---
- name: Update router certificates
  hosts: oo_first_master
  vars:
  roles:
  - lib_openshift
  tasks:
  - name: Create temp directory for kubeconfig
    command: mktemp -d /tmp/openshift-ansible-XXXXXX
    register: mktemp
    changed_when: false
  - name: Copy admin client config(s)
    command: >
      cp {{ openshift.common.config_base }}/master//admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
    changed_when: false

  - name: Determine if router exists
    command: >
      {{ openshift.common.client_binary }} get dc/router -o json
      --config={{ mktemp.stdout }}/admin.kubeconfig
      -n default
    register: l_router_dc
    failed_when: false
    changed_when: false

  - set_fact:
      router_env_vars: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['containers'][0]['env']
                             | oo_collect('name'))
                             | default([]) }}"
      router_secrets: "{{ ((l_router_dc.stdout | from_json)['spec']['template']['spec']['volumes']
                            | oo_collect('secret')
                            | oo_collect('secretName'))
                            | default([]) }}"
    changed_when: false
    when: l_router_dc.rc == 0

  - name: Update router environment variables
    shell: >
      {{ openshift.common.client_binary }} env dc/router
      OPENSHIFT_CA_DATA="$(cat /etc/origin/master/ca.crt)"
      OPENSHIFT_CERT_DATA="$(cat /etc/origin/master/openshift-router.crt)"
      OPENSHIFT_KEY_DATA="$(cat /etc/origin/master/openshift-router.key)"
      --config={{ mktemp.stdout }}/admin.kubeconfig
      -n default
    when: l_router_dc.rc == 0 and 'OPENSHIFT_CA_DATA' in router_env_vars and 'OPENSHIFT_CERT_DATA' in router_env_vars and 'OPENSHIFT_KEY_DATA' in router_env_vars

  - block:
    - name: Delete existing router certificate secret
      oc_secret:
        kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
        name: router-certs
        namespace: default
        state: absent
      run_once: true

    - name: Remove router service annotations
      command: >
        {{ openshift.common.client_binary }} annotate service/router
        service.alpha.openshift.io/serving-cert-secret-name-
        service.alpha.openshift.io/serving-cert-signed-by-
        --config={{ mktemp.stdout }}/admin.kubeconfig
        -n default

    - name: Add serving-cert-secret annotation to router service
      command: >
        {{ openshift.common.client_binary }} annotate service/router
        service.alpha.openshift.io/serving-cert-secret-name=router-certs
        --config={{ mktemp.stdout }}/admin.kubeconfig
        -n default
    when: l_router_dc.rc == 0 and 'router-certs' in router_secrets and openshift_hosted_router_certificate is undefined

  - block:
    - assert:
        that:
        - "'certfile' in openshift_hosted_router_certificate"
        - "'keyfile' in openshift_hosted_router_certificate"
        - "'cafile' in openshift_hosted_router_certificate"
        msg: |-
          openshift_hosted_router_certificate has been set in the inventory but is
          missing one or more required keys. Ensure that 'certfile', 'keyfile',
          and 'cafile' keys have been specified for the openshift_hosted_router_certificate
          inventory variable.

    - name: Read router certificate and key
      become: no
      local_action:
        module: slurp
        src: "{{ item }}"
      register: openshift_router_certificate_output
      # Defaulting dictionary keys to none to avoid deprecation warnings
      # (future fatal errors) during template evaluation. Dictionary keys
      # won't be accessed unless openshift_hosted_router_certificate is
      # defined and has all keys (certfile, keyfile, cafile) which we
      # check above.
      with_items:
      - "{{ (openshift_hosted_router_certificate | default({'certfile':none})).certfile }}"
      - "{{ (openshift_hosted_router_certificate | default({'keyfile':none})).keyfile }}"
      - "{{ (openshift_hosted_router_certificate | default({'cafile':none})).cafile }}"

    - name: Write temporary router certificate file
      copy:
        content: "{% for certificate in openshift_router_certificate_output.results -%}{{ certificate.content | b64decode }}{% endfor -%}"
        dest: "{{ mktemp.stdout }}/openshift-hosted-router-certificate.pem"
        mode: 0600

    - name: Write temporary router key file
      copy:
        content: "{{ (openshift_router_certificate_output.results
                         | oo_collect('content', {'source':(openshift_hosted_router_certificate | default({'keyfile':none})).keyfile}))[0] | b64decode }}"
        dest: "{{ mktemp.stdout }}/openshift-hosted-router-certificate.key"
        mode: 0600

    - name: Replace router-certs secret
      shell: >
        {{ openshift.common.client_binary }} secrets new router-certs
        tls.crt="{{ mktemp.stdout }}/openshift-hosted-router-certificate.pem"
        tls.key="{{ mktemp.stdout }}/openshift-hosted-router-certificate.key"
        --type=kubernetes.io/tls
        --confirm
        -o json | {{ openshift.common.client_binary }} replace -f -

    - name: Remove temporary router certificate and key files
      file:
        path: "{{ item }}"
        state: absent
      with_items:
      - "{{ mktemp.stdout }}/openshift-hosted-router-certificate.pem"
      - "{{ mktemp.stdout }}/openshift-hosted-router-certificate.key"
    when: l_router_dc.rc == 0 and 'router-certs' in router_secrets and openshift_hosted_router_certificate is defined

  - name: Redeploy router
    command: >
      {{ openshift.common.client_binary }} deploy dc/router
      --latest
      --config={{ mktemp.stdout }}/admin.kubeconfig
      -n default

  - name: Delete temp directory
    file:
      name: "{{ mktemp.stdout }}"
      state: absent
    changed_when: False