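---
# Main tasks for certificate management.
#
# Flow: (optional) RBAC so the OpenShift router can read the TLS secret ->
# cert-manager Certificate -> wait for Ready -> (optional) API server cert.
# Every kubernetes.core call authenticates with k8s_auth_params. Keep
# validate_certs enabled outside throwaway test clusters: with it off, the
# kubeconfig credentials are sent to whatever answers on the API endpoint.

# Import role setup tasks
- name: Setup RBAC for certificate access
  import_tasks: setup_roles.yml
  when: create_route_role | bool

# Grant the OpenShift router read access to the TLS secret this role creates.
#
# Least privilege: the router only needs to read ONE secret in ONE namespace
# (the secret referenced by the route's external certificate), so this is a
# namespaced Role restricted with resourceNames plus a RoleBinding in
# certificate_namespace. A ClusterRoleBinding of a built-in controller
# ClusterRole to the router service account would hand it cluster-wide
# permissions unrelated to this certificate.
# NOTE(review): earlier versions of this role created a ClusterRoleBinding
# named openshift-router-external-certs-<namespace>-<certificate_name>;
# remove it from existing clusters, it is no longer needed.
# NOTE(review): setup_roles.yml (imported above under the same condition) may
# already create an equivalent grant -- confirm and keep only one.
- name: Create Role allowing the OpenShift router to read the certificate secret
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: "openshift-router-external-certs-{{ certificate_name }}"
        namespace: "{{ certificate_namespace }}"
      rules:
        - apiGroups: [""]
          resources: ["secrets"]
          # Only the secret cert-manager writes for this Certificate (spec.secretName below)
          resourceNames: ["{{ certificate_secret_name }}"]
          verbs: ["get", "list", "watch"]
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  when: create_route_role | bool

- name: Bind the OpenShift router service account to the certificate secret Role
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: "openshift-router-external-certs-{{ certificate_name }}"
        namespace: "{{ certificate_namespace }}"
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: "openshift-router-external-certs-{{ certificate_name }}"
      subjects:
        # A ServiceAccount subject already covers the
        # system:serviceaccount:<namespace>:<name> user identity; do not add
        # a second User subject for the same principal.
        - kind: ServiceAccount
          name: "{{ router_service_account }}"
          namespace: "{{ router_namespace }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  when: create_route_role | bool

# Create the cert-manager Certificate. cert-manager stores the resulting
# key pair in secret certificate_secret_name in certificate_namespace; anyone
# who can read that secret holds the private key, so keep RBAC on it tight.
- name: Create certificate for namespace
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: "{{ certificate_name }}"
        namespace: "{{ certificate_namespace }}"
      spec:
        secretName: "{{ certificate_secret_name }}"
        issuerRef:
          # Defaults to a cluster-wide Let's Encrypt production issuer; override
          # certificate_issuer / certificate_issuer_kind for a namespaced Issuer.
          name: "{{ certificate_issuer | default('letsencrypt-prod') }}"
          kind: "{{ certificate_issuer_kind | default('ClusterIssuer') }}"
        # NOTE(review): commonName is optional in cert-manager and limited to
        # 64 characters; dnsNames is what clients validate -- make sure the
        # common name is also listed there.
        commonName: "{{ certificate_common_name }}"
        dnsNames: "{{ certificate_dns_names }}"
        # NOTE(review): when usages is set, cert-manager no longer applies its
        # defaults (digital signature, key encipherment); confirm the chosen
        # issuer accepts a 'server auth'-only request.
        usages: "{{ certificate_usages | default(['server auth']) }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"

# Poll the Certificate until its Ready condition is True. Skipped entirely
# when certificate_wait_retries is 0. A Certificate stuck in Ready=False
# (e.g. failed ACME challenge) is only detected by the timeout, so expect
# about retries * delay seconds before this task fails.
- name: Wait for certificate to be ready
  kubernetes.core.k8s_info:
    api_version: cert-manager.io/v1
    kind: Certificate
    name: "{{ certificate_name }}"
    namespace: "{{ certificate_namespace }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  register: certificate_status
  # Guard each step: the resource may not exist yet, and status.conditions
  # is absent until cert-manager has reconciled it once.
  until: >-
    certificate_status.resources is defined
    and certificate_status.resources | length > 0
    and certificate_status.resources[0].status.conditions is defined
    and certificate_status.resources[0].status.conditions
        | selectattr('type', 'equalto', 'Ready')
        | selectattr('status', 'equalto', 'True')
        | list | length > 0
  retries: "{{ certificate_wait_retries | default(30) }}"
  delay: "{{ certificate_wait_delay | default(10) }}"
  when: certificate_wait_retries | default(30) > 0

# Import API server certificate setup
- name: Setup API server certificate
  import_tasks: api_server_cert.yml
  when: setup_api_server_cert | default(true) | bool
  tags:
    - api-server-cert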