---
- name: register undercloud public endpoint
  shell: |
    source {{ undercloud_rc }}
    openstack catalog list | grep -Po 'https.*13000'
  register: keystone_endpoint

- name: register first controller ip address
  shell: |
    source {{ undercloud_rc }}
    openstack server list -f json | jq -r -c '.[] | select(.Name | contains("controller","ctrl")) | .Networks' | grep -oP '[0-9.]+' | head -1
  register: ctrl_ip

- name: test undercloud keystone reachability
  vars:
    oc_user: "{{ (overcloud_ssh_user == '') | ternary('heat-admin', overcloud_ssh_user) }}"
  shell: |
    ssh -q -o StrictHostKeyChecking=no {{ oc_user }}@{{ ctrl_ip.stdout }} curl --silent {{ keystone_endpoint.stdout }}
  register: uc_keystone_conn
  ignore_errors: true

- block:
    - name: register ssl certificate location
      shell: |
        grep 13000 /etc/haproxy/haproxy.cfg  | awk {'print $6'}
      become: true
      become_user: root
      register: undercloudcert

    - name: make a local copy of the certificate
      copy:
        src: "{{ undercloudcert.stdout }}"
        dest: "{{ working_dir }}/undercloud.pem"
        owner: stack
        remote_src: true
      become: true
      become_user: root

    - name: register overcloud nodes ip address
      shell: |
        source {{ undercloud_rc }}
        openstack server list -f json | jq -r -c '.[] | .Networks' | grep -oP '[0-9.]+'
      register: node_ip

    - name: copy certificate to the overcloud nodes and update the trusted store
      vars:
        oc_user: "{{ (overcloud_ssh_user == '') | ternary('heat-admin', overcloud_ssh_user) }}"
      shell: |
        scp -q -o StrictHostKeyChecking=no {{ working_dir }}/undercloud.pem {{ oc_user }}@{{ item }}:
        ssh -q -o StrictHostKeyChecking=no {{ oc_user }}@{{ item }} 'sudo cp undercloud.pem /etc/pki/ca-trust/source/anchors/; sudo update-ca-trust extract'
      with_items:
        - "{{ node_ip.stdout_lines }}"
  when: uc_keystone_conn|failed