##############################################################################
# Copyright (c) 2016 HUAWEI TECHNOLOGIES CO.,LTD and others.
#
# All rights reserved. This program and the accompanying materials
# are made available under the terms of the Apache License, Version 2.0
# which accompanies this distribution, and is available at
# http://www.apache.org/licenses/LICENSE-2.0
##############################################################################
---
- include_vars: "{{ ansible_os_family }}.yml"

- name: keystone-manage db-sync
  shell: su -s /bin/sh -c 'keystone-manage db_sync' keystone

- name: Check if fernet keys already exist
  stat:
    path: "/etc/keystone/fernet-keys/0"
  register: fernet_keys_0

- name: Create fernet keys for Keystone
  command:
    keystone-manage fernet_setup
      --keystone-user keystone
      --keystone-group keystone
  when: not fernet_keys_0.stat.exists
  notify:
    - restart keystone services

- name: Rotate fernet keys for Keystone
  command:
    keystone-manage fernet_rotate
      --keystone-user keystone
      --keystone-group keystone
  when: fernet_keys_0.stat.exists
  notify:
    - restart keystone services

- name: Distribute the fernet key repository
  shell: |
    rsync -e 'ssh -o StrictHostKeyChecking=no' \
        -avz \
        --delete \
        /etc/keystone/fernet-keys \
        root@{{ hostvars[ item ].ansible_eth0.ipv4.address }}:/etc/keystone/
  with_items: "{{ groups['controller'][1:] }}"
  notify:
    - restart keystone services

- name: Check if credential keys already exist
  stat:
    path: "/etc/keystone/credential-keys/0"
  register: credential_keys_0

- name: Create credential keys for Keystone
  command:
    keystone-manage credential_setup
      --keystone-user keystone
      --keystone-group keystone
  when: not credential_keys_0.stat.exists
  notify:
    - restart keystone services

- name: Rotate credential keys for Keystone
  command:
    keystone-manage credential_rotate
      --keystone-user keystone
      --keystone-group keystone
  when: credential_keys_0.stat.exists
  notify:
    - restart keystone services

- name: Distribute the credential key repository
  shell: |
    rsync -e 'ssh -o StrictHostKeyChecking=no' \
        -avz \
       --delete \
       /etc/keystone/credential-keys \
       root@{{ hostvars[ item ].ansible_eth0.ipv4.address }}:/etc/keystone/
  with_items: "{{ groups['controller'][1:] }}"
  notify:
    - restart keystone services

- name: Bootstrap the Identity service
  shell:
    keystone-manage bootstrap \
      --bootstrap-password {{ ADMIN_PASS }} \
      --bootstrap-admin-url http://{{ internal_ip }}:35357/v3/ \
      --bootstrap-internal-url http://{{ internal_ip }}:35357/v3/ \
      --bootstrap-public-url http://{{ internal_ip }}:5000/v3/
      --bootstrap-region-id RegionOne \
  notify:
    - restart keystone services

- meta: flush_handlers

- name: wait for keystone ready
  wait_for: port=35357 delay=15 timeout=60 host={{ internal_ip }}