---
# This playbook redeploys Lets Encrypt certificates
# It does not renew the certs, which is done by the certbot cronjob.
#
# Please ensure CA and key have not changed.

- hosts: localhost
  gather_facts: no
  become: no
  vars:
  - _certbot_install_dir: "/home/{{ ansible_user }}/certificates"
  - _certbot_remote_dir: "/home/{{ ansible_user }}"
  - _certbot_dir: "{{ _certbot_remote_dir }}/certbot"
  tasks:
  - name: Determine API server hostname
    shell: "oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././'"
    register: api_hostname

  - name: Compute domain name
    set_fact:
      _certbot_domain: "{{ api_hostname.stdout }}"

  - name: Install certificates
    copy:
      src: "{{ _certbot_dir }}/config/live/{{ _certbot_domain }}/{{ item }}"
      dest: "{{ _certbot_install_dir }}/{{ item }}"
      remote_src: yes
    loop:
    - "cert.pem"
    - "fullchain.pem"
    - "chain.pem"
    - "privkey.pem"

  - name: Read Certificate
    slurp:
      src: "$HOME/certificates/fullchain.pem"
    register: server_cert

  - name: Read Key
    slurp:
      src: "$HOME/certificates/privkey.pem"
    register: server_key

  - name: Create Router Certificate
    k8s:
      state: present
      definition: "{{ lookup('template', './router-certs.j2' ) | from_yaml }}"