#!/usr/bin/env python3
#
# Copyright 2018 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import copy
import os
import sys
import yaml
import log_util as log

from argparse import ArgumentParser
from resources import find_application_resource
from resources import set_app_resource_ownership
from resources import set_namespace_resource_ownership
from resources import set_service_account_resource_ownership
from yaml_util import load_resources_yaml
from yaml_util import parse_resources_yaml

_PROG_HELP = """
Scans the manifest folder kubernetes resources and set the Application to own
the ones defined in its list of components kinds.
"""
# From `kubectl api-resources --namespaced=false` with kubectl client and
# server version of 1.13
_CLUSTER_SCOPED_KINDS = [
    "ComponentStatus",
    "Namespace",
    "Node",
    "PersistentVolume",
    "MutatingWebhookConfiguration",
    "ValidatingWebhookConfiguration",
    "CustomResourceDefinition",
    "APIService",
    "TokenReview",
    "SelfSubjectAccessReview",
    "SelfSubjectRulesReview",
    "SubjectAccessReview",
    "CertificateSigningRequest",
    "PodSecurityPolicy",
    "NodeMetrics",
    "PodSecurityPolicy",
    "ClusterRoleBinding",
    "ClusterRole",
    "PriorityClass",
    "StorageClass",
    "VolumeAttachment",
]
_DEPLOYER_OWNED_KINDS = ["Role", "RoleBinding"]


def main():
  parser = ArgumentParser(description=_PROG_HELP)
  parser.add_argument(
      "--app_name", help="The name of the application instance", required=True)
  parser.add_argument(
      "--app_uid", help="The uid of the application instance", required=True)
  parser.add_argument(
      "--app_api_version",
      help="The apiVersion of the Application CRD",
      required=True)
  parser.add_argument(
      "--deployer_name",
      help="The name of the deployer service account instance. "
      "If deployer_uid is also set, the deployer service account is set "
      "as the owner of namespaced deployer components.")
  parser.add_argument(
      "--deployer_uid",
      help="The uid of the deployer service account instance. "
      "If deployer_name is also set, the deployer service account is set "
      "as the owner of namespaced deployer components.")
  parser.add_argument(
      "--namespace",
      help="The namespace containing the application. "
      "If namespace_uid is also set, the namespace is set as the owner"
      "of cluster-scoped resources (otherwise unowned).")
  parser.add_argument(
      "--namespace_uid",
      help="The namespace containing the application. "
      "If namespace is also set, the namespace is set as the owner"
      "of cluster-scoped resources (otherwise unowned).")
  parser.add_argument(
      "--manifests",
      help="The folder containing the manifest templates, "
      "or - to read from stdin",
      required=True)
  parser.add_argument(
      "--dest",
      help="The output file for the resulting manifest, "
      "or - to write to stdout",
      required=True)
  parser.add_argument(
      "--noapp",
      action="store_true",
      help="Do not look for Application resource to determine "
      "what kinds to include. I.e. set owner references for "
      "all of the (namespaced) resources in the manifests")
  args = parser.parse_args()

  resources = []
  if args.manifests == "-":
    resources = parse_resources_yaml(sys.stdin.read())
  elif os.path.isfile(args.manifests):
    resources = load_resources_yaml(args.manifests)
  else:
    resources = []
    for filename in os.listdir(args.manifests):
      resources += load_resources_yaml(os.path.join(args.manifests, filename))

  if not args.noapp:
    app = find_application_resource(resources)
    kinds = set([x["kind"] for x in app["spec"].get("componentKinds", [])])

    excluded_kinds = ["PersistentVolumeClaim", "Application"]
    included_kinds = [kind for kind in kinds if kind not in excluded_kinds]
  else:
    included_kinds = None

  if args.dest == "-":
    dump(
        sys.stdout,
        resources,
        included_kinds,
        namespace=args.namespace,
        namespace_uid=args.namespace_uid,
        app_name=args.app_name,
        app_uid=args.app_uid,
        app_api_version=args.app_api_version,
        deployer_name=args.deployer_name,
        deployer_uid=args.deployer_uid)
    sys.stdout.flush()
  else:
    with open(args.dest, "w", encoding='utf-8') as outfile:
      dump(
          outfile,
          resources,
          included_kinds,
          namespace=args.namespace,
          namespace_uid=args.namespace_uid,
          app_name=args.app_name,
          app_uid=args.app_uid,
          app_api_version=args.app_api_version,
          deployer_name=args.deployer_name,
          deployer_uid=args.deployer_uid)


def dump(outfile, resources, included_kinds, namespace, namespace_uid, app_name,
         app_uid, app_api_version, deployer_name, deployer_uid):

  def maybe_assign_ownership(resource):
    if resource["kind"] in _CLUSTER_SCOPED_KINDS:
      # Cluster-scoped resources cannot be owned by a namespaced resource:
      # https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/#owners-and-dependents
      # Set the namespace as owner if provided, otherwise leave unowned.
      if namespace and namespace_uid:
        log.info("Namespace '{:s}' owns '{:s}/{:s}'", namespace,
                 resource["kind"], resource["metadata"]["name"])
        set_namespace_resource_ownership(
            namespace_uid=namespace_uid,
            namespace_name=namespace,
            resource=resource)
      else:
        log.info("Application '{:s}' does not own cluster-scoped '{:s}/{:s}'",
                 app_name, resource["kind"], resource["metadata"]["name"])

    # Deployer-owned resources should not be owned by the Application, as
    # they should be deleted with the deployer service account (not the app).
    elif deployer_name and deployer_uid and should_be_deployer_owned(resource):
      log.info("ServiceAccount '{:s}' owns '{:s}/{:s}'", deployer_name,
               resource["kind"], resource["metadata"]["name"])
      resource = copy.deepcopy(resource)
      set_service_account_resource_ownership(
          account_uid=deployer_uid,
          account_name=deployer_name,
          resource=resource)
    elif included_kinds is None or resource["kind"] in included_kinds:
      log.info("Application '{:s}' owns '{:s}/{:s}'", app_name,
               resource["kind"], resource["metadata"]["name"])
      resource = copy.deepcopy(resource)
      set_app_resource_ownership(
          app_uid=app_uid,
          app_name=app_name,
          app_api_version=app_api_version,
          resource=resource)

    return resource

  to_be_dumped = [maybe_assign_ownership(resource) for resource in resources]
  yaml.safe_dump_all(to_be_dumped, outfile, default_flow_style=False, indent=2)


def should_be_deployer_owned(resource):
  if not resource["kind"] in _DEPLOYER_OWNED_KINDS:
    return False
  if resource.get("metadata", {}).get("labels", {}).get(
      "app.kubernetes.io/component") != "deployer.marketplace.cloud.google.com":
    return False
  return True


if __name__ == "__main__":
  main()