#!/usr/bin/env bash

# Copyright 2014 The Kubernetes Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This command checks that the built commands can function together for
# simple scenarios.  It does not require Docker.

set -o errexit
set -o nounset
set -o pipefail

# start the cache mutation detector by default so that cache mutators will be found
KUBE_CACHE_MUTATION_DETECTOR="${KUBE_CACHE_MUTATION_DETECTOR:-true}"
export KUBE_CACHE_MUTATION_DETECTOR

# panic the server on watch decode errors since they are considered coder mistakes
KUBE_PANIC_WATCH_DECODE_ERROR="${KUBE_PANIC_WATCH_DECODE_ERROR:-true}"
export KUBE_PANIC_WATCH_DECODE_ERROR

KUBE_ROOT=$(dirname "${BASH_SOURCE[0]}")/../..
source "${KUBE_ROOT}/hack/lib/init.sh"
source "${KUBE_ROOT}/hack/lib/test.sh"
source "${KUBE_ROOT}/test/cmd/legacy-script.sh"

# setup envs for TokenRequest required flags
SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-true}
SERVICE_ACCOUNT_KEY=${SERVICE_ACCOUNT_KEY:-/tmp/kube-serviceaccount.key}
# Generate ServiceAccount key if needed
if [[ ! -f "${SERVICE_ACCOUNT_KEY}" ]]; then
  mkdir -p "$(dirname "${SERVICE_ACCOUNT_KEY}")"
  openssl genrsa -out "${SERVICE_ACCOUNT_KEY}" 2048 2>/dev/null
fi

# Runs kube-apiserver
#
# Exports:
#   APISERVER_PID
function run_kube_apiserver() {
  kube::log::status "Building kube-apiserver"
  make -C "${KUBE_ROOT}" WHAT="cmd/kube-apiserver"

  # Start kube-apiserver
  kube::log::status "Starting kube-apiserver"

  # Admission Controllers to invoke prior to persisting objects in cluster
  ENABLE_ADMISSION_PLUGINS="LimitRanger,ResourceQuota"
  DISABLE_ADMISSION_PLUGINS="ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,StorageObjectInUseProtection"

  # Include RBAC (to exercise bootstrapping), and AlwaysAllow to allow all actions
  AUTHORIZATION_MODE="RBAC,AlwaysAllow"

  # Enable features
  ENABLE_FEATURE_GATES=""

  "${KUBE_OUTPUT_HOSTBIN}/kube-apiserver" \
    --bind-address="127.0.0.1" \
    --authorization-mode="${AUTHORIZATION_MODE}" \
    --secure-port="${SECURE_API_PORT}" \
    --feature-gates="${ENABLE_FEATURE_GATES}" \
    --enable-admission-plugins="${ENABLE_ADMISSION_PLUGINS}" \
    --disable-admission-plugins="${DISABLE_ADMISSION_PLUGINS}" \
    --etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \
    --runtime-config=api/v1 \
    --service-account-key-file="${SERVICE_ACCOUNT_KEY}" \
    --service-account-lookup="${SERVICE_ACCOUNT_LOOKUP}" \
    --service-account-issuer="https://kubernetes.default.svc" \
    --service-account-signing-key-file="${SERVICE_ACCOUNT_KEY}" \
    --storage-media-type="${KUBE_TEST_API_STORAGE_TYPE-}" \
    --cert-dir="${TMPDIR:-/tmp/}" \
    --service-cluster-ip-range="10.0.0.0/24" \
    --client-ca-file=hack/testdata/ca/ca.crt \
    --token-auth-file=hack/testdata/auth-tokens.csv 1>&2 &
  export APISERVER_PID=$!

  kube::util::wait_for_url_with_bearer_token "https://127.0.0.1:${SECURE_API_PORT}/healthz" "admin-token" "apiserver"
}

# Runs run_kube_controller_manager
#
# Exports:
#   CTLRMGR_PID
function run_kube_controller_manager() {
  kube::log::status "Building kube-controller-manager"
  make -C "${KUBE_ROOT}" WHAT="cmd/kube-controller-manager"

  # Start controller manager
  kube::log::status 'Generate kubeconfig for controller-manager'
  local config
  config="$(mktemp controller-manager.kubeconfig.XXXXX)"
  cat <<EOF > "$config"
kind: Config
users:
- name: controller-manager
  user:
    token: admin-token
clusters:
- cluster:
    server: https://127.0.0.1:${SECURE_API_PORT}
    insecure-skip-tls-verify: true
  name: local
contexts:
- context:
    cluster: local
    user: controller-manager
  name: local-context
current-context: local-context
EOF

  kube::log::status "Starting controller-manager"
  "${KUBE_OUTPUT_HOSTBIN}/kube-controller-manager" \
    --kube-api-content-type="${KUBE_TEST_API_TYPE-}" \
    --cluster-signing-cert-file=hack/testdata/ca/ca.crt \
    --cluster-signing-key-file=hack/testdata/ca/ca.key \
    --kubeconfig="${config}" 1>&2 &
  export CTLRMGR_PID=$!

  kube::util::wait_for_url "https://127.0.0.1:${SECURE_CTLRMGR_PORT}/healthz" "controller-manager"
}

# Creates a node object with name 127.0.0.1. This is required because we do not
# run kubelet.
#
# An arbitrary annotation is needed to ensure field managers are saved on the
# object. Without it, we would be creating an empty object and because status
# and name get wiped, there were be no field managers tracking any fields.
#
# Exports:
#   SUPPORTED_RESOURCES(Array of all resources supported by the apiserver).
function create_node() {
  kubectl create -f - << __EOF__
{
  "kind": "Node",
  "apiVersion": "v1",
  "metadata": {
    "name": "127.0.0.1",
    "annotations": {
      "save-managers": "true"
    }
  },
  "status": {
    "capacity": {
      "memory": "1Gi"
    }
  }
}
__EOF__
}

# Run it if:
# 1) $WHAT is empty
# 2) $WHAT is not empty and kubeadm is part of $WHAT
WHAT=${WHAT:-}
if [[ ${WHAT} == "" || ${WHAT} =~ .*kubeadm.* ]] ; then
  kube::log::status "Running kubeadm tests"

  # build kubeadm
  make all -C "${KUBE_ROOT}" WHAT=cmd/kubeadm
  # unless the user sets KUBEADM_PATH, assume that "make all..." just built it
  export KUBEADM_PATH="${KUBEADM_PATH:=$(kube::realpath "${KUBE_ROOT}")/_output/local/go/bin/kubeadm}"
  # invoke the tests
  make -C "${KUBE_ROOT}" test \
    WHAT=k8s.io/kubernetes/cmd/kubeadm/test/cmd \
    KUBE_TIMEOUT=--timeout=240s \
    KUBE_RACE=""

  # if we ONLY want to run kubeadm, then exit here.
  if [[ ${WHAT} == "kubeadm" ]]; then
    kube::log::status "TESTS PASSED"
    exit 0
  fi
fi

kube::log::status "Running kubectl tests for kube-apiserver"

setup
run_kube_apiserver
run_kube_controller_manager
create_node
export SUPPORTED_RESOURCES=("*")
# WARNING: Do not wrap this call in a subshell to capture output, e.g. output=$(runTests)
# Doing so will suppress errexit behavior inside runTests
runTests

kube::log::status "TESTS PASSED"