- name: patch osp-secret with kek
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}
    CONTROLLER1_SSH="{{ controller1_ssh }}"
    oc set data secret/osp-secret "BarbicanSimpleCryptoKEK=$($CONTROLLER1_SSH \
    "sudo python3 -c \"import configparser; c = configparser.ConfigParser(); \
    c.read('/var/lib/config-data/puppet-generated/barbican/etc/barbican/barbican.conf'); \
    print(c['simple_crypto_plugin']['kek'])\"")"

- name: Create HSM login secret for Barbican
  when: barbican_hsm_enabled|default(false)
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}
    cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: {{ proteccio_login_secret_name | default('hsm-login') }}
      namespace: openstack
    type: Opaque
    stringData:
      PKCS11Pin: "{{ proteccio_login_password | default('') }}"
    EOF

- name: Check if HSM client data files exist
  when: barbican_hsm_enabled|default(false)
  ansible.builtin.stat:
    path: /tmp/hsm-prep-working-dir/proteccio_data_secret.yml
  register: hsm_data_secret_file

- name: Create HSM client data secret from file
  when:
    - barbican_hsm_enabled|default(false)
    - hsm_data_secret_file.stat.exists|default(false)
  ansible.builtin.command: oc apply -f /tmp/hsm-prep-working-dir/proteccio_data_secret.yml

- name: Create empty HSM client data secret if file not found
  when:
    - barbican_hsm_enabled|default(false)
    - not hsm_data_secret_file.stat.exists|default(true)
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}
    cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: {{ proteccio_client_data_secret_name | default('proteccio-data') }}
      namespace: openstack
    type: Opaque
    EOF

- name: deploy podified Barbican (standard)
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}
    oc patch openstackcontrolplane openstack --type=merge --patch '{{ barbican_patch }}'
  when: not barbican_hsm_enabled|default(false)

- name: deploy podified Barbican (HSM)
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}
    oc patch openstackcontrolplane openstack --type=merge --patch '{{ barbican_hsm_patch }}'
  when: barbican_hsm_enabled|default(false)

- name: wait for Barbican to start up
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}
    oc wait pod --for condition=Ready --selector=service=barbican
  register: barbican_running_result
  until: barbican_running_result is success
  retries: 180
  delay: "{{ barbican_retry_delay }}"

- name: check that Barbican is reachable and its endpoints are defined
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}

    alias openstack="oc exec -t openstackclient -- openstack"

    ${BASH_ALIASES[openstack]} endpoint list | grep key-manager
    ${BASH_ALIASES[openstack]} secret list
  register: barbican_responding_result
  until: barbican_responding_result is success
  retries: 60
  delay: "{{ barbican_retry_delay }}"

- name: check that Barbican secret payload was migrated successfully
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}
    alias openstack="oc exec -t openstackclient -- openstack"
    secret_id=`${BASH_ALIASES[openstack]} secret list | grep testSecret | cut -d'|' -f 2 | xargs`
    secret_payload=`${BASH_ALIASES[openstack]} secret get $secret_id --payload -f value`
    if [ "$secret_payload" != "TestPayload" ]
    then
      exit 1
    fi