---

- name: Cert Manager | Remove legacy addon dir and manifests
  file:
    path: "{{ kube_config_dir }}/addons/cert_manager"
    state: absent
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
  tags:
    - upgrade

- name: Cert Manager | Remove legacy namespace
  shell: |
    {{ bin_dir }}/kubectl delete namespace {{ cert_manager_namespace }}
  ignore_errors: true  # noqa ignore-errors
  when:
    - inventory_hostname == groups['kube_control_plane'][0]
  tags:
    - upgrade

- name: Cert Manager | Create addon dir
  file:
    path: "{{ kube_config_dir }}/addons/cert_manager"
    state: directory
    owner: root
    group: root
    mode: 0755
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: Cert Manager | Templates list
  set_fact:
    cert_manager_templates:
      - { name: 00-namespace, file: 00-namespace.yml, type: ns }
      - { name: sa-cert-manager, file: sa-cert-manager.yml, type: sa }
      - { name: crd-certificate, file: crd-certificate.yml, type: crd }
      - { name: crd-challenge, file: crd-challenge.yml, type: crd }
      - { name: crd-clusterissuer, file: crd-clusterissuer.yml, type: crd }
      - { name: crd-issuer, file: crd-issuer.yml, type: crd }
      - { name: crd-order, file: crd-order.yml, type: crd }
      - { name: clusterrole-cert-manager, file: clusterrole-cert-manager.yml, type: clusterrole }
      - { name: clusterrolebinding-cert-manager, file: clusterrolebinding-cert-manager.yml, type: clusterrolebinding }
      - { name: role-cert-manager, file: role-cert-manager.yml, type: role }
      - { name: rolebinding-cert-manager, file: rolebinding-cert-manager.yml, type: rolebinding }
      - { name: deploy-cert-manager, file: deploy-cert-manager.yml, type: deploy }
      - { name: svc-cert-manager, file: svc-cert-manager.yml, type: svc }
      - { name: webhook-cert-manager, file: webhook-cert-manager.yml, type: webhook }
      - { name: secret-cert-manager, file: secret-cert-manager.yml, type: secret }

- name: Cert Manager | Create manifests
  template:
    src: "{{ item.file }}.j2"
    dest: "{{ kube_config_dir }}/addons/cert_manager/{{ item.file }}"
  with_items: "{{ cert_manager_templates }}"
  register: cert_manager_manifests
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: Cert Manager | Apply manifests
  kube:
    name: "{{ item.item.name }}"
    kubectl: "{{ bin_dir }}/kubectl"
    resource: "{{ item.item.type }}"
    filename: "{{ kube_config_dir }}/addons/cert_manager/{{ item.item.file }}"
    state: "latest"
  with_items: "{{ cert_manager_manifests.results }}"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: Cert Manager | Wait for Webhook pods become ready
  command: "{{ bin_dir }}/kubectl wait po --namespace={{ cert_manager_namespace }} --selector app=webhook --for=condition=Ready --timeout=600s"
  register: cert_manager_webhook_pods_ready
  when: inventory_hostname == groups['kube_control_plane'][0]

- name: Cert Manager | Create ClusterIssuer manifest
  template:
    src: "clusterissuer-cert-manager.yml.j2"
    dest: "{{ kube_config_dir }}/addons/cert_manager/clusterissuer-cert-manager.yml"
  register: cert_manager_clusterissuer_manifest
  when:
    - inventory_hostname == groups['kube_control_plane'][0] and cert_manager_webhook_pods_ready is succeeded

- name: Cert Manager | Apply ClusterIssuer manifest
  kube:
    name: "clusterissuer-cert-manager"
    kubectl: "{{ bin_dir }}/kubectl"
    filename: "{{ kube_config_dir }}/addons/cert_manager/clusterissuer-cert-manager.yml"
    state: "latest"
  when: inventory_hostname == groups['kube_control_plane'][0] and cert_manager_clusterissuer_manifest is succeeded