---
# Copyright 2018, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Create the server CA private key
  openssl_privatekey:
    path: "{{ octavia_ca_private_key }}"
    passphrase: "{{ octavia_ca_private_key_passphrase }}"
    cipher: "{{ octavia_cert_cipher_server }}"
    size: "{{ octavia_cert_key_length_server }}"

- name: Create server CA CSR
  openssl_csr:
    path: "{{ octavia_cert_dir }}/ca_server_01.csr"
    common_name: "{{ octavia_cert_server_ca_common_name }}"
    privatekey_path: "{{ octavia_ca_private_key }}"
    privatekey_passphrase: "{{ octavia_ca_private_key_passphrase }}"

- name: Create server CA certificate
  openssl_certificate:
    path: "{{ octavia_ca_certificate }}"
    privatekey_path: "{{ octavia_ca_private_key }}"
    privatekey_passphrase: "{{ octavia_ca_private_key_passphrase }}"
    csr_path: "{{ octavia_cert_dir }}/ca_server_01.csr"
    provider: selfsigned
    owner: "{{ lookup('env', 'USER') }}"

- name: Generate Octavia client certificate
  block:
    - name: Create the client cert private key
      openssl_privatekey:
        path: "{{ octavia_cert_dir }}/client.key"
        size: "{{ octavia_cert_key_length_client }}"

    - name: Create client cert CSR
      openssl_csr:
        path: "{{ octavia_cert_dir }}/client.csr"
        common_name: "{{ octavia_cert_client_req_common_name }}"
        privatekey_path: "{{ octavia_cert_dir }}/client.key"

    - name: Create client certificate
      openssl_certificate:
        path: "{{ octavia_cert_dir }}/client-.pem"
        privatekey_path: "{{ octavia_ca_private_key }}"
        privatekey_passphrase: "{{ octavia_ca_private_key_passphrase }}"
        csr_path: "{{ octavia_cert_dir }}/client.csr"
        provider: selfsigned
        owner: "{{ lookup('env', 'USER') }}"

    # use cat to avoid mangling the certs
    - name: Generate single pem client.pem
      shell: "cat client-.pem client.key >{{ octavia_client_cert }}"
      args:
        chdir: "{{ octavia_cert_dir }}"
        creates: "{{ octavia_client_cert }}"
      tags:
          - skip_ansible_lint

  when: octavia_generate_client_cert|bool