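#!/bin/bash
#
# Copyright IBM Corp All Rights Reserved
#
# SPDX-License-Identifier: Apache-2.0
#
# Helpers for bringing up the per-org Fabric CAs (org0/org1/org2) on Kubernetes.
# This file only defines functions; the script that sources it is expected to
# provide push_fn/pop_fn (progress reporting) and the environment variables
# NS, FABRIC_CONTAINER_REGISTRY, FABRIC_CA_VERSION and RCAADMIN_AUTH.

#######################################
# Render a CA manifest template and apply it to namespace $NS.
# Globals:   NS, FABRIC_CONTAINER_REGISTRY, FABRIC_CA_VERSION (read)
# Arguments: $1 - path to a manifest containing the placeholders
#                 {{FABRIC_CONTAINER_REGISTRY}} and {{FABRIC_CA_VERSION}}
# Outputs:   whatever `kubectl apply` prints
# Returns:   non-zero if a required variable is unset or kubectl fails
#######################################
function launch_CA() {
  local yaml=$1

  # Fail fast rather than silently substituting an empty registry/version,
  # which would otherwise be applied as a broken image reference.
  : "${NS:?NS must be set}"
  : "${FABRIC_CONTAINER_REGISTRY:?FABRIC_CONTAINER_REGISTRY must be set}"
  : "${FABRIC_CA_VERSION:?FABRIC_CA_VERSION must be set}"

  # NOTE: the values are used verbatim as sed replacement text, so they must
  # not contain ',' or '&' (registry hosts and version tags do not).
  sed -e "s,{{FABRIC_CONTAINER_REGISTRY}},${FABRIC_CONTAINER_REGISTRY},g" \
      -e "s,{{FABRIC_CA_VERSION}},${FABRIC_CA_VERSION},g" \
      "${yaml}" \
    | kubectl -n "${NS}" apply -f -
}

#######################################
# Launch the ECert CA deployment of every org and wait for each rollout.
# Globals:   NS (read); push_fn/pop_fn from the sourcing script
# Arguments: none
#######################################
function launch_ECert_CAs() {
  push_fn "Launching ECert CAs"

  local org
  for org in org0 org1 org2; do
    launch_CA "kube/${org}/${org}-ca.yaml"
  done

  for org in org0 org1 org2; do
    kubectl -n "${NS}" rollout status "deploy/${org}-ca"
  done

  # todo: this papers over a nasty bug whereby the CAs are ready, but
  # sporadically refuse connections after a down / up
  sleep 10

  pop_fn
}

# experimental: create TLS CA issuers using cert-manager for each org.
#######################################
# Recreate each org's TLS issuer secret, then apply the cert-manager Issuer
# and wait (30s each) for it to become Ready.
# Globals:   NS (read); push_fn/pop_fn from the sourcing script
# Arguments: none
#######################################
function init_tls_cert_issuers() {
  push_fn "Initializing TLS certificate issuers"

  local org

  # todo: secret needs to be created before the issuer - the lag will cause an
  # error on the first init for the issuer.
  # The delete is best-effort (`|| true`): the secret does not exist on a
  # fresh cluster. The create is not, so a failure to (re)create it stops here.
  for org in org0 org1 org2; do
    kubectl -n "${NS}" delete -f "kube/${org}/${org}-tls-cert-issuer-secret.yaml" || true
  done
  for org in org0 org1 org2; do
    kubectl -n "${NS}" create -f "kube/${org}/${org}-tls-cert-issuer-secret.yaml"
  done

  # todo: find a better way to wait for the secret to be created.
  # sleep 10

  for org in org0 org1 org2; do
    kubectl -n "${NS}" apply -f "kube/${org}/${org}-tls-cert-issuer.yaml"
  done
  for org in org0 org1 org2; do
    kubectl -n "${NS}" wait --timeout=30s --for=condition=Ready "issuer/${org}-tls-cert-issuer"
  done

  pop_fn
}

# use cert-manager to issue ECDSA TLS certificates for the ecert CA. Replaces
# the bootstrap ecert user enrollment in the TLS CA
#######################################
# Apply each org's CA TLS Certificate resource and wait (30s each) for it
# to become Ready. Note: unlike its siblings this function does not wrap
# itself in push_fn/pop_fn.
# Globals:   NS (read)
# Arguments: none
#######################################
function issue_ECert_CA_tls_certs() {
  local org
  for org in org0 org1 org2; do
    kubectl -n "${NS}" apply -f "kube/${org}/${org}-ca-tls-cert.yaml"
  done
  for org in org0 org1 org2; do
    kubectl -n "${NS}" wait --timeout=30s --for=condition=Ready "cert/${org}-ca-tls-cert"
  done
}

#######################################
# Enroll the bootstrap (registrar) admin of one org's ECert CA by running
# fabric-ca-client inside the CA pod, via a script piped to /bin/sh.
# Globals:   NS (read)
# Arguments: $1 - org name (org0 / org1 / org2)
#            $2 - "user:password" for the CA bootstrap admin
# Outputs:   the remote fabric-ca-client output
#######################################
function enroll_bootstrap_ECert_CA_user() {
  local org=$1
  local auth=$2
  local ecert_ca=${org}-ca

  # Deliberately no `set -x` in the remote script: tracing would print the
  # enrollment URL - which embeds the admin credentials - to the pod's stderr
  # and from there into CI/terminal logs. The credentials are still visible
  # in the container's process list while fabric-ca-client runs; TODO:
  # consider passing them via fabric-ca-client env/config instead of the URL.
  # $FABRIC_CA_CLIENT_HOME is escaped so it expands inside the pod, not here.
  kubectl -n "${NS}" exec "deploy/${ecert_ca}" -i -- /bin/sh <<EOF
fabric-ca-client enroll \\
  --url https://${auth}@${ecert_ca} \\
  --tls.certfiles /var/hyperledger/fabric-ca-server/tls/ca.crt \\
  --mspdir \$FABRIC_CA_CLIENT_HOME/${ecert_ca}/rcaadmin/msp
EOF
}

#######################################
# Enroll the bootstrap admin of every org's ECert CA with $RCAADMIN_AUTH.
# Globals:   RCAADMIN_AUTH (read); push_fn/pop_fn from the sourcing script
# Arguments: none
#######################################
function enroll_bootstrap_ECert_CA_users() {
  push_fn "Enrolling bootstrap ECert CA users"

  local org
  for org in org0 org1 org2; do
    enroll_bootstrap_ECert_CA_user "${org}" "${RCAADMIN_AUTH}"
  done

  pop_fn
}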