---
# TODO: this currently has a bug where hostnames are required
- name: Creating Aggregator signer certs
  command: >
    oc adm ca create-signer-cert
    --cert=/etc/origin/master/front-proxy-ca.crt
    --key=/etc/origin/master/front-proxy-ca.key
    --serial=/etc/origin/master/ca.serial.txt
#  oc_adm_ca_server_cert:
#    cert: /etc/origin/master/front-proxy-ca.crt
#    key: /etc/origin/master/front-proxy-ca.key

- name: Create api-client config for Aggregator
  command: >
    oc adm create-api-client-config
    --certificate-authority=/etc/origin/master/front-proxy-ca.crt
    --signer-cert=/etc/origin/master/front-proxy-ca.crt
    --signer-key=/etc/origin/master/front-proxy-ca.key
    --user aggregator-front-proxy
    --client-dir=/etc/origin/master
    --signer-serial=/etc/origin/master/ca.serial.txt

- name: Update master config
  yedit:
    state: present
    src: /etc/origin/master/master-config.yaml
    edits:
    - key: aggregatorConfig.proxyClientInfo.certFile
      value: aggregator-front-proxy.crt
    - key: aggregatorConfig.proxyClientInfo.keyFile
      value: aggregator-front-proxy.key
    - key: authConfig.requestHeader.clientCA
      value: front-proxy-ca.crt
    - key: authConfig.requestHeader.clientCommonNames
      value: [aggregator-front-proxy]
    - key: authConfig.requestHeader.usernameHeaders
      value: [X-Remote-User]
    - key: authConfig.requestHeader.groupHeaders
      value: [X-Remote-Group]
    - key: authConfig.requestHeader.extraHeaderPrefixes
      value: [X-Remote-Extra-]
  register: yedit_output

#restart master serially here
- name: restart master
  systemd: name={{ openshift.common.service_type }}-master state=restarted
  when:
  - yedit_output.changed
  - openshift.master.ha is not defined or not openshift.master.ha | bool

- name: restart master api
  systemd: name={{ openshift.common.service_type }}-master-api state=restarted
  when:
  - yedit_output.changed
  - openshift.master.ha is defined and openshift.master.ha | bool
  - openshift.master.cluster_method == 'native'

- name: restart master controllers
  systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted
  when:
  - yedit_output.changed
  - openshift.master.ha is defined and openshift.master.ha | bool
  - openshift.master.cluster_method == 'native'

- name: Verify API Server
  # Using curl here since the uri module requires python-httplib2 and
  # wait_for port doesn't provide health information.
  command: >
    curl --silent --tlsv1.2
    {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
    --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
    {% else %}
    --cacert {{ openshift.common.config_base }}/master/ca.crt
    {% endif %}
    {{ openshift.master.api_url }}/healthz/ready
  args:
    # Disables the following warning:
    # Consider using get_url or uri module rather than running curl
    warn: no
  register: api_available_output
  until: api_available_output.stdout == 'ok'
  retries: 120
  delay: 1
  changed_when: false
  when:
  - yedit_output.changed