---
- name: Contiv | Load openvswitch kernel module
  copy:
    dest: /etc/modules-load.d/openvswitch.conf
    content: "openvswitch"
  notify:
    - Contiv | Reload kernel modules

- name: Contiv | Create contiv etcd directories
  file:
    dest: "{{ item }}"
    state: directory
    mode: 0750
    owner: root
    group: root
  with_items:
    - "{{ contiv_etcd_conf_dir }}"
    - "{{ contiv_etcd_data_dir }}"
  when: inventory_hostname in groups['kube-master']

- name: Contiv | Workaround https://github.com/contiv/netplugin/issues/1152
  set_fact:
    kube_apiserver_endpoint_for_contiv: |-
      {% if not is_kube_master and loadbalancer_apiserver_localhost -%}
      https://localhost:{{ loadbalancer_apiserver_port|default(kube_apiserver_port) }}
      {%- elif loadbalancer_apiserver is defined and loadbalancer_apiserver.port is defined -%}
      https://{{ apiserver_loadbalancer_domain_name|default('lb-apiserver.kubernetes.local') }}
      {%-   if loadbalancer_apiserver.port|string != "443" -%}
      :{{ loadbalancer_apiserver.port|default(kube_apiserver_port) }}
      {%-   endif -%}
      {%- else -%}
      https://{{ first_kube_master }}:{{ kube_apiserver_port }}
      {%- endif %}
  when: inventory_hostname in groups['kube-master']

- name: Contiv | Set necessary facts
  set_fact:
    contiv_config_dir: "{{ contiv_config_dir }}"
    contiv_enable_api_proxy: "{{ contiv_enable_api_proxy }}"
    contiv_fabric_mode: "{{ contiv_fabric_mode }}"
    contiv_fwd_mode: "{{ contiv_fwd_mode }}"
    contiv_netmaster_port: "{{ contiv_netmaster_port }}"
    contiv_networks: "{{ contiv_networks }}"
    contiv_manifests:
      - {name: contiv-config, file: contiv-config.yml, type: configmap}
      - {name: contiv-etcd, file: contiv-etcd.yml, type: daemonset}
      - {name: contiv-etcd-proxy, file: contiv-etcd-proxy.yml, type: daemonset}
      - {name: contiv-ovs, file: contiv-ovs.yml, type: daemonset}
      - {name: contiv-netmaster, file: contiv-netmaster-clusterrolebinding.yml, type: clusterrolebinding}
      - {name: contiv-netmaster, file: contiv-netmaster-clusterrole.yml, type: clusterrole}
      - {name: contiv-netmaster, file: contiv-netmaster-serviceaccount.yml, type: serviceaccount}
      - {name: contiv-netmaster, file: contiv-netmaster.yml, type: daemonset}
      - {name: contiv-netplugin, file: contiv-netplugin-clusterrolebinding.yml, type: clusterrolebinding}
      - {name: contiv-netplugin, file: contiv-netplugin-clusterrole.yml, type: clusterrole}
      - {name: contiv-netplugin, file: contiv-netplugin-serviceaccount.yml, type: serviceaccount}
      - {name: contiv-netplugin, file: contiv-netplugin.yml, type: daemonset}
  when: inventory_hostname in groups['kube-master']

- name: Contiv | Add another manifest if contiv_enable_api_proxy is true
  set_fact:
    contiv_manifests: |-
      {% set _ = contiv_manifests.append({"name": "contiv-api-proxy", "file": "contiv-api-proxy.yml", "type": "daemonset"}) %}
      {{ contiv_manifests }}
  when:
    - contiv_enable_api_proxy
    - inventory_hostname in groups['kube-master']

- name: Contiv | Create /var/contiv
  file:
    path: /var/contiv
    state: directory

- name: Contiv | Create contiv config directory
  file:
    dest: "{{ contiv_config_dir }}"
    state: directory
    mode: 0755
    owner: root
    group: root
  when: inventory_hostname in groups['kube-master']

- name: Contiv | Install all Kubernetes resources
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ contiv_config_dir }}/{{ item.file }}"
  with_items: "{{ contiv_manifests }}"
  register: contiv_manifests_results
  when: inventory_hostname in groups['kube-master']

- name: Contiv | Copy certs generation script
  template:
    src: "generate-certificate.sh.j2"
    dest: "/var/contiv/generate-certificate.sh"
    mode: 0700
  when:
    - contiv_enable_api_proxy
    - contiv_generate_certificate
  delegate_to: "{{ groups['kube-master'][0] }}"
  run_once: true

- name: Contiv | Check for cert key existence
  stat:
    path: /var/contiv/auth_proxy_key.pem
  register: contiv_certificate_key_state
  when:
    - contiv_enable_api_proxy
    - contiv_generate_certificate
  delegate_to: "{{ groups['kube-master'][0] }}"
  run_once: true

- name: Contiv | Generate contiv-api-proxy certificates
  command: /var/contiv/generate-certificate.sh
  when:
    - contiv_enable_api_proxy
    - contiv_generate_certificate
    - (not contiv_certificate_key_state.stat.exists)
  delegate_to: "{{ groups['kube-master'][0] }}"
  run_once: true

- name: Contiv | Fetch the generated certificate
  fetch:
    src: "/var/contiv/{{ item }}"
    dest: "/tmp/kubespray-contiv-{{ item }}"
    flat: yes
  with_items:
    - auth_proxy_key.pem
    - auth_proxy_cert.pem
  when:
    - contiv_enable_api_proxy
    - contiv_generate_certificate
  delegate_to: "{{ groups['kube-master'][0] }}"
  run_once: true

- name: Contiv | Copy the generated certificate on nodes
  copy:
    src: "/tmp/kubespray-contiv-{{ item }}"
    dest: "/var/contiv/{{ item }}"
  with_items:
    - auth_proxy_key.pem
    - auth_proxy_cert.pem
  when:
    - inventory_hostname != groups['kube-master'][0]
    - inventory_hostname in groups['kube-master']
    - contiv_enable_api_proxy
    - contiv_generate_certificate

- name: Contiv | Copy netctl binary from docker container
  command: sh -c "{{ docker_bin_dir }}/docker rm -f netctl-binarycopy;
          {{ docker_bin_dir }}/docker create --name netctl-binarycopy {{ contiv_image_repo }}:{{ contiv_image_tag }} &&
          {{ docker_bin_dir }}/docker cp netctl-binarycopy:/contiv/bin/netctl {{ bin_dir }}/netctl &&
          {{ docker_bin_dir }}/docker rm -f netctl-binarycopy"
  register: contiv_task_result
  until: contiv_task_result.rc == 0
  retries: 4
  delay: "{{ retry_stagger | random + 3 }}"
  changed_when: false