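---
# Prepare the central ("regionZero") OpenStack control plane and the leaf
# namespace so that an SKMO (shared-Keystone, multi-region) leaf control plane
# can be deployed on top of it:
#
#   1. wait for the central KeystoneAPI and the openstackclient pod,
#   2. read the leaf settings from skmo-values.yaml and the leaf admin
#      password from osp-secrets.env,
#   3. ensure the leaf region, its identity catalog endpoints and the leaf
#      admin project/user (with the admin role) exist in central Keystone,
#   4. copy the central root CA certificates into a CA bundle secret in the
#      leaf namespace,
#   5. create a TransportURL in the central namespace for the leaf
#      barbican-keystone-listener and wait until it is ready.
#
# The shell tasks print the literal marker "SKMO_CHANGED" only when they
# actually created something, so re-running the play reports "ok" rather than
# "changed" for already-provisioned resources.
- name: Prepare SKMO leaf prerequisites in regionZero
  hosts: "{{ cifmw_target_hook_host | default('localhost') }}"
  gather_facts: false
  vars:
    skmo_values_file: "{{ cifmw_architecture_repo }}/examples/va/multi-namespace-skmo/control-plane2/skmo-values.yaml"
    osp_secrets_env_file: "{{ cifmw_architecture_repo }}/lib/control-plane/base/osp-secrets.env"
    central_namespace: openstack
    leaf_namespace: openstack2
    central_rootca_secret: rootca-public
    central_rootca_internal_secret: rootca-internal
    leaf_transport_url_name: barbican-keystone-listener-regiontwo
    leaf_transport_url_username: barbican-keystone-listener-regiontwo
    leaf_transport_url_name_secret: rabbitmq-transport-url-barbican-keystone-listener-regiontwo
  tasks:
    # --- 1. readiness of the central control plane -------------------------
    - name: Wait for central Keystone API to be ready
      kubernetes.core.k8s_info:
        api_version: keystone.openstack.org/v1beta1
        kind: KeystoneAPI
        namespace: "{{ central_namespace }}"
      register: _keystoneapi_info
      retries: 60
      delay: 10
      until:
        - _keystoneapi_info.resources | length > 0
        - _keystoneapi_info.resources[0].status.conditions is defined
        - _keystoneapi_info.resources[0].status.conditions | selectattr('type', 'equalto', 'Ready') | selectattr('status', 'equalto', 'True') | list | length > 0

    # All "openstack ..." CLI calls below are executed inside this pod.
    - name: Wait for openstackclient pod to be ready in central region
      kubernetes.core.k8s_info:
        api_version: v1
        kind: Pod
        namespace: "{{ central_namespace }}"
        name: openstackclient
      register: _osc_pod_info
      retries: 30
      delay: 10
      until:
        - _osc_pod_info.resources | length > 0
        - _osc_pod_info.resources[0].status.conditions is defined
        - _osc_pod_info.resources[0].status.conditions | selectattr('type', 'equalto', 'Ready') | selectattr('status', 'equalto', 'True') | list | length > 0

    # --- 2. leaf settings ---------------------------------------------------
    - name: Load SKMO values
      ansible.builtin.set_fact:
        skmo_values: "{{ lookup('file', skmo_values_file) | from_yaml }}"

    - name: Set SKMO leaf facts
      ansible.builtin.set_fact:
        leaf_region: "{{ skmo_values.data.leafRegion }}"
        leaf_admin_user: "{{ skmo_values.data.leafAdminUser }}"
        leaf_admin_project: "{{ skmo_values.data.leafAdminProject }}"
        # Name of the KEY=VALUE entry in osp-secrets.env that holds the
        # leaf admin password.
        leaf_admin_password_key: "{{ skmo_values.data.leafAdminPasswordKey }}"
        keystone_internal_url: "{{ skmo_values.data.keystoneInternalURL }}"
        keystone_public_url: "{{ skmo_values.data.keystonePublicURL }}"
        ca_bundle_secret_name: "{{ skmo_values.data.leafCaBundleSecretName }}"

    # Parses the env file into a KEY -> VALUE dict (comment lines skipped,
    # first "=" is the separator) and picks the configured key.
    - name: Read leaf admin password from env file
      ansible.builtin.set_fact:
        leaf_admin_password: >-
          {{ dict(lookup('file', osp_secrets_env_file) | regex_findall('^([^#=\n][^=\n]*)=(.*)', multiline=True))[leaf_admin_password_key] | trim }}
      # set_fact echoes the resulting fact in verbose/callback output; keep
      # the password out of the run log.
      no_log: true

    # --- 3. central Keystone objects for the leaf region --------------------
    # Values rendered into shell are passed through the "quote" filter so a
    # region/project/user name (or the password) containing shell-special
    # characters cannot break or alter the command.
    - name: Ensure leaf region exists in central Keystone
      ansible.builtin.shell: |
        set -euo pipefail
        if ! oc -n {{ central_namespace | quote }} rsh openstackclient \
            openstack region show {{ leaf_region | quote }} >/dev/null 2>&1; then
          oc -n {{ central_namespace | quote }} rsh openstackclient \
            openstack region create {{ leaf_region | quote }}
          echo SKMO_CHANGED
        fi
      args:
        executable: /bin/bash
      register: _leaf_region_result
      changed_when: "'SKMO_CHANGED' in _leaf_region_result.stdout"

    - name: Ensure keystone catalog endpoints exist for leaf region
      ansible.builtin.shell: |
        set -euo pipefail
        # The ID list is captured instead of being piped through head/grep:
        # under "pipefail" an early-exiting reader can fail the whole pipeline
        # and would then trigger a duplicate "endpoint create".
        existing_public="$(oc -n {{ central_namespace | quote }} rsh openstackclient \
          openstack endpoint list --service keystone --interface public \
            --region {{ leaf_region | quote }} -f value -c ID)"
        if [ -z "${existing_public}" ]; then
          oc -n {{ central_namespace | quote }} rsh openstackclient \
            openstack endpoint create --region {{ leaf_region | quote }} \
              identity public {{ keystone_public_url | quote }}
          echo SKMO_CHANGED
        fi
        existing_internal="$(oc -n {{ central_namespace | quote }} rsh openstackclient \
          openstack endpoint list --service keystone --interface internal \
            --region {{ leaf_region | quote }} -f value -c ID)"
        if [ -z "${existing_internal}" ]; then
          oc -n {{ central_namespace | quote }} rsh openstackclient \
            openstack endpoint create --region {{ leaf_region | quote }} \
              identity internal {{ keystone_internal_url | quote }}
          echo SKMO_CHANGED
        fi
      args:
        executable: /bin/bash
      register: _leaf_endpoints_result
      changed_when: "'SKMO_CHANGED' in _leaf_endpoints_result.stdout"

    - name: Ensure leaf admin project exists in central Keystone
      ansible.builtin.shell: |
        set -euo pipefail
        if ! oc -n {{ central_namespace | quote }} rsh openstackclient \
            openstack project show {{ leaf_admin_project | quote }} >/dev/null 2>&1; then
          oc -n {{ central_namespace | quote }} rsh openstackclient \
            openstack project create {{ leaf_admin_project | quote }}
          echo SKMO_CHANGED
        fi
      args:
        executable: /bin/bash
      register: _leaf_project_result
      changed_when: "'SKMO_CHANGED' in _leaf_project_result.stdout"

    - name: Ensure leaf admin user exists and has admin role
      ansible.builtin.shell: |
        set -euo pipefail
        if ! oc -n {{ central_namespace | quote }} rsh openstackclient \
            openstack user show {{ leaf_admin_user | quote }} >/dev/null 2>&1; then
          oc -n {{ central_namespace | quote }} rsh openstackclient \
            openstack user create --domain Default \
              --password {{ leaf_admin_password | quote }} {{ leaf_admin_user | quote }}
          echo SKMO_CHANGED
        fi
        # Re-applied on every run; Keystone treats an existing assignment as a
        # no-op.
        oc -n {{ central_namespace | quote }} rsh openstackclient \
          openstack role add --project {{ leaf_admin_project | quote }} \
            --user {{ leaf_admin_user | quote }} admin
      args:
        executable: /bin/bash
      register: _leaf_user_result
      changed_when: "'SKMO_CHANGED' in _leaf_user_result.stdout"
      # The rendered command line contains the admin password.
      no_log: true

    # --- 4. CA bundle for the leaf namespace --------------------------------
    # Existing entries of the bundle are preserved; only the two central
    # root CA keys are added/overwritten.
    - name: Get existing leaf CA bundle secret if present
      kubernetes.core.k8s_info:
        api_version: v1
        kind: Secret
        namespace: "{{ leaf_namespace }}"
        name: "{{ ca_bundle_secret_name }}"
      register: _existing_bundle

    - name: Get central rootca certs
      kubernetes.core.k8s_info:
        api_version: v1
        kind: Secret
        namespace: "{{ central_namespace }}"
        name: "{{ item }}"
      register: _central_certs
      loop:
        - "{{ central_rootca_secret }}"
        - "{{ central_rootca_internal_secret }}"
      # Only tls.crt is consumed below, but the registered result holds the
      # whole secret, which for a CA secret presumably also carries the
      # private key (tls.key) — keep it out of the run log.
      no_log: true

    - name: Create or update leaf CA bundle secret
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: "{{ ca_bundle_secret_name }}"
            namespace: "{{ leaf_namespace }}"
          # Secret data is already base64-encoded, so tls.crt can be copied
          # verbatim.
          data: >-
            {{ (_existing_bundle.resources[0].data | default({}))
            | combine({
            'skmo-central-rootca.crt': _central_certs.results[0].resources[0].data['tls.crt'],
            'skmo-central-rootca-internal.crt': _central_certs.results[1].resources[0].data['tls.crt']
            }) }}

    # --- 5. RabbitMQ transport URL for the leaf listener --------------------
    - name: Create TransportURL CR in central region for leaf listener
      kubernetes.core.k8s:
        state: present
        definition:
          apiVersion: rabbitmq.openstack.org/v1beta1
          kind: TransportURL
          metadata:
            name: "{{ leaf_transport_url_name }}"
            namespace: "{{ central_namespace }}"
          spec:
            rabbitmqClusterName: rabbitmq
            username: "{{ leaf_transport_url_username }}"

    - name: Wait for TransportURL to be ready
      kubernetes.core.k8s_info:
        api_version: rabbitmq.openstack.org/v1beta1
        kind: TransportURL
        name: "{{ leaf_transport_url_name }}"
        namespace: "{{ central_namespace }}"
      register: _transport_url_info
      retries: 12
      delay: 10
      until:
        - _transport_url_info.resources | length > 0
        - _transport_url_info.resources[0].status is defined
        - _transport_url_info.resources[0].status.conditions is defined
        - _transport_url_info.resources[0].status.conditions | selectattr('type', 'equalto', 'Ready') | selectattr('status', 'equalto', 'True') | list | length > 0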