ocp4-upi-util

#!/bin/bash

# Copyright 2019-2020 Robert Krawitz/Red Hat
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

declare config_file=${OCP4_CONFIG_FILE:-}
declare ocp4_pull_secret=${OCP4_PULL_SECRET:-$HOME/.docker/config.json}
declare ocp4_public_key=${OCP4_PUBLIC_KEY:-$HOME/.ssh/id_rsa.pub}
declare command=$0

# The following can be overridden in the config file if needed.
declare bootstrap_prefix=192.168.222
declare bootstrap_ipaddr
declare -i pxe_port=81
declare cluster_cidr=10.128.0.0/14
declare cluster_host_prefix=23
declare cluster_network_type=OpenShiftSDN
declare cluster_service_network=172.30.0.0/16
declare cluster_hyperthreading=Enabled
declare cluster_domain=test.myocp4.com
declare cluster_basedomain
declare cluster_name
declare cluster_network_bridge_name=baremetal
declare cluster_install_dir=${KUBECONFIG:+${KUBECONFIG/\/auth\/kubeconfig/}}
declare filesystem_json=
declare -i masters_schedulable=-1
declare -i infra_count=0
declare -i master_as_infra=-1
declare -r cachedir="$HOME/.cache/ocp4_upi_install"
declare bootstrap_mac=52:54:00:f9:8e:41
declare -a mgmt_masters=()
declare -a master_macs=()
declare -a worker_macs=()
declare -a mgmt_workers=()
declare -a exclude_ifs=()
declare public_interface=
declare bare_metal_interface=
declare -i do_install_kata=0
declare -i do_install_cnv=0
declare -i apply_kata_workaround=1
declare platform
declare installer_image=
declare client_image=
declare local_toolsdir=
declare install_device=sda
declare -i install_retries=2	# Many bare metal nodes take a long time to POST
declare -i require_config_file=1
declare kata_install_label=
declare kata_config_name=example-kataconfig
declare -i update_packages=1
declare -A install_disks=()
declare -i processed_cmdline_vars=0
declare -A known_macaddrs=()
declare -i checked_config=0
declare -A needs_config_file=()
platform=$(uname -i)
# shellcheck disable=SC2155
declare -i start=$(date +%s)
# shellcheck disable=SC2155
declare -r __cr=$(echo -ne '\r')
# shellcheck disable=SC2155
declare -r __nl=$(echo -ne '\n')

# shellcheck disable=SC2155
declare -r command_help=$(expand <<'EOF'
    A configuration file is required for all commands noted with `*'.
    Commands:
      * install <version>        Install a baremetal cluster using UPI
      * do_install <version>     (deprecated) Same as install
        install_cnv              Install sandboxed containers into cluster
        install_kata             Install sandboxed containers into cluster
        bootstrap_destroy        Destroy any (virtual) bootstrap node
      * setup_dnsmasq            Set up dnsmasq/haproxy configuration
      * setup_infra              Set up an infra node
        migrate_infra            Migrate infra components to set up infra node
        describe_operator <op>   Describe the specified operator
        list_operators           List available operators
        install_operator <op>    Install the specified operator
     The following commands all use IPMI:
      * reset_all                Reset all nodes
      * reset_masters            Reset all master nodes
      * reset_workers            Reset all worker nodes
      * bios_all                 Boot all nodes into BIOS
      * bios_masters             Boot master nodes into BIOS
      * bios_workers             Boot worker nodes into BIOS
      * bios_master <index>      Boot specified master (by index) into BIOS
      * bios_worker <index>      Boot specified worker (by index) into BIOS
      * pxe_all                  PXE boot all nodes
      * pxe_masters              PXE all master nodes
      * pxe_workers              PXE all worker nodes
      * pxe_master <index>       PXE specified master (by index)
      * pxe_worker <index>       PXE specified worker (by index)
      * poweroff_all             Power off all nodes
      * poweroff_masters         Power off all masters
      * poweroff_workers         Power off all workers
      * poweroff_master <index>  Power off specified master (by index)
      * poweroff_worker <index>  Power off specified woerker (by index)
      * start_workers            Start the worker nodes
EOF
	)

declare -a simple_commands=()

function __setup_commands() {
    local line
    while IFS= read -r line ; do
	if [[ $line = '      '* ]] ; then
	    local needs_config=${line:6:1}
	    line=${line:8}
	    line=${line%% *}
	    simple_commands+=("$line")
	    [[ ${needs_config:-} = '*' ]] && needs_config_file[$line]=1
	fi
    done <<< "$command_help"
}

function __fatal() {
    echo "Fatal Error: $*" 1>&2
    exit 1
}

function __doit() {
    echo "$*" 1>&2
    "$@"
}

function __warn() {
    echo "Warning: $*" 1>&2
}

function __usage() {
    cmdmsg=
    if [[ ${command##*/} = ocp4-upi-util ]] ; then
	cmdmsg=' command'
    fi
    cat 1>&2 <<EOF
Usage: $command [-c <configfile>] [options]$cmdmsg args...
$command_help

    Options:
        -k public key      Public key file (default $ocp4_public_key)
        -p pull secret     Pull secret (default $ocp4_pull_secret)
        -i installdir      Install into specified directory
        --var=val          Override setting from the config file
    The config file is bash syntax and is sourced by this installer.
    All nodes, including the bootstrap node on which this command is run,
    must have the same network topology.  There must be one public interface
    that is externally accessible (this is disabled on the master and worker
    nodes) and one interface on a shared (presumably fast) network that is
    isolated physically or virtually.  The latter is also known as the
    "bare metal interface".
    Non-array settings may be provided from the environment.
      Mandatory setttings:
        master_macs           Array of master MAC addresses (should be 1 or 3)
        mgmt_masters          Array of master management addresses (for IPMI)
        worker_macs           Array of worker MAC addresses
        mgmt_workers          Array of worker management addresses (for IPMI)
        public_interface      Name of external interface device on all nodes
        bare_metal_interface  Name of the bare metal interface
      Options:
        cluster_domain        Domain name of the cluster
                              (default $cluster_domain)
        pull_secret=<secret>  Name of file containing the pull secret to be
                              used (default $ocp4_pull_secret).
        public_key=<key>      Name of public key file to be used
                              (default $ocp4_public_key).
        IPMI_USER             IPMI username (no default)
        IPMI_PASSWORD         IPMI password (no default)
        exclude_ifs           List of additional interfaces that should be
                              disabled on all nodes
        infra_count           Number of dedicated infrastructure nodes
                              (default 0)
        master_as_infra<=node>
                              Use a master node as a dedicated infra node.
                              If no node is specified, the first master (0)
                              is used.  -1 (default) means no infra node
                              used.
        do_install_kata       Install OpenShift sandboxed containers
	apply_kata_workaround Apply 4.8 workaround for sandboxed containers
                              not adding additional CPUs correctly
        masters_schedulable   Allow user pods to be scheduled on master nodes
                              (default 1)
        bootstrap_mac         MAC address of bootstrap VM
                              (default 52:54:00:f9:8e:41)
        cluster_host_prefix   32 - desired bare metal network size (default 23)
	filesystem_json	      File containing code to modify the filesystem
			      layout
        install_device        Device (without /dev) to install to (default sda)
        install_retries       Number of times to retry waiting for bootstrap
                              to complete; needed for bare metal nodes that
                              take a long time to boot.  Default 2 (90 minutes)
        client_image          Path to local client image .tgz to be used for oc
        installer_image       Path to local installer image .tgz
        local_toolsdir        Location of client_image and installer_image.
                              Must match the version to be installed.
        update_packages       Update local packages (default 1)
EOF
    exit
}
# shellcheck disable=SC2206
declare -a default_exclude_ifs=(${EXCLUDE_IFS:-})
declare pub_if=${PUB_IF:-}
declare ip_base=192.168.222
declare -i host_base=20
declare -i max_host_count=71

function __bool() {
    local OPTIND=0
    local yes=1
    local no=0
    while getopts 'y:t:n:f:Y:T:' opt "$@" ; do
	case "$opt" in
	    y|t) yes="$OPTARG"	      ;;
	    n|f) no="$OPTARG"	      ;;
	    Y|T) yes="$OPTARG"; no='' ;;
	    *)               	      ;;
	esac
    done
    local value
    for value in "$@" ; do
	case "${value,,}" in
	    ''|1|y|yes|tru*) echo "$yes" ;;
	    *)               echo "$no"  ;;
	esac
    done
}

function __parse_size() {
    local size
    local echoarg=
    if [[ $1 = '-n' ]] ; then
	echoarg=-n
	shift
    fi
    local sizes=$*
    sizes=${sizes//,/ }
    for size in $sizes ; do
	if [[ $size =~ (-?[[:digit:]]+)([[:alpha:]]*) ]] ; then
	    local sizen=${BASH_REMATCH[1]}
	    local size_modifier=${BASH_REMATCH[2],,}
	    local -i size_multiplier=1
	    case "$size_modifier" in
		''|b)             size_multiplier=1              ;;
		k|kb|kilobytes)   size_multiplier=1000           ;;
		ki|kib|kibibytes) size_multiplier=1024           ;;
		m|mb|megabytes)   size_multiplier=1000000        ;;
		mi|mib|mebibytes) size_multiplier=1048576        ;;
		g|gb|gigabytes)   size_multiplier=1000000000     ;;
		gi|gib|gibibytes) size_multiplier=1073741824     ;;
		t|tb|terabytes)   size_multiplier=1000000000000  ;;
		ti|tib|tebibytes) size_multiplier=1099511627776  ;;
		*) __fatal "Cannot parse size $size"		 ;;
	    esac
	    echo $echoarg "$((sizen*size_multiplier)) "
	else
	    __fatal "Cannot parse size $size"
	fi
    done
}

function __parse_optvalues() {
    echoarg=
    if [[ $1 = '-n' ]] ; then
	echoarg=-n
	shift
    fi
    local args=$*
    args=${args//,/ }
    for arg in $args ; do
	echo $echoarg "$arg"
    done
}

function __parse_option() {
    local option=$1
    option=${option## }
    option=${option%% }
    if [[ $option =~ ^([^=]+)\ *=\ *([^\ ].*)? ]] ; then
	option="${BASH_REMATCH[1]}=${BASH_REMATCH[2]}"
    fi
    [[ -n "$option" ]] || return
    local optname
    local optvalue
    optname=${option%%=*}
    optname=${optname,,}
    optvalue=${option#*=}
    noptname=${optname//-/_}
    if [[ $option != *'='* ]] ; then
	if [[ $noptname = "no_"* || $optname = "dont_"* || $noptname = "no-"* || $optname = "dont-"* ]] ; then
	    noptname=${noptname#dont_}
	    noptname=${noptname#no_}
	    noptname=${noptname#dont-}
	    noptname=${noptname#no-}
	    optvalue=0
	else
	    optvalue=1
	fi
    fi
    local noptname1=${noptname//_/}
    echo "$noptname1 $noptname $optvalue"
}

function __process_option() {
    local noptname
    local noptname1
    local optvalue
    read -r noptname1 noptname optvalue <<< "$(__parse_option "$1")"
    # shellcheck disable=SC1822
    # shellcheck disable=SC2206
    case "$noptname1" in
	help*) __usage ;;
	clusterdomain)	cluster_domain=$optvalue ;;
	ipmiuser)	IPMI_USER=$optvalue ;;
	ipmipassword)	IPMI_PASSWORD=$optvalue ;;
	excludeifs)	exclude_ifs+=($optvalue) ;;
	infracount)	infra_count=$(__parse_size "$optvalue") ;;
	masterasinfra)  master_as_infra=$(__parse_size "$optvalue") ;;
	doinstallkata)	do_install_kata=$(__bool "$optvalue") ;;
	applykatawork*)	apply_kata_workaround=$(__bool "$optvalue") ;;
	masterssch*)	masters_schedulable=$(__bool "$optvalue") ;;
	bootstrapmac)	bootstrap_mac=$optvalue ;;
	clusterhost*)	cluster_host_prefix=$(__parse_size "$optvalue") ;;
	clusterinst*)	cluster_install_dir="$optvalue" ;;
	*pub*key)	ocp4_public_key="$optvalue" ;;
	*pullsecret)	ocp4_pull_secret="$optvalue" ;;
	filesystemj*)	filesystem_json=$optvalue ;;
	installdev*)	install_device=$optvalue ;;
	installret*)	install_retries=$(__parse_size "$optvalue") ;;
	clientim*)	client_image=$optvalue ;;
	installerim*)	installer_image=$optvalue ;;
	localtools*)	local_toolsdir=$optvalue ;;
	updatepac*)	update_packages=$(__bool "$optvalue") ;;
	*)		eval "$noptname=$optvalue" ;;
    esac
}

function __process_cmdline_vars() {
    if ((! processed_cmdline_vars)) ; then
	local var=
	for var in "${cmdline_vars[@]}" ; do
	    # Really should sanity check this, but this command is not
	    # intended to run with privilege higher than the command line
	    # that invoked it.
	    __process_option "$var"
	done
	processed_cmdline_vars=1
    fi
}

function __store_option() {
    local noptname
    local noptname1
    local optvalue
    read -r noptname1 noptname optvalue <<< "$(__parse_option "$1")"
    case "$noptname1" in
	configfile)	config_file="$optvalue" ;;
	*)		cmdline_vars+=("$1")	;;
    esac
    }

function __check_macaddr() {
    local addr
    for addr in "$@" ; do
	[[ -z "${known_macaddrs[$addr]}" ]] || __fatal "Duplicate macaddr $addr"
	[[ $addr =~ ^[0-9a-f]{2}(:[0-f]{2}){5} ]] || __fatal "Malformed address $addr"
    done
}

function __check_config_file() {
    ((checked_config)) && return
    local -i OPTIND=0
    local opt
    local -i do_check_config=1
    while getopts 'yn' opt "$@" ; do
	case "$opt" in
	    y) do_check_config=1 ;;
	    n) do_check_config=0 ;;
	    *)			 ;;
	esac
    done
    if [[ -n "${config_file:-}" ]] || ((do_check_config)) ; then
	if [[ -z "${config_file:-}" ]] ; then
	    # shellcheck disable=SC2016
	    if ((require_config_file)) ; then
		__fatal 'Config file must be specified, either with -c or $OCP4_CONFIG_FILE'
	    fi
	else
	    if [[ ! -r "$config_file" ]] ; then
		__fatal "Cannot read config file $config_file"
	    fi
	    # shellcheck disable=SC1090
	    . "$config_file" || __fatal "Unable to process config file $config_file"
	fi
	checked_config=1
    fi
    __process_cmdline_vars
    if ((do_check_config)) ; then
	# Check configuration validity
	(( ${#mgmt_masters[@]} == 1 || ${#mgmt_masters[@]} == 3 )) || __fatal "Configuration must have 1 or 3 masters, actual ${#mgmt_masters[@]}"
	(( ${#mgmt_masters[@]} == ${#master_macs[@]} )) || __fatal "Configuration must have same number of mgmt_masters as master_macs"
	(( infra_count == 0 || ${#worker_macs[@]} > infra_count )) || __fatal "Configuration must have at least 1 worker_macs in addition to infra nodes"
	(( ${#worker_macs[@]} == ${#mgmt_workers[@]} )) || __fatal "Configuration must have as many worker_macs as mgmt_workers, actual ${#worker_macs[@]} and ${#mgmt_workers[@]}"
	bootstrap_mac=${bootstrap_mac,,}
	master_macs=("${master_macs[@],,}")
	worker_macs=("${worker_macs[@],,}")
	__check_macaddr "$bootstrap_mac"
	__check_macaddr "${master_macs[@]}"
	__check_macaddr "${worker_macs[@]}"
	[[ -n "$public_interface" ]] || __fatal "public_interface must be specified"
	[[ -n "$bare_metal_interface" ]] || __fatal "bare_metal_interface must be specified"
	[[ -n "$cluster_domain" ]] || __fatal "cluster_domain must be specified"
	[[ -n "$IPMI_USER" ]] || __warn "IPMI_USER is not specified; IPMI may not work correctly."
	[[ -n "$IPMI_PASSWORD" ]] || __fatal "IPMI_PASSWORD is not specified; IPMI may not work correctly."

	[[ -r "$ocp4_pull_secret" ]] || __fatal "No pull secret!"
	[[ -r "$ocp4_public_key" ]] || __fatal "No public key!"

	cluster_basedomain=${cluster_basedomain:-${cluster_domain#*.}}
	cluster_name=${cluster_name:-${cluster_domain%%.*}}
	bootstrap_ipaddr=${bootstrap_prefix}.1
    fi
}

function __do_setup_dnsmasq_help() {
    cat <<EOF
Usage: $0 [options] domain bootstrap_mac master0_mac [master_macs...] [workers_macs]
    Options:
        -e exclude    Exclude the specified interface (may repeat)
	-p pub_if     Use the specified interface as the public IF
        -N base       Use the specified base network (default $ip_base)
        -b host_base  Start hosts at the specified number (default $host_base)
        -n max_hosts  Allow the specified maximum number of hosts (default $max_host_count)
	-m masters    Specify the number of masters (default $master_count)
	-i infras     Specify the number of infra nodes (default $infra_count)
     At least $master_count MAC addrs must be specified

EOF
    exit 1
}

function __generate_dnsmasq() {
    local -i master_count=$1; shift
    local -i worker_count=$1; shift
    local -i infra_count=$1; shift
    cat <<EOF
listen-address=${ip_base}.${prov_host}
bind-interfaces
strict-order
local=/${ocp4_domain}/
domain=${ocp4_domain}
expand-hosts
#except-interface=lo
#except-interface=virbr0
EOF
    for int in "$pub_if" "${exclude_list[@]}" ; do
	echo "#except-interface=$int"
    done
    cat <<EOF
#interface=${cluster_network_bridge_name}
#dhcp-range=${ip_base}.${host_base},${ip_base}.${host_max}
dhcp-range=192.168.222.0,static
dhcp-ignore=tag:!known
dhcp-no-override
dhcp-authoritative
dhcp-lease-max=41
dhcp-host=${bootstrap_mac},${ip_base}.${bootstrap_host},bootstrap
EOF
    for ((i = 0; i < master_count; i++)) ; do
	printf "dhcp-host=%s,${ip_base}.%d,master-%d\n" "$1" $((master_base+i)) "$i"
	shift
    done
    i=0
    for ((i = 0; i < infra_count; i++)) ; do
	printf "dhcp-host=%s,${ip_base}.%d,infra-%d\n" "$1" $((infra_base+i)) "$i"
	shift
    done
    i=0
    for arg in "$@" ; do
	printf "dhcp-host=%s,${ip_base}.%d,worker-%d\n" "$arg" $((worker_base+i)) "$i"
	i=$((i+1))
    done
    tftproot=/var/lib/tftpboot
    if [[ $platform = aarch64 ]] ; then
	bootfile=BOOTAA64.EFI
    else
	bootfile=lpxelinux.0
    fi
    cat <<EOF
enable-tftp
tftp-root=$tftproot
dhcp-boot=$bootfile
address=/api.${ocp4_domain}/${ip_base}.${prov_host}
address=/api-int.${ocp4_domain}/${ip_base}.${prov_host}
address=/.apps.${ocp4_domain}/${ip_base}.${prov_host}
EOF
}

function __generate_service() {
    local name=$1
    local -i port=$2
    local -i master_count=$3
    local -i worker_count=$4
    local -i infra_count=$5
    if [[ $name = worker && $worker_count -eq 0 ]] ; then
	name=master
    fi
    local -i i
    case "$name" in
	master)
	    cat <<EOF
    server           bootstrap ${ip_base}.$((bootstrap_host)):${port} check inter 1s backup
EOF
	    for ((i = 0; i < master_count; i++)) ; do
		cat <<EOF
    server           master-${i} ${ip_base}.$((master_base+i)):${port} check inter 1s
EOF
	    done
	    ;;
	worker)
	    for ((i = 0; i < infra_count; i++)) ; do
		cat <<EOF
    server           infra-${i} ${ip_base}.$((infra_base+i)):${port} check inter 1s
EOF
	    done
	    if ((masters_schedulable)) ; then
		for ((i = 0; i < master_count; i++)) ; do
		    cat <<EOF
    server           master-${i} ${ip_base}.$((master_base+i)):${port} check inter 1s
EOF
		done
	    fi
	    for ((i = 0; i < worker_count; i++)) ; do
		cat <<EOF
    server           worker-${i} ${ip_base}.$((worker_base+i)):${port} check inter 1s
EOF
	    done
	    ;;
	*)
	    echo "Unknown node type $name" 1>&2
	    exit 1
	    ;;
    esac
}

function __generate_haproxy_1() {
    local -i master_count=$1; shift
    local -i worker_count=$1; shift
    local -i infra_count=$1; shift
    local LINE
    while IFS= read -r 'LINE' ; do
	if [[ $LINE = '# --- BEGIN OCP4-UPI ---' ]] ; then
	    break
	fi
	echo "$LINE"
    done < /etc/haproxy/haproxy.cfg
    cat <<EOF
# --- BEGIN OCP4-UPI ---
#-----------------
# OCP4-UPI CONFIG
#-----------------
frontend kapi
    mode             tcp
    bind             *:6443
    default_backend  kapi

frontend mc
    mode             tcp
    bind             *:22623
    default_backend  mc

frontend https
    mode             tcp
    bind             *:443
    default_backend  https

frontend http
    mode             http
    bind             *:80
    default_backend  http

frontend ingress
    mode             http
    bind             *:1936
    default_backend  ingress

backend kapi
    mode             tcp
    balance          roundrobin
$(__generate_service master 6443 "$master_count" "$worker_count" "$infra_count")

backend mc
    mode             tcp
    balance          roundrobin
$(__generate_service master 22623 "$master_count" "$worker_count" "$infra_count")

backend https
    mode             tcp
    balance          roundrobin
$(__generate_service worker 443  "$master_count" "$worker_count" "$infra_count")

backend http
    mode             http
    balance          roundrobin
$(__generate_service worker 80 "$master_count" "$worker_count" "$infra_count")

backend ingress
    mode             http
    balance          roundrobin
$(__generate_service worker 1936 "$master_count" "$worker_count" "$infra_count")
EOF
}

function __generate_haproxy() {
    local output
    # If something fails during generation of the haproxy
    # configuration, we won't inadvertently wind up with a
    # broken file.
    output="$(__generate_haproxy_1 "$@")"
    echo "$output"
}

function __do_setup_dnsmasq() {
    local -i master_count=3
    local -i infra_count=0
    local -i worker_count=0
    local -a exclude_list=()
    OPTIND=0
    while getopts "e:p:N:b:n:m:i:" opt "$@"; do
	case "$opt" in
	    e) exclude_list+=("$OPTARG") ;;
	    p) pub_if=$OPTARG            ;;
	    N) ip_base=$OPTARG           ;;
	    b) host_base=$OPTARG         ;;
	    n) max_host_count=$OPTARG    ;;
	    m) master_count=$OPTARG      ;;
	    i) infra_count=$OPTARG       ;;
	    *) __do_setup_dnsmasq_help     ;;
	esac
    done

    (( ${#exclude_list[@]} )) || exclude_list=("${default_exclude_ifs[@]}")

    shift $((OPTIND-1))

    local ocp4_domain=$1
    shift

    [[ -z "$pub_if" ]] && __fatal "pub_if must be set to the public IP address on this node"
    (( $# < master_count + infra_count + 1 )) && __do_setup_dnsmasq_help
    [[ -f /etc/dnsmasq.conf ]] || __fatal "dnsmasq does not appear to be installed; please install!"
    [[ -n "$ocp4_domain" ]] || __fatal "domain must be specified"

    badaddr=0

    for addr in "$@" ; do
	if [[ ! $addr =~ ([0-9a-f]{2}:){5}[0-9a-f]{2} ]] ; then
	    echo "$addr is not a valid MAC"
	    badaddr=1
	fi
    done

    (( badaddr )) && exit 1
    local bootstrap_mac=$1
    shift

    [[ -d /etc/dnsmasq.d ]] && mkdir -p /etc/dnsmasq.d

    if grep -q '^conf-dir=.*/etc/dnsmasq.d' /etc/dnsmasq.conf ; then
	:
    else
	echo 'conf-dir=/etc/dnsmasq.d' >> /etc/dnsmasq.conf
    fi

    local prov_host=1
    host_max=$((host_base+max_host_count-1))
    bootstrap_host=$((host_base+max_host_count-1))
    master_base=$((host_base+0))
    infra_base=$((host_base+5))
    worker_base=$((master_base+10))
    worker_count=$(($# - master_count - infra_count))

    __generate_dnsmasq "$master_count" "$worker_count" "$infra_count" "$@" > /etc/dnsmasq.d/ocp &&
	__generate_haproxy "$master_count" "$worker_count" "$infra_count" "$@" > /etc/haproxy/haproxy.cfg.new &&
	mv -f /etc/haproxy/haproxy.cfg.new /etc/haproxy/haproxy.cfg &&
	rm -f /var/lib/dnsmasq/dnsmasq.leases &&
	systemctl restart dnsmasq haproxy
}

function __generate_install_config() {
    cat <<EOF
apiVersion: v1
baseDomain: ${cluster_basedomain}
compute:
- hyperthreading: ${cluster_hyperthreading}
  name: worker
  replicas: 0
controlPlane:
  hyperthreading: ${cluster_hyperthreading}
  name: master
  replicas: ${#master_macs[@]}
metadata:
  name: ${cluster_name}
networking:
  clusterNetwork:
  - cidr: ${cluster_cidr}
    hostPrefix: ${cluster_host_prefix}
  networkType: ${cluster_network_type}
  serviceNetwork:
  - ${cluster_service_network}
platform:
  none: {}
pullSecret: '$(jq -c . < "$ocp4_pull_secret")'
sshKey: '$(head -1 "$ocp4_public_key")'
EOF
}

function __generate_pxelinux_cfg() {
    local node_type=${1:-master}
    local installdev=${2:-$install_device}
    shift 2
    cat <<EOF
DEFAULT pxeboot
TIMEOUT 20
PROMPT 0
LABEL pxeboot
    KERNEL http://${bootstrap_ipaddr}:${pxe_port}/ocp4-upi/rhcos-installer-kernel
    APPEND rdblacklist=megaraid_sas ip=dhcp rd.neednet=1 initrd=http://${bootstrap_ipaddr}:${pxe_port}/ocp4-upi/rhcos-installer-initramfs.img console=tty0 console=ttyS0 coreos.inst=yes coreos.inst.install_dev=${installdev} coreos.inst.image_url=http://${bootstrap_ipaddr}:${pxe_port}/ocp4-upi/rhcos-metal-bios.raw.gz coreos.inst.ignition_url=http://${bootstrap_ipaddr}:${pxe_port}/ocp4-upi/${node_type}.ign $*
    SYSAPPEND 2
EOF
}

function __generate_grub_cfg() {
    local node_type=${1:-master}
    local installdev=${2:-$install_device}
    shift 2
    cat <<EOF
set timeout=10
menuentry 'Install CoreOS' {
  linux rhcos-installer-kernel rdblacklist=megaraid_sas ip=dhcp coreos.inst.install_dev=${installdev} nomodeset rd.neednet=1 coreos.inst=yes coreos.inst.image_url=http://${bootstrap_ipaddr}:${pxe_port}/ocp4-upi/rhcos-metal-bios.raw.gz coreos.inst.ignition_url=http://${bootstrap_ipaddr}:${pxe_port}/ocp4-upi/${node_type}.ign $*
  initrd rhcos-installer-initramfs.img
}
EOF
}

function __get_installdev() {
    local node_type=${1:-master}
    local mac=${2:-}
    if [[ $node_type = bootstrap ]] ; then
	installdev=sda
    else
	installdev=${install_disks[${mac,,}]:-$install_device}
    fi
    if [[ ${installdev:0:1} != '/' ]] ; then
	installdev="/dev/$installdev"
    fi
    echo "$installdev"
}

function __setup_tftpboot() {
    local ntype=${1:-master}
    shift 1
    local -a macs=()
    while [[ "$*" ]] ; do
	local arg=$1
	shift
	if [[ $arg = '--' ]] ; then break; fi
	macs+=("$arg")
    done
    local m
    local installdev
    if [[ $platform = aarch64 ]] ; then
	for m in "${macs[@]}" ; do
	    local file="/var/lib/tftpboot/grub.cfg-01-${m//:/-}"
	    echo "Configuring $m as $ntype: $file"
	    installdev=$(__get_installdev "$ntype" "$m")
	    __generate_grub_cfg "$ntype" "$installdev" "$@" > "$file"
	done
	cp /boot/efi/EFI/BOOT/BOOTAA64.EFI /var/lib/tftpboot
	cp /boot/efi/EFI/redhat/grubaa64.efi /var/lib/tftpboot
	chmod 644 /var/lib/tftpboot/BOOTAA64.EFI /var/lib/tftpboot/grubaa64.efi
	chmod 644 "$tftproot/$bootfile" "$tftproot/grubaa64.efi"
    else
	for m in "${macs[@]}" ; do
	    local file="/var/lib/tftpboot/pxelinux.cfg/01-${m//:/-}"
	    echo "Configuring $m as $ntype: $file"
	    installdev=$(__get_installdev "$ntype" "$m")
	    __generate_pxelinux_cfg "$ntype" "$installdev" "$@" > "$file"
	done
	cp -p /tftpboot/lpxelinux.0 /var/lib/tftpboot
	cp -p /tftpboot/ldlinux.c32 /var/lib/tftpboot
    fi
}

function __setup_bm_if() {
    [[ -n "$bare_metal_interface" ]] || __fatal "No bare metal interface defined in bare_metal_interface"
    local line
    # Purge any other masters for our bare metal interface
    while read -r line ; do
    	if [[ $line =~ ^[[:digit:]]+:\ +([^:]+):.*master ]] ; then
	    nmcli con del "${BASH_REMATCH[1]}"
    	fi
    done <<< "$(ip addr show master "$cluster_network_bridge_name" 2>/dev/null || true)"
    # Purge any stale instances of our bare metal interface
    local name
    local uuid
    local type
    local device
    local rest
    # shellcheck disable=SC2034
    while read -r name uuid type device rest ; do
    	if [[ $name = "$cluster_network_bridge_name" ]] ; then
    	    nmcli con del "$uuid"
    	fi
    done <<< "$(nmcli con)"
    nmcli con add type bridge ifname "${cluster_network_bridge_name}" con-name "${cluster_network_bridge_name}" ipv4.method manual ipv4.addr "${bootstrap_ipaddr}"/24 ipv4.dns "${bootstrap_ipaddr}" ipv4.dns-priority 10 autoconnect yes bridge.stp no
    nmcli con add type bridge-slave autoconnect yes con-name "$bare_metal_interface" ifname "$bare_metal_interface" master "${cluster_network_bridge_name}"
    nmcli con reload "$bare_metal_interface"
    nmcli con reload "${cluster_network_bridge_name}"
    nmcli con up "${cluster_network_bridge_name}"
    nmcli con up "$bare_metal_interface"
}

function __setup_virt_net() {
    if ! virsh net-info ocp4-upi >/dev/null 2>&1 ; then
	tnetfile=$(mktemp net-ocp4-upi.XXXXXXXX)
	cat > "$tnetfile" <<EOF
<network>
  <name>ocp4-upi</name>
  <forward mode='bridge'/>
  <bridge name='$cluster_network_bridge_name'/>
</network>
EOF
	virsh net-define "$tnetfile"
	rm -f "$tnetfile"
	virsh net-start ocp4-upi
	virsh net-autostart ocp4-upi
    fi
}

function __setup_iptables() {
    # shellcheck disable=SC2155
    local now=$(date)
    echo "*** Disabling firewall"
    systemctl stop firewalld
    systemctl disable firewalld
    cat > /etc/sysconfig/iptables <<EOF
# Generated by iptables-save v1.8.4 on ${now}
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on ${now}
# Generated by iptables-save ${now}
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.222.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.222.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.222.0/24 ! -d 192.168.222.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.222.0/24 ! -d 192.168.222.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.222.0/24 ! -d 192.168.222.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.222.0/24 ! -d 192.168.222.0/24 -o enp2s0f0 -j MASQUERADE
COMMIT
# Completed on ${now}
# Generated by iptables-save v1.8.4 on ${now}
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on ${now}
EOF
    iptables-restore < /etc/sysconfig/iptables
}

function __check_packages() {
    if (( update_packages )) ; then
	echo '*** Updating packages'
	dnf -y groupinstall 'Virtualization Host' || yum module install virt
	local -a required_rpms=()
	local rpm
	if [[ $platform = aarch64 ]] ; then
	    platform_packages=(shim-aa64 grub2-efi-aa64)
	else
	    platform_packages=()
	fi
	for rpm in wget virt-install jq podman git python3-pyyaml qemu-kvm virt-manager virt-viewer xorg-x11-xauth xinetd syslinux-tftpboot haproxy httpd perl perl-JSON ipmitool python3-magic "${platform_packages[@]}" ; do
	    rpm --quiet -q "$rpm" || required_rpms+=("$rpm")
	done
	if [[ -n "${!required_rpms[*]}" ]] ; then
	    echo "Installing ${required_rpms[*]}"
	    dnf -y install "${required_rpms[@]}"
	fi
    fi
    systemctl enable libvirtd
    systemctl start libvirtd
}

function __pre_setup() {
    cd ~
    [[ -d "$cachedir" ]] || mkdir -p "$cachedir"
    setenforce 0 || true
    grep -q SELINUX=disabled /etc/selinux/config || sed -i s/^SELINUX=.*/SELINUX=disabled/ /etc/selinux/config
    __check_packages
    sed -i s/Listen\ 80/Listen\ ${pxe_port}/ /etc/httpd/conf/httpd.conf
    [[ -f "$ocp4_public_key" ]] || ssh-keygen -t rsa -b 4096 -f "${ocp4_public_key%.pub}" -N "" -q
    __setup_bm_if
    __setup_iptables
    local bootstrap_ipaddr_quoted=${bootstrap_ipaddr//./\\.}
    grep -q "nameserver *${bootstrap_ipaddr_quoted}" /etc/resolv.conf ||
	sed -i "/^search/a nameserver\ ${bootstrap_ipaddr}" /etc/resolv.conf
}

function __get_key() {
    local data="$1"
    shift
    local key
    for key in "$@" ; do
	# shellcheck disable=SC2155
	local answer="$(jq -r "($key)" <<< "$data")"
	if [[ -n "$answer" && $answer != 'null' ]] ; then
	    echo "$answer"
	    return
	fi
    done
}

function __try_to_download() {
    local -a registry_hosts=(openshift-release.apps.ci.l2s4.p1.openshiftapps.com openshift-release-artifacts.apps.ci.l2s4.p1.openshiftapps.com)
    local target=$1; shift
    local host
    for host in "${registry_hosts[@]}" ; do
	wget -P "$cachedir" "$@" "https://${host}/${target}" && return 0
    done
    return 1
}

function __fetch_tools_if_needed() {
    local client_filename=openshift-client-linux${arch_infix}-${VERSION}.tar.gz
    local installer_filename=openshift-install-linux${arch_infix}-${VERSION}.tar.gz
    if [[ -d "$local_toolsdir" ]] ; then
	if [[ -z "$installer_image" ]] ; then
	    installer_image="${local_toolsdir}/$installer_filename"
	fi
	if [[ -z "$client_image" ]] ; then
	    client_image="${local_toolsdir}/$client_filename"
	fi
    fi
    if [[ -n "$installer_image" && -f "$installer_image" ]] ; then
	cp -p "$installer_image" "$cachedir/$installer_filename"
    fi
    if [[ -n "$client_image" && -f "$client_image" ]] ; then
	cp -p "$client_image" "$cachedir/$client_filename"
    fi
    if [[ -f "$cachedir/$client_filename" &&
	      -f "$cachedir/$installer_filename" ]] ; then
	return 0
    elif [[ -n "$(type -p oc)" ]] && (cd "$cachedir" && oc adm release extract --tools "$VERSION") ; then
	return 0
    else
	[[ -f "$cachedir/$client_filename" ]] || __try_to_download "${VERSION}/$client_filename" -nv -N || {
		echo "Can't download client for $VERSION"
		return 1
	    }
	[[ -f "$cachedir/$installer_filename" ]] || __try_to_download "${VERSION}/$installer_filename" -nv -N || {
		echo "Can't download installer for $VERSION"
		return 1
	    }
    fi
}

function __do_setup_install() {
    [[ -n "$1" ]] && VERSION=$1
    if [[ -z "$VERSION" ]] ; then
	__fatal "VERSION is not set!"
    fi
    cd "$HOME"
    __pre_setup
    [[ $VERSION =~ ([0-9]\.[0-9]+).* ]] && export RELEASE=${BASH_REMATCH[1]}
    [[ -d "$cluster_install_dir" ]] && rm -rf "$cluster_install_dir"
    mkdir "$cluster_install_dir"
    if ((masters_schedulable < 0)) ; then
	if ((${#worker_macs[@]} >= 1)) ; then
	    masters_schedulable=0
	else
	    masters_schedulable=1
	fi
    fi
    setup_dnsmasq
    __setup_virt_net
    local arch_infix=
    if [[ $platform = aarch64 ]] ; then
	arch_infix=-arm64
    fi
    __fetch_tools_if_needed || return 1
    cd "$cluster_install_dir"
    if [[ ! -f "$cluster_install_dir/filetranspile" ]] ; then
	wget -q -P "$cluster_install_dir" https://raw.githubusercontent.com/ashcrow/filetranspiler/1.1.3/filetranspile
	chmod +x "$cluster_install_dir/filetranspile"
    fi
    tar -C "$cluster_install_dir" -xzf "$cachedir/openshift-client-linux${arch_infix}-${VERSION}.tar.gz"
    tar -C "$cluster_install_dir" -xzf "$cachedir/openshift-install-linux${arch_infix}-${VERSION}.tar.gz"
    PATH="${cluster_install_dir}:$PATH"
    local -A paths
    local -A fn
    local baseURI

    # Should we even use this at all?
    local installerURL="https://raw.githubusercontent.com/openshift/installer/release-$RELEASE/data/data/rhcos.json"
    echo "Trying to fetch installer data from $installerURL"
    if curl -f -s "$installerURL" ; then
	local installer_data
	installer_data="$(curl -s -S "$installerURL")"
	baseURI=$(__get_key "$installer_data" .baseURI)
	paths[bios]=$(__get_key "$installer_data" .images.metal.path)
	paths[kernel]=$(__get_key "$installer_data" .images.kernel.path '.images."live-kernel".path')
	paths[initramfs]=$(__get_key "$installer_data" .images.initramfs.path '.images."live-initramfs".path')
	paths[rootfs]=$(__get_key "$installer_data" '.images."live-rootfs".path')
    else
	baseURI=https://mirror.openshift.com/pub/openshift-v4/${platform}/dependencies/rhcos/$RELEASE/latest
	echo "Trying fallback $baseURI"
	if ! curl -f -s "$baseURI" ; then
	    baseURI=https://mirror.openshift.com/pub/openshift-v4/${platform}/dependencies/rhcos/pre-release/latest-$RELEASE
	    echo "Trying fallback $baseURI"
	fi
	paths[bios]=rhcos-metal."${platform}".raw.gz
	paths[kernel]=rhcos-live-kernel-"${platform}"
	paths[initramfs]=rhcos-live-initramfs."${platform}".img
	paths[rootfs]=rhcos-live-rootfs."${platform}".img
    fi

    fn[bios]="rhcos-metal-bios.raw.gz"
    fn[kernel]="rhcos-installer-kernel"
    fn[initramfs]="rhcos-installer-initramfs.img"
    fn[rootfs]="rhcos-installer-rootfs"

    if [[ -d /var/www/html/ocp4-upi ]] ; then
	rm -f /var/www/html/ocp4-upi/bootstrap.ign \
	   /var/www/html/ocp4-upi/master.ign \
	   /var/www/html/ocp4-upi/worker.ign
    else
	mkdir /var/www/html/ocp4-upi
    fi

    for f in "${!fn[@]}" ; do
	echo "Looking for $f (${fn[$f]}) (${paths[$f]:-})" 1>&2
	if [[ -L "/var/www/html/ocp4-upi/${fn[$f]}" ]] ; then
	    __doit rm -f "$(readlink "/var/www/html/ocp4-upi/${fn[$f]}")"
	fi
	__doit rm -f "/var/www/html/ocp4-upi/${fn[$f]}" "/var/lib/tftpboot/${fn[$f]}"
	if [[ -n "${paths[$f]:-}" ]] ; then
	    dest="/var/www/html/ocp4-upi/${paths[$f]}"
	    if [[ ! -f "/var/www/html/ocp4-upi/${paths[$f]}" ]] ; then
		if __doit wget -nv -O "${dest}.tmp" "$baseURI/${paths[$f]}" ; then
		    mv "${dest}.tmp" "$dest"
		else
		    __fatal "Cannot download $baseURI/${paths[$f]}"
		fi
	    fi
	    ln -s "$dest" "/var/www/html/ocp4-upi/${fn[$f]}"
	    cp -p "$dest" "/var/lib/tftpboot/${fn[$f]}"
	fi
    done
    systemctl restart httpd
    mkdir -p lab/etc/sysconfig/network-scripts/
    for pubif in "$public_interface" "${exclude_ifs[@]}" ; do
	cat << EOF > "lab/etc/sysconfig/network-scripts/ifcfg-$pubif"
DEVICE=$pubif
BOOTPROTO=none
ONBOOT=no
EOF
    done
    __generate_install_config > "$cluster_install_dir/install-config.yaml"
    cp -p "$cluster_install_dir/install-config.yaml" "$cluster_install_dir/install-config-save.yaml"
    ./openshift-install create manifests
    if (( !masters_schedulable && ${#mgmt_workers[@]} > 0 )) ; then
	sed -i '/mastersSchedulable/s/true/false/' manifests/cluster-scheduler-02-config.yml
    else
	sed -i '/mastersSchedulable/s/false/true/' manifests/cluster-scheduler-02-config.yml
    fi
    ./openshift-install create ignition-configs
    for i in master worker; do
	cp -p "${i}.ign" "${i}.ign.orig"
	filetranspile -i "${i}.ign.orig" -f ./lab -o "${i}.ign"
    done
    if [[ -n "$filesystem_json" ]] ; then
	if [[ -r "$filesystem_json" && -f "$filesystem_json" ]] ; then
	    jq -c . < "$filesystem_json" >/dev/null 2>&1 || __fatal "Cannot parse filesystem JSON in $filesystem_json"
	    jq -c .storage < "$filesystem_json" >/dev/null 2>&1 || __fatal "Cannot find storage JSON in $filesystem_json"
	    jq -c .systemd < "$filesystem_json" >/dev/null 2>&1 || __fatal "Cannot find systemd JSON in $filesystem_json"
	    for i in master worker; do
		jq -c ".systemd? += $(jq .systemd < "$filesystem_json") | .storage? += $(jq .storage < "$filesystem_json")" < "${i}.ign" > "${i}.ign.tmp" && mv -f "${i}.ign.tmp" "${i}.ign"
	    done
	else
	    __fatal "Cannot read $filesystem_json"
	fi
    fi
    for i in master worker bootstrap ; do
	cp "$cluster_install_dir/$i.ign" /var/www/html/ocp4-upi
	chmod 644 /var/www/html/ocp4-upi/"$i.ign"
    done
    if [[ $platform = aarch64 ]] ; then
	for m in "${master_macs[@]}" "${worker_macs[@]}" ; do
	    m=${m//:/-}
	    rm -f "/var/lib/tftpboot/grub.cfg-01-$m"
	done
    else
	mkdir -p /var/lib/tftpboot/pxelinux.cfg
	for m in "${master_macs[@]}" "${worker_macs[@]}" ; do
	    m=${m//:/-}
	    rm -f "/var/lib/tftpboot/pxelinux.cfg/01-$m"
	done
    fi
    rootfs_arg=${paths[rootfs]:+"coreos.inst.insecure coreos.live.rootfs_url=http://${bootstrap_ipaddr}:${pxe_port}/ocp4-upi/rhcos-installer-rootfs"}
    __setup_tftpboot master "${master_macs[@]}" -- "$rootfs_arg"
    __setup_tftpboot worker "${worker_macs[@]}" -- "$rootfs_arg"
    __setup_tftpboot bootstrap "$bootstrap_mac" -- "$rootfs_arg"
    # Clear out old known_hosts entries so ssh doesn't choke on host
    # identification changing.
    sed -i -E -e '/^((master|worker|infra)-[[:digit:]]+|bootstrap)[, ]/d' ~/.ssh/known_hosts
}

function __ipmi_cmd() {
    echo -n "$1: "
    ipmitool ${IPMI_USER:+-U "$IPMI_USER"} ${IPMI_PASSWORD:+-P "$IPMI_PASSWORD"} -H "$@"
}

function __ipmi_master() {
    local m="$1"
    shift
    if [[ -n "${mgmt_masters[$m]}" ]] ; then
	__ipmi_cmd "${mgmt_masters[$m]}" "$@"
    fi
}

function __ipmi_worker() {
    local m="$1"
    shift
    if [[ -n "${mgmt_workers[$m]}" ]] ; then
	__ipmi_cmd "${mgmt_workers[$m]}" "$@"
    fi
}

function __ipmi_masters() {
    for node in "${mgmt_masters[@]}" ; do
	__ipmi_cmd "$node" "$@"
    done
}

function __ipmi_workers() {
    for node in "${mgmt_workers[@]}" ; do
	__ipmi_cmd "$node" "$@"
    done
}

function __ipmi_all() {
    __ipmi_masters "$@"
    __ipmi_workers "$@"
}

function __setup_install() {
    (__do_setup_install "$@")
}

function __bootstrap_install() {
    bootstrap_destroy
    if [[ $platform = aarch64 ]] ; then
	__doit virt-install -n ocp4-upi-bootstrap --pxe --os-type=Linux --os-variant=rhel8.1 --cpu=host-passthrough --ram=8192 --vcpus=4 --network network=ocp4-upi,mac="$bootstrap_mac" --disk size=120,bus=scsi,sparse=yes --check disk_size=off --noautoconsole --wait -1 </dev/null
    else
	__doit virt-install -n ocp4-upi-bootstrap --pxe --os-type=Linux --os-variant=rhel8.1 --cpu=host-passthrough --ram=8192 --vcpus=4 --network network=ocp4-upi,mac="$bootstrap_mac" --disk size=120,bus=scsi,sparse=yes --check disk_size=off --noautoconsole --wait -1 </dev/null
    fi
}

function __do_master_install() {
    cd "$cluster_install_dir"
    while ((install_retries-- >= 0)) ; do
	if ./openshift-install wait-for bootstrap-complete ; then
	    return 0
	fi
	echo "**** Installer failed, retrying $install_retries time(s)"
    done
    echo "***** Wait for bootstrap complete failed!" 1>&2
    return 1
}

function __master_install() {
    (__do_master_install)
}

function __approve_csrs() {
    oc get csr -ojson | jq -r '.items[] | select(.status == {}) | .metadata.name'| xargs --no-run-if-empty oc adm certificate approve
}

function __get_infra_nodes() {
    if ((master_as_infra >= 0)) ; then
	oc get node --no-headers -oname |grep 'node/master' | head -n $((master_as_infra+1)) |tail -1
    else
	oc get node --no-headers -oname |grep 'node/infra'
    fi
}

function __make_infra_config() {
    local item
    for item in "$@" ; do
	cat <<EOF
    ${item}:
      tolerations:
      - key: "node-role.kubernetes.io/master"
        operator: "Exists"
        effect: "NoSchedule"
      nodeSelector:
        node-role.kubernetes.io/infra: ""
EOF
    done
}

function __generate_infra() {
    cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |+
$(__make_infra_config alertmanagerMain prometheusK8s prometheusOperator grafana k8sPrometheusAdapter kubeStateMetrics telemeterClient openshiftStateMetrics thanosQuerier)
EOF
}

function __get_ns_csv_name() {
    local ns=$1
    oc get csv -n "$ns" -ojsonpath='{.items[0].metadata.name}'
}

function __get_ns_version() {
    local ns=$1
    oc get csv -n "$ns" -ojsonpath='{.items[0].spec.version}'
}

function __get_operator_channel() {
    local operator=$1
    oc get packagemanifest -n openshift-marketplace "$operator" -ojsonpath='{.status.defaultChannel}'
}

function __get_operator_field() {
    local operator=$1
    local field=$2
    local channel
    channel="${3:-$(__get_operator_channel "$operator")}"
    oc get packagemanifest -n openshift-marketplace "$operator" -ojson | jq -r '[foreach .status.channels[] as $channel ([[],[]];0; (if ($channel.name == "'"$channel"'") then $channel.'"$field"' else null end))] | flatten | map (select (. != null))[]'
}

function __get_operator_csv() {
    __get_operator_field "$1" "currentCSV" "$2"
}

function __get_operator_catalog_source() {
    local operator=$1
    oc get packagemanifest -n openshift-marketplace "$operator" -ojsonpath='{.status.catalogSource}'
}

function __get_operator_namespace() {
    local operator=$1
    local namespace
    namespace="$(__get_operator_field "$operator" 'currentCSVDesc.annotations."operatorframework.io/suggested-namespace"')"
    if [[ -z "$namespace" ]] ; then
	namespace="$(jq -r '.[0].metadata.namespace' <<< "$(__get_operator_field "$operator" 'currentCSVDesc.annotations."alm-examples"')" 2>/dev/null)"
    fi
    echo "${namespace:-$operator}"
}

function __generate_operator_yaml() {
    local OPTIND=0
    local opt
    local namespace=
    local channel=
    local csv=
    local catalog_source=
    while getopts 'c:C:s:n:' opt "$@" ; do
	case "$opt" in
	    c) channel="$OPTARG" ;;
	    C) csv="$OPTARG" ;;
	    s) catalog_source="$OPTARG" ;;
	    n) namespace="$OPTARG" ;;
	    *) ;;
	esac
    done
    shift "$((OPTIND-1))"
    local operator=$1
    local sourcetype=${2:-}
    local image=${3:-}
    channel=${channel:-$(__get_operator_channel "$operator")}
    csv=${csv:-$(__get_operator_csv "$operator" "$channel")}
    catalog_source=${catalog_source:-$(__get_operator_catalog_source "$operator")}
    namespace=${namespace:-$(__get_operator_namespace "$operator" "$channel")}
    cat <<EOF
---
apiVersion: v1
kind: Namespace
metadata:
  name: "$namespace"
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: "$namespace"
  namespace: "$namespace"
spec:
  targetNamespaces:
  - $namespace
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: $operator
  namespace: $namespace
EOF
    if [[ -n "$image" ]] ; then
	cat <<EOF
spec:
  sourceType: "${sourcetype:-grpc}"
  image: "$image"
EOF
    else
	cat <<EOF
spec:
  channel: "$channel"
  installPlanApproval: Automatic
  name: $operator
  source: $catalog_source
  sourceNamespace: openshift-marketplace
  startingCSV: $csv
EOF
    fi
}

function __generate_kata_yaml() {
    cat <<EOF
apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
  name: $kata_config_name
EOF
    if [[ -n "$kata_install_label" ]] ; then
	local label=$kata_install_label
	if [[ $label = *'='* ]] ; then
	    :
	elif [[ $label = *'/'* ]] ; then
	    label="${label}="
	else
	    label="node-role.kubernetes.io/${label}="
	fi
	local value=${label#*=}
	label=${label%%=*}
	cat << EOF
spec:
  kataConfigPoolSelector:
    matchLabels:
      $label: '$value'
EOF
    fi
}

function __do_install_kata() {
    (( do_install_kata <= 0 )) && return
    if oc get kataconfig "$kata_config_name" >/dev/null 2>&1 ; then
	echo '*** Kata already installed'
    fi
    echo '*** Installing Kata'
    install_operator sandboxed-containers-operator
    # Wait for kataconfig to exist as a CRD.
    # Probably should have a timeout here.
    until oc get kataconfig -A >/dev/null 2>&1 ; do sleep 1; done
    until oc apply -f - < <(__generate_kata_yaml)
    do
	sleep 5
    done
    local readyCount
    local totalCount
    local -i lastCount=-1
    # Wait for the kataconfig to exist
    until oc get kataconfig example-kataconfig >/dev/null 2>&1 ; do
	sleep 5
    done
    while [[ -z "$totalCount" ]] ; do
	totalCount=$(oc get kataconfig example-kataconfig -ojsonpath='{.status.totalNodesCount}') || true
	[[ -n "$totalCount" ]] || sleep 5
    done
    until [[ $(oc get kataconfig example-kataconfig -ojsonpath='{.status.installationStatus.IsInProgress}') = False ]] ; do
	readyCount=$(oc get kataconfig example-kataconfig -ojsonpath='{.status.installationStatus.completed.completedNodesCount}') || {
	    sleep 5
	    continue
	}
	totalCount=$(oc get kataconfig example-kataconfig -ojsonpath='{.status.totalNodesCount}') || true
	__timestamp_str "$start" "Waiting for all nodes to become ready (${readyCount:-0} / $totalCount)...${__cr}" 1>&3
	if [[ -n "$readyCount" && $readyCount -ne "$lastCount" && $readyCount -ne "$totalCount" ]] ; then
	    lastCount=$readyCount
	fi
	sleep 5
    done
    readyCount=$(oc get kataconfig example-kataconfig -ojsonpath='{.status.installationStatus.completed.completedNodesCount}')
    __timestamp_str "$start" "Waiting for all nodes to become ready (${readyCount:-0} / $totalCount)..." 1>&3
    echo 1>&3
    echo "*** Kata installed successfully"
    if (( apply_kata_workaround )) ; then
	# shellcheck disable=SC2155
	local cmdfile=$(cat <<'EOF'
#!/bin/bash
set -e
if [[ -f /usr/libexec/kata-containers/osbuilder/kata-osbuilder.sh ]] ; then
    sudo mount -o rw,remount /usr
    grep cpu /usr/lib/udev/rules.d/40-redhat.rules
    sudo sed -i  's/^SUBSYSTEM=="cpu"/#SUBSYSTEM=="cpu"/' /usr/lib/udev/rules.d/40-redhat.rules
    grep cpu /usr/lib/udev/rules.d/40-redhat.rules
    sudo /usr/libexec/kata-containers/osbuilder/kata-osbuilder.sh
    sudo mount -o ro,remount /usr
    grep cpu /usr/lib/udev/rules.d/40-redhat.rules
else
    echo "Kata does not appear to be installed on $(hostname)"
fi
EOF
	       )
	local -a oc_version
	IFS=. read -r -a oc_version <<< "$(oc version -ojson |jq -r .openshiftVersion)"

	if ((oc_version[0] > 4 || (oc_version[0] == 4 && oc_version[1] != 8) )) ; then
	    echo "Openshift version ${oc_version[0]}.${oc_version[1]}.${oc_version[2]} does not need Kata workaround" 1>&2
	else
	    echo "Applying sandboxed containers workaround for OCP 4.8"
	    local -i failed=0
	    for node in $(oc get node -lnode-role.kubernetes.io/worker= -oname --no-headers); do
		echo -n "  $node: "
		if oc debug -T "$node" -- chroot /host sh -c 'cat > /tmp/fix-kata; chmod +x /tmp/fix-kata; /tmp/fix-kata' <<< "$cmdfile" ; then
		    echo "done"
		else
		    failed=$((failed+1))
		    echo "failed!"
		fi
	    done
	fi
    fi
}

function __do_install_cnv() {
    (( do_install_cnv <= 0 )) && return
    if oc get hyperconverged kubevirt-hyperconverged >/dev/null 2>&1 ; then
	echo '*** CNV already installed'
    fi
    echo '*** Installing CNV'
    install_operator kubevirt-hyperconverged
    # Wait for kataconfig to exist as a CRD.
    # Probably should have a timeout here.
    until oc get hyperconverged -A >/dev/null 2>&1 ; do sleep 1; done
    until oc apply -f - <<'EOF'
apiVersion: hco.kubevirt.io/v1beta1
kind: HyperConverged
metadata:
  name: kubevirt-hyperconverged
  namespace: openshift-cnv
Spec:
  BareMetalPlatform: true
EOF
    do
	sleep 5
    done
    until oc get deployment -n openshift-cnv virt-operator >/dev/null 2>&1 ; do
	sleep 5
    done
    oc -n openshift-cnv wait deployment/virt-operator --for=condition=Available --timeout="300s"
}

# If this is called from the command line it will get passed any arguments.
# When we call it directly, it doesn't.
# shellcheck disable=SC2120
function __setup_chrony() {
    [[ -n "$1" ]] && chrony_server=$1
    [[ -z "${chrony_server}" ]] && return
    echo "*** Setting up chrony"
    # shellcheck disable=SC2155
    local chronydata=$(base64 -w 0 << EOF
server "$chrony_server" iburst
stratumweight 0
driftfile /var/lib/chrony/drift
rtcsync
makestep 1 -1
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
keyfile /etc/chrony.keys
noclientlog
logchange 0.5
EOF
)
    local role
    for role in master worker infra ; do
	[[ -z "$(oc get nodes -l "node-role.kubernetes.io/${role}=" 2>/dev/null)" ]] && continue
	oc apply -f - <<EOF
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  labels:
    machineconfiguration.openshift.io/role: $role
  name: 99-${role}s-chrony-configuration
spec:
  config:
    ignition:
      config: {}
      security:
        tls: {}
      timeouts: {}
      version: 3.2.0
    networkd: {}
    passwd: {}
    storage:
      files:
      - contents:
          source: data:text/plain;charset=utf-8;base64,$chronydata
        mode: 420
        overwrite: true
        path: /etc/chrony.conf
  osImageURL: ""
EOF
    done
}

function __do_install_2() {
    set -e
    cd "$HOME"
    trap 'exit 125' INT TERM
    echo "*** Configuring installation"
    __setup_install "$@"
    echo "*** Powering down all nodes"
    poweroff_all
    echo "*** Installing bootstrap"
    __bootstrap_install
    echo "*** Starting master(s)"
    pxe_masters
    echo "*** Installing master(s)"
    __do_master_install
    echo "*** Destroying bootstrap"
    sed -i -e "/bootstrap ${bootstrap_prefix}/d" /etc/haproxy/haproxy.cfg
    systemctl restart haproxy
    bootstrap_destroy
    echo "*** Starting worker(s)"
    start_workers
    setup_infra
    __do_install_kata
    __do_install_cnv
    # We don't invoke __setup_chrony with arguments,
    # but command line use might.
    # shellcheck disable=SC2119
    __setup_chrony
}

function __elapsed_time() {
    local -i start=$1
    local -i end=$2
    local -i et=$((end-start))
    if (( et < 0 )) ; then et=$((-et)) ; fi
    if ((1 == 1)) ; then
	printf "%2d:%0.2d:%0.2d" "$((et / 3600))" "$(( (et % 3600) / 60))" "$((et % 60))"
    elif (( et >= 3600 )) ; then
	printf "%dh %2dm %2ds" "$((et / 3600))" "$(( (et % 3600) / 60))" "$((et % 60))"
    elif (( et >= 60 )) ; then
	printf "%dm %2ds" "$((et / 60))" "$((et % 60))"
    else
	printf "%ds" "$et"
    fi
}

function __do_install_1() {
    echo "*** Starting installation at $(date +%Y-%m-%dT%H:%M:%S%z)"
    (__do_install_2 "$@")
    local -i status=$?
    # shellcheck disable=SC2155
    local et=$(__elapsed_time "$start" "$(date +%s)")
    case "$status" in
	0)   echo "*** Install completed in $et at $(date +%Y-%m-%dT%H:%M:%S%z)"  ;;
	125) echo "*** Install aborted after $et at $(date +%Y-%m-%dT%H:%M:%S%z)" ;;
	*)   echo "*** Install FAILED in $et at $(date +%Y-%m-%dT%H:%M:%S%z)"     ;;
    esac
}

function __timestamp_str() {
    local start=$1; shift
    printf "%s %s" "$(__elapsed_time "$start" "$(date +%s)")" "$*"
}

function __timestamp() {
    local start=$1
    while IFS='' read -r line ; do
	printf "%s %s\n" "$(__elapsed_time "$start" "$(date +%s)")" "$line"
    done
}

function __validate_commands() {
    local cmd
    local -i functions_missing=0
    for cmd in "${simple_commands[@]}" ; do
	if [[ $(type -t "$cmd") != function ]] ; then
	    echo "$cmd missing!"
	    functions_missing=1
	fi
    done
    exit $functions_missing
}


function setup_dnsmasq() {
    echo '*** Configuring dnsmasq'
    # We need "-e" prepended as a separate argument for each member
    # shellcheck disable=SC2068
    __do_setup_dnsmasq -m "${#master_macs[@]}" -i "$infra_count" -p "$public_interface" ${exclude_ifs[@]/#/-e } "$cluster_domain" "${bootstrap_mac}" "${master_macs[@]}" "${worker_macs[@]}"
}

function pxe_master() {
    local h
    for h in "$@" ; do
	__ipmi_master "$h" chassis bootdev pxe
	__ipmi_master "$h" chassis power on
	__ipmi_master "$h" chassis power reset
    done
}

function pxe_worker() {
    local h
    for h in "$@" ; do
	__ipmi_worker "$h" chassis bootdev pxe
	__ipmi_worker "$h" chassis power on
	__ipmi_worker "$h" chassis power reset
    done
}

function pxe_all() {
    pxe_masters
    pxe_workers
}

function bios_worker() {
    local h
    for h in "$@" ; do
	__ipmi_worker "$h" chassis bootdev bios
	__ipmi_worker "$h" chassis power on
	__ipmi_worker "$h" chassis power reset
    done
}

function bios_master() {
    local h
    for h in "$@" ; do
	__ipmi_master "$h" chassis bootdev bios
	__ipmi_master "$h" chassis power on
	__ipmi_master "$h" chassis power reset
    done
}

function bios_masters() {
    __ipmi_masters chassis bootdev bios
    __ipmi_masters chassis power on
    __ipmi_masters chassis power reset
}

function bios_workers() {
    __ipmi_workers chassis bootdev bios
    __ipmi_workers chassis power on
    __ipmi_workers chassis power reset
}

function bios_all() {
    bios_masters
    bios_workers
}

function reset_masters() {
    __ipmi_masters chassis power on
    __ipmi_masters chassis power reset
}

function reset_workers() {
    __ipmi_workers chassis power on
    __ipmi_workers chassis power reset
}

function reset_all() {
    reset_masters
    reset_workers
}

### The following service routines will need to be ported to support virtual nodes:

function poweroff_masters() {
    __ipmi_masters chassis power off
}

function poweroff_workers() {
    __ipmi_workers chassis power off
}

function poweroff_master() {
    local h
    for h in "$@" ; do
	__ipmi_master "$h" chassis power off
    done
}

function poweroff_worker() {
    local h
    for h in "$@" ; do
	__ipmi_worker "$h" chassis power off
    done
}

function poweroff_all() {
    __ipmi_all chassis power off
}

function pxe_masters() {
    __ipmi_masters chassis bootdev pxe
    __ipmi_masters chassis power on
    __ipmi_masters chassis power reset
}

function pxe_workers() {
    __ipmi_workers chassis bootdev pxe
    __ipmi_workers chassis power on
    __ipmi_workers chassis power reset
}

### End of service routines

function bootstrap_destroy() {
    echo "Please ignore any errors below this line."
    echo "========================================="
    virsh destroy ocp4-upi-bootstrap || echo "(ignoring)"
    virsh undefine --nvram ocp4-upi-bootstrap || echo "(ignoring)"
    virsh vol-delete --pool default ocp4-upi-bootstrap.qcow2 || echo "(ignoring)"
    echo "========================================="
    echo "Please ignore any errors above this line."
}

function migrate_infra() {
    if [[ -n "$*" ]] ; then
	echo "*** Labeling infra nodes"
	local node
	for node in "$@" ; do
	    oc label node "$node" node-role.kubernetes.io/infra= node-role.kubernetes.io/worker- |grep -v 'label .* not found'
	done
    fi
    echo "*** Moving monitoring to infra nodes"
    __generate_infra | oc apply -f -
}

function setup_infra() {
    (( infra_count <= 0 && master_as_infra < 0 )) && return
    local -a infra_nodes
    readarray -t infra_nodes <<< "$(__get_infra_nodes)"
    migrate_infra "${infra_nodes[@]}"
}

function install_operator() {
    local -i doit=1
    local OPTIND=0
    while getopts "n" opt "$@" ; do
	case "$opt" in
	    n) doit=0 ;;
	    *) ;;
	esac
    done
    shift "$((OPTIND-1))"
    local operator
    for operator in "$@" ; do
	if ((doit)) ; then
	    oc apply -f <(__generate_operator_yaml "$operator")
	else
	    __generate_operator_yaml "$operator"
	fi
    done
}

function list_operators() {
    oc get packagemanifests -n openshift-marketplace -no-headers | awk '{print $1}' | sort
}

function describe_operator() {
    __get_operator_field "$1" 'currentCSVDesc.description'
}

function install_kata() {
    do_install_kata=1 __do_install_kata 2>&1 3>&1
}

function install_cnv() {
    do_install_cnv=1 __do_install_cnv
}

function start_workers() {
    if (( ${#mgmt_workers[@]} > 0)) ; then
	local readyNodes
	echo "*** Starting workers"
	pxe_workers
	echo "*** Waiting for workers to become ready"
	while : ; do
	    readyNodes=$(oc get nodes --no-headers -lnode-role.kubernetes.io/worker= -lnode-role.kubernetes.io/master!= 2>/dev/null |grep -v -c NotReady; true)
	    if ((readyNodes == ${#mgmt_workers[@]})) ; then return; fi
	    __approve_csrs
	    sleep 1
	done
    fi
}

function do_install() {
    (__do_install_1 "$@") 3>&2 2>&1 |__timestamp "$(date +%s)" 2>&1
}

function install() {
    do_install "$@"
}

#################################################################
declare -a cmdline_vars=()
__setup_commands

while getopts 'Cc:i:k:p:e:t:-:' opt ; do
    case "$opt" in
	C) __validate_commands		 ;;
	c) config_file="$OPTARG"	 ;;
	i) cluster_install_dir="$OPTARG" ;;
	k) ocp4_public_key="$OPTARG"     ;;
	p) ocp4_pull_secret="$OPTARG"    ;;
	e) __store_option "$OPTARG"	 ;;
	-) __store_option "$OPTARG"	 ;;
	t) local_toolsdir="$OPTARG"	 ;;
	*) __usage                       ;;
    esac
done

shift $((OPTIND-1))

if [[ -z "${KUBECONFIG:-}" ]] ; then
    echo "KUBECONFIG must be set (recommend $HOME/ocp4-upi-install-1/auth/kubeconfig)"
    exit 1
fi

if [[ ${command##*/} = ocp4-upi-util ]] ; then
    (( $# >= 1 )) || __usage
    command=${1##*/}
    shift
fi
command=${command//-/_}

declare lcommand=${command//-/_}
for cmd in "${simple_commands[@]}" ; do
    if [[ $lcommand = "$cmd" ]] ; then
	__check_config_file "${needs_config_file[$lcommand]:--n}"
	"$lcommand" "$@"
	exit $?
    fi
done
__fatal "Unknown command $command!"