# Copyright (c) 2022 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

- name: Uninstall the legacy HelmRelease
  run_once: true
  block:
    - name: Suspend the existing HelmRelease
      kubernetes.core.k8s:
        state: patched
        api_version: helm.toolkit.fluxcd.io/v2beta1
        kind: HelmRelease
        name: "{{ octavia_helm_release_name }}"
        namespace: "{{ octavia_helm_release_namespace }}"
        definition:
          spec:
            suspend: true

    - name: Remove the existing HelmRelease
      kubernetes.core.k8s:
        state: absent
        api_version: helm.toolkit.fluxcd.io/v2beta1
        kind: HelmRelease
        name: "{{ octavia_helm_release_name }}"
        namespace: "{{ octavia_helm_release_namespace }}"

- name: Generate resources
  ansible.builtin.import_tasks:
    file: generate_resources.yml

- name: Create CAs & Issuers
  kubernetes.core.k8s:
    state: present
    definition:
      - apiVersion: cert-manager.io/v1
        kind: Certificate
        metadata:
          name: "{{ item }}-ca"
          namespace: openstack
        spec:
          isCA: true
          commonName: "{{ octavia_tls_server_common_name if item == 'octavia-server' else octavia_tls_client_common_name }}"
          secretName: "{{ item }}-ca"
          duration: 87600h
          renewBefore: 720h
          privateKey: "{{ private_key | from_yaml }}"
          issuerRef:
            name: self-signed
            kind: ClusterIssuer
            group: cert-manager.io

      - apiVersion: cert-manager.io/v1
        kind: Issuer
        metadata:
          name: "{{ item }}"
          namespace: openstack
        spec:
          ca:
            secretName: "{{ item }}-ca"
  vars:
    # NOTE(mnaser): Unfortuantely, Ansible renders all variables as strings so
    #               we do this workaround to make sure the size is an integer.
    private_key: |
      algorithm: "{{ octavia_tls_server_private_key_algorithm if item == 'octavia-server' else octavia_tls_client_private_key_algorithm }}"
      size: {{ octavia_tls_server_private_key_size if item == 'octavia-server' else octavia_tls_client_private_key_size }}
  loop:
    - octavia-client
    - octavia-server

- name: Create certificate for Octavia clients
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: octavia-client-certs
        namespace: openstack
      spec:
        commonName: "{{ octavia_tls_client_common_name }}"
        secretName: octavia-client-certs
        additionalOutputFormats:
          - type: CombinedPEM
        duration: 87600h
        renewBefore: 720h
        privateKey: "{{ private_key | from_yaml }}"
        issuerRef:
          name: octavia-client
          kind: Issuer
          group: cert-manager.io
  vars:
    # NOTE(mnaser): Unfortuantely, Ansible renders all variables as strings so
    #               we do this workaround to make sure the size is an integer.
    private_key: |
      algorithm: "{{ octavia_tls_client_private_key_algorithm }}"
      size: {{ octavia_tls_client_private_key_size }}

- name: Create admin compute quotaset
  openstack.cloud.quota:
    cloud: atmosphere
    # NOTE(okozachenko): It uses project name instead of id.
    name: admin
    instances: -1
    cores: -1
    ram: -1
    volumes: -1
    gigabytes: -1
    security_group: -1
    security_group_rule: -1

- name: Deploy Helm chart
  run_once: true
  kubernetes.core.helm:
    name: "{{ octavia_helm_release_name }}"
    chart_ref: "{{ octavia_helm_chart_ref }}"
    release_namespace: "{{ octavia_helm_release_namespace }}"
    create_namespace: true
    kubeconfig: /etc/kubernetes/admin.conf
    values: "{{ _octavia_helm_values | combine(octavia_helm_values, recursive=True) }}"

- name: Add implied roles
  run_once: true
  ansible.builtin.shell: |
    openstack implied role create \
      --implied-role {{ item.implies }} \
      {{ item.role }}
  loop:
    - role: member
      implies: load-balancer_member
    - role: reader
      implies: load-balancer_observer
  environment:
    OS_CLOUD: atmosphere
  register: _octavia_implied_role_create
  changed_when: _octavia_implied_role_create.rc == 0
  failed_when: _octavia_implied_role_create.rc != 0 and 'Duplicate entry.' not in _octavia_implied_role_create.stderr

- name: Create Ingress
  ansible.builtin.include_role:
    name: openstack_helm_ingress
  vars:
    openstack_helm_ingress_endpoint: load_balancer
    openstack_helm_ingress_service_name: octavia-api
    openstack_helm_ingress_service_port: 9876
    openstack_helm_ingress_annotations: "{{ octavia_ingress_annotations }}"