---
- name: Set cert dir
  set_fact:
    calico_cert_dir: "{{ canal_cert_dir }}"
  when: kube_network_plugin == 'canal'
  tags: [facts, canal]

- name: Get calico-policy-controller version if running
  shell: "{{ bin_dir }}/kubectl -n {{ system_namespace }} get rs calico-policy-controller -o=jsonpath='{$.spec.template.spec.containers[:1].image}' | cut -d':' -f2"
  register: existing_calico_policy_version
  run_once: true
  failed_when: false

# FIXME(mattymo): This should not be necessary
- name: Delete calico-policy-controller if an old one is installed
  kube:
    name: calico-policy-controller
    kubectl: "{{bin_dir}}/kubectl"
    resource: rs
    namespace: "{{ system_namespace }}"
    state: absent
  run_once: true
  when:
    - not "NotFound" in existing_calico_policy_version.stderr
    - existing_calico_policy_version.stdout | version_compare('v0.7.0', '<')

- name: Create calico-policy-controller manifests
  template:
    src: "{{item.file}}.j2"
    dest: "{{kube_config_dir}}/{{item.file}}"
  with_items:
    - {name: calico-policy-controller, file: calico-policy-controller.yml, type: rs}
    - {name: calico-policy-controller, file: calico-policy-sa.yml, type: sa}
    - {name: calico-policy-controller, file: calico-policy-cr.yml, type: clusterrole}
    - {name: calico-policy-controller, file: calico-policy-crb.yml, type: clusterrolebinding}
  register: calico_policy_manifests
  when:
    - rbac_enabled or item.type not in rbac_resources

- name: Start of Calico policy controller
  kube:
    name: "{{item.item.name}}"
    namespace: "{{ system_namespace }}"
    kubectl: "{{bin_dir}}/kubectl"
    resource: "{{item.item.type}}"
    filename: "{{kube_config_dir}}/{{item.item.file}}"
    state: "{{item.changed | ternary('latest','present') }}"
  with_items: "{{ calico_policy_manifests.results }}"
  when: inventory_hostname == groups['kube-master'][0]