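#!/bin/bash
##
## Further set of tests to ensure that Kubernetes is working as expected
##

# Load the local GCE settings. Stop here if the file cannot be read so that
# no gcloud/kubectl command below runs against an unintended project or zone.
. .gce_kubernetes.config || {
  echo "Unable to load .gce_kubernetes.config" >&2
  exit 1
}

echo "######################################"
echo "Set the gcloud compute region and zone"
echo "######################################"
# ${VAR:?} aborts with a message when a setting is empty or unset; the quotes
# keep each value a single argument.
gcloud config set compute/region "${GCE_REGION:?GCE_REGION is not set}"
gcloud config set compute/zone "${GCE_ZONE:?GCE_ZONE is not set}"
gcloud config set project "${GCE_PROJECT:?GCE_PROJECT is not set}"
echo "Compute region and zone set"
echo ""

echo "Testing the encryption of data at rest via the key created earlier"
# Throwaway secret with a known value; it exists only so that its stored form
# can be inspected. Nothing in the visible part of this script deletes it.
kubectl create secret generic super-secret --from-literal="mykey=mydata" --kubeconfig=certs-dir/admin.kubeconfig

# Read the raw record straight from etcd on the controller and hex-dump it.
# The check is manual: the dump should start with the provider prefix named in
# the message below, and the literal value "mydata" should not be readable in
# it. A readable value means the secret was written to etcd unencrypted.
gcloud compute ssh controller-0 \
  --command "sudo ETCDCTL_API=3 etcdctl get \
  --endpoints=https://127.0.0.1:2379 \
  --cacert=/etc/etcd/ca.pem \
  --cert=/etc/etcd/kubernetes.pem \
  --key=/etc/etcd/kubernetes-key.pem \
  /registry/secrets/default/super-secret | hexdump -C"

echo "Output should be prefixed with k8s:enc:aescbc:v1:key1 Testing application (nginx) deployments"

# NOTE(review): later steps select the pod with -l run=nginx and expose
# "deployment nginx". kubectl 1.18 and newer create a bare Pod from
# `kubectl run`, so confirm the kubectl version this script is meant for.
# The image is also pulled by name only, without a tag or digest.
kubectl run nginx --image=nginx --kubeconfig=certs-dir/admin.kubeconfig
echo "Waiting 10 seconds for the pod to start ..."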
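sleep 10
kubectl get pods -l run=nginx -o wide --kubeconfig=certs-dir/admin.kubeconfig
echo "nginx should be listed as running"

POD_NAME=$(kubectl get pods -l run=nginx --kubeconfig=certs-dir/admin.kubeconfig -o jsonpath="{.items[0].metadata.name}")
# Every pod-level test below needs the name; stop instead of calling kubectl
# with an empty argument.
if [ -z "$POD_NAME" ]; then
  echo "No pod with label run=nginx was found" >&2
  exit 1
fi

echo "You'll need to switch to another terminal and test with 'curl --head http://127.0.0.1:8080' Press Ctrl+C once completed"
# Blocks until interrupted. kubectl port-forward listens on localhost unless
# --address says otherwise, so the forwarded port is not reachable remotely.
kubectl port-forward "$POD_NAME" 8080:80 --kubeconfig=certs-dir/admin.kubeconfig

echo "Displaying the logs from the nginx container"
kubectl logs "$POD_NAME" --kubeconfig=certs-dir/admin.kubeconfig

echo "Executing a command inside a container"
kubectl exec -it "$POD_NAME" --kubeconfig=certs-dir/admin.kubeconfig -- nginx -v

echo "Exposing a container as a service (in this example NodePort)"
kubectl expose deployment nginx --port 80 --type NodePort --kubeconfig=certs-dir/admin.kubeconfig

NODE_PORT=$(kubectl get svc nginx --kubeconfig=certs-dir/admin.kubeconfig --output=jsonpath='{range .spec.ports[0]}{.nodePort}')

echo "Creating a firewall rule to allow access to the exposed node"
# A firewall rule created without --source-ranges admits traffic from
# 0.0.0.0/0, i.e. the NodePort becomes reachable from any address. The default
# is kept for compatibility; set NGINX_TEST_SOURCE_RANGES (comma-separated
# CIDRs) to limit the rule to the networks that actually run this test.
# ${VAR:?} stops the script before a rule with an empty port or network is
# created. The rule is not removed by the visible part of this script, so
# delete it once the test is finished.
gcloud compute firewall-rules create kubernetes-centos-allow-nginx-service \
  --allow="tcp:${NODE_PORT:?NODE_PORT could not be determined}" \
  --network "${KUBE_NETWORK:?KUBE_NETWORK is not set}" \
  --source-ranges "${NGINX_TEST_SOURCE_RANGES:-0.0.0.0/0}"

echo "Retrieving the external IP"
EXTERNAL_IP=$(gcloud compute instances describe worker-0 --format 'value(networkInterfaces[0].accessConfigs[0].natIP)')
curl -I "http://${EXTERNAL_IP}:${NODE_PORT}"

echo "Running an untrusted pod under gVisor for inspection - only run this test if you are using containerd and have runsc present"
# bash does not expand aliases in a non-interactive script unless
# expand_aliases is enabled, so an alias defined here would leave "ckctl"
# unresolved. A function gives the same shorthand and works in both modes.
ckctl() {
  kubectl --kubeconfig=certs-dir/admin.kubeconfig "$@"
}
# NOTE(review): the statement below is cut off in this listing; it is kept
# exactly as shown and its remainder is not reconstructed here.
cat <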