- name: Check if gearman tls cert is already created
  set_fact:
    gearman_certs: "{{ lookup('k8s', api_version='v1', kind='Secret', namespace=namespace, resource_name=zuul_name + '-gearman-tls') }}"

- name: Generate and store certs
  when:
    - not cert_manager
    - gearman_certs.data is not defined
  block:
    - name: Generate certs
      command: "{{ item }}"
      loop:
        # CA
        - "openssl req -new -newkey rsa:2048 -nodes -keyout ca-{{ zuul_name }}.key -x509 -days 3650 -out ca-{{ zuul_name }}.pem -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=gearman-ca'"
        # Client
        - "openssl req -new -newkey rsa:2048 -nodes -keyout client-{{ zuul_name }}.key -out client-{{ zuul_name }}.csr -subj '/C=US/ST=Texas/L=Austin/O=Zuul/CN=client-{{ zuul_name }}'"
        - "openssl x509 -req -days 3650 -in client-{{ zuul_name }}.csr -out client-{{ zuul_name }}.pem -CA ca-{{ zuul_name }}.pem -CAkey ca-{{ zuul_name }}.key -CAcreateserial"

    - name: Create k8s secret
      community.kubernetes.k8s:
        state: "{{ state }}"
        namespace: "{{ namespace }}"
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: "{{ zuul_name }}-gearman-tls"
          stringData:
            ca.crt: "{{ lookup('file', 'ca-' + zuul_name + '.pem') }}"
            tls.key: "{{ lookup('file', 'client-' + zuul_name + '.key') }}"
            tls.crt: "{{ lookup('file', 'client-' + zuul_name + '.pem') }}"

- name: Write client certs locally
  when: gearman_certs.data is defined
  copy:
    content: "{{ gearman_certs.data[item] | b64decode }}"
    dest: "{{ item }}"
  loop:
    - ca.crt
    - tls.key
    - tls.crt