# MAKE SURE TO SET UP SECRETS.YAML BEFORE EXAMPLE:
#
# this sets up webhooks for github. you can also do this manually in web gui
#
#
#
# apiVersion: v1
# kind: Secret
# metadata:
#   name: webhook-secret
#   namespace: stage-tekton-pipeline
# stringData:
#   token: GITHUBTOKEN
#   secret: random-string-data
---
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: create-webhook
  namespace: stage-tekton-pipeline
spec:
  volumes:
  - name: github-secret
    secret:
      secretName: $(inputs.params.GitHubSecretName)
  inputs:
    params:
    - name: ExternalDomain
      description: "The external domain for the EventListener e.g. `$(inputs.params.EventListenerName).<PROXYIP>.nip.io`"
    - name: GitHubUser
      description: "The GitHub user"
    - name: GitHubRepo
      description: "The GitHub repo where the webhook will be created"
    - name: GitHubOrg
      description: "The GitHub organization where the webhook will be created"
    - name: GitHubSecretName
      description: "The Secret name for GitHub access token. This is always mounted and must exist"
    - name: GitHubAccessTokenKey
      description: "The GitHub access token key name"
    - name: GitHubSecretStringKey
      description: "The GitHub secret string key name"
    - name: GitHubDomain
      description: "The GitHub domain. Override for GitHub Enterprise"
      default: "github.com"
    - name: WebhookEvents
      description: "List of events the webhook will send notifications for"
      default: '[\"push\",\"pull_request\"]'
  steps:
  - name: create-webhook
    image: pstauffer/curl:latest
    volumeMounts:
    - name: github-secret
      mountPath: /var/secret
    command:
    - sh
    args:
    - -ce
    - |
      set -e
      echo "Create Webhook"
      if [ $(inputs.params.GitHubDomain) = "github.com" ];then
        curl -v -d "{\"name\": \"web\",\"active\": true,\"events\": $(inputs.params.WebhookEvents),\"config\": {\"url\": \"https://$(inputs.params.ExternalDomain)\",\"content_type\": \"json\",\"insecure_ssl\": \"1\" ,\"secret\": \"$(cat /var/secret/$(inputs.params.GitHubSecretStringKey))\"}}" -X POST -u $(inputs.params.GitHubUser):$(cat /var/secret/$(inputs.params.GitHubAccessTokenKey)) -L https://api.github.com/repos/$(inputs.params.GitHubOrg)/$(inputs.params.GitHubRepo)/hooks
      else
        curl -d "{\"name\": \"web\",\"active\": true,\"events\": $(inputs.params.WebhookEvents),\"config\": {\"url\": \"https://$(inputs.params.ExternalDomain)/\",\"content_type\": \"json\",\"insecure_ssl\": \"1\" ,\"secret\": \"$(cat /var/secret/$(inputs.params.GitHubSecretStringKey))\"}}" -X POST -u $(inputs.params.GitHubUser):$(cat /var/secret/$(inputs.params.GitHubAccessTokenKey)) -L https://$(inputs.params.GitHubDomain)/api/v3/repos/$(inputs.params.GitHubOrg)/$(inputs.params.GitHubRepo)/hooks
      fi
---
# https://medium.com/@nikhilthomas1/cloud-native-cicd-on-openshift-with-openshift-pipelines-tektoncd-pipelines-part-3-github-1db6dd8e8ca7
apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: create-repo-webhook
  namespace: stage-tekton-pipeline
spec:
  taskRef:
    name: create-webhook
  inputs:
    params:
    - name: GitHubOrg
      value: "beppevanrolleghem"
    - name: GitHubUser
      value: "beppevanrolleghem"
    - name: GitHubRepo
      value: "cicdTest"
    - name: GitHubSecretName
      value: webhook-secret
    - name: GitHubAccessTokenKey
      value: token
    - name: GitHubSecretStringKey
      value: secret
    - name: ExternalDomain
      value: 35.233.93.220
  timeout: 1000s
  serviceAccountName: service-acc

---
apiVersion: tekton.dev/v1alpha1
kind: Task
metadata:
  name: create-ingress
  namespace: stage-tekton-pipeline
spec:
  volumes:
  - name: work
    emptyDir: {}

  inputs:
    params:
    - name: CreateCertificate
      description: "Enables/disables the creation of a self-signed certificate for $(inputs.params.ExternalDomain)"
      default: "true"
    - name: CertificateKeyPassphrase
      description: "Phrase that protects private key. This must be provided when the self-signed certificate is created"
    - name: CertificateSecretName
      description: "Secret name for Ingress certificate. The Secret should not exist if the self-signed certificate creation is enabled"
    - name: ExternalDomain
      description: "The external domain for the EventListener e.g. `$(inputs.params.EventListenerName).PROXYIP.nip.io`"
    - name: Service
      description: "The name of the Service used in the Ingress. This will also be the name of the Ingress."
    - name: ServicePort
      description: "The service port that the ingress is being created on"
    - name: ServiceUID
      description: "The uid of the service. If set, this creates an owner reference on the service"
      default: ""

  steps:
  - name: generate-certificate
    image: frapsoft/openssl
    volumeMounts:
    - name: work
      mountPath: /var/tmp/work
    command:
    - sh
    args:
    - -ce
    - |
      set -e
      cat <<EOF | sh
      #!/bin/sh
      if [ $(inputs.params.CreateCertificate) = "false" ];then
        exit 0
      fi
      mkdir /var/tmp/work/ingress
      openssl genrsa -des3 -out /var/tmp/work/ingress/key.pem -passout pass:$(inputs.params.CertificateKeyPassphrase) 2048
      openssl req -x509 -new -nodes -key /var/tmp/work/ingress/key.pem -sha256 -days 1825 -out /var/tmp/work/ingress/certificate.pem -passin pass:$(inputs.params.CertificateKeyPassphrase) -subj /CN=$(inputs.params.ExternalDomain)
      openssl rsa -in /var/tmp/work/ingress/key.pem -out /var/tmp/work/ingress/key.pem -passin pass:$(inputs.params.CertificateKeyPassphrase)
      EOF
  - name: create-certificate-secret
    image: lachlanevenson/k8s-kubectl:latest
    volumeMounts:
    - name: work
      mountPath: /var/tmp/work
    command:
    - sh
    args:
    - -ce
    - |
      set -e
      cat <<EOF | sh
      #!/bin/sh
      if [ $(inputs.params.CreateCertificate) = "false" ];then
        exit 0
      fi
      kubectl create secret tls $(inputs.params.CertificateSecretName) --cert=/var/tmp/work/ingress/certificate.pem --key=/var/tmp/work/ingress/key.pem || true
      EOF
  - name: create-ingress
    image: lachlanevenson/k8s-kubectl:latest
    command:
    - sh
    args:
    - -ce
    - |
      set -e
      if [ -n "$(inputs.params.ServiceUID)" ];then
        cat <<EOF | kubectl create -f - || true
        apiVersion: extensions/v1beta1
        kind: Ingress
        metadata:
          name: $(inputs.params.Service)
          ownerReferences:
          - name: $(inputs.params.Service)
            apiVersion: v1
            kind: Service
            uid: $(inputs.params.ServiceUID)
        spec:
          tls:
          - secretName: $(inputs.params.CertificateSecretName)
            hosts:
            - $(inputs.params.ExternalDomain)
          rules:
          - host: $(inputs.params.ExternalDomain)
            http:
              paths:
              - backend:
                  serviceName: $(inputs.params.Service)
                  servicePort: $(inputs.params.ServicePort)
      EOF
      else
        cat <<EOF | kubectl create -f - || true
        apiVersion: extensions/v1beta1
        kind: Ingress
        metadata:
          name: $(inputs.params.Service)
        spec:
          tls:
          - secretName: $(inputs.params.CertificateSecretName)
            hosts:
            - $(inputs.params.ExternalDomain)
          rules:
          - host: $(inputs.params.ExternalDomain)
            http:
              paths:
              - backend:
                  serviceName: $(inputs.params.Service)
                  servicePort: $(inputs.params.ServicePort)
      EOF
      fi
---
apiVersion: tekton.dev/v1alpha1
kind: TaskRun
metadata:
  name: create-ingress-run
  namespace: stage-tekton-pipeline
spec:
  taskRef:
    name: create-ingress
  inputs:
    params:
    - name: CreateCertificate
      value: "true"
    - name: CertificateKeyPassphrase
      value: asecretphrase
    - name: CertificateSecretName
      value: ingresssecret
    - name: ExternalDomain
      value: 35.233.93.220
    - name: Service
      value: getting-started
    - name: ServicePort
      value: "443"
  timeout: 1000s
  serviceAccountName: service-acc