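---
# CI playbook: builds a kolla-ansible virtualenv on the primary node, generates
# passwords, runs the Hashicorp Vault password test script and checks that the
# file generated by Vault has the same keys as /etc/kolla/passwords.yml.

- hosts: all
  any_errors_fatal: true
  tasks:
    # NOTE(yoctozepto): setting vars as facts for all to have them around in all the plays
    - name: Set facts for commonly used variables
      set_fact:
        kolla_ansible_src_dir: "{{ ansible_env.PWD }}/src/{{ zuul.project.canonical_hostname }}/openstack/kolla-ansible"
        kolla_ansible_venv_path: "{{ ansible_env.HOME }}/kolla-ansible-venv"
        upper_constraints_file: "{{ ansible_env.HOME }}/src/opendev.org/openstack/requirements/upper-constraints.txt"
        # Prepends the per-user pip bin directory to PATH; used as the play
        # environment below.
        pip_user_path_env:
          PATH: "{{ ansible_env.HOME + '/.local/bin:' + ansible_env.PATH }}"

- hosts: primary
  any_errors_fatal: true
  environment: "{{ pip_user_path_env }}"
  tasks:
    # NOTE(review): 0777 leaves the directory that will hold passwords.yml
    # world-writable. The copy task below runs without become, so the
    # unprivileged user needs write access here; on anything other than a
    # throwaway CI node prefer setting owner/group and a tighter mode.
    # The mode is quoted so that no YAML parser re-types it as an integer.
    - name: Ensure /etc/kolla exists
      file:
        path: "/etc/kolla"
        state: "directory"
        mode: "0777"
      become: true

    - name: Install Python3.12 on RHEL derivatives
      dnf:
        name:
          - python3.12
          - python3.12-devel
        state: latest
      when: ansible_facts.os_family == 'RedHat'
      become: true

    # `creates` makes this a no-op when the venv directory already exists.
    - name: Create Kolla Ansible venv
      command:
        cmd: "{{ 'python3.12' if ansible_facts.os_family == 'RedHat' else 'python3' }} -m venv {{ kolla_ansible_venv_path }}"
        creates: "{{ kolla_ansible_venv_path }}"

    - name: Ensure the latest tested pip
      pip:
        name: "pip==23.*"
        state: latest
        virtualenv: "{{ kolla_ansible_venv_path }}"

    - name: Ensure the latest tested setuptools
      pip:
        name: "setuptools==67.2.0"
        state: latest
        virtualenv: "{{ kolla_ansible_venv_path }}"

    # `-c` applies the upper-constraints file so dependency versions stay
    # bounded. ansible_core_version_constraint is not defined in this file.
    - name: Install kolla-ansible and dependencies
      pip:
        extra_args: "-c {{ upper_constraints_file }}"
        name:
          - "{{ kolla_ansible_src_dir }}"
          - "ansible-core{{ ansible_core_version_constraint }}"
          - "ara[server]<1.7"
        virtualenv: "{{ kolla_ansible_venv_path }}"

    # The file itself is created 0640 even though its parent directory is
    # world-writable (see the note on /etc/kolla above).
    - name: Copy passwords.yml file
      copy:
        src: "{{ kolla_ansible_src_dir }}/etc/kolla/passwords.yml"
        dest: /etc/kolla/passwords.yml
        mode: "0640"
        remote_src: true

    # No path is passed, so kolla-genpwd works on its default passwords file;
    # presumably the /etc/kolla/passwords.yml copied above (confirm).
    - name: Generate passwords
      command: "{{ kolla_ansible_venv_path }}/bin/kolla-genpwd"

    # At this point we have generated all necessary configuration, and are
    # ready to test Hashicorp Vault.
    # base_distro is not defined in this file.
    - name: Run test-hashicorp-vault-passwords.sh script
      script:
        cmd: test-hashicorp-vault-passwords.sh
        executable: /bin/bash
        chdir: "{{ kolla_ansible_src_dir }}"
      environment:
        BASE_DISTRO: "{{ base_distro }}"
        KOLLA_ANSIBLE_VENV_PATH: "{{ kolla_ansible_venv_path }}"

    # slurp returns the whole file base64-encoded in the task result; no_log
    # keeps that secret material out of logged results. The registered
    # variable is still available to the assert below.
    - name: Read template file
      slurp:
        src: "/etc/kolla/passwords.yml"
      register: template_file
      no_log: true

    # NOTE(review): fixed path under /tmp holding password data. The script
    # that writes it is not shown here; confirm it creates the file with
    # restrictive permissions and that the file is removed after the job.
    - name: Read generated file
      slurp:
        src: "/tmp/passwords-hashicorp-vault.yml"
      register: generated_file
      no_log: true

    # This test will load in the original input file and the one that was
    # generated by Vault and ensure that the keys are the same in both files.
    # This ensures that we are not missing any passwords.
    # `sort` over the parsed mapping yields its keys only, so password values
    # are never compared or rendered by this task.
    - name: Check passwords that were written to Vault are as expected
      vars:
        input_passwords: "{{ template_file['content'] | b64decode | from_yaml | sort }}"
        output_passwords: "{{ generated_file['content'] | b64decode | from_yaml | sort }}"
      assert:
        that: "input_passwords == output_passwords"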