---
- hosts: all
  any_errors_fatal: true
  tasks:
    # NOTE(yoctozepto): setting vars as facts for all to have them around in all the plays
    - name: set facts for commonly used variables
      set_fact:
        kolla_ansible_src_dir: "{{ ansible_env.PWD }}/src/{{ zuul.project.canonical_hostname }}/openstack/kolla-ansible"
        upper_constraints_file: "{{ ansible_env.HOME }}/src/opendev.org/openstack/requirements/upper-constraints.txt"
        pip_user_path_env:
          PATH: "{{ ansible_env.HOME + '/.local/bin:' + ansible_env.PATH }}"

- hosts: primary
  any_errors_fatal: true
  environment: "{{ pip_user_path_env }}"
  tasks:
    - name: ensure /etc/kolla exists
      file:
        path: "/etc/kolla"
        state: "directory"
        mode: 0777
      become: true

    - name: ensure python3-pip exists
      package:
        name: python3-pip
      become: true

    # NOTE(mgoddard): We need a recent pip to install the latest cryptography
    # library. See https://github.com/pyca/cryptography/issues/5753
    - name: install pip 19.1.1+
      pip:
        name: "pip>=19.1.1"
        executable: "pip3"
        extra_args: "--user"

    - name: install kolla-ansible and dependencies
      pip:
        name:
          - "{{ kolla_ansible_src_dir }}"
        executable: "pip3"
        extra_args: "-c {{ upper_constraints_file }} --user"

    - name: copy passwords.yml file
      copy:
        src: "{{ kolla_ansible_src_dir }}/etc/kolla/passwords.yml"
        dest: /etc/kolla/passwords.yml
        remote_src: true

    - name: generate passwords
      command: kolla-genpwd

    # At this point we have generated all necessary configuration, and are
    # ready to test Hashicorp Vault.
    - name: Run test-hashicorp-vault-passwords.sh script
      script:
        cmd: test-hashicorp-vault-passwords.sh
        executable: /bin/bash
        chdir: "{{ kolla_ansible_src_dir }}"
      environment:
        BASE_DISTRO: "{{ base_distro }}"

    - name: Read template file
      slurp:
        src: "/etc/kolla/passwords.yml"
      register: template_file

    - name: Read generated file
      slurp:
        src: "/tmp/passwords-hashicorp-vault.yml"
      register: generated_file

    # This test will load in the original input file and the one that was
    # generated by Vault and ensure that the keys are the same in both files.
    # This ensures that we are not missing any passwords.
    - name: Check passwords that were written to Vault are as expected
      vars:
        input_passwords: "{{ template_file['content'] | b64decode | from_yaml | sort }}"
        output_passwords: "{{ generated_file['content'] | b64decode | from_yaml | sort }}"
      assert: { that: "input_passwords == output_passwords" }