---
- name: Stop if either kube_control_plane or kube_node group is empty
  assert:
    that: "groups.get('{{ item }}')"
  with_items:
    - kube_control_plane
    - kube_node
  run_once: true
  when: not ignore_assert_errors

- name: Stop if etcd group is empty in external etcd mode
  assert:
    that: groups.get('etcd')
    fail_msg: "Group 'etcd' cannot be empty in external etcd mode"
  run_once: true
  when:
    - not ignore_assert_errors
    - etcd_deployment_type != "kubeadm"

- name: Stop if non systemd OS type
  assert:
    that: ansible_service_mgr == "systemd"
  when: not ignore_assert_errors

- name: Stop if unknown OS
  assert:
    that: ansible_distribution in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'Flatcar', 'Flatcar Container Linux by Kinvolk', 'Suse', 'openSUSE Leap', 'openSUSE Tumbleweed', 'ClearLinux', 'OracleLinux', 'AlmaLinux', 'Rocky', 'Amazon', 'Kylin Linux Advanced Server', 'UnionTech', 'openEuler']
    msg: "{{ ansible_distribution }} is not a known OS"
  when: not ignore_assert_errors

- name: Stop if unknown network plugin
  assert:
    that: kube_network_plugin in ['calico', 'canal', 'flannel', 'weave', 'cloud', 'cilium', 'cni','kube-ovn', 'kube-router', 'macvlan']
    msg: "{{ kube_network_plugin }} is not supported"
  when:
    - kube_network_plugin is defined
    - not ignore_assert_errors

- name: Stop if unsupported version of Kubernetes
  assert:
    that: kube_version is version(kube_version_min_required, '>=')
    msg: "The current release of Kubespray only support newer version of Kubernetes than {{ kube_version_min_required }} - You are trying to apply {{ kube_version }}"
  when: not ignore_assert_errors

# simplify this items-list when   https://github.com/ansible/ansible/issues/15753  is resolved
- name: "Stop if known booleans are set as strings (Use JSON format on CLI: -e \"{'key': true }\")"
  assert:
    that: item.value|type_debug == 'bool'
    msg: "{{ item.value }} isn't a bool"
  run_once: yes
  with_items:
    - { name: download_run_once, value: "{{ download_run_once }}" }
    - { name: deploy_netchecker, value: "{{ deploy_netchecker }}" }
    - { name: download_always_pull, value: "{{ download_always_pull }}" }
    - { name: helm_enabled, value: "{{ helm_enabled }}" }
    - { name: openstack_lbaas_enabled, value: "{{ openstack_lbaas_enabled }}" }
  when: not ignore_assert_errors

- name: Stop if even number of etcd hosts
  assert:
    that: groups.etcd|length is not divisibleby 2
  when:
    - not ignore_assert_errors
    - inventory_hostname in groups.get('etcd',[])

- name: Stop if memory is too small for masters
  assert:
    that: ansible_memtotal_mb >= minimal_master_memory_mb
  when:
    - not ignore_assert_errors
    - inventory_hostname in groups['kube_control_plane']

- name: Stop if memory is too small for nodes
  assert:
    that: ansible_memtotal_mb >= minimal_node_memory_mb
  when:
    - not ignore_assert_errors
    - inventory_hostname in groups['kube_node']

# This assertion will fail on the safe side: One can indeed schedule more pods
# on a node than the CIDR-range has space for when additional pods use the host
# network namespace. It is impossible to ascertain the number of such pods at
# provisioning time, so to establish a guarantee, we factor these out.
# NOTICE: the check blatantly ignores the inet6-case
- name: Guarantee that enough network address space is available for all pods
  assert:
    that: "{{ (kubelet_max_pods | default(110)) | int <= (2 ** (32 - kube_network_node_prefix | int)) - 2 }}"
    msg: "Do not schedule more pods on a node than inet addresses are available."
  when:
    - not ignore_assert_errors
    - inventory_hostname in groups['k8s_cluster']
    - kube_network_node_prefix is defined
    - kube_network_plugin != 'calico'

- name: Stop if ip var does not match local ips
  assert:
    that: (ip in ansible_all_ipv4_addresses) or (ip in ansible_all_ipv6_addresses)
    msg: "IPv4: '{{ ansible_all_ipv4_addresses }}' and IPv6: '{{ ansible_all_ipv6_addresses }}' do not contain '{{ ip }}'"
  when:
    - not ignore_assert_errors
    - ip is defined

- name: Ensure ping package
  package:
    name: >-
          {%- if ansible_os_family == 'Debian' -%}
          iputils-ping
          {%- else -%}
          iputils
          {%- endif -%}
    state: present
  when:
    - access_ip is defined
    - not ignore_assert_errors
    - ping_access_ip
    - not is_fedora_coreos
    - not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]

- name: Stop if access_ip is not pingable
  command: ping -c1 {{ access_ip }}
  when:
    - access_ip is defined
    - not ignore_assert_errors
    - ping_access_ip

- name: Stop if RBAC is not enabled when dashboard is enabled
  assert:
    that: rbac_enabled
  when:
    - dashboard_enabled
    - not ignore_assert_errors

- name: Stop if RBAC is not enabled when OCI cloud controller is enabled
  assert:
    that: rbac_enabled
  when:
    - cloud_provider is defined and cloud_provider == "oci"
    - not ignore_assert_errors

- name: Stop if kernel version is too low
  assert:
    that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')
  when:
    - kube_network_plugin == 'cilium' or cilium_deploy_additionally | default(false) | bool
    - not ignore_assert_errors

- name: Stop if bad hostname
  assert:
    that: inventory_hostname is match("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
    msg: "Hostname must consist of lower case alphanumeric characters, '.' or '-', and must start and end with an alphanumeric character"
  when: not ignore_assert_errors

- name: check cloud_provider value
  assert:
    that: cloud_provider in ['gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci', 'external']
    msg: "If set the 'cloud_provider' var must be set either to 'gce', 'aws', 'azure', 'openstack', 'vsphere', 'oci' or 'external'"
  when:
    - cloud_provider is defined
    - not ignore_assert_errors
  tags:
    - cloud-provider
    - facts

- name: "Check that kube_service_addresses is a network range"
  assert:
    that:
      - kube_service_addresses | ipaddr('net')
    msg: "kube_service_addresses = '{{ kube_service_addresses }}' is not a valid network range"
  run_once: yes

- name: "Check that kube_pods_subnet is a network range"
  assert:
    that:
      - kube_pods_subnet | ipaddr('net')
    msg: "kube_pods_subnet = '{{ kube_pods_subnet }}' is not a valid network range"
  run_once: yes

- name: "Check that kube_pods_subnet does not collide with kube_service_addresses"
  assert:
    that:
      - kube_pods_subnet | ipaddr(kube_service_addresses) | string == 'None'
    msg: "kube_pods_subnet cannot be the same network segment as kube_service_addresses"
  run_once: yes

- name: "Check that IP range is enough for the nodes"
  assert:
    that:
      - 2 ** (kube_network_node_prefix - kube_pods_subnet | ipaddr('prefix')) >= groups['k8s_cluster'] | length
    msg: "Not enough IPs are available for the desired node count."
  when: kube_network_plugin != 'calico'
  run_once: yes

- name: Stop if unknown dns mode
  assert:
    that: dns_mode in ['coredns', 'coredns_dual', 'manual', 'none']
    msg: "dns_mode can only be 'coredns', 'coredns_dual', 'manual' or 'none'"
  when: dns_mode is defined
  run_once: true

- name: Stop if unknown kube proxy mode
  assert:
    that: kube_proxy_mode in ['iptables', 'ipvs']
    msg: "kube_proxy_mode can only be 'iptables' or 'ipvs'"
  when: kube_proxy_mode is defined
  run_once: true

- name: Stop if unknown cert_management
  assert:
    that: cert_management|d('script') in ['script', 'none']
    msg: "cert_management can only be 'script' or 'none'"
  run_once: true

- name: Stop if unknown resolvconf_mode
  assert:
    that: resolvconf_mode in ['docker_dns', 'host_resolvconf', 'none']
    msg: "resolvconf_mode can only be 'docker_dns', 'host_resolvconf' or 'none'"
  when: resolvconf_mode is defined
  run_once: true

- name: Stop if etcd deployment type is not host, docker or kubeadm
  assert:
    that: etcd_deployment_type in ['host', 'docker', 'kubeadm']
    msg: "The etcd deployment type, 'etcd_deployment_type', must be host, docker or kubeadm"
  when:
    - inventory_hostname in groups.get('etcd',[])

- name: Stop if container manager is not docker, crio or containerd
  assert:
    that: container_manager in ['docker', 'crio', 'containerd']
    msg: "The container manager, 'container_manager', must be docker, crio or containerd"
  run_once: true

- name: Stop if etcd deployment type is not host or kubeadm when container_manager != docker
  assert:
    that: etcd_deployment_type in ['host', 'kubeadm']
    msg: "The etcd deployment type, 'etcd_deployment_type', must be host or kubeadm when container_manager is not docker"
  when:
    - inventory_hostname in groups.get('etcd',[])
    - container_manager != 'docker'

# TODO: Clean this task up when we drop backward compatibility support for `etcd_kubeadm_enabled`
- name: Stop if etcd deployment type is not host or kubeadm when container_manager != docker and etcd_kubeadm_enabled is not defined
  block:
    - name: Warn the user if they are still using `etcd_kubeadm_enabled`
      debug:
        msg: >
          "WARNING! => `etcd_kubeadm_enabled` is deprecated and will be removed in a future release.
          You can set `etcd_deployment_type` to `kubeadm` instead of setting `etcd_kubeadm_enabled` to `true`."
      changed_when: true

    - name: Stop if `etcd_kubeadm_enabled` is defined and `etcd_deployment_type` is not `kubeadm` or `host`
      assert:
        that: etcd_deployment_type == 'kubeadm'
        msg: >
          It is not possible to use `etcd_kubeadm_enabled` when `etcd_deployment_type` is set to {{ etcd_deployment_type }}.
          Unset the `etcd_kubeadm_enabled` variable and set `etcd_deployment_type` to desired deployment type (`host`, `kubeadm`, `docker`) instead."
      when: etcd_kubeadm_enabled
  run_once: yes
  when: etcd_kubeadm_enabled is defined

- name: Stop if download_localhost is enabled but download_run_once is not
  assert:
    that: download_run_once
    msg: "download_localhost requires enable download_run_once"
  when: download_localhost

- name: Stop if kata_containers_enabled is enabled when container_manager is docker
  assert:
    that: container_manager != 'docker'
    msg: "kata_containers_enabled support only for containerd and crio-o. See https://github.com/kata-containers/documentation/blob/1.11.4/how-to/run-kata-with-k8s.md#install-a-cri-implementation for details"
  when: kata_containers_enabled

- name: Stop if gvisor_enabled is enabled when container_manager is not containerd
  assert:
    that: container_manager == 'containerd'
    msg: "gvisor_enabled support only compatible with containerd. See https://github.com/kubernetes-sigs/kubespray/issues/7650 for details"
  when: gvisor_enabled

- name: Stop if download_localhost is enabled for Flatcar Container Linux
  assert:
    that: ansible_os_family not in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
    msg: "download_run_once not supported for Flatcar Container Linux"
  when: download_run_once or download_force_cache

- name: Ensure minimum containerd version
  assert:
    that: containerd_version is version(containerd_min_version_required, '>=')
    msg: "containerd_version is too low. Minimum version {{ containerd_min_version_required }}"
  run_once: yes
  when:
    - containerd_version not in ['latest', 'edge', 'stable']
    - container_manager == 'containerd'

- name: Stop if using deprecated containerd_config variable
  assert:
    that: containerd_config is not defined
    msg: "Variable containerd_config is now deprecated. See https://github.com/kubernetes-sigs/kubespray/blob/master/inventory/sample/group_vars/all/containerd.yml for details."
  when:
    - containerd_config is defined
    - not ignore_assert_errors

- name: Stop if auto_renew_certificates is enabled when certificates are managed externally (kube_external_ca_mode is true)
  assert:
    that: not auto_renew_certificates
    msg: "Variable auto_renew_certificates must be disabled when CA are managed externally:  kube_external_ca_mode = true"
  when:
    - kube_external_ca_mode
    - not ignore_assert_errors

- name: Stop if using deprecated comma separated list for admission plugins
  assert:
    that: "',' not in kube_apiserver_enable_admission_plugins[0]"
    msg: "Comma-separated list for kube_apiserver_enable_admission_plugins is now deprecated, use separate list items for each plugin."
  when:
    - kube_apiserver_enable_admission_plugins is defined
    - kube_apiserver_enable_admission_plugins | length > 0