#cloud-config
write_files:
  - path: /etc/systemd/system/make-cert.service
    owner: "root:root"
    permissions: "0644"
    content: |
      [Unit]
      Description=Make TLS certificates

      [Service]
      Type=oneshot
      ExecStart=/etc/sysconfig/make-cert.sh

      [Install]
      WantedBy=multi-user.target

  - path: /etc/sysconfig/make-cert.sh
    owner: "root:root"
    permissions: "0755"
    content: |
      #!/bin/bash

      # Parse the JSON response that contains the TLS certificate, and print
      # out the certificate content.
      function parse_json_response {
        json_response=$1
        # {..,"pem": "ABCD",..} -> ABCD
        key=$(echo "$json_response" | sed 's/^.*"pem": "\([^"]*\)".*$/\1/')
        # decode newline characters
        key=$(echo "$key" | sed 's/\\n/\n/g')
        echo "$key"
      }

      . /etc/sysconfig/heat-params

      set -o errexit
      set -o nounset
      set -o pipefail

      if [ "$TLS_DISABLED" == "True" ]; then
        exit 0
      fi

      cert_dir=/etc/kubernetes/ssl
      cert_conf_dir=${cert_dir}/conf

      mkdir -p "$cert_dir"
      mkdir -p "$cert_conf_dir"

      CA_CERT=$cert_dir/ca.pem
      CLIENT_CERT=$cert_dir/worker.pem
      CLIENT_CSR=$cert_dir/worker.csr
      CLIENT_KEY=$cert_dir/worker-key.pem

      #Get a token by user credentials and trust
      cat > auth.json << EOF
      {
          "auth": {
              "identity": {
                  "methods": [
                      "password"
                  ],
                  "password": {
                      "user": {
                          "id": "$TRUSTEE_USER_ID",
                          "password": "$TRUSTEE_PASSWORD"
                      }
                  }
              },
              "scope": {
                  "OS-TRUST:trust": {
                      "id": "$TRUST_ID"
                  }
              }
          }
      }
      EOF

      #trust is introduced in Keystone v3 version
      AUTH_URL=${AUTH_URL/v2.0/v3}
      USER_TOKEN=`curl -k -s -i -X POST -H "Content-Type: application/json" -d @auth.json \
                       $AUTH_URL/auth/tokens | grep X-Subject-Token | awk '{print $2}'`

      rm -rf auth.json

      ca_cert_json=$(curl -k -X GET \
        -H "X-Auth-Token: $USER_TOKEN" \
        -H "OpenStack-API-Version: container-infra latest" \
        $MAGNUM_URL/certificates/$CLUSTER_UUID)
      parse_json_response "${ca_cert_json}" > ${CA_CERT}

      # Create config for client's csr
      cat > ${cert_conf_dir}/worker-openssl.conf <<EOF
      [req]
      distinguished_name = req_distinguished_name
      req_extensions     = req_ext
      prompt = no
      [req_distinguished_name]
      CN = kubernetes.invalid
      [req_ext]
      keyUsage=critical,digitalSignature,keyEncipherment
      extendedKeyUsage=clientAuth
      subjectAltName=dirName:kubelet,dirName:kubeproxy
      [kubelet]
      CN=kubelet
      [kubeproxy]
      CN=kube-proxy
      EOF

      # Generate client's private key and csr
      openssl genrsa -out "${CLIENT_KEY}" 4096
      chmod 400 "${CLIENT_KEY}"
      openssl req -new -days 1000 \
              -key "${CLIENT_KEY}" \
              -out "${CLIENT_CSR}" \
              -reqexts req_ext \
              -config "${cert_conf_dir}/worker-openssl.conf"

      # encode newline (\n) characters
      csr=$(cat $CLIENT_CSR | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/\\n/g')
      csr_req="{\"cluster_uuid\": \"$CLUSTER_UUID\", \"csr\": \"$csr\"}"
      # Send csr to Magnum to have it signed
      client_cert_json=$(curl -k -X POST \
          -H "X-Auth-Token: $USER_TOKEN" \
          -H "OpenStack-API-Version: container-infra latest" \
          -H "Content-Type: application/json" \
          -d "$csr_req" \
          $MAGNUM_URL/certificates)
      parse_json_response "${client_cert_json}" > ${CLIENT_CERT}

      chmod 600 ${cert_dir}/*-key.pem
      chown root:root ${cert_dir}/*-key.pem