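---
# Tasks that prepare the ceph-mgr data directory and install the cephx
# keyrings the manager daemon needs on this host.

- name: create mgr directory
  file:
    path: "/var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}"
    state: directory
    owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
    group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
    mode: "{{ ceph_directories_mode }}"

# NOTE(review): `secret` carries mgr_secret whenever it differs from the
# 'mgr_secret' placeholder. Whether the ceph_key module keeps that value out
# of task output cannot be told from this file - confirm, or add no_log here.
- name: fetch ceph mgr keyring
  ceph_key:
    name: "mgr.{{ ansible_hostname }}"
    state: present
    caps:
      mon: "allow profile mgr"
      osd: "allow *"
      mds: "allow *"
    cluster: "{{ cluster }}"
    secret: "{{ (mgr_secret != 'mgr_secret') | ternary(mgr_secret, omit) }}"
    owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
    group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
    mode: "0400"
    dest: "/var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring"
  environment:
    CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
    CEPH_CONTAINER_BINARY: "{{ container_binary }}"
  # Runs only when the mgr group is empty. Otherwise the key is present
  # already since one of the mons created it in "create ceph mgr keyring(s)".
  when: groups.get(mgr_group_name, []) | length == 0

- name: create and copy keyrings
  when: groups.get(mgr_group_name, []) | length > 0
  block:
    # Created once, on the first monitor, for every host in the mgr group.
    # NOTE(review): same question as above about `secret` in task output.
    - name: create ceph mgr keyring(s) on a mon node
      ceph_key:
        name: "mgr.{{ hostvars[item]['ansible_hostname'] }}"
        state: present
        caps:
          mon: "allow profile mgr"
          osd: "allow *"
          mds: "allow *"
        cluster: "{{ cluster }}"
        secret: "{{ (mgr_secret != 'mgr_secret') | ternary(mgr_secret, omit) }}"
        owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
        group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
        mode: "0400"
      environment:
        CEPH_CONTAINER_IMAGE: "{{ ceph_docker_registry + '/' + ceph_docker_image + ':' + ceph_docker_image_tag if containerized_deployment else None }}"
        CEPH_CONTAINER_BINARY: "{{ container_binary }}"
      with_items: "{{ groups.get(mgr_group_name, []) }}"
      run_once: true
      delegate_to: "{{ groups[mon_group_name][0] }}"

    # List of keys to pull from a monitor and where to write them locally.
    # NOTE(review): the first entry's copy_key is the bare word
    # copy_admin_key, which YAML reads as a literal string, not the
    # variable's value. Presumably "{{ copy_admin_key }}" was intended;
    # as written, `| bool` on that string looks like it is always false,
    # so the admin keyring would never be copied - confirm before changing,
    # because the fix places client.admin credentials on every mgr host.
    - name: set_fact _mgr_keys
      set_fact:
        _mgr_keys:
          - name: 'client.admin'
            path: "/etc/ceph/{{ cluster }}.client.admin.keyring"
            copy_key: copy_admin_key
          - name: "mgr.{{ ansible_hostname }}"
            path: "/var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring"
            copy_key: true

    # `register` reuses the name _mgr_keys: from here on it holds the command
    # results, and item.item refers back to the list entry defined above.
    - name: get keys from monitors
      command: "{{ _container_exec_cmd | default('') }} ceph --cluster {{ cluster }} auth get {{ item.name }}"
      register: _mgr_keys
      with_items: "{{ _mgr_keys }}"
      delegate_to: "{{ groups[mon_group_name][0] if running_mon is undefined else running_mon }}"
      # `auth get` only reads the key, so never report this task as changed.
      changed_when: false
      # stdout is the keyring itself; keep it out of console output and logs.
      no_log: true
      when:
        - cephx | bool
        - item.copy_key | bool

    - name: copy ceph key(s) if needed
      copy:
        dest: "{{ item.item.path }}"
        content: "{{ item.stdout + '\n' }}"
        owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
        group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
        mode: "{{ ceph_keyring_permissions }}"
      with_items: "{{ _mgr_keys.results }}"
      # Both `content` and the loop item hold key material; without no_log it
      # is printed per item (and in diff output when diff mode is on).
      no_log: true
      when:
        - cephx | bool
        - item.item.copy_key | bool

# Re-applies ownership and mode on the mgr keyring; note that the ceph_key
# tasks above use a fixed "0400" while this uses ceph_keyring_permissions.
- name: set mgr key permissions
  file:
    path: "/var/lib/ceph/mgr/{{ cluster }}-{{ ansible_hostname }}/keyring"
    owner: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
    group: "{{ ceph_uid if containerized_deployment else 'ceph' }}"
    mode: "{{ ceph_keyring_permissions }}"
  when: cephx | bool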