
    error "Illegal number of parameters." >&2
    exit 1 
  fi

  notify "Using the $1 template to generate the $2"

  envsubst <$1 > $2

  if [ "$cat_rendered_templates" == true ]; then
    cat $2
  fi

}


## Creates a name namespace resource in K8s
##
## create_namespace <string>
##
## e.g., create_namespace "gitlab"
##
function create_namespace() {

  if [ "$#" -ne 1 ]; then
    error "Illegal number of parameters." >&2
    exit 1 
  else
    ns=$1
  fi

  notify "Creating namespace $ns"

  kubectl create namespace $ns 2>/dev/null | true
}


## Uses docker_creds_username, docker_creds_password and docker_creds_host set in 
## environment to docker login.
##
## docker_login
##
function docker_login() {

  notify "Logging into private container ${docker_creds_host} registry..."

  data=`echo $docker_creds_password | docker login --username=$docker_creds_username $docker_creds_host --password-stdin 2>&1`

  if [[ "${data}" == *"Unauthorized"* ]]; then
    
    ## The login failed.
    ##
    error "${data}" >&2

    exit 1
  fi
}


## Uses docker_creds_username, docker_creds_password and docker_creds_host set in
## environment to create docker-registry regcred secret as per 
##
## https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-secret-by-providing-credentials-on-the-command-line
##
## kubectl_registry_regcred
##
function kubectl_registry_regcred () {
  notify "Creating docker-registry regcred for ${namespace}..."

  kubectl create secret -n $namespace docker-registry regcred --docker-server=$docker_creds_host --docker-username=$docker_creds_username --docker-password=$docker_creds_password
}


## When messaged an indexed array of images it will pull them from the public registry, tag them for
## private container regitry and push them it into it.  It will also create variables for
## the image name and tage using they key for each image.
##
## images_into_registry <indexed_array>
##
function images_into_registry() {

  if [ "$#" -ne 1 ]; then
    error "images_into_registry - Illegal number of parameters." >&2
    exit 1
  fi

  notify "Pulling images from public registry and placing into ${registry_name} registry..."

  # images passed by reference
  local -n images=$1

  for image in "${!images[@]}"; do

    local image_name=$(get_image_name ${images[$image]})
    local image_tag=$(get_image_tag ${images[$image]})

    ## Creates the <key>_image_name off the index array key
    ##
    ## e.g., gitlab_image_name
    ##
    eval "${image}_image_name=\"${image_name}\""

    ## Creates the <key>_image_tag off the index array key
    ##
    ## e.g., gitlab_tag_name
    ##
    eval "${image}_image_tag=\"${image_tag}\""

    ## Are we pulling images into the local docker cache?
    ##
    if [ "${pull_container_images}" = "true" ]; then
    
      ## But only for public registries, not our private registry
      ##
      if [[ "${image_name}" != *"${registry_name}"*  ]]; then

        ## Is the image already in the docker cache?
        ##
        if [ "$(docker images -q ${images[$image]} | wc -l | xargs)" = "0" ]; then
          ## Nope.
          ##
          ## Are we saving container images in the image_cache folder in the 
          ## root of the project?
          ##
  
          docker_pull=true

          if [ "${save_container_images}" = "true" ]; then

            ## And do we have the image saved there now, if so load it into
            ## the Docker cache
            ##
            if [[ -f "${SCRIPT_DIR}/image_cache/$(urlencode ${images[$image]}).tar" ]]; then
              notify "Loading image for saved image file located at ${SCRIPT_DIR}/image_cache/$(urlencode ${images[$image]}).tar"
              docker load --input ${SCRIPT_DIR}/image_cache/$(urlencode ${images[$image]}).tar
              docker_pull=false
            fi
          fi

          if [ "${docker_pull}" = "true" ]; then 

            ## If we're saving container images may not have the image in the cache or
            ## we may not be saving images, so pull
            notify "Pulling container image from public registry..."

            ## This may fail when pulling from private registry if the account has been locked
            ##
            data=`docker pull ${images[$image]} 2>&1`

            if [[ "${data}" == *"authentication required"* ]]; then

              error "${data}" >&2

              exit 1
            else
             echo "${data}"
            fi 
          fi
        else
          notify "All ready have ${images[$image]} in docker cache."
        fi

        notify "Tagging and pushing ${image_name}:${image_tag} into ${registry_name=}..."

        docker tag ${images[$image]} ${registry_name}:${registry_port}/${image_name}:${image_tag}

        data=`docker push ${registry_name}:${registry_port}/${image_name}:${image_tag} 2>&1`

        if [[ "${data}" == *"authentication required"* ]]; then 

          error "${data}" >&2

          exit 1
        else
          echo "${data}"
        fi

      else      
        notify "Image is from private container registry. Skipping..."
      fi
      
      ## Are we saving image?
      ##
      if [ "${save_container_images}" = "true" ]; then
        ## Is the image aleady saved to the image_cache folder?      
        ##
        if [[ -f "${SCRIPT_DIR}/image_cache/$(urlencode ${images[$image]}).tar" ]]; then
          notify "${images[$image]} already cached in ${SCRIPT_DIR}/image_cache/"
        else
          notify "Saving ${images[$image]} to ${SCRIPT_DIR}/image_cache/$(urlencode ${images[$image]}).tar"
          ## By writing to /tmp and moving there is less chance of breaking things on a 
          ## future run if the script is interrupted.
          ##
          rm -f /tmp/$(urlencode ${images[$image]}).tar
          docker save ${images[$image]} > /tmp/$(urlencode ${images[$image]}).tar
          mkdir -p ${SCRIPT_DIR}/image_cache && touch ${SCRIPT_DIR}/image_cache/.gitkeep
          mv /tmp/$(urlencode ${images[$image]}).tar ${SCRIPT_DIR}/image_cache/$(urlencode ${images[$image]}).tar
          ls -las ${SCRIPT_DIR}/image_cache/$(urlencode ${images[$image]}).tar
        fi
      fi
    fi
  done
}

## Verifies the current kube config is using the k3d-${k3d_cluster_name} cluster
##
function is_current_context_correct() {

  if [[ "$(kubectl config current-context 2>/dev/null)" != *"k3d-${k3d_cluster_name}"* ]]; then
    error
    error "The current kube config is not configured to use the k3d-${k3d_cluster_name} cluster."
    error

    exit 1
  fi

  echo true
}

## Verify the k3d-${k3d_cluster_name} cluster is running
##
function is_cluster_running() {

  if [[ "$(kubectl get nodes)" == *"did you specify the right host or port"* ]]; then
    error
    error "k3d-${k3d_cluster_name} cluster is not running."
    error

    exit 1
  fi

  echo true
}

## Source vault variables
##

if [ ! $skip_encrypted_variables ]; then

  if [[ "$(which openssl)" == *"no openssl in"* ]]; then
    error "Install the OpenSSL Software Foundation provided openssl system package and ensure the openssl binary is in your \$PATH." >&2
    exit 1
  elif [[ "$(openssl version)" != *"OpenSSL"* ]]; then
    error "The openssl installed is not provided by the OpenSSL Software Foundation, but is a variant." >&2
    exit 1
  fi

  notify "Attempting to load secrets from ${SCRIPT_DIR}/vault..."

  if [[ "$(file ${SCRIPT_DIR}/vault)" != *"script"* ]]; then
    if [ "${VAULT_PASSWORD}" == "" ]; then
      ask_for_input "Enter vault password to decrypt vault to access secured variables in ${SCRIPT_DIR}/vault:"
      read -s VAULT_PASSWORD
    else
     notify "Using VAULT_PASSWORD env variable to access secured variables contained in the ${SCRIPT_DIR}/vault..."
    fi
    eval "$(openssl enc -base64 -d -aes-256-cbc -md sha512 -pbkdf2 -iter 100000 -salt -pass pass:${VAULT_PASSWORD} -in ${SCRIPT_DIR}/vault)"
  else
    warn "${SCRIPT_DIR}/vault was found unecrypted and used..."
    source ${SCRIPT_DIR}/vault
  fi
fi


## Set variables for project
##

notify "Setting unsecured variables into current context..."

domain="nemonik.com"

## https://golang.org/dl/
##
## Only used when installed in Rocky 8
##
golang_version="1.17"

## https://golangci-lint.run/usage/install/
##
golangci_lint_version="1.42.1" 

## Vagrant
##
vagrant_enabled=false #true
vagrant_box="generic/arch" #"generic/rocky8"
vagrant_memory=32764
vagrant_cpus=4
vagrant_disksize="200GB"


## Private container registry
##
registry_name="k3d-registry.nemonik.com"
registry_port="5000"


## pullthrough container registry
pullthrough_registry_enabled=false #true
pullthrough_registry_port="5001"
pullthrough_registry_name="hands-on-devops-pullthrough-registry"

## K3d cluster
##

## The cluster's name must be limited to 'Aa-Zz', '0-9' or '-' characters
##
k3d_cluster_name="hands-on-devops-class"
k3d_server_count="1"
k3d_agent_count="1"
#k3s_airgap_images_url="https://github.com/k3s-io/k3s/releases/download/v1.21.2%2Bk3s1/k3s-airgap-images-amd64.tar.gz"
#k3s_canonical_image="rancher/k3s:v1.21.2-k3s1"
#k3s_airgap_images_url="https://github.com/k3s-io/k3s/releases/download/v1.19.15%2Bk3s2/k3s-airgap-images-amd64.tar"
#k3s_canonical_image="rancher/k3s:v1.19.15-k3s2"
k3s_airgap_images_url="https://github.com/k3s-io/k3s/releases/download/v1.20.11%2Bk3s1/k3s-airgap-images-amd64.tar"
k3s_canonical_image="rancher/k3s:v1.20.11-k3s1"
declare -A k3d_images=( \
   ["k3s"]="$(echo $k3s_canonical_image | sed 's/rancher/nemonik/g')" \
   ["proxy"]="rancher/k3d-proxy:5.0.1")


## Traefik
##
traefik_version="2.2.8"
traefik_namespace="traefik"
# traefik_tls_crt is in ./vault
# traefik_tls_key is in ./vault
declare -A traefik_images=( \
  ["traefik"]="traefik:${traefik_version}")


## Used for testing
##
test_namespace="test"
test_fdqn="test.${domain}"
test_protocol="https"
declare -A test_images=( \
  ["nginx"]="nginx:1.19-alpine")


## Taiga
##
taiga_version="latest"
taiga_namespace="taiga"
taiga_fdqn="taiga.${domain}"
taiga_protocol="https"
taiga_port=443
taiga_user=root
taiga_password=password
declare -A taiga_images=( \
  ["rabbitmq"]="rabbitmq:3.7-management-alpine" \
  ["taiga_back"]="taigaio/taiga-back:${taiga_version}" \
  ["postgres"]="postgres:12.3" \
  ["taiga_events"]="taigaio/taiga-events:${taiga_version}" \
  ["taiga_front"]="taigaio/taiga-front:${taiga_version}" \
  ["nginx"]="nginx:1.19-alpine" \
  ["taiga_protected"]="taigaio/taiga-protected:${taiga_version}")


## GitLab
##
gitlab_version="14.2.1"
gitlab_namespace="gitlab"
gitlab_fdqn="gitlab.${domain}"
gitlab_protocol="https"
gitlab_port=443
gitlab_root_password="password"
gitlab_settings="signup_enabled=false&allow_local_requests_from_hooks_and_services=true&auto_devops_enabled=false&send_user_confirmation_email=false&allow_local_requests_from_hooks_and_services=true"

declare -A gitlab_images=( \
  ["redis"]="redis:5.0.9" \
  ["postgresql"]="sameersbn/postgresql:12-20200524" \
  ["gitlab"]="sameersbn/gitlab:${gitlab_version}")


## Drone
##
drone_namespace="drone"
drone_fdqn="drone.${domain}"
drone_protocol="https"
drone_runner_replica_count=1
declare -A drone_images=( \
  ["postgresql"]="sameersbn/postgresql:11-20200524" \
  ["drone"]="nemonik/drone:latest" \
  ["drone_runner_kube"]="drone/drone-runner-kube:latest" \
  ["kubernetes_secrets"]="drone/kubernetes-secrets:latest")


## PlantUML Server
##
plantuml_server_namespace="plantuml"
plantuml_server_fdqn="plantuml.${domain}"
plantuml_server_protocol="https"
declare -A plantuml_server_images=( \
  ["plantuml_server"]="plantuml/plantuml-server:latest")


## SonarQube
##
sonarqube_namespace="sonarqube"
sonarqube_fdqn="sonar.${domain}"
sonarqube_protocol="https"
sonarqube_port="443"
declare -A sonarqube_images=( \
  ["sonarqube"]="sonarqube:8.5.1-community" \
  ["busybox"]="busybox:1.32" \
  ["postgresql"]="bitnami/postgresql:11.7.0-debian-10-r26")


## Heimdall2
##
heimdall_namespace="heimdall2"
heimdall_fdqn="heimdall.${domain}"
heimdall_protocol="https"
heimdall_port="443"
heimdall_database_password=`openssl rand -hex 33`
heimdall_jwt_secret=`openssl rand -hex 64`
declare -A heimdall_images=( \
  ["postgres"]="postgres:13" \
  ["heimdall"]="mitre/heimdall2:2.4.8")


declare -A class_images=( \
  ["docker"]="plugins/docker:latest" \
  ["golang"]="golang:1.16.5" \
  ["bitnami_kubectl"]="bitnami/kubectl:1.21.1" \
  ["selenium_standalone_chrome"]="selenium/standalone-chrome:3.141" \
  ["python"]="python:3.9.6" \
  ["owasp_zap2docker"]="owasp/zap2docker-stable:2.8.0")


## CoreDNS entries
##
coredns_entries=( "${gitlab_fdqn}" "${drone_fdqn}" "${taiga_fdqn}" "${sonarqube_fdqn}" "${plantuml_server_fdqn}" "${heimdall_fdqn}" "${registry_name}" "helloworld.${domain}")