{{/*
# Copyright © 2019 Bell Canada
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
*/}}

apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "common.fullname" . }}-init-mgnt
  namespace: {{ include "common.namespace" . }}
data:
  entrypoint: |
    #/bin/sh

    awx-manage migrate --noinput
    if [[ `echo 'from django.contrib.auth.models import User; nsu = User.objects.filter(is_superuser=True).count(); exit(0 if nsu > 0 else 1)' | awx-manage shell` > 0 ]]
    then
      echo 'from django.contrib.auth.models import User; User.objects.create_superuser('{{ .Values.config.awxAdminUser }}', '{{ .Values.config.awxAdminEmail }}', '{{ .Values.config.awxAdminPassword }}')' | awx-manage shell
      awx-manage update_password --username='{{ .Values.config.awxAdminUser }}' --password='{{ .Values.config.awxAdminPassword }}'
    fi
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "common.fullname" . }}-settings
  namespace: {{ include "common.namespace" . }}
data:
  awx_settings: |
    import os
    import socket
    ADMINS = ()

    AWX_PROOT_ENABLED = True

    # Automatically deprovision pods that go offline
    AWX_AUTO_DEPROVISION_INSTANCES = True

    SYSTEM_TASK_ABS_CPU = 6
    SYSTEM_TASK_ABS_MEM = 20

    INSIGHTS_URL_BASE = "https://example.org"

    #Autoprovisioning should replace this
    CLUSTER_HOST_ID = socket.gethostname()
    SYSTEM_UUID = '00000000-0000-0000-0000-000000000000'

    SESSION_COOKIE_SECURE = False
    CSRF_COOKIE_SECURE = False

    REMOTE_HOST_HEADERS = ['HTTP_X_FORWARDED_FOR']

    STATIC_ROOT = '/var/lib/awx/public/static'
    PROJECTS_ROOT = '/var/lib/awx/projects'
    JOBOUTPUT_ROOT = '/var/lib/awx/job_status'
    SECRET_KEY = open('/etc/tower/SECRET_KEY', 'rb').read().strip()
    ALLOWED_HOSTS = ['*']
    INTERNAL_API_URL = 'http://127.0.0.1:8052'
    SERVER_EMAIL = 'root@localhost'
    DEFAULT_FROM_EMAIL = 'webmaster@localhost'
    EMAIL_SUBJECT_PREFIX = '[AWX] '
    EMAIL_HOST = 'localhost'
    EMAIL_PORT = 25
    EMAIL_HOST_USER = ''
    EMAIL_HOST_PASSWORD = ''
    EMAIL_USE_TLS = False

    LOGGING['handlers']['console'] = {
        '()': 'logging.StreamHandler',
        'level': 'DEBUG',
        'formatter': 'simple',
    }

    LOGGING['loggers']['django.request']['handlers'] = ['console']
    LOGGING['loggers']['rest_framework.request']['handlers'] = ['console']
    LOGGING['loggers']['awx']['handlers'] = ['console']
    LOGGING['loggers']['awx.main.commands.run_callback_receiver']['handlers'] = ['console']
    LOGGING['loggers']['awx.main.commands.inventory_import']['handlers'] = ['console']
    LOGGING['loggers']['awx.main.tasks']['handlers'] = ['console']
    LOGGING['loggers']['awx.main.scheduler']['handlers'] = ['console']
    LOGGING['loggers']['django_auth_ldap']['handlers'] = ['console']
    LOGGING['loggers']['social']['handlers'] = ['console']
    LOGGING['loggers']['system_tracking_migrations']['handlers'] = ['console']
    LOGGING['loggers']['rbac_migrations']['handlers'] = ['console']
    LOGGING['loggers']['awx.isolated.manager.playbooks']['handlers'] = ['console']
    LOGGING['handlers']['callback_receiver'] = {'class': 'logging.NullHandler'}
    LOGGING['handlers']['task_system'] = {'class': 'logging.NullHandler'}
    LOGGING['handlers']['tower_warnings'] = {'class': 'logging.NullHandler'}
    LOGGING['handlers']['rbac_migrations'] = {'class': 'logging.NullHandler'}
    LOGGING['handlers']['system_tracking_migrations'] = {'class': 'logging.NullHandler'}
    LOGGING['handlers']['management_playbooks'] = {'class': 'logging.NullHandler'}

    CACHES = {
        'default': {
            'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
            'LOCATION': '{}:{}'.format("localhost", "11211")
        },
        'ephemeral': {
            'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
        },
    }

    USE_X_FORWARDED_PORT = True
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "common.fullname" . }}-rabbitmq
  namespace: {{ include "common.namespace" . }}
data:
  enabled_plugins: |
    [rabbitmq_management,rabbitmq_peer_discovery_k8s].
  rabbitmq.conf: |
    ## Clustering
    management.load_definitions = /etc/rabbitmq/rabbitmq_definitions.json
    cluster_formation.peer_discovery_backend  = rabbit_peer_discovery_k8s
    cluster_formation.k8s.host = kubernetes.default.svc
    cluster_formation.k8s.address_type = ip
    cluster_formation.node_cleanup.interval = 10
    cluster_formation.node_cleanup.only_log_warning = false
    cluster_partition_handling = autoheal
    ## queue master locator
    queue_master_locator=min-masters
    ## enable guest user
    loopback_users.guest = false
  rabbitmq_definitions.json: |
    {
      "users":[{"name": "{{ .Values.config.rabbitmqUser }}", "password": "{{ .Values.config.rabbitmqPassword }}", "tags": ""}],
      "permissions":[
        {"user":"{{ .Values.config.rabbitmqUser }}","vhost":"{{ .Values.config.rabbitmqVhost }}","configure":".*","write":".*","read":".*"}
      ],
      "vhosts":[{"name":"{{ .Values.config.rabbitmqVhost }}"}],
      "policies":[
          {"vhost":"{{ .Values.config.rabbitmqVhost }}","name":"ha-all","pattern":".*","definition":{"ha-mode":"all","ha-sync-mode":"automatic"}}
      ]
    }
---

apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "common.fullname" . }}-nginx-conf
  namespace: {{ include "common.namespace" . }}
  labels:
    app.kubernetes.io/name: {{ include "common.name" . }}
    helm.sh/chart: {{ include "common.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
  nginx.conf: |
    worker_processes  1;
    pid        /tmp/nginx.pid;
    events {
        worker_connections  1024;
    }
    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;
        server_tokens off;
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /dev/stdout main;
        map $http_upgrade $connection_upgrade {
            default upgrade;
            ''      close;
        }
        sendfile        on;
        #tcp_nopush     on;
        #gzip  on;
        upstream uwsgi {
            server 127.0.0.1:8050;
            }
        upstream daphne {
            server 127.0.0.1:8051;
        }
        server {
            listen 8052 default_server;
            # If you have a domain name, this is where to add it
            server_name _;
            keepalive_timeout 65;
            # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
            add_header Strict-Transport-Security max-age=15768000;
            add_header Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
            add_header X-Content-Security-Policy "default-src 'self'; connect-src 'self' ws: wss:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' *.pendo.io; img-src 'self' *.pendo.io data:; report-uri /csp-violation/";
            # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
            add_header X-Frame-Options "DENY";
            location /nginx_status {
              stub_status on;
              access_log off;
              allow 127.0.0.1;
              deny all;
            }
            location /static/ {
                alias /var/lib/awx/public/static/;
            }
            location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }
            location /websocket {
                # Pass request to the upstream alias
                proxy_pass http://daphne;
                # Require http version 1.1 to allow for upgrade requests
                proxy_http_version 1.1;
                # We want proxy_buffering off for proxying to websockets.
                proxy_buffering off;
                # http://en.wikipedia.org/wiki/X-Forwarded-For
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # enable this if you use HTTPS:
                proxy_set_header X-Forwarded-Proto https;
                # pass the Host: header from the client for the sake of redirects
                proxy_set_header Host $http_host;
                # We've set the Host header, so we don't need Nginx to muddle
                # about with redirects
                proxy_redirect off;
                # Depending on the request value, set the Upgrade and
                # connection headers
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
            }
            location / {
                # Add trailing / if missing
                rewrite ^(.*)$http_host(.*[^/])$ $1$http_host$2/ permanent;
                uwsgi_read_timeout 120s;
                uwsgi_pass uwsgi;
                include /etc/nginx/uwsgi_params;
                proxy_set_header X-Forwarded-Port 443;
            }
        }
    }