#!/command/with-contenv /bin/bash
# shellcheck shell=bash
# shellcheck disable=SC1091,SC1090,SC2035

# Shared helpers and gateway configuration are sourced (run in this shell), so
# the variables and functions they define (createDir is used below and is
# presumably from base.sh) are available here. GPUSTACK_GATEWAY_CONFIG is
# expected from the container environment (with-contenv) or base.sh — the path
# is trusted as-is; NOTE(review): confirm where it is defined.
SCRIPT_ROOT=/etc/s6-overlay/scripts
source "$SCRIPT_ROOT/base.sh"
source "$GPUSTACK_GATEWAY_CONFIG"
source "$SCRIPT_ROOT/default-variables.sh"

# Environment for the pilot-discovery process exec'd at the bottom of this
# script; presumably read by the Istio/Higress pilot as feature flags. The
# values are fixed for this embedded, single-cluster deployment.
# Security-relevant toggles in this list: JWT_POLICY, VALIDATION_ENABLED,
# INJECT_ENABLED, DEBUG_AUTH — they affect how the pilot authenticates and
# admits clients; confirm the consumer's interpretation before changing them.
export REVISION="default"
export JWT_POLICY="none"
export POD_NAME="higress-pilot"
export POD_NAMESPACE="higress-system"
# Must match the directory initCerts() populates below.
export ROOT_CA_DIR="/etc/certs"
export PILOT_CERT_PROVIDER="istiod"
export PILOT_ENABLE_LDS_CACHE="false"
export PILOT_ENABLE_CROSS_CLUSTER_WORKLOAD_ENTRY="false"
export PILOT_ENABLE_METADATA_EXCHANGE="false"
export PILOT_SCOPE_GATEWAY_TO_NAMESPACE="true"
# Admission validation is off; VALIDATION_WEBHOOK_CONFIG_NAME is also empty
# further down — presumably no validating webhook is served by this process.
export VALIDATION_ENABLED="false"
export PILOT_TRACE_SAMPLING="1"
export PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_OUTBOUND="true"
export PILOT_ENABLE_PROTOCOL_SNIFFING_FOR_INBOUND="true"
export PILOT_ENABLE_ANALYSIS="false"
# Gateway API (and its status/deployment controllers) disabled as a group.
export PILOT_ENABLE_GATEWAY_API="false"
export PILOT_ENABLE_ALPHA_GATEWAY_API="false"
export PILOT_ENABLE_GATEWAY_API_STATUS="false"
export PILOT_ENABLE_GATEWAY_API_DEPLOYMENT_CONTROLLER="false"
export PILOT_ENABLE_ALPN_FILTER="true"
export VALIDATION_WEBHOOK_CONFIG_NAME=""
export ISTIO_DUAL_STACK="false"
export ENABLE_OPTIMIZED_CONFIG_REBUILD="false"
export PILOT_ENABLE_K8S_SELECT_WORKLOAD_ENTRIES="false"
export DEFAULT_UPSTREAM_CONCURRENCY_THRESHOLD="10000"
# NOTE(review): the spellings ISTIO_GPRC_MAXRECVMSGSIZE and ENBALE_SCOPED_RDS
# are presumably the exact names the consumer reads — do not "correct" them
# without checking the consumer, or the setting silently stops applying.
export ISTIO_GPRC_MAXRECVMSGSIZE="104857600"
export ENBALE_SCOPED_RDS="true"
export ON_DEMAND_RDS="false"
export HOST_RDS_MERGE_SUBSET="false"
# Single instance: no leader election.
export ENABLE_LEADER_ELECTION="false"
export PRIORITIZED_LEADER_ELECTION="false"
export INJECT_ENABLED="false"
export CLUSTER_ID="Kubernetes"
export CUSTOM_CA_CERT_NAME="higress-ca-root-cert"
export DEBUG_AUTH="false"

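#######################################
# Generate the certificate material pilot-discovery is started with, under
# /etc/certs: a self-signed root CA, an intermediate "Higress CA" signed by the
# root, and a gateway leaf certificate (SPIFFE URI SAN) signed by the
# intermediate. Runs on every service start, so existing files are overwritten.
# Globals:   RSA_KEY_LENGTH (written; key size in bits for all three keys)
# Arguments: none
# Outputs:   in /etc/certs: root-key.pem, root-cert.pem, ca-key.pem,
#            ca-cert.pem, key.pem (gateway key) and cert-chain.pem (gateway
#            cert followed by ca-cert.pem). openssl output is discarded; a
#            failed step is reported on stderr.
# Returns:   0 on success; 1 at the first failed step, which aborts the script
#            under the 'set -e' in effect when this is called.
#######################################
initCerts() {
    RSA_KEY_LENGTH=4096
    local -r cert_days=36500
    local -r cert_dir=/etc/certs

    createDir "$cert_dir"
    # Every later path is relative, so a failed cd must not fall through and
    # scatter keys in the previous working directory.
    cd "$cert_dir" || return 1

    # Root CA (self-signed). The subject is given with -subj rather than by
    # answering the interactive prompts from a here-doc, so the result no
    # longer depends on the prompt order of the system openssl.cnf.
    openssl req -newkey "rsa:$RSA_KEY_LENGTH" -nodes \
        -keyout root-key.pem -x509 -days "$cert_days" -out root-cert.pem \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=Higress/OU=Gateway/CN=Root CA/emailAddress=rootca@higress.io" \
        >/dev/null 2>&1 ||
        { printf 'initCerts: root CA generation failed\n' >&2; return 1; }

    # Intermediate CA: keyCertSign + CA:TRUE, signed by the root. Each step is
    # checked individually; the previous '&&' chain let an early failure (e.g.
    # genrsa) go unnoticed and the next step then failed with a confusing error.
    cat <<EOF >ca.cfg
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = CN
ST = Shanghai
L = Shanghai
O = Higress
CN = Higress CA

[v3_req]
keyUsage = keyCertSign
basicConstraints = CA:TRUE
subjectAltName = @alt_names

[alt_names]
DNS.1 = ca.higress.io
EOF
    openssl genrsa -out ca-key.pem "$RSA_KEY_LENGTH" >/dev/null ||
        { printf 'initCerts: ca-key.pem generation failed\n' >&2; return 1; }
    openssl req -new -key ca-key.pem -out ca-cert.csr -config ca.cfg -batch -sha256 >/dev/null 2>&1 ||
        { printf 'initCerts: ca-cert.csr generation failed\n' >&2; return 1; }
    openssl x509 -req -days "$cert_days" -in ca-cert.csr -sha256 \
        -CA root-cert.pem -CAkey root-key.pem -CAcreateserial \
        -out ca-cert.pem -extensions v3_req -extfile ca.cfg >/dev/null 2>&1 ||
        { printf 'initCerts: ca-cert.pem signing failed\n' >&2; return 1; }
    # NOTE(review): the intermediate and gateway private keys are made
    # world-readable, presumably because pilot-discovery runs under a different
    # uid than the one generating them. Any process in the container can read
    # them; once the service uid is known, chown to it and use 0600 instead.
    chmod a+r ca-key.pem

    # Gateway leaf: signing + key encipherment, SPIFFE identity in the SAN,
    # signed by the intermediate.
    cat <<EOF >gateway.cfg
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = CN
ST = Shanghai
L = Shanghai
O = Higress
CN = Higress Gateway

[v3_req]
keyUsage = digitalSignature, keyEncipherment
subjectAltName = URI:spiffe://cluster.local/ns/higress-system/sa/higress-gateway
EOF
    openssl genrsa -out gateway-key.pem "$RSA_KEY_LENGTH" >/dev/null ||
        { printf 'initCerts: gateway-key.pem generation failed\n' >&2; return 1; }
    openssl req -new -key gateway-key.pem -out gateway-cert.csr -config gateway.cfg -batch -sha256 >/dev/null 2>&1 ||
        { printf 'initCerts: gateway-cert.csr generation failed\n' >&2; return 1; }
    openssl x509 -req -days "$cert_days" -in gateway-cert.csr -sha256 \
        -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
        -out gateway-cert.pem -extensions v3_req -extfile gateway.cfg >/dev/null 2>&1 ||
        { printf 'initCerts: gateway-cert.pem signing failed\n' >&2; return 1; }
    # See the note on ca-key.pem above.
    chmod a+r gateway-key.pem

    # Final layout: cert-chain.pem is the gateway cert followed by the
    # intermediate, key.pem its private key. (The earlier copy of ca-cert.pem
    # to cert-chain.pem was always overwritten here and has been dropped.)
    cat ca-cert.pem >>gateway-cert.pem
    mv gateway-cert.pem cert-chain.pem
    mv gateway-key.pem key.pem

    # CSRs and request configs are only needed while signing.
    rm -f -- *.csr *.cfg

    # 'cd -' prints the directory it returns to; keep that out of the log.
    cd - >/dev/null || return 1
}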

# Strict mode from here on: a failing step (including initCerts returning
# non-zero) aborts the script instead of starting pilot-discovery with broken
# certificate material.
set -e

# Send stderr to the same stream as stdout (presumably so the supervisor
# captures both in one log).
exec 2>&1

initCerts

export PILOT_FILTER_GATEWAY_CLUSTER_CONFIG="true"

# Arguments for pilot-discovery. The plaintext gRPC, HTTPS and monitoring
# addresses are passed empty, while the secure gRPC (15012) and HTTP (15010)
# endpoints are bound to localhost only. --caCertFile points at the
# intermediate written by initCerts.
# NOTE(review): an unset EMBEDDED_KUBECONFIG_PATH silently becomes
# '--kubeconfig='; if the embedded kubeconfig is mandatory, assert it with
# ': "${EMBEDDED_KUBECONFIG_PATH:?must be set}"' before this point.
pilot_args=(
    discovery
    --kubeconfig="${EMBEDDED_KUBECONFIG_PATH}"
    --grpcAddr=
    --secureGRPCAddr=localhost:15012
    --httpAddr=localhost:15010
    --httpsAddr=
    --monitoringAddr=
    --log_output_level=default:info
    --domain=cluster.local
    --keepaliveMaxServerConnectionAge=30m
    --caCertFile=/etc/certs/ca-cert.pem
    --meshConfig=/etc/istio/config/mesh
    --networksConfig=/etc/istio/config/meshNetworks
)

# exec replaces this shell; s6-notifyoncheck wraps the daemon and runs the
# service's readiness check with the given timing options (see its man page
# for -d/-w/-n/-s).
exec s6-notifyoncheck -d -w 5000 -n 10 -s 3000 -- \
    /usr/local/bin/pilot-discovery "${pilot_args[@]}"
