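# Copyright 2018-2021 Splunk
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Multi-stage build with four stages: "package" downloads and unpacks Splunk,
# "minimal" and "bare" copy the unpacked trees into a runtime image, and the
# final unnamed stage adds the Ansible provisioning layer and the entrypoint.
#
# NOTE(review): every stage builds on ${SPLUNK_BASE_IMAGE}:latest, a mutable
# tag, so two builds of this file can produce different images. Pin the base
# image by digest where reproducible, auditable builds matter.
ARG SPLUNK_BASE_IMAGE=registry.access.redhat.com/ubi8/ubi-minimal

#
# Download and unpack Splunk Enterprise
#
FROM ${SPLUNK_BASE_IMAGE}:latest AS package
ARG SPLUNK_BUILD_URL=https://download.splunk.com/products/splunk/beta/9.2.2.20240415/linux/splunkbeta-9.2.2.20240415-51a9cf8e4d88-Linux-x86_64.tgz
ENV PYTHON_VERSION=3.10.13
COPY splunk/common-files/make-minimal-exclude.py /tmp
COPY install.sh /install.sh
# install.sh is not part of this file; presumably it installs the tools used
# below (python, wget, tar) - confirm against that script.
#
# The tarball is checked against the .sha512 file published next to it. Both
# come from the same URL prefix, so the check catches a corrupted or truncated
# download but not a tampered download host; builds that need authenticity
# should compare against a digest obtained out of band.
# The tarball keeps its upstream file name and sha512sum runs from /tmp,
# presumably because the checksum file refers to the tarball by that relative
# name - confirm.
# Build-arg expansions are quoted so an unusual URL is not word-split or
# glob-expanded by the shell.
RUN chmod +x /install.sh \
    && /install.sh \
    && SPLUNK_TGZ="/tmp/$(basename "${SPLUNK_BUILD_URL}")" \
    && python /tmp/make-minimal-exclude.py "${SPLUNK_BUILD_URL}" > /tmp/splunk-minimal-exclude.list \
    && echo "Downloading Splunk and validating the checksum at: ${SPLUNK_BUILD_URL}" \
    && wget -qO "${SPLUNK_TGZ}" "${SPLUNK_BUILD_URL}" \
    && wget -qO /tmp/splunk.tgz.sha512 "${SPLUNK_BUILD_URL}.sha512" \
    && cd /tmp \
    && sha512sum --check --status /tmp/splunk.tgz.sha512 \
    && rm /tmp/splunk.tgz.sha512 \
    && mkdir -p /minimal/splunk/var /extras/splunk/var \
    && tar -C /minimal/splunk --strip 1 --exclude-from=/tmp/splunk-minimal-exclude.list -zxf "${SPLUNK_TGZ}" \
    && tar -C /extras/splunk --strip 1 --wildcards --files-from=/tmp/splunk-minimal-exclude.list -zxf "${SPLUNK_TGZ}" \
    && mv /minimal/splunk/etc /minimal/splunk-etc \
    && mv /extras/splunk/etc /extras/splunk-etc \
    && mkdir -p /minimal/splunk/etc /minimal/splunk/share/splunk/search_mrsparkle/modules.new
COPY splunk/common-files/apps /extras/splunk-etc/apps/

#
# Minimal Splunk base image with many files excluded, intended for internal and experimental use
#
FROM ${SPLUNK_BASE_IMAGE}:latest AS minimal
LABEL maintainer="Brett.Woodruff@kinneygroup.com"
ENV SPLUNK_HOME=/opt/splunk \
    SPLUNK_GROUP=splunk \
    SPLUNK_USER=splunk
ENV TMPSPLUNKDIR=${SPLUNK_HOME}/tmp
ENV TMPETCDIR=${TMPSPLUNKDIR}/etc
ENV PYTHON_VERSION=3.10.13
# Currently kubernetes only accepts UID and not USER field to
# start a container as a particular user. So we create Splunk
# user with pre-determined UID.
ARG UID=41812
ARG GID=41812
# Simple script used to populate/upgrade splunk/etc directory
COPY [ "splunk/common-files/updateetc.sh", "/sbin/" ]
COPY install.sh /install.sh
# Setup users and groups
RUN chmod +x /install.sh \
    && /install.sh \
    && groupadd -r -g ${GID} ${SPLUNK_GROUP} \
    && useradd -r -m -u ${UID} -g ${GID} -s /bin/bash ${SPLUNK_USER} \
    && chmod 755 /sbin/updateetc.sh
# The unpacked tree is owned by splunk:splunk and this stage runs as the
# unprivileged splunk user from here on.
COPY --from=package --chown=splunk:splunk /minimal /opt
USER ${SPLUNK_USER}
WORKDIR ${SPLUNK_HOME}
EXPOSE 8000/tcp 8089/tcp

#
# Bare Splunk Enterprise Image without Ansible (BYO entrypoint)
#
FROM minimal AS bare
COPY --from=package --chown=splunk:splunk /extras /opt
EXPOSE 8000 8065 8088 8089 8191 9887 9997
VOLUME [ "/opt/splunk/etc", "/opt/splunk/var" ]

#
# Full Splunk Enterprise Image with Ansible
#
FROM bare
ARG SPLUNK_DEFAULTS_URL
ENV SPLUNK_ROLE=splunk_standalone \
    SPLUNK_DEFAULTS_URL=${SPLUNK_DEFAULTS_URL} \
    SPLUNK_ANSIBLE_HOME=/opt/ansible \
    ANSIBLE_USER=ansible \
    ANSIBLE_GROUP=ansible \
    CONTAINER_ARTIFACT_DIR=/opt/container_artifact
# Switch back to root for user, sudoers and permission setup; the stage drops
# to ${ANSIBLE_USER} again before the entrypoint is declared.
USER root
COPY [ "splunk/common-files/entrypoint.sh", "splunk/common-files/createdefaults.py", "splunk/common-files/checkstate.sh", "/sbin/" ]
COPY splunk-ansible ${SPLUNK_ANSIBLE_HOME}
# Set sudo rights
# NOTE(review): the rewritten sudoers rule gives group sudo passwordless root
# and lets ansible run any command as splunk. ansible joins group sudo below
# and is the runtime USER of this image, so the default container user is
# root-equivalent; account for that in the container security context.
# The sed only takes effect if /etc/sudoers already holds a matching %sudo
# line; presumably install.sh provides it and the sudo group - confirm.
# NOTE(review): splunk is added to the ansible group, and
# ${SPLUNK_ANSIBLE_HOME} (775) and ansible.cfg (664) are group-writable, so
# the splunk account can change files under the Ansible home that the
# sudo-capable ansible user presumably reads during provisioning. Confirm
# this write access is needed at runtime.
RUN sed -i -e 's/%sudo\s\+ALL=(ALL\(:ALL\)\?)\s\+ALL/%sudo ALL=NOPASSWD:ALL\nansible ALL=(splunk)NOPASSWD:ALL/g' /etc/sudoers \
    && echo 'Create the ansible user/group' \
    && groupadd -r ${ANSIBLE_GROUP} \
    && useradd -r -m -g ${ANSIBLE_GROUP} -s /bin/bash ${ANSIBLE_USER} \
    && usermod -aG sudo ${ANSIBLE_USER} \
    && usermod -aG ${ANSIBLE_GROUP} ${SPLUNK_USER} \
    && echo 'Container Artifact Directory is a place for all artifacts and logs that are generated by the provisioning process. The directory is owned by the user "ansible".' \
    && mkdir ${CONTAINER_ARTIFACT_DIR} \
    && chown -R ${ANSIBLE_USER}:${ANSIBLE_GROUP} ${CONTAINER_ARTIFACT_DIR} \
    && chmod -R 775 ${CONTAINER_ARTIFACT_DIR} \
    && chmod -R 555 ${SPLUNK_ANSIBLE_HOME} \
    && chgrp ${ANSIBLE_GROUP} ${SPLUNK_ANSIBLE_HOME} ${SPLUNK_ANSIBLE_HOME}/ansible.cfg \
    && chmod 775 ${SPLUNK_ANSIBLE_HOME} \
    && chmod 664 ${SPLUNK_ANSIBLE_HOME}/ansible.cfg \
    && chmod 755 /sbin/entrypoint.sh /sbin/createdefaults.py /sbin/checkstate.sh
USER ${ANSIBLE_USER}
# A non-zero exit from checkstate.sh marks the container unhealthy after
# five consecutive failures; the first three minutes are a grace period.
HEALTHCHECK --interval=30s --timeout=30s --start-period=3m --retries=5 CMD /sbin/checkstate.sh || exit 1
ENTRYPOINT [ "/sbin/entrypoint.sh" ]
CMD [ "start-service" ]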