#!/bin/bash

echo "... ] BUILDING THE CRYPTOPACK.B64 FILE [ ..."

HOME=$( cd "$(dirname "$0")" && pwd )
source $HOME/config

apt update -q
apt install -y sharutils openssl

SSL_REPO=/tmp/k8x-cryptogen
mkdir -p ${SSL_REPO}
mkdir -p ${CONF_DIR}/{kube-controller-manager,kubelet,kube-proxy,kube-scheduler}
mkdir -p /var/lib/{kube-controller-manager,kubelet,kube-proxy,kube-scheduler}

#checks if we have the cryptopack file
if [ -f $HOME/cryptopack.b64 ]; then
    echo "] cryptopack.b64 already generated. rebuilding..."
    TSTAMP=`date +%s`
    mv -v ${HOME}/cryptopack.b64 ${HOME}/cryptopack.b64.${TSTAMP}
fi

if [ -f ${CA_DIR}/ca-openssl.cnf ]; then
    cp -v ${CA_DIR}/ca-openssl.cnf ${SSL_REPO}/ca-openssl.cnf
else
cat <<EOF | tee ${SSL_REPO}/ca-openssl.cnf
[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, keyCertSign

[ v3_req_helm ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

[ v3_req_etcd ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names_etcd

[ alt_names_etcd ]
DNS.1 = ${MASTER_1_NAME}
DNS.2 = ${MASTER_2_NAME}
DNS.3 = ${MASTER_3_NAME}
DNS.4 = ${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.5 = ${MASTER_1_NAME}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.6 = ${MASTER_2_NAME}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}
DNS.7 = ${MASTER_3_NAME}.${CLUSTER_NAME}.${CLUSTER_DOMAIN}
IP.1 = ${ETCD_1_IP}
IP.2 = ${ETCD_2_IP}
IP.3 = ${ETCD_3_IP}
EOF
fi

#generate tokens
for object in admin kubelet kube-proxy kube-controller-manager kube-scheduler
do
    if [ -f ${CA_DIR}/${object}.token ]; then
        cp -v ${CA_DIR}/${object}.token ${SSL_REPO}/${object}.token
    else
        dd if=/dev/urandom bs=128 count=1 2>/dev/null | base64 -w 0 | tr -d "=+/" | dd bs=256 count=1 2>/dev/null > ${SSL_REPO}/${object}.token
    fi
done

printf "\n] generating certificate authorities..."
#generate kube certificate authority
if [ -f ${CA_DIR}/ca.key ] && [ -f ${CA_DIR}/ca.crt ]; then
    cp -v ${CA_DIR}/ca.key ${SSL_REPO}/ca.key
    cp -v ${CA_DIR}/ca.crt ${SSL_REPO}/ca.crt
else
    openssl ecparam -name secp521r1 -genkey -noout -out ${SSL_REPO}/ca.key
    chmod 0600 ${SSL_REPO}/ca.key
    openssl req -x509 -new -nodes -key ${SSL_REPO}/ca.key -days 20000 -out ${SSL_REPO}/ca.crt -subj "/CN=kubernetes-ca" -extensions v3_ca -config ${SSL_REPO}/ca-openssl.cnf
fi

#generate helm certificate authority
if [ -f ${CA_DIR}/helm-ca.key ] && [ -f ${CA_DIR}/helm-ca.crt ]; then
    cp -v ${CA_DIR}/helm-ca.key ${SSL_REPO}/helm-ca.key
    cp -v ${CA_DIR}/helm-ca.crt ${SSL_REPO}/helm-ca.crt
else
    openssl ecparam -name secp521r1 -genkey -noout -out ${SSL_REPO}/helm-ca.key
    chmod 0600 ${SSL_REPO}/helm-ca.key
    openssl req -x509 -new -nodes -key ${SSL_REPO}/helm-ca.key -days 20000 -out ${SSL_REPO}/helm-ca.crt -subj "/CN=helm-ca" -extensions v3_ca -config ${SSL_REPO}/ca-openssl.cnf
fi

#generate etcd certificate authority
if [ -f ${CA_DIR}/etcd-ca.key ] && [ -f ${CA_DIR}/etcd-ca.crt ]; then
    cp -v ${CA_DIR}/etcd-ca.key ${SSL_REPO}/etcd-ca.key
    cp -v ${CA_DIR}/etcd-ca.crt ${SSL_REPO}/etcd-ca.crt
else
    openssl ecparam -name secp521r1 -genkey -noout -out ${SSL_REPO}/etcd-ca.key 
    chmod 0600 ${SSL_REPO}/etcd-ca.key
    openssl req -x509 -new -nodes -key ${SSL_REPO}/etcd-ca.key -days 20000 -out ${SSL_REPO}/etcd-ca.crt -subj "/CN=etcd-ca" -extensions v3_ca -config ${SSL_REPO}/ca-openssl.cnf
fi

#generate aggregator certificate authority
if [ -f ${CA_DIR}/aggregator-ca.key ] && [ -f ${CA_DIR}/aggregator-ca.crt ]; then
    cp -v ${CA_DIR}/aggregator-ca.key ${SSL_REPO}/aggregator-ca.key
    cp -v ${CA_DIR}/aggregator-ca.crt ${SSL_REPO}/aggregator-ca.crt
else
    openssl ecparam -name secp521r1 -genkey -noout -out ${SSL_REPO}/aggregator-ca.key 
    chmod 0600 ${SSL_REPO}/aggregator-ca.key
    openssl req -x509 -new -nodes -key ${SSL_REPO}/aggregator-ca.key -days 20000 -out ${SSL_REPO}/aggregator-ca.crt -subj "/CN=aggregator-ca" -extensions v3_ca -config ${SSL_REPO}/ca-openssl.cnf
fi

printf "\n] generating certificates..."
#create etcd certificate
if [ -f ${CA_DIR}/etcd.key ] && [ -f ${CA_DIR}/etcd.crt ]; then
    cp -v ${CA_DIR}/etcd.key ${SSL_REPO}/etcd.key
    cp -v ${CA_DIR}/etcd.crt ${SSL_REPO}/etcd.crt
    cp -v ${CA_DIR}/etcd.csr ${SSL_REPO}/etcd.csr
else
    openssl ecparam -name secp521r1 -genkey -noout -out ${SSL_REPO}/etcd.key
    chmod 0600 ${SSL_REPO}/etcd.key
    openssl req -new -key ${SSL_REPO}/etcd.key -subj "/CN=etcd" -out ${SSL_REPO}/etcd.csr
    openssl x509 -req -in ${SSL_REPO}/etcd.csr -CA ${SSL_REPO}/etcd-ca.crt -CAkey ${SSL_REPO}/etcd-ca.key -CAcreateserial -out ${SSL_REPO}/etcd.crt -days 20000 -extensions v3_req_etcd -extfile ${SSL_REPO}/ca-openssl.cnf
fi

#create etcd peer certificate
if [ -f ${CA_DIR}/etcd-peer.key ] && [ -f ${CA_DIR}/etcd-peer.crt ]; then
    cp -v ${CA_DIR}/etcd-peer.key ${SSL_REPO}/etcd-peer.key
    cp -v ${CA_DIR}/etcd-peer.crt ${SSL_REPO}/etcd-peer.crt
    cp -v ${CA_DIR}/etcd-peer.csr ${SSL_REPO}/etcd-peer.csr
else
    openssl ecparam -name secp521r1 -genkey -noout -out ${SSL_REPO}/etcd-peer.key
    chmod 0600 ${SSL_REPO}/etcd-peer.key
    openssl req -new -key ${SSL_REPO}/etcd-peer.key -subj "/CN=etcd-peer" -out ${SSL_REPO}/etcd-peer.csr
    openssl x509 -req -in ${SSL_REPO}/etcd-peer.csr -CA ${SSL_REPO}/etcd-ca.crt -CAkey ${SSL_REPO}/etcd-ca.key -CAcreateserial -out ${SSL_REPO}/etcd-peer.crt -days 20000 -extensions v3_req_etcd -extfile ${SSL_REPO}/ca-openssl.cnf
fi

#create helm server (tiller) certificate
if [ -f ${CA_DIR}/tiller.key ] && [ -f ${CA_DIR}/tiller.crt ]; then
    cp -v ${CA_DIR}/tiller.key ${SSL_REPO}/tiller.key
    cp -v ${CA_DIR}/tiller.crt ${SSL_REPO}/tiller.crt
    cp -v ${CA_DIR}/tiller.csr ${SSL_REPO}/tiller.csr
else
    openssl ecparam -name secp521r1 -genkey -noout -out ${SSL_REPO}/tiller.key
    chmod 0600 ${SSL_REPO}/tiller.key
    openssl req -new -key ${SSL_REPO}/tiller.key -subj "/CN=tiller" -out ${SSL_REPO}/tiller.csr
    openssl x509 -req -in ${SSL_REPO}/tiller.csr -CA ${SSL_REPO}/helm-ca.crt -CAkey ${SSL_REPO}/helm-ca.key -CAcreateserial -out ${SSL_REPO}/tiller.crt -days 20000 -extensions v3_req_helm -extfile ${SSL_REPO}/ca-openssl.cnf
fi

#create helm client certificate
if [ -f ${CA_DIR}/helm.key ] && [ -f ${CA_DIR}/helm.crt ]; then
    cp -v ${CA_DIR}/helm.key ${SSL_REPO}/helm.key
    cp -v ${CA_DIR}/helm.crt ${SSL_REPO}/helm.crt
    cp -v ${CA_DIR}/helm.csr ${SSL_REPO}/helm.csr
else
    openssl ecparam -name secp521r1 -genkey -noout -out ${SSL_REPO}/helm.key
    chmod 0600 ${SSL_REPO}/helm.key
    openssl req -new -key ${SSL_REPO}/helm.key -subj "/CN=helm" -out ${SSL_REPO}/helm.csr
    openssl x509 -req -in ${SSL_REPO}/helm.csr -CA ${SSL_REPO}/helm-ca.crt -CAkey ${SSL_REPO}/helm-ca.key -CAcreateserial -out ${SSL_REPO}/helm.crt -days 20000 -extensions v3_req_helm -extfile ${SSL_REPO}/ca-openssl.cnf
fi

#create aggregator proxy certificate
if [ -f ${CA_DIR}/aggregator.key ] && [ -f ${CA_DIR}/aggregator.crt ]; then
    cp -v ${CA_DIR}/aggregator.key ${SSL_REPO}/aggregator.key
    cp -v ${CA_DIR}/aggregator.crt ${SSL_REPO}/aggregator.crt
    cp -v ${CA_DIR}/aggregator.csr ${SSL_REPO}/aggregator.csr
else
    openssl ecparam -name secp521r1 -genkey -noout -out ${SSL_REPO}/aggregator.key
    chmod 0600 ${SSL_REPO}/aggregator.key
    openssl req -new -key ${SSL_REPO}/aggregator.key -subj "/CN=aggregator" -out ${SSL_REPO}/aggregator.csr
    openssl x509 -req -in ${SSL_REPO}/aggregator.csr -CA ${SSL_REPO}/aggregator-ca.crt -CAkey ${SSL_REPO}/aggregator-ca.key -CAcreateserial -out ${SSL_REPO}/aggregator.crt -days 20000 -extensions v3_req_helm -extfile ${SSL_REPO}/ca-openssl.cnf
fi


printf "\n] generating root service account keypair..."
#generate root ServiceAccount public and private key
if [ -f ${CA_DIR}/sa.key ] && [ -f ${CA_DIR}/sa.pub ]; then
    cp -v ${CA_DIR}/sa.key ${SSL_REPO}/sa.key
    cp -v ${CA_DIR}/sa.pub ${SSL_REPO}/sa.pub
else
    openssl ecparam -name secp521r1 -genkey -noout -out ${SSL_REPO}/sa.key
    openssl ec -in ${SSL_REPO}/sa.key -outform PEM -pubout -out ${SSL_REPO}/sa.pub
    chmod 0600 ${SSL_REPO}/sa.key
fi

printf "\n] packing the crypto files..."
tar cvf $HOME/cryptopack.tar ${SSL_REPO}/*
gzip -9 $HOME/cryptopack.tar
cat $HOME/cryptopack.tar.gz | base64 -w 0 > $HOME/cryptopack.b64
rm $HOME/cryptopack.tar.gz
rm -fr ${SSL_REPO}
clear
echo "exec the following command on the rest of the nodes to distribute the keys"
echo ;
packdata=`cat ${HOME}/cryptopack.b64`
echo "echo \"${packdata}\" > cryptopack.b64"