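#!/bin/bash
#
# kubernetes_install.sh
#
# Installs the contents of the "package" directory (kubernetes and docker
# .deb files, CNI plugins, crictl, container image tarballs and config files)
# onto the current machine and applies basic host protections.
#
# Interactive checks before anything is installed:
#   - whether the images have already been pre-pulled into a private registry
#   - whether the registry certificates are installed on this machine
#   - whether apt sources have been disabled (offline install)
#   - whether this node is a control-plane node or a worker node
#
# Required env: HOME (package directory is $HOME/package).
# Requires: sudo, apt, tar, docker, iptables, ip, sysctl, systemctl, modprobe.

set -euo pipefail

readonly dir="$HOME/package"
readonly admin_ip="192.168.1.5"      # the only host allowed to reach ssh (tcp/22)
readonly node_net="192.168.1.0/24"   # other cluster nodes; allowed on cluster ports
readonly pod_net="10.244.0.0/16"     # flannel pod network
readonly gateway_ip="192.168.1.1"    # default route next hop
readonly net_iface="eth0"            # interface carrying the default route
readonly certs_dir="$dir/certs/registry.certs.d"
readonly registry_addr="localhost:443"

# Images the cluster needs; pushed into the private registry when the user
# answers that they have not been pre-pulled.
readonly images=(
  "registry.k8s.io/kube-apiserver:v1.32.3"
  "registry.k8s.io/kube-controller-manager:v1.32.3"
  "registry.k8s.io/kube-scheduler:v1.32.3"
  "registry.k8s.io/kube-proxy:v1.32.3"
  "registry.k8s.io/coredns/coredns:v1.11.3"
  "registry.k8s.io/pause:3.10"
  "registry.k8s.io/etcd:3.5.16-0"
  "flannel/flannel-cni-plugin:v1.6.2-flannel1"
  "flannel/flannel:v0.26.5"
)

# Set by gather_answers: "y"/"n"-style answer and "control"/"worker".
prepulled=""
node_role=""

#######################################
# Print an error to stderr and exit with status 1.
# Arguments: message words
#######################################
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a non-fatal warning to stderr.
# Arguments: message words
#######################################
warn() {
  printf 'warning: %s\n' "$*" >&2
}

#######################################
# Print a prompt, read one line from stdin and store it lower-cased.
# Arguments: $1 - prompt text, $2 - name of the variable to assign
# Outputs:   prompt on stdout
#######################################
ask() {
  local _prompt=$1 _var=$2 _raw _lower
  printf '%s\n' "$_prompt"
  read -r _raw
  _lower=$(printf '%s' "$_raw" | tr '[:upper:]' '[:lower:]')
  printf -v "$_var" '%s' "$_lower"
}

# True when $1 is an affirmative answer.
is_yes() { [[ "$1" == "y" || "$1" == "yes" ]]; }

# True when $1 is a negative answer.
is_no() { [[ "$1" == "n" || "$1" == "no" ]]; }

#######################################
# Append an iptables rule unless an identical rule is already present, so
# re-running the script does not accumulate duplicate rules.
# Arguments: iptables rule specification (chain first), as for -A
#######################################
add_rule() {
  sudo iptables -C "$@" 2>/dev/null || sudo iptables -A "$@"
}

#######################################
# Ask the preconditions and the node role.
# Globals:  prepulled, node_role (written)
# Returns:  exits 1 when certificates or apt sources are not ready
#######################################
gather_answers() {
  local answer

  ask "Have the images already been pre-pulled into a private registry? (y/n)" prepulled

  ask "Is SSL certificates installed in the current machine? (y/n)" answer
  if is_yes "$answer"; then
    echo "Certificates confirmed..."
  else
    echo "Go install certificates in /usr/local/share/ca-certificates then update."
    exit 1
  fi

  ask "Have apt sources been disabled? (y/n)" answer
  if is_yes "$answer"; then
    echo "Sources confirmed..."
  else
    echo "Go to /etc/apt/sources.list and comment the sources."
    exit 1
  fi

  while true; do
    ask "Will this be a control node or worker node? (control/worker)" answer
    case "$answer" in
      worker)
        echo "Worker node confirmed..."
        node_role="worker"
        break
        ;;
      control)
        echo "Control plane confirmed..."
        node_role="control"
        break
        ;;
      *)
        echo "Please enter either 'worker' or 'control'."
        ;;
    esac
  done
}

#######################################
# Install the packaged .deb files, CNI plugins and crictl.
# Globals:  dir (read)
#######################################
install_packages() {
  sudo apt -q install "$dir"/kube_packages/* "$dir"/docker_packages/*
  sudo mkdir -p /opt/cni/bin
  sudo tar -C /opt/cni/bin -xzf "$dir"/configs/cni-plugins-linux-*
  sudo tar -C /usr/local/bin -vxzf "$dir"/configs/crictl-*
}

#######################################
# Load the image tarballs into docker, start a TLS registry on this machine
# and push the retagged images to it. Assumes the private registry lives on
# the current machine.
# Globals:  dir, certs_dir, registry_addr, images (read)
#######################################
seed_registry() {
  local tarball image name

  for tarball in "$dir"/images/*; do
    [[ -f "$tarball" ]] || continue   # empty directory leaves the glob literal
    sudo docker load -i "$tarball"
  done

  # The registry listens on every interface (0.0.0.0:443 published as 443:443).
  # NOTE(review): traffic to docker-published ports is handled in docker's
  # FORWARD chains rather than INPUT, so the INPUT rule for tcp/443 added by
  # configure_firewall may not limit who can reach the registry — confirm and
  # restrict in the DOCKER-USER chain if exposure beyond $node_net matters.
  sudo docker run -d --restart=always \
    --name=registry \
    -v "$certs_dir"/:/certs \
    -e REGISTRY_HTTP_ADDR=0.0.0.0:443 \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/registry.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/registry.key \
    -p 443:443 \
    registry

  # Retag with the flat repository layout the registry uses and push.
  for image in "${images[@]}"; do
    name=$image
    if [[ "$image" == registry.k8s.io* ]]; then
      name=${image#registry.k8s.io/}
      name=${name#coredns/}
    fi
    sudo docker tag "$image" "$registry_addr/$name"
    sudo docker rmi "$image"
    sudo docker push "$registry_addr/$name"
  done
}

#######################################
# Install containerd, docker, sysctl and crictl config files and restart
# the affected services.
# Globals:  dir (read)
#######################################
install_configs() {
  local cfg="$dir/configs"
  sudo mkdir -p /etc/containerd/ /etc/docker/
  sudo cp "$cfg/containerd.toml" /etc/containerd/config.toml
  sudo cp "$cfg/daemon.json" /etc/docker/
  sudo cp "$cfg/k8s.conf" /etc/sysctl.d/
  sudo cp "$cfg/crictl.yaml" /etc/crictl.yaml
  sudo sysctl --system
  sudo systemctl restart containerd
  sudo systemctl restart docker
}

#######################################
# Apply the basic iptables rule set for the chosen node role.
# Globals:  admin_ip, node_net, pod_net, node_role (read)
#######################################
configure_firewall() {
  # Admin ssh, established flows and loopback are allowed before the DROP
  # policy is set so the session running this script is not cut off. The
  # operator must be connected from $admin_ip, otherwise ssh is locked out.
  add_rule INPUT -s "$admin_ip" -p tcp --dport 22 -j ACCEPT
  add_rule INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  add_rule INPUT -i lo -j ACCEPT
  sudo iptables -P INPUT DROP
  sudo iptables -P FORWARD DROP

  # Ports every node exposes to the other nodes
  add_rule INPUT -s "$node_net" -p tcp --dport 443 -j ACCEPT     # private registry
  add_rule INPUT -s "$node_net" -p udp --dport 8472 -j ACCEPT    # flannel vxlan
  add_rule INPUT -s "$node_net" -p tcp --dport 10250 -j ACCEPT   # kubelet

  # Pod network. These match on source address only, so any packet carrying a
  # pod address is accepted on every port; consider also matching the ingress
  # interface if the LAN is not trusted.
  add_rule INPUT -s "$pod_net" -j ACCEPT
  add_rule FORWARD -s "$pod_net" -j ACCEPT
  add_rule FORWARD -d "$pod_net" -j ACCEPT

  # Role-specific ports
  if [[ "$node_role" == "control" ]]; then
    add_rule INPUT -s "$node_net" -p tcp --dport 6443 -j ACCEPT        # kube-apiserver
    add_rule INPUT -s "$node_net" -p tcp --dport 2379:2380 -j ACCEPT   # etcd
    add_rule INPUT -s "$node_net" -p tcp --dport 10259 -j ACCEPT       # kube-scheduler
    add_rule INPUT -s "$node_net" -p tcp --dport 10257 -j ACCEPT       # kube-controller-manager
  elif [[ "$node_role" == "worker" ]]; then
    add_rule INPUT -s "$node_net" -p tcp --dport 10256 -j ACCEPT       # kube-proxy
    add_rule INPUT -s "$node_net" -p tcp --dport 30000:32767 -j ACCEPT # NodePort range
  fi
}

#######################################
# Set the default route via the gateway on the configured interface.
# Globals:  gateway_ip, net_iface (read)
#######################################
set_default_route() {
  # `ip route add` fails when a default route already exists; that is not
  # fatal for the installation, so only warn.
  sudo ip route add default via "$gateway_ip" dev "$net_iface" \
    || warn "default route not added (already present?)"
}

#######################################
# Disable swap (Raspberry Pi 5 uses dphys-swapfile).
# NOTE(review): swapoff alone is not persistent across reboots — confirm
# that dphys-swapfile is also disabled on the target image.
#######################################
disable_swap() {
  sudo dphys-swapfile swapoff || warn "could not turn swap off with dphys-swapfile"
}

# Load the kernel modules flannel needs.
load_modules() {
  sudo modprobe vxlan
  sudo modprobe br_netfilter
}

main() {
  [[ -d "$dir" ]] || die "package directory $dir not found"

  gather_answers
  install_packages
  # Only populate the local registry when the images were not pre-pulled.
  if is_no "$prepulled"; then
    seed_registry
  fi
  install_configs
  configure_firewall
  set_default_route
  disable_swap
  load_modules

  echo "Finished installation!"
}

main "$@"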