---
# Copyright 2020 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# TODO(gthiemon) remove service_pem when we support per-controller/per-process
# client certificates.
- name: gather all of the CAs
  set_fact:
    ca_certs: "{{ groups['octavia_nodes'] | map('extract', hostvars, 'ca_cert') | select('defined') | list }}"
    private_keys: "{{ groups['octavia_nodes'] | map('extract', hostvars, 'ca_private_key') | select('defined') | list }}"
    service_pems: "{{ groups['octavia_nodes'] | map('extract', hostvars, 'service_pem_content') | select('defined') | list }}"
    generate_ca: true
    update_certs: true

- name: grab first values as long as they are unique
  block:
    - name: count unique CAs and keys
      set_fact:
        unique_ca_count: "{{ ca_certs | unique | length }}"
        unique_pkey_count: "{{ private_keys | unique | length }}"
        octavia_node_count: "{{ groups['octavia_nodes'] | list | length }}"

    - name: fail if CA or private key do not match in all Octavia nodes
      fail:
        msg: |
          Inconsistent Octavia configuration detected:
          Existing CAs and/or private keys do not match between all Octavia
          nodes. To avoid further harm, the deployment will exit with error
          now.
      when:
        - (unique_ca_count | int) > 1 or (unique_pkey_count | int) > 1

    - name: fail if the number of CA and private key doesn't match
      fail:
        msg: |
          Inconsistent Octavia configuration detected:
          Mismatched count for CAs and private keys on controllers.
      when:
        - (unique_ca_count | int) != (unique_pkey_count | int)

    - name: record cert so others can use it
      set_fact:
        ca_cert_content: "{{ ca_certs | first }}"
        private_key_content: "{{ private_keys | first }}"
        service_pem_content: "{{ service_pems | first }}"

    - name: disable CA generation
      set_fact:
        generate_ca: false

    - name: don't update certificates if CA is present on all octavia nodes
      set_fact:
        update_certs: false
      when:
        - (octavia_node_count | int) == (ca_certs | length)
        - not (force_certs_update | default(false))
  when:
    - (ca_certs | length) > 0