#
# An example of how you could set up a simple "detect invoking docker inspector" test environment in
# a Kubernetes cluster using the provided sample yaml files.
# Hopefully this is useful as an example of how to run detect + docker inspector in a Kubernetes cluster,
# and provides ideas on how you could deploy detect / docker inspector in your environment.
#
# This method deploys the three image inspector services, each in its own pod, each running on port 80.
# It then deploys an extremely simple "build machine" inside the cluster, and runs detect from that
# build machine.
#
# Because in this example the services reside in different pods, the shared volume is a hostPath.
# As an alternative, if the build machine and the three imageinspector services run
# in the same pod, you can use an emptyDir for the shared volume.
#

# You'll need a dir (/your/dir/shared) that will be mounted and
# shared across pods.
# Adjust the path in this command:
mkdir -p /your/dir/shared/target

curl -O https://raw.githubusercontent.com/blackducksoftware/blackduck-docker-inspector/master/deployment/kubernetes/kube-imageinspector-namespace.yml
curl -O https://raw.githubusercontent.com/blackducksoftware/blackduck-docker-inspector/master/deployment/kubernetes/kube-imageinspector-service.yml
curl -O https://raw.githubusercontent.com/blackducksoftware/blackduck-docker-inspector/master/deployment/kubernetes/kube-buildmachine.yml

# Build a simplified simulation of a build machine
mkdir image
cd image
curl -O https://raw.githubusercontent.com/blackducksoftware/blackduck-docker-inspector/master/deployment/kubernetes/Dockerfile
docker build --tag buildmachine:2.0.0 .
cd ..

# Edit kube-buildmachine.yml: adjust path to volume (search for hostPath)
# Edit kube-imageinspector-service.yml: adjust path to volume in 3 places (search for hostPath)

kubectl create -f kube-imageinspector-namespace.yml
kubectl create -f kube-imageinspector-service.yml
kubectl create -f kube-buildmachine.yml

curl -O https://detect.synopsys.com/detect.sh
chmod +x detect.sh

buildmachinepod=$(kubectl --namespace blackduck-imageinspector get pods|grep build-machine|cut -d' ' -f1)
kubectl --namespace blackduck-imageinspector cp ./detect.sh ${buildmachinepod}:/tmp -c build-machine

# adjust the path in the docker save command:
docker pull alpine:latest
docker save -o /your/dir/shared/target/alpine.tar alpine:latest

# At this point you can verify that the three imageinspector services are available using curl from the build machine.
# You should get a response (including "status": "UP") from these three curl commands that hit each service's healthcheck endpoint:
kubectl --namespace blackduck-imageinspector exec ${buildmachinepod} -c build-machine -- curl http://blackduck-imageinspector-alpine.blackduck-imageinspector/health
kubectl --namespace blackduck-imageinspector exec ${buildmachinepod} -c build-machine -- curl http://blackduck-imageinspector-centos.blackduck-imageinspector/health
kubectl --namespace blackduck-imageinspector exec ${buildmachinepod} -c build-machine -- curl http://blackduck-imageinspector-ubuntu.blackduck-imageinspector/health

# To test detect / docker inspector:
kubectl --namespace blackduck-imageinspector exec ${buildmachinepod} -c build-machine -- /tmp/detect.sh --blackduck.hub.offline.mode=true --detect.hub.signature.scanner.disabled=true --detect.docker.tar=/opt/blackduck/shared/target/alpine.tar --detect.docker.passthrough.imageinspector.service.url=http://blackduck-imageinspector-ubuntu.blackduck-imageinspector --detect.docker.passthrough.shared.dir.path.local=/opt/blackduck/shared/ --detect.docker.passthrough.shared.dir.path.imageinspector=/opt/blackduck/shared --detect.docker.passthrough.imageinspector.service.start=false

# Notes on the detect arguments used in the command above:
# --blackduck.hub.offline.mode=true # this disables communication with the Hub, to simplify the test
# --detect.hub.signature.scanner.disabled=true # this disables the signature scanner, to simplify the test
# --detect.docker.tar=/opt/blackduck/shared/target/alpine.tar # path to docker tarfile, in the shared volume
# --detect.docker.passthrough.imageinspector.service.url=http://blackduck-imageinspector-ubuntu.blackduck-imageinspector # image inspector service url (http://servicename.namespace)
# --detect.docker.passthrough.shared.dir.path.local=/opt/blackduck/shared/ # build machine's path to shared dir
# --detect.docker.passthrough.shared.dir.path.imageinspector=/opt/blackduck/shared # image inspector pods' path to shared dir

# You can direct requests to any the three image inspector services (blackduck-imageinspector-alpine, blackduck-imageinspector-centos, blackduck-imageinspector-ubuntu)
# by specifying that service in the --detect.docker.passthrough.imageinspector.service.url argument.
# For best performance, direct requests to the service that uses the same package manager database
# format as the images you inspect most frequently:
# alpine -> alpine
# centos, fedora, redhat -> centos
# ubuntu, debian -> ubuntu