---
# Copyright Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

- name: Execute all as root
  become: true
  block:
    - name: Ensure target directory exists
      ansible.builtin.file:
        path: "{{ cifmw_install_ca_trust_dir }}"
        state: directory
        mode: "0755"

    - name: Install internal CA from url
      when: cifmw_install_ca_url is defined
      block:
        - name: Wait until CA URL is reachable
          ansible.builtin.uri:
            url: "{{ cifmw_install_ca_url }}"
            method: HEAD
            validate_certs: false
            follow_redirects: all
            status_code: [200, 301, 302, 303, 307, 308, 401, 403, 404, 405]
          register: _cifmw_install_ca_dns_wait
          until: _cifmw_install_ca_dns_wait is succeeded
          retries: 30
          delay: 10
          changed_when: false

        - name: Install internal CA from url
          ansible.builtin.get_url:
            url: "{{ cifmw_install_ca_url }}"
            dest: "{{ cifmw_install_ca_trust_dir }}"
            validate_certs: "{{ cifmw_install_ca_url_validate_certs | default(omit) }}"
            mode: "0644"

    - name: Install custom CA bundle from inline
      register: ca_inline
      when:
        - cifmw_install_ca_bundle_inline is defined
        - cifmw_install_ca_bundle_inline != ''
      ansible.builtin.copy:
        dest: "{{ cifmw_install_ca_trust_dir }}/cifmw_inline_ca_bundle.crt"
        content: "{{ cifmw_install_ca_bundle_inline }}"
        mode: "0644"

    - name: Install custom CA bundle from file
      register: ca_bundle
      when:
        - cifmw_install_ca_bundle_src is defined
        - cifmw_install_ca_bundle_src != ''
      ansible.builtin.copy:
        dest: "{{ cifmw_install_ca_trust_dir }}/{{ cifmw_install_ca_bundle_src | basename }}"
        src: "{{ cifmw_install_ca_bundle_src }}"
        mode: "0644"

    - name: Update ca bundle
      vars:
        _ca_bundle_changed: "{{ ca_bundle is defined and ca_bundle is changed }}"
        _ca_inline_changed: "{{ ca_inline is defined and ca_inline is changed }}"
        _ca_url_changed: "{{ cifmw_install_ca_url is defined }}"
      when:
        - _ca_url_changed or _ca_bundle_changed or _ca_inline_changed
      ansible.builtin.command:
        cmd: update-ca-trust