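---
# Vault bootstrap task list.
#
# Order matters: first synchronise any certificates that already exist across
# the vault / etcd / k8s-cluster groups, then generate only what is still
# missing through a short-lived temporary Vault instance, and finally
# distribute CA trust.
#
# The *_needed facts read below (vault_ca_cert_needed, vault_api_cert_needed,
# vault_etcd_certs_needed, vault_etcd_node_certs_needed) are presumably set by
# the sync_*_certs includes — every generation step is gated on them so that
# existing key material is not regenerated or overwritten. Each "needed"
# check reads the fact from a single representative host (first host of the
# relevant group); the generation step and the temp-Vault start must key on
# the SAME host, otherwise one may run without the other.

## Sync Certs
- include: bootstrap/sync_vault_certs.yml
  when: inventory_hostname in groups.vault

- include: bootstrap/sync_etcd_certs.yml
  when: inventory_hostname in groups.etcd

- include: bootstrap/sync_etcd_node_certs.yml
  when: inventory_hostname in groups["k8s-cluster"] | union(groups.etcd)

## Generate Certs
# Start a temporary instance of Vault on the first vault host.
# The etcd-node-cert check is keyed on the first k8s-cluster host so that it
# agrees with the config_ca and gen_etcd_node_certs conditions further down;
# keying it on the first etcd host (as before) could leave the temp Vault
# stopped while gen_etcd_node_certs still runs, with nothing to issue from.
- include: bootstrap/start_vault_temp.yml
  when: >-
    ( hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 or
    hostvars[groups["k8s-cluster"]|first].get("vault_etcd_node_certs_needed", [])|length > 0 or
    hostvars[groups.vault|first]["vault_ca_cert_needed"] ) and
    inventory_hostname == groups.vault|first

# Generate root CA certs for Vault if none exist (runs on every vault host).
- include: bootstrap/gen_vault_certs.yml
  when: >-
    ( hostvars[groups.vault|first]["vault_ca_cert_needed"] or
    hostvars[groups.vault|first]["vault_api_cert_needed"] ) and
    inventory_hostname in groups.vault

# Change vault-temp's issuing CA to use existing ca.pem/ca-key.pem.
# Only runs when a CA already exists (not vault_ca_cert_needed) and something
# still has to be issued from it.
# NOTE(review): the temp Vault is addressed over plain http on
# vault_temp_port, so whatever config_ca.yml sends (presumably the existing
# CA key material) crosses the wire unencrypted. That is only acceptable if
# vault_temp_port is bound to a trusted interface (e.g. loopback) on the
# first vault host — confirm in start_vault_temp.yml.
- include: config_ca.yml
  vars:
    vault_url: "http://{{ groups.vault|first }}:{{ vault_temp_port }}"
  when: >-
    ( hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 or
    hostvars[groups["k8s-cluster"]|first].get("vault_etcd_node_certs_needed", [])|length > 0 or
    hostvars[groups.vault|first]["vault_api_cert_needed"] ) and
    not hostvars[groups.vault|first]["vault_ca_cert_needed"] and
    inventory_hostname == groups.vault|first

# Generate etcd certs for etcd cluster members.
- include: bootstrap/gen_etcd_certs.yml
  when: >-
    hostvars[groups.etcd|first].get("vault_etcd_certs_needed", [])|length > 0 and
    inventory_hostname in groups.etcd

# Generate etcd node (client) certs for every k8s-cluster and etcd host.
- include: bootstrap/gen_etcd_node_certs.yml
  when: >-
    hostvars[groups["k8s-cluster"]|first].get("vault_etcd_node_certs_needed", [])|length > 0 and
    inventory_hostname in groups["k8s-cluster"] | union(groups.etcd)

# Stop the temporary Vault, but only if it was actually started above.
# vault_temp_start is the registered result of start_vault_temp.yml; a skipped
# start does not count as succeeded, so this is a no-op in that case.
# `|succeeded` is the legacy filter form; newer Ansible releases only accept
# the test form (`is succeeded`), so update this together with the
# `include:` → `include_tasks:` migration when the minimum Ansible version
# is raised.
- include: bootstrap/stop_vault_temp.yml
  when: >-
    inventory_hostname == groups.vault|first and
    hostvars[groups.vault|first]["vault_temp_start"]|succeeded

# Distribute the Vault CA so that all hosts trust certificates it issued
# (presumably installs ca.pem into each host's trust store — see ca_trust.yml).
- include: ca_trust.yml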