---
- name: "Check_certs | check if all certs have already been generated on first master"
  # Inventory the CA cert and every node cert/key already present on the
  # first etcd host. The recorded checksums are what the later comparison
  # uses to detect nodes whose local copies drifted from the master's; find
  # and stat are both left on their default checksum algorithm so the two
  # values stay comparable. Runs once, on the first etcd host only.
  find:
    paths: "{{ etcd_cert_dir }}"
    patterns:
      - ca.pem
      - "node*.pem"
    get_checksum: true
  register: etcdcert_master
  delegate_to: "{{ groups['etcd'][0] }}"
  run_once: true

- name: "Check_certs | Set default value for 'sync_certs', 'gen_certs' and 'etcd_secret_changed' to false"
  # Reset the decision flags on every host before any check runs; the tasks
  # in this file only ever raise sync_certs / gen_certs to true, and
  # etcd_secret_changed is presumably updated by a later task.
  set_fact:
    etcd_secret_changed: false
    gen_certs: false
    sync_certs: false

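- name: "Check_certs | check if a cert already exists on node"
  # Stat the CA cert and this node's own private key on the node itself.
  # Order matters: the sync decision below indexes results[0] (ca.pem) and
  # results[1] (node key) by position, so do not reorder or add items.
  stat:
    path: "{{ etcd_cert_dir }}/{{ item }}"
  register: etcdcert_node
  with_items:
    - "ca.pem"
    - "node-{{ inventory_hostname }}-key.pem"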


- name: "Check_certs | Set 'gen_certs' to true"
  # Raise gen_certs when any expected file is absent from the first etcd
  # host's inventory: the CA cert, or the private key of any k8s-cluster,
  # etcd or calico-rr host. Evaluated once against the find results above.
  set_fact:
    gen_certs: true
  vars:
    all_etcd_hosts: "{{ groups['k8s-cluster'] | union(groups['etcd']) | union(groups['calico-rr'] | default([])) | unique | sort }}"
    existing_cert_paths: "{{ etcdcert_master.files | map(attribute='path') | list }}"
  when: item not in existing_cert_paths
  run_once: true
  with_items: >-
    ['{{ etcd_cert_dir }}/ca.pem'
    {%- for host in all_etcd_hosts -%}
    , '{{ etcd_cert_dir }}/node-{{ host }}-key.pem'
    {%- endfor -%}
    ]


- name: "Check_certs | Set 'gen_node_certs' to true"
  # Build a host -> bool map over every k8s-cluster, etcd and calico-rr
  # host: true when the first etcd host holds no private key for that host
  # yet (one must be generated), false when the key is already there.
  set_fact:
    gen_node_certs: |-
      {
      {%- for host in all_etcd_hosts -%}
      "{{ host }}": {{ (etcd_cert_dir ~ '/node-' ~ host ~ '-key.pem') not in existing_key_paths }}{{ ',' if not loop.last else '' }}
      {%- endfor -%}
      }
  vars:
    all_etcd_hosts: "{{ groups['k8s-cluster'] | union(groups['etcd']) | union(groups['calico-rr'] | default([])) | unique | sort }}"
    existing_key_paths: "{{ etcdcert_master.files | map(attribute='path') | list }}"
  run_once: true

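- name: "Check_certs | Set 'sync_certs' to true"
  # Pull certs from the first etcd host when this node needs a freshly
  # generated key, is missing ca.pem or its own key, or when the checksum of
  # either file differs from the master's copy. ca.pem is compared as well as
  # the key: a node left with a stale CA after the master's CA changed would
  # otherwise never be resynced, since the key-only check cannot see it.
  # The `or` chain short-circuits, so stat.path/checksum are only read after
  # the corresponding exists check passed.
  set_fact:
    sync_certs: true
  when:
    - gen_node_certs[inventory_hostname] or
      (not etcdcert_node.results[0].stat.exists | default(false)) or
      (not etcdcert_node.results[1].stat.exists | default(false)) or
      (etcdcert_node.results[0].stat.checksum | default('') != etcdcert_master.files | selectattr("path", "equalto", etcdcert_node.results[0].stat.path) | map(attribute="checksum") | first | default('')) or
      (etcdcert_node.results[1].stat.checksum | default('') != etcdcert_master.files | selectattr("path", "equalto", etcdcert_node.results[1].stat.path) | map(attribute="checksum") | first | default(''))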