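---
# Checks that the novajoin service keytab exists and that the principal
# nova/<host_entry> stored in it can obtain a Kerberos ticket, then files a
# report entry with the outcome (skipped / ok / error).

- name: Set facts for undercloud handlers to clean up
  set_fact:
    novajoin_temp_krb_caches: []

# Verify that the keytab and principal are usable.

- name: Set the novajoin keytab path
  set_fact:
    novajoin_keytab_path: '/etc/novajoin/krb5.keytab'

- name: Verify the novajoin keytab is usable (non-containerized)
  become: true
  block:
    - name: Set fact for novajoin user principal
      set_fact:
        novajoin_principal: "nova/{{ host_entry }}"

    - name: Check for novajoin kerberos host keytab
      stat:
        path: "{{ novajoin_keytab_path }}"
      register: non_containerized_novajoin_krb5_keytab_stat

    # NOTE(review): the credential cache is written under a fixed, predictable
    # name in world-writable /tmp while running as root. On success it holds a
    # live ticket for the service principal until it is cleaned up. A per-run
    # private path (for example one created with the tempfile module) would
    # avoid clashes with concurrent runs and with files pre-created by other
    # local users.
    # ignore_errors is deliberate: a failed kinit is the condition being
    # tested, and the tasks below branch on the registered result.
    - name: Test if novajoin principal in novajoin keytab is usable
      command: kinit -kt "{{ novajoin_keytab_path }}" -c /tmp/my_novajoin_krb5_ccache "{{ novajoin_principal }}"
      become: true
      register: non_containerized_novajoin_principal_usable_result
      ignore_errors: true
      when: non_containerized_novajoin_krb5_keytab_stat.stat.exists

    # No keytab on disk: nothing to test, report the check as skipped.
    - name: Set facts for novajoin principal is usable skipped
      set_fact:
        principal_usable_status: "{{ helper_status_skipped }}"
        principal_usable_reason: "skipped checking if the novajoin principal is usable for host {{ ansible_host }} because there is no keytab file"
        principal_usable_recommendations: null
      when: not non_containerized_novajoin_krb5_keytab_stat.stat.exists

    # kinit succeeded: record the ccache path so the handler can remove it.
    # set_fact never reports "changed", so changed_when forces it; otherwise
    # the notify below would not fire.
    # NOTE(review): the list is initialised as novajoin_temp_krb_caches but
    # stored here as temp_krb_caches; presumably the handler reads
    # temp_krb_caches -- confirm against the handler definition.
    # NOTE(review): notified handlers normally do not run when a later task
    # fails the play, which would leave the ticket cache in /tmp -- confirm
    # whether force_handlers or an equivalent cleanup is in place.
    - name: Set facts for novajoin principal is usable success
      set_fact:
        principal_usable_status: "{{ helper_status_ok }}"
        principal_usable_reason: "The principal {{ novajoin_principal }} is able to obtain a kerberos ticket"
        principal_usable_recommendations: null
        temp_krb_caches: "{{ novajoin_temp_krb_caches + [ '/tmp/my_novajoin_krb5_ccache' ] }}"
      changed_when: true
      when:
        - non_containerized_novajoin_krb5_keytab_stat.stat.exists
        - non_containerized_novajoin_principal_usable_result is succeeded
      notify:
        # (hrybacki): novajoin server running on the undercloud -- it's okay to use this handler
        - clean_up_temp_krb_caches

    # kinit failed although the keytab exists: report an error.
    - name: Set facts for principal is usable failure
      set_fact:
        principal_usable_status: "{{ helper_status_error }}"
        principal_usable_reason: "The principal {{ novajoin_principal }} is unable to obtain a kerberos ticket"
        principal_usable_recommendations: null
      when:
        - non_containerized_novajoin_krb5_keytab_stat.stat.exists
        - non_containerized_novajoin_principal_usable_result is failed

    # Exactly one of the three set_fact tasks above has run, so the
    # principal_usable_* facts are defined by this point.
    - name: Report on Kerberos principal in novajoin keytab is usable check
      reportentry:
        report_status: "{{ principal_usable_status }}"
        report_reason: "{{ principal_usable_reason }}"
        report_recommendations: "{{ principal_usable_recommendations }}"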