---
# Copyright 2018, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Create the server CA private key
  openssl_privatekey:
    path: "{{ octavia_ca_private_key }}"
    passphrase: "{{ octavia_ca_private_key_passphrase }}"
    cipher: "{{ octavia_cert_cipher_server }}"
    size: "{{ octavia_cert_key_length_server }}"

- name: Create server CA certificate
  command: >
    openssl req -x509 -passin pass:'{{ octavia_ca_private_key_passphrase }}' -new -nodes -key {{ octavia_ca_private_key }}  \
    -config {{ octavia_cert_dir }}/openssl.cnf \
    -subj "{{ octavia_cert_server_ca_subject }}" \
    -days {{ octavia_cert_validity_days }} \
    -out {{ octavia_ca_certificate }}
  args:
    chdir: "{{ octavia_cert_dir }}"
    creates: "{{ octavia_ca_certificate }}"

- name: Generate Octavia client certificate
  block:
    - name: Create the client cert private key
      openssl_privatekey:
        path: "{{ octavia_cert_dir }}/client.key"
        size: "{{ octavia_cert_key_length_client }}"

    - name: Create client cert CSR
      openssl_csr:
        path: "{{ octavia_cert_dir }}/client.csr"
        common_name: "{{ octavia_cert_client_req_common_name }}"
        country_name: "{{ octavia_cert_client_req_country_name }}"
        state_or_province_name: "{{ octavia_cert_client_req_state_or_province_name }}"
        locality_name: "{{ octavia_cert_client_req_locality_name }}"
        organization_name: "{{ octavia_cert_client_req_organization_name }}"
        privatekey_path: "{{ octavia_cert_dir }}/client.key"

    - name: Create client certificate
      command: >
        openssl ca -passin pass:'{{ octavia_ca_private_key_passphrase }}' -config {{ octavia_cert_dir }}/openssl.cnf \
        -in client.csr -days {{ octavia_cert_validity_days }} -out client-.pem -batch
      args:
        chdir: "{{ octavia_cert_dir }}"
        creates: "{{ octavia_cert_dir }}/client-.pem"

    # use cat to avoid mangling the certs
    - name: Generate single pem client.pem
      shell: "cat client-.pem client.key >{{ octavia_client_cert }}"
      args:
        chdir: "{{ octavia_cert_dir }}"
        creates: "{{ octavia_client_cert }}"
      tags:
          - skip_ansible_lint

  when: octavia_generate_client_cert|bool