---
# Copyright 2019 Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: template node.conf
  template:
    src: "node.conf.j2"
    dest: /etc/openssl/node.conf
    mode: 0000

- name: check instance cert directory
  stat:
    path: "{{ cert_path }}/ca.pem"
  register: cert_path_register

- name: create cert directory
  file:
    name: "{{ cert_path }}"
    state: directory
  when: not cert_path_register.stat.exists

# The 'create cert directory' and 'changing permissions of cert directory' tasks cannot merged together!
# Since 'state: directory' creates the directory recursively.
# So, if cert_path is e.g: /etc/kubernetes/ssl, then /etc/kubernetes would get 700 as it's permisson.
# And in that case the admin user would get access denied for the /etc/kubernetes folder.
- name: changing permissions of cert directory
  file:
    path: "{{ cert_path }}"
    mode: 0700
  when: not cert_path_register.stat.exists

- name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}
  acl:
    default: yes
    name:  "{{ cert_path }}"
    entity: "{{ users.admin_user_name }}"
    etype: user
    permissions: rx
    recursive: yes
    state: present

- name: adding acl read to {{ users.admin_user_name }} to {{ cert_path }}
  acl:
    name:  "{{ cert_path }}"
    entity: "{{ users.admin_user_name }}"
    etype: user
    permissions: rx
    recursive: yes
    state: present

- name: check instance cert
  stat:
    path: "{{ cert_path }}/{{ _cert }}"
  register: cert

- name: copy CA to {{ cert_path }}
  copy:
    src: "/etc/openssl/ca.pem"
    dest: "{{ cert_path }}/ca.pem"
  when: not cert_path_register.stat.exists

- name: generate instance certificate
  command: "{{ item }}"
  with_items:
    - "/usr/bin/openssl genrsa -out {{ _key }} 2048"
    - "/usr/bin/openssl req -new -key {{ _key }} -out {{ instance }}.csr -subj '{{ _subject }}' {% if _common_key is sameas false %} -config /etc/openssl/{{ _conf_file }} {% endif %} -sha256"
    - "/usr/bin/openssl x509 -req -in {{ instance }}.csr -CA ca.pem -CAserial {{ instance }}.slr -CAkey /etc/openssl/ca-key.pem -CAcreateserial -out {{ _cert }} -days {{ _expiry }} -extensions v3_req -extfile /etc/openssl/{{ _conf_file }} -sha256"
  args:
    chdir: "{{ cert_path }}"
  when: not cert.stat.exists

- name: reducing permission of key file and cert file
  file:
    path: "{{ cert_path }}/{{ item }}"
    mode: 0000
  with_items:
    - "{{ _key }}"
    - "{{ _cert }}"
  when: not cert.stat.exists

- name: remove cert request and serial file
  file:
    path: "{{ cert_path }}/{{ item }}"
    state: absent
  with_items:
    - "{{ instance }}.csr"
    - "{{ instance }}.slr"
  when: not cert.stat.exists

- name: setting ca.pem permission
  file:
    path: "{{ cert_path }}/ca.pem"
    mode: 0000
  when: not cert_path_register.stat.exists

- name: adding default acl read to {{ users.admin_user_name }} to {{ cert_path }}/ca.epm
  acl:
    name:  "{{ cert_path }}/ca.pem"
    entity: "{{ users.admin_user_name }}"
    etype: user
    permissions: rx
    state: present

- name: allowing users to access keys
  acl:
    name: "{{ item[0] }}"
    entity: "{{ item[1] }}"
    etype: user
    permissions: "r"
    state: present
  with_nested:
    - [ "{{ cert_path }}/{{ _key }}", "{{ cert_path }}/{{ _cert }}", "{{ cert_path }}/ca.pem" ]
    - "{{ add_users | default([]) }}"

- name: adding exec flag to {{ cert_path }} directory for users
  acl:
    name: "{{ cert_path }}"
    entity: "{{ item }}"
    etype: user
    permissions: "rx"
    state: present
  with_items: "{{ add_users | default([]) }}"

- name: create kubeconfig from cert
  include_role:
    name: kubeconfig
  vars:
    config:
      path: "{{ item.path }}"
      owner: "{{ item.owner | default('root') }}"
      group: "{{ item.group | default('root') }}"
      restricted: "{{ item.restricted | default(true) }}"
      user: "{{ _cn }}"
      cert: "{{ cert_path }}/{{ _cert }}"
      key: "{{ cert_path }}/{{ _key }}"
      apiserver: "{{ item.apiserver }}"
      apiserver_port: "{{ item.apiserver_port }}"
      add_users: "{{ add_users | default([]) }}"
  with_items: "{{ kube_conf | default([]) }}"

- name: force IO to write data to disk
  shell: "sync"