---
- name: Get the current resource web pod information.
  k8s_info:
    api_version: v1
    kind: Pod
    namespace: '{{ ansible_operator_meta.namespace }}'
    label_selectors:
      - "app.kubernetes.io/name={{ ansible_operator_meta.name }}-web"
      - "app.kubernetes.io/managed-by={{ deployment_type }}-operator"
      - "app.kubernetes.io/component={{ deployment_type }}"
    field_selectors:
      - status.phase=Running
  register: awx_web_pod

- name: Set the resource pod as a variable.
  set_fact:
    awx_web_pod: >-
      {{ awx_web_pod['resources']
         | rejectattr('metadata.deletionTimestamp', 'defined')
         | sort(attribute='metadata.creationTimestamp')
         | first | default({}) }}

- name: Set the resource pod name as a variable.
  set_fact:
    awx_web_pod_name: "{{ awx_web_pod['metadata']['name'] | default('') }}"

- name: Set user provided control plane ee image
  set_fact:
    _custom_control_plane_ee_image: "{{ control_plane_ee_image }}"
  when:
    - control_plane_ee_image | default([]) | length

- name: Set Control Plane EE image URL
  set_fact:
    _control_plane_ee_image: "{{ _custom_control_plane_ee_image | default(lookup('env', 'RELATED_IMAGE_CONTROL_PLANE_EE')) | default(_control_plane_ee_image, true) }}"

- name: Check for Receptor CA Secret
  k8s_info:
    kind: Secret
    namespace: '{{ ansible_operator_meta.namespace }}'
    name: '{{ ansible_operator_meta.name }}-receptor-ca'
  register: receptor_ca
  no_log: "{{ no_log }}"

- name: Migrate Receptor CA Secret
  when:
    - receptor_ca['resources'] | default([]) | length
    - receptor_ca['resources'][0]['type'] != "kubernetes.io/tls"
  block:
    - name: Delete old Receptor CA Secret
      k8s:
        state: absent
        kind: Secret
        namespace: '{{ ansible_operator_meta.namespace }}'
        name: '{{ ansible_operator_meta.name }}-receptor-ca'
    - name: Create tempfile for receptor-ca.key
      tempfile:
        state: file
        suffix: .key
      register: _receptor_ca_key_file
    - name: Copy Receptor CA key from old secret to tempfile
      copy:
        content: "{{ receptor_ca['resources'][0]['data']['receptor-ca.key'] | b64decode }}"
        dest: "{{ _receptor_ca_key_file.path }}"
      no_log: "{{ no_log }}"
    - name: Create tempfile for receptor-ca.crt
      tempfile:
        state: file
        suffix: .crt
      register: _receptor_ca_crt_file
    - name: Copy Receptor CA cert from old secret to tempfile
      copy:
        content: "{{ receptor_ca['resources'][0]['data']['receptor-ca.crt'] | b64decode }}"
        dest: "{{ _receptor_ca_crt_file.path }}"
      no_log: "{{ no_log }}"
    - name: Create New Receptor CA secret
      k8s:
        apply: true
        definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}"
      no_log: "{{ no_log }}"
    - name: Read New Receptor CA Secret
      k8s_info:
        kind: Secret
        namespace: '{{ ansible_operator_meta.namespace }}'
        name: '{{ ansible_operator_meta.name }}-receptor-ca'
      register: _receptor_ca
      no_log: "{{ no_log }}"
    - name: Set receptor_ca variable
      set_fact:
        receptor_ca: '{{ _receptor_ca }}'
      no_log: "{{ no_log }}"
    - name: Remove tempfiles
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - "{{ _receptor_ca_key_file.path }}"
        - "{{ _receptor_ca_crt_file.path }}"

- name: Create Receptor Mesh CA
  block:
    - name: Create tempfile for receptor-ca.key
      tempfile:
        state: file
        suffix: .key
      register: _receptor_ca_key_file
    - name: Generate Receptor CA key
      command: |
        openssl genrsa -out {{ _receptor_ca_key_file.path }} 4096
      no_log: "{{ no_log }}"
    - name: Create tempfile for receptor-ca.crt
      tempfile:
        state: file
        suffix: .crt
      register: _receptor_ca_crt_file
    - name: Generate Receptor CA cert
      command: |
        openssl req -x509 -new -nodes -key {{ _receptor_ca_key_file.path }} \
          -subj "/CN={{ ansible_operator_meta.name }} Receptor Root CA" \
          -sha256 -days 3650 -out {{ _receptor_ca_crt_file.path }}
      no_log: "{{ no_log }}"
    - name: Create Receptor CA secret
      k8s:
        apply: true
        definition: "{{ lookup('template', 'secrets/receptor_ca_secret.yaml.j2') }}"
      no_log: "{{ no_log }}"
    - name: Read Receptor CA secret
      k8s_info:
        kind: Secret
        namespace: '{{ ansible_operator_meta.namespace }}'
        name: '{{ ansible_operator_meta.name }}-receptor-ca'
      register: _receptor_ca
      no_log: "{{ no_log }}"
    - name: Set receptor_ca variable
      set_fact:
        receptor_ca: '{{ _receptor_ca }}'
      no_log: "{{ no_log }}"
    - name: Remove tempfiles
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - "{{ _receptor_ca_key_file.path }}"
        - "{{ _receptor_ca_crt_file.path }}"
  when: not receptor_ca['resources'] | default([]) | length

- name: Check for Receptor work signing Secret
  k8s_info:
    kind: Secret
    namespace: '{{ ansible_operator_meta.namespace }}'
    name: '{{ ansible_operator_meta.name }}-receptor-work-signing'
  register: receptor_work_signing
  no_log: "{{ no_log }}"

- name: Generate Receptor work signing RSA key pair
  block:
    - name: Create tempfile for receptor work signing private key
      tempfile:
        state: file
        suffix: .pem
      register: _receptor_work_signing_private_key_file
    - name: Generate Receptor work signing private key
      command: |
        openssl genrsa -out {{ _receptor_work_signing_private_key_file.path }} 4096
      no_log: "{{ no_log }}"
    - name: Create tempfile for receptor work signing public key
      tempfile:
        state: file
        suffix: .pem
      register: _receptor_work_signing_public_key_file
    - name: Generate Receptor work signing public key
      command: |
        openssl rsa \
          -in {{ _receptor_work_signing_private_key_file.path }} \
          -out {{ _receptor_work_signing_public_key_file.path }} \
          -outform PEM -pubout
      no_log: "{{ no_log }}"
    - name: Create Receptor work signing Secret
      k8s:
        apply: true
        definition: "{{ lookup('template', 'secrets/receptor_work_signing_secret.yaml.j2') }}"
      no_log: "{{ no_log }}"
    - name: Read Receptor work signing Secret
      k8s_info:
        kind: Secret
        namespace: '{{ ansible_operator_meta.namespace }}'
        name: '{{ ansible_operator_meta.name }}-receptor-work-signing'
      register: _receptor_work_signing
      no_log: "{{ no_log }}"
    - name: Set receptor_work_signing variable
      set_fact:
        receptor_work_signing: '{{ _receptor_work_signing }}'
      no_log: "{{ no_log }}"
    - name: Remove tempfiles
      file:
        path: "{{ item }}"
        state: absent
      loop:
        - "{{ _receptor_work_signing_private_key_file.path }}"
        - "{{ _receptor_work_signing_public_key_file.path }}"
  when: not receptor_work_signing['resources'] | default([]) | length

- name: Apply Resources
  k8s:
    apply: yes
    definition: "{{ lookup('template', item + '.yaml.j2') }}"
    wait: yes
  loop:
    - 'configmaps/config'
    - 'configmaps/pre_stop_scripts'
    - 'secrets/app_credentials'
    - 'rbac/service_account'
    - 'storage/persistent'
    - 'networking/service'
    - 'networking/ingress'
  no_log: "{{ no_log }}"

- name: Set default awx app image
  set_fact:
    _default_image: "{{ _image }}:{{ _image_version }}"

- name: Set user provided awx app image
  set_fact:
    _custom_image: "{{ image }}:{{ image_version }}"
  when:
    - image | default([]) | length
    - image_version is defined and image_version != ''

- name: Set AWX app image URL
  set_fact:
    _image: "{{ _custom_image | default(lookup('env', 'RELATED_IMAGE_AWX')) | default(_default_image, true) }}"

- name: Set default redis image
  set_fact:
    _default_redis_image: "{{ _redis_image }}:{{ _redis_image_version }}"

- name: Set user provided redis image
  set_fact:
    _custom_redis_image: "{{ redis_image }}:{{ redis_image_version }}"
  when:
    - redis_image | default([]) | length
    - redis_image_version is defined and redis_image_version != ''

- name: Set Redis image URL
  set_fact:
    _redis_image: "{{ _custom_redis_image | default(lookup('env', 'RELATED_IMAGE_AWX_REDIS')) | default(_default_redis_image, true) }}"

- name: Apply deployment resources
  k8s:
    apply: yes
    definition: "{{ lookup('template', 'deployments/{{ item }}.yaml.j2') }}"
  loop:
    - web
    - task
  register: this_deployment_result

- block:
    - name: Get the new resource pod information after updating resource.
      k8s_info:
        kind: Pod
        namespace: '{{ ansible_operator_meta.namespace }}'
        label_selectors:
          - "app.kubernetes.io/name={{ ansible_operator_meta.name }}-web"
          - "app.kubernetes.io/managed-by={{ deployment_type }}-operator"
          - "app.kubernetes.io/component={{ deployment_type }}"
        field_selectors:
          - status.phase=Running
      register: _new_pod
      until:
        - _new_pod['resources'] | length
        - _new_pod['resources'] | rejectattr('metadata.deletionTimestamp', 'defined') | list | length
      retries: 60
      delay: 5

    - name: Update new resource pod as a variable.
      set_fact:
        awx_web_pod: >-
          {{ _new_pod['resources']
             | rejectattr('metadata.deletionTimestamp', 'defined')
             | sort(attribute='metadata.creationTimestamp')
             | last | default({}) }}

    - name: Update new resource pod name as a variable.
      set_fact:
        awx_web_pod_name: '{{ awx_web_pod["metadata"]["name"] | default("")}}'
  when:
    - this_deployment_result.changed

- name: Verify the resource pod name is populated.
  assert:
    that:
      - awx_web_pod_name != ''
    fail_msg: "Could not find the tower pod's name."
  when: web_replicas | int > 0 or (web_replicas == '' and replicas > 0)