---
- name: (local) create ssl crt/key files
  shell: |
    openssl req -newkey rsa:2048 -nodes -keyout /etc/ceph/iscsi-gateway.key -x509 -days 365 -out /etc/ceph/iscsi-gateway.crt -subj "/C=US/ST=./L=./O=RedHat/OU=Linux/CN={{ ansible_hostname }}"
  run_once: True

- name: (local) create pem
  shell: |
    cat /etc/ceph/iscsi-gateway.crt /etc/ceph/iscsi-gateway.key > /etc/ceph/iscsi-gateway.pem
  run_once: True
  register: pem

- name: (local) create public key from pem
  shell: |
    openssl x509 -inform pem -in /etc/ceph/iscsi-gateway.pem -pubkey -noout > /etc/ceph/iscsi-gateway-pub.key
  run_once: True
  when:
    - pem.changed

- name: lock ssl file access to root only
  file:
    path: "{{ item }}"
    mode: 0400
    owner: root
    group: root
  with_items: "{{ crt_files }}"

- name: copy crt(s) to the ansible server
  fetch:
    src: "{{ item }}"
    dest: "{{ fetch_directory }}/{{ fsid }}/{{ item }}"
    flat: yes
  with_items: "{{ crt_files }}"