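#!/usr/bin/env bash
# Part 1 - Install the Cilium CNI + Hubble + Tetragon
# Run on the MASTER node.
#
# Replaces Flannel: Cilium brings L7 NetworkPolicy, WireGuard encryption,
# Hubble observability and Tetragon runtime security.
#
# Prerequisites : kubectl (admin kubeconfig for the cluster), helm, curl,
#                 sha256sum, tar, sudo.
# Side effects   : installs /usr/local/bin/cilium, deploys the cilium/cilium and
#                  cilium/tetragon Helm charts into kube-system, applies two
#                  TracingPolicies and a deny-all NetworkPolicy in `default`.
# Exit status    : 0 on success; non-zero (with a message on stderr) on the first
#                  failed step.

set -euo pipefail

readonly CILIUM_VERSION="1.17.3"
readonly CILIUM_CLI_VERSION="v0.18.4"
readonly TETRAGON_VERSION="1.4.0"

# Set by detect_cli_arch / detect_apiserver below.
CILIUM_CLI_ARCH=""
APISERVER_IP=""
APISERVER_PORT=""

# Private scratch directory (0700, unpredictable name) for the downloads; the
# EXIT trap removes it on every exit path, including a failed checksum.
WORKDIR=$(mktemp -d) || { printf 'ERREUR: mktemp a échoué.\n' >&2; exit 1; }
readonly WORKDIR
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT

#######################################
# Print an error to stderr and exit 1.
# Arguments: $* - message (prefixed with "ERREUR: ")
#######################################
die() {
  printf 'ERREUR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Abort early if any tool the script relies on is missing.
#######################################
check_prerequisites() {
  local tool
  for tool in kubectl helm curl sha256sum tar sudo; do
    command -v "$tool" >/dev/null 2>&1 || die "outil requis introuvable: ${tool}"
  done
}

#######################################
# Map the machine architecture to the cilium-cli release asset name.
# Globals:   CILIUM_CLI_ARCH (written)
# Returns:   exits via die on an architecture with no published asset
#######################################
detect_cli_arch() {
  local machine
  machine=$(uname -m)
  case "$machine" in
    x86_64)        CILIUM_CLI_ARCH="amd64" ;;
    aarch64|arm64) CILIUM_CLI_ARCH="arm64" ;;
    *)             die "architecture non supportée par cilium-cli: ${machine}" ;;
  esac
}

#######################################
# Read the API server host and port from the current kubeconfig context.
# kubeProxyReplacement needs a host:port that nodes can reach without
# kube-proxy, so we take it from the kubeconfig rather than hard-coding 6443.
# Globals:   APISERVER_IP, APISERVER_PORT (written)
# Returns:   exits via die when the kubeconfig yields no server URL
#######################################
detect_apiserver() {
  local url hostport
  url=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}')
  [[ -n "$url" ]] || die "impossible de lire l'adresse de l'API server depuis le kubeconfig."
  # Strip scheme and any path; what remains is host[:port].
  hostport=${url#https://}
  hostport=${hostport%%/*}
  # NOTE(review): assumes an IPv4 address or hostname; a bracketed IPv6
  # literal would need separate handling (the original grep had the same limit).
  APISERVER_IP=${hostport%%:*}
  if [[ "$hostport" == *:* ]]; then
    APISERVER_PORT=${hostport##*:}
  else
    APISERVER_PORT=6443
  fi
}

#######################################
# Download, verify and install the cilium CLI into /usr/local/bin.
# Globals:   CILIUM_CLI_VERSION, CILIUM_CLI_ARCH, WORKDIR (read)
#######################################
install_cilium_cli() {
  local tar url
  tar="cilium-linux-${CILIUM_CLI_ARCH}.tar.gz"
  url="https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/${tar}"

  echo "Installation du CLI Cilium ${CILIUM_CLI_VERSION}..."
  # --proto/--proto-redir pin the transfer (and any redirect) to HTTPS.
  curl -L --fail --proto '=https' --proto-redir '=https' --tlsv1.2 \
    -o "${WORKDIR}/${tar}" "$url"
  curl -L --fail --proto '=https' --proto-redir '=https' --tlsv1.2 \
    -o "${WORKDIR}/${tar}.sha256sum" "${url}.sha256sum"

  # The .sha256sum file names the archive relative to the cwd, hence the subshell cd.
  # This detects a corrupted or truncated download; since both files come from the
  # same origin it is not a substitute for verifying the release signature.
  (cd "$WORKDIR" && sha256sum --check "${tar}.sha256sum") \
    || die "checksum cilium-cli invalide. Abandon."

  tar -xzf "${WORKDIR}/${tar}" -C "$WORKDIR" cilium
  # install(1) copies with the target mode in one step; the temp copy goes with WORKDIR.
  sudo install -m 0755 -- "${WORKDIR}/cilium" /usr/local/bin/cilium
  echo " ✓ cilium CLI installé"
}

#######################################
# Register (or refresh) the cilium Helm repository.
#######################################
add_helm_repos() {
  echo "Ajout des repos Helm..."
  # --force-update makes the add idempotent when the repo already exists.
  helm repo add cilium https://helm.cilium.io/ --force-update
  helm repo update
}

#######################################
# Deploy Cilium with kube-proxy replacement, WireGuard and Hubble, then wait
# until the cilium CLI reports it healthy.
# Globals:   CILIUM_VERSION, APISERVER_IP, APISERVER_PORT (read)
#######################################
install_cilium() {
  echo ""
  echo "Installation de Cilium ${CILIUM_VERSION}..."
  echo " Options : kubeProxyReplacement + WireGuard + Hubble + policyEnforcementMode=default"
  echo ""
  helm upgrade --install cilium cilium/cilium \
    --version "${CILIUM_VERSION}" \
    --namespace kube-system \
    --set kubeProxyReplacement=true \
    --set k8sServiceHost="${APISERVER_IP}" \
    --set k8sServicePort="${APISERVER_PORT}" \
    --set encryption.enabled=true \
    --set encryption.type=wireguard \
    --set hubble.enabled=true \
    --set hubble.relay.enabled=true \
    --set hubble.ui.enabled=true \
    --set hubble.metrics.enabled="{dns,drop,tcp,flow,icmp,httpV2:exemplars=true;labelsContext=source_ip\,source_namespace\,source_workload\,destination_ip\,destination_namespace\,destination_workload\,traffic_direction}" \
    --set policyEnforcementMode=default \
    --set nodeinit.enabled=true \
    --set ipam.mode=kubernetes \
    --wait --timeout=10m

  echo ""
  echo "Attente que Cilium soit opérationnel..."
  cilium status --wait --wait-duration=5m
  echo ""
  echo "✓ Cilium opérationnel"
}

#######################################
# Deploy Tetragon (eBPF runtime observability) with file export enabled.
# Globals:   TETRAGON_VERSION (read)
#######################################
install_tetragon() {
  echo ""
  echo "Installation de Tetragon ${TETRAGON_VERSION}..."
  echo " Tetragon = observabilité runtime eBPF profonde (syscalls, fichiers, réseau)"
  helm upgrade --install tetragon cilium/tetragon \
    --version "${TETRAGON_VERSION}" \
    --namespace kube-system \
    --set tetragon.exportFilename="/var/log/tetragon/tetragon.log" \
    --wait --timeout=5m
}

#######################################
# Apply the baseline TracingPolicies (suspicious execs, sensitive file access).
#######################################
apply_tracing_policies() {
  echo ""
  echo "Application des TracingPolicies de base..."

  # Watch ONLY shells and suspicious tooling.
  # WHY: tracing every execve cluster-wide produces several MB/s of logs
  # (kubelet, scheduler, controller-manager, ...). We filter on the binaries
  # typically used first after a foothold: shells (recon), network tools
  # (exfiltration), isolation-escape tools.
  # The Postfix filter also matches /bin/sh, /usr/bin/bash, etc.
  # Caveat: the match is on the path string handed to execve as-is (no
  # normalisation) and execveat is not hooked; treat it as a coarse filter,
  # not a complete inventory of executions.
kubectl apply -f - <<'EOF'
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: monitor-suspicious-exec
spec:
  kprobes:
  - call: "sys_execve"
    syscall: true
    args:
    - index: 0
      type: "string"
    - index: 1
      type: "string_array"
    selectors:
    - matchArgs:
      - index: 0
        operator: "Postfix"
        values:
        - "/sh"
        - "/bash"
        - "/dash"
        - "/zsh"
        - "/ash"
        - "/nc"
        - "/ncat"
        - "/curl"
        - "/wget"
        - "/nmap"
        - "/tcpdump"
        - "/nsenter"
        - "/unshare"
        - "/capsh"
        - "/socat"
EOF

  # Watch access to sensitive cluster and host files (same as-is-path caveat
  # applies; openat2 is not hooked).
kubectl apply -f - <<'EOF'
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: monitor-sensitive-file-access
spec:
  kprobes:
  - call: "sys_openat"
    syscall: true
    args:
    - index: 1
      type: "string"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/kubernetes"
        - "/var/lib/etcd"
        - "/run/secrets/kubernetes.io"
        - "/proc/1/"
EOF

  echo " ✓ TracingPolicies appliquées"
}

#######################################
# Apply a default deny-all (ingress + egress) NetworkPolicy in `default`.
# Because Egress is denied too, pods in that namespace also lose DNS until
# they get an explicit allow rule (e.g. egress to kube-dns) — intended for a
# hardened baseline, but worth remembering when something "can't resolve".
#######################################
apply_default_deny() {
  echo ""
  echo "Application de la NetworkPolicy deny-all dans le namespace default..."
kubectl apply -f - <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF
  echo " ✓ NetworkPolicy deny-all appliquée (namespace: default)"
}

#######################################
# Print the post-install status checks and usage hints.
#######################################
show_verification() {
  echo ""
  echo "=== Vérifications ==="
  echo ""
  echo "1. Statut Cilium:"
  cilium status
  echo ""
  echo "2. Pods Tetragon:"
  kubectl get pods -n kube-system -l app.kubernetes.io/name=tetragon
  echo ""
  echo "3. TracingPolicies:"
  # Best-effort: the CRD may still be registering right after the chart install.
  kubectl get tracingpolicies 2>/dev/null || echo " (CRD TracingPolicy en cours d'initialisation)"
  echo ""
  echo "4. Nœuds (doivent être Ready):"
  kubectl get nodes
  echo ""
  echo "✓ Cilium + Hubble + Tetragon installés avec succès!"
  echo ""
  echo "Accès à Hubble UI (depuis le master) :"
  echo " kubectl port-forward -n kube-system svc/hubble-ui 8080:80 &"
  echo " Puis ouvrir http://localhost:8080"
  echo ""
  echo "Logs Tetragon en temps réel :"
  echo " kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -f | jq '.'"
}

main() {
  check_prerequisites
  detect_cli_arch
  detect_apiserver

  echo "=== Installation Cilium ${CILIUM_VERSION} + Hubble + Tetragon ${TETRAGON_VERSION} ==="
  echo "API server : ${APISERVER_IP}:${APISERVER_PORT}"
  echo ""

  install_cilium_cli
  add_helm_repos
  install_cilium
  install_tetragon
  apply_tracing_policies
  apply_default_deny
  show_verification
}

main "$@"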