microk8s/snap/hooks/configure

#!/usr/bin/env bash

set -eu

source $SNAP/actions/common/utils.sh

# This is a one-off patch. It will allow us to refresh the beta snap without breaking the user's deployment.
# We make sure the certificates used by the deployment from beta do not change. We copy them to SNAP_DATA
# and make sure the respective services use them.
# Without this patch the user would have to remove and reainstall microk8s.
# This patch can be removed at a later stage.
if [ ! -d ${SNAP_DATA}/certs ] && grep -e "\-\-client-ca-file=\${SNAP}/certs/ca.crt" ${SNAP_DATA}/args/kube-apiserver
then
  echo "Patching certificates location"
  mkdir -p ${SNAP_DATA}/certs
  cp -r ${SNAP}/certs-beta/* ${SNAP_DATA}/certs/
  "$SNAP/bin/sed" -i 's@\${SNAP}/certs/ca.crt@\${SNAP_DATA}/certs/ca.crt@g' ${SNAP_DATA}/args/kube-apiserver
  "$SNAP/bin/sed" -i 's@\${SNAP}/certs/server.key@\${SNAP_DATA}/certs/server.key@g' ${SNAP_DATA}/args/kube-apiserver
  "$SNAP/bin/sed" -i 's@\${SNAP}/certs/server.crt@\${SNAP_DATA}/certs/server.crt@g' ${SNAP_DATA}/args/kube-apiserver
  "$SNAP/bin/sed" -i 's@\${SNAP}/certs/serviceaccount.key@\${SNAP_DATA}/certs/serviceaccount.key@g' ${SNAP_DATA}/args/kube-apiserver
  "$SNAP/bin/sed" -i 's@\${SNAP}/certs/ca.crt@\${SNAP_DATA}/certs/ca.crt@g' ${SNAP_DATA}/args/kube-controller-manager
  "$SNAP/bin/sed" -i 's@\${SNAP}/certs/serviceaccount.key@\${SNAP_DATA}/certs/serviceaccount.key@g' ${SNAP_DATA}/args/kube-controller-manager
  systemctl restart snap.${SNAP_NAME}.daemon-apiserver
  systemctl restart snap.${SNAP_NAME}.daemon-controller-manager
fi

if ! grep "requestheader-client-ca-file" ${SNAP_DATA}/args/kube-apiserver
then
  echo "Patching requestheader-client-ca-file argument"
  # Add a new line at the end
  echo "" >> ${SNAP_DATA}/args/kube-apiserver
  echo "--requestheader-client-ca-file=\${SNAP_DATA}/certs/ca.crt" >> ${SNAP_DATA}/args/kube-apiserver
  systemctl restart snap.${SNAP_NAME}.daemon-apiserver
fi

# Patch for issue: https://github.com/ubuntu/microk8s/issues/121
if grep -e  "requestheader-client-ca-file=/var/snap/microk8s/.../certs/ca.crt"  ${SNAP_DATA}/args/kube-apiserver
then
  "$SNAP/bin/sed" -i 's@requestheader-client-ca-file=/var/snap/microk8s/.../certs/ca.crt@requestheader-client-ca-file=\${SNAP_DATA}/certs/ca.crt@g' ${SNAP_DATA}/args/kube-apiserver
fi

# Create the locks directory
mkdir -p ${SNAP_DATA}/var/lock/

# Upgrading to containerd
if [ ! -e ${SNAP_DATA}/args/containerd ]
then
  echo "Making sure we have containerd file"
  cp ${SNAP}/default-args/containerd ${SNAP_DATA}/args/containerd
  cp ${SNAP}/default-args/containerd-template.toml ${SNAP_DATA}/args/containerd-template.toml
  cp ${SNAP}/default-args/containerd-env ${SNAP_DATA}/args/containerd-env

  cp -r ${SNAP}/default-args/cni-network ${SNAP_DATA}/args/

  cp ${SNAP}/default-args/ctr ${SNAP_DATA}/args/ctr

  refresh_opt_in_config container-runtime remote kubelet
  refresh_opt_in_config container-runtime-endpoint \${SNAP_COMMON}/run/containerd.sock kubelet

  skip_opt_in_config docker-root kubelet
  skip_opt_in_config docker kubelet
  skip_opt_in_config docker-endpoint kubelet

  systemctl restart snap.${SNAP_NAME}.daemon-containerd
  systemctl restart snap.${SNAP_NAME}.daemon-kubelet

  if [ -e ${SNAP_DATA}/args/dockerd ] && grep -e "default-runtime=nvidia" ${SNAP_DATA}/args/dockerd
  then
    # Deployment used to run docker with nvidia enabled we need to enable nvidia on containerd
    # Allow for kubelet and containerd to restart
    sleep 10
    ${SNAP}/microk8s-enable.wrapper gpu
  fi

fi

# This will allow us to refresh the snap to the more secure version.
# We need to make sure the client certificate used in microk8s.kubectl is available under $SNAP_DATA
if [ ! -f ${SNAP_DATA}/credentials/client.config ]
then
  echo "Patching client config location"
  mkdir -p ${SNAP_DATA}/credentials/
  cp ${SNAP}/client.config ${SNAP_DATA}/credentials/
fi