---
- name: create a temporary directory
  tempfile:
    state: directory
  register: iscsi_ssl_tmp_dir
  delegate_to: localhost
  run_once: true

- name: set_fact crt_files
  set_fact:
    crt_files:
      - "iscsi-gateway.crt"
      - "iscsi-gateway.key"
      - "iscsi-gateway.pem"
      - "iscsi-gateway-pub.key"

- name: check for existing crt file(s) in monitor key/value store
  command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config get iscsi/ssl/{{ item }}"
  with_items: "{{ crt_files }}"
  changed_when: false
  failed_when: false
  run_once: true
  delegate_to: "{{ groups.get(mon_group_name)[0] }}"
  register: crt_files_exist

- name: set_fact crt_files_missing
  set_fact:
    crt_files_missing: "{{ crt_files_exist.results | selectattr('rc', 'equalto', 0) | map(attribute='rc') | list | length != crt_files | length }}"

- name: generate ssl crt/key files
  block:
    - name: create ssl crt/key files
      command: >
        openssl req -newkey rsa:2048 -nodes -keyout {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.key
         -x509 -days 365 -out {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.crt
         -subj "/C=US/ST=./L=./O=RedHat/OU=Linux/CN={{ ansible_facts['hostname'] }}"
      delegate_to: localhost
      run_once: True
      with_items: "{{ crt_files_exist.results }}"

    - name: create pem
      shell: >
        cat {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.crt
        {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.key > {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.pem
      delegate_to: localhost
      run_once: True
      register: pem
      with_items: "{{ crt_files_exist.results }}"

    - name: create public key from pem
      shell: >
        openssl x509 -inform pem -in {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway.pem
        -pubkey -noout > {{ iscsi_ssl_tmp_dir.path }}/iscsi-gateway-pub.key
      delegate_to: localhost
      run_once: True
      when: pem.changed
      tags: skip_ansible_lint

    - name: slurp ssl crt/key files
      slurp:
        src: "{{ iscsi_ssl_tmp_dir.path }}/{{ item }}"
      register: iscsi_ssl_files_content
      with_items: "{{ crt_files }}"
      run_once: true
      delegate_to: localhost

    - name: store ssl crt/key files
      command: "{{ container_exec_cmd }} ceph --cluster {{ cluster }} config-key put iscsi/ssl/{{ item.item }} {{ item.content }}"
      run_once: true
      delegate_to: "{{ groups.get(mon_group_name)[0] }}"
      with_items: "{{ iscsi_ssl_files_content.results }}"
  when: crt_files_missing

- name: copy crt file(s) to gateway nodes
  copy:
    content: "{{ item.stdout | b64decode }}"
    dest: "/etc/ceph/{{ item.item }}"
    owner: root
    group: root
    mode: 0400
  changed_when: false
  with_items: "{{ crt_files_exist.results if not crt_files_missing else iscsi_ssl_files_content.results }}"
  when: not crt_files_missing

- name: clean temporary directory
  file:
    path: "{{ iscsi_ssl_tmp_dir.path }}"
    state: absent