- name: add keystone fernet keys secret
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}
    CONTROLLER1_SSH="{{ controller1_ssh }}"
    oc apply -f - <<EOF
    apiVersion: v1
    data:
      CredentialKeys0: $($CONTROLLER1_SSH sudo cat /var/lib/config-data/puppet-generated/keystone/etc/keystone/credential-keys/0 | base64 -w 0)
      CredentialKeys1: $($CONTROLLER1_SSH sudo cat /var/lib/config-data/puppet-generated/keystone/etc/keystone/credential-keys/1 | base64 -w 0)
      FernetKeys0: $($CONTROLLER1_SSH sudo cat /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/0 | base64 -w 0)
      FernetKeys1: $($CONTROLLER1_SSH sudo cat /var/lib/config-data/puppet-generated/keystone/etc/keystone/fernet-keys/1 | base64 -w 0)
    kind: Secret
    metadata:
      name: keystone
    type: Opaque
    EOF

- name: Set IPA BaseDN var
  ansible.builtin.set_fact:
    ipa_basedn: "dc={{ ipa_hostname.split('.')[1:] | join(',dc=') }}"
  when: enable_keystone_ldap | default(false) | bool

- name: Create Keystone domain config secret for LDAP
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}
    cat <<EOF | oc apply -n openstack -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: keystone-domains
    type: Opaque
    stringData:
      keystone.{{ ipa_domain | default('REDHAT') }}.conf: |
        [identity]
        driver = ldap
        [ldap]
        url = ldaps://osp-free-ipa-0.ooo.test
        user = uid=svc-ldap,cn=users,cn=accounts,{{ ipa_basedn }}
        password = {{ ipa_admin_password | default('nomoresecrets') }}
        suffix = {{ ipa_basedn }}
        user_tree_dn = cn=users,cn=accounts,{{ ipa_basedn }}
        user_objectclass = person
        user_id_attribute = uid
        user_name_attribute = uid
        user_mail_attribute = mail
        group_tree_dn = cn=groups,cn=accounts,{{ ipa_basedn }}
        group_objectclass = groupOfNames
        group_id_attribute = cn
        group_name_attribute = cn
        group_member_attribute = member
        group_desc_attribute = description
    EOF
  when: enable_keystone_ldap | default(false) | bool

- name: deploy podified Keystone
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}
    if {{ enable_federation | default(false) | lower }} == true; then
      oc patch openstackcontrolplane openstack --type=merge --patch '{{ keystone_patch_federation }}'
    elif {{ enable_keystone_ldap | default(false) | lower }}; then
      oc patch openstackcontrolplane openstack --type=merge --patch '{{ keystone_patch_ldap }}'
    else
      oc patch openstackcontrolplane openstack --type=merge --patch '{{ keystone_patch }}'
    fi

- name: wait for Keystone to start up
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}
    oc wait pod --for condition=Ready --selector=service=keystone
  register: keystone_running_result
  until: keystone_running_result is success
  retries: 10
  delay: "{{ keystone_retry_delay }}"

- name: wait for openstackclient pod to start up
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}
    oc wait pod --for condition=Ready --selector=service=openstackclient
  register: osc_running_result
  until: osc_running_result is success
  retries: 10
  delay: "{{ keystone_retry_delay }}"

- name: check that Keystone is reachable and its endpoints are defined
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}

    alias openstack="oc exec -t openstackclient -- openstack"

    ${BASH_ALIASES[openstack]} endpoint list | grep keystone
  register: keystone_responding_result
  until: keystone_responding_result is success
  retries: 10
  delay: "{{ keystone_retry_delay }}"

- name: verify that OpenStackControlPlane setup is complete
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}
    oc wait --for=condition=Ready --timeout=3m OpenStackControlPlane openstack

- name: clean up services and endpoints
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}

    alias openstack="oc exec -t openstackclient -- openstack"

    ${BASH_ALIASES[openstack]} endpoint list | grep keystone | awk '/admin/{ print $2; }' | xargs ${BASH_ALIASES[openstack]} endpoint delete || true

    for service in aodh heat heat-cfn barbican cinderv3 designate glance gnocchi manila manilav2 neutron nova octavia placement swift ironic-inspector ironic; do
      ${BASH_ALIASES[openstack]} service list | awk "/ $service /{ print \$2; }" | xargs -r ${BASH_ALIASES[openstack]} service delete || true
    done

- name: Ensure Keycloak CA secret exists when federation enabled
  when: enable_federation | default(false) | bool
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}

    if ! oc get secret keycloakca >/dev/null 2>&1; then
      oc create secret generic keycloakca --from-file=KeyCloakCA={{ federation_ingress_ca_path }}
    fi

- name: Ensure Keystone httpd override secret exists when federation enabled
  when:
    - enable_federation | default(false) | bool
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}

    cat <<EOF | oc apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: keystone-httpd-override
      namespace: openstack
    type: Opaque
    stringData:
      federation.conf: |
        OIDCClaimPrefix "{{ cifmw_keystone_oidc_claim_prefix }}"
        OIDCResponseType "{{ cifmw_keystone_oidc_response_type }}"
        OIDCScope "{{ cifmw_keystone_oidc_scope }}"
        OIDCClaimDelimiter "{{ cifmw_keystone_oidc_claim_delimiter }}"
        OIDCPassUserInfoAs "{{ cifmw_keystone_oidc_pass_user_info_as }}"
        OIDCPassClaimsAs "{{ cifmw_keystone_oidc_pass_claims_as }}"
        OIDCProviderMetadataURL "{{ cifmw_keystone_oidc_provider_metadata_url }}"
        OIDCClientID "{{ cifmw_keystone_oidc_client_id }}"
        OIDCClientSecret "{{ cifmw_keystone_oidc_client_secret }}"
        OIDCCryptoPassphrase "{{ cifmw_keystone_oidc_crypto_passphrase }}"
        OIDCOAuthClientID "{{ cifmw_keystone_oidc_oauth_client_id }}"
        OIDCOAuthClientSecret "{{ cifmw_keystone_oidc_oauth_client_secret }}"
        OIDCOAuthIntrospectionEndpoint "{{ cifmw_keystone_oidc_oauth_introspection_endpoint }}"
        OIDCRedirectURI "{{ cifmw_federation_keystone_url }}/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_oidc_provider_name }}/protocols/openid/websso/"
        LogLevel debug

        <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/{{ cifmw_keystone_oidc_provider_name }}/protocols/openid/websso">
          AuthType "openid-connect"
          Require valid-user
        </LocationMatch>

        <Location "/v3/OS-FEDERATION/identity_providers/{{ cifmw_keystone_oidc_provider_name }}/protocols/openid/auth">
          AuthType oauth20
          Require valid-user
        </Location>

        <LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
          AuthType "openid-connect"
          Require valid-user
        </LocationMatch>
    EOF

- name: Print session test token
  ansible.builtin.debug:
    var: before_adoption_token

- name: Verify that pre-adoption token still works
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}

    alias openstack="oc exec -t openstackclient -- env -u OS_CLOUD - OS_AUTH_URL={{ auth_url }} OS_AUTH_TYPE=token OS_TOKEN={{ before_adoption_token.stdout }} openstack"

    if ${BASH_ALIASES[openstack]} endpoint list 2>&1 | grep "Failed to validate token"; then
      exit 1
    else
      exit 0
    fi
  register: adoption_token_result

- name: Verify that pre-adoption OIDC token still works
  when:
    - enable_federation | default(false) | bool
    - before_adoption_oidc_token is defined
    - before_adoption_oidc_token.stdout is defined
  ansible.builtin.shell:
    cmd: |
      {{ shell_header }}
      {{ oc_header }}

      alias openstack="oc exec -t openstackclient -- env -u OS_CLOUD - OS_AUTH_URL={{ auth_url }} OS_AUTH_TYPE=v3oidcaccesstoken OS_ACCESS_TOKEN={{ before_adoption_oidc_token.stdout }} openstack"

      ${BASH_ALIASES[openstack]} token issue -f json
  register: adoption_oidc_token_result

- name: Print credentials test token
  ansible.builtin.debug:
    var: before_adoption_token

- name: Verify that pre-adoption credential stills the same
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}

    alias openstack="oc exec -t openstackclient -- openstack"

    ${BASH_ALIASES[openstack]} credential show {{ before_adoption_credential.stdout }} -f value -c blob
  register: after_adoption_credential
  failed_when: after_adoption_credential.stdout != 'test'

- name: get ldap user token
  ansible.builtin.shell: |
    {{ shell_header }}
    {{ oc_header }}

    alias openstack="oc exec -t openstackclient -- openstack"

    auth_url=$(${BASH_ALIASES[openstack]} endpoint list --service keystone --interface public -f value -c URL)

    alias openstack="oc exec -t openstackclient -- env -u OS_CLOUD - OS_AUTH_URL=${auth_url} OS_USERNAME=ipauser1 OS_PASSWORD={{ ipa_user_password }} OS_PROJECT_DOMAIN_NAME=REDHAT OS_USER_DOMAIN_NAME=REDHAT openstack"

    ${BASH_ALIASES[openstack]} token issue -f json
  register: keystone_ldap_responding_result
  when: enable_keystone_ldap | default(false) | bool

- name: Print ldap user token
  ansible.builtin.debug:
    var: keystone_ldap_responding_result
  when: enable_keystone_ldap | default(false) | bool