---
- name: Set fact docker_registry_route_hostname
  set_fact:
    docker_registry_route_hostname: "{{ 'docker-registry-default.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true)) }}"
  run_once: true

- name: Get the certificate contents for registry
  copy:
    backup: True
    dest: "/etc/origin/master/named_certificates/{{ item | basename }}"
    src: "{{ item }}"
  register: openshift_hosted_registry_certificate_content
  with_items:
  - "{{ (openshift_hosted_registry_route_certificates | default({'certfile':none})).certfile }}"
  - "{{ (openshift_hosted_registry_route_certificates | default({'keyfile':none})).keyfile }}"
  - "{{ (openshift_hosted_registry_route_certificates | default({'cafile':none})).cafile }}"
  when: openshift_hosted_registry_route_certificates

- debug: var=openshift_hosted_registry_route_termination

- name: Create passthrough route for docker-registry
  oc_route:
    name: docker-registry
    namespace: "{{ openshift_hosted_registry_namespace }}"
    service_name: docker-registry
    host: "{{ docker_registry_route_hostname }}"
    tls_termination: "{{ openshift_hosted_registry_route_termination }}"
    host: "{{ openshift_hosted_registry_route_host | default(docker_registry_route_hostname) }}"
    cert_path: "{{ ('certfile' in openshift_hosted_registry_route_certificates) | ternary('/etc/origin/master/named_certificates/' ~ (openshift_hosted_registry_route_certificates.certfile | basename), omit) }}"
    key_path: "{{ ('keyfile' in openshift_hosted_registry_route_certificates) | ternary('/etc/origin/master/named_certificates/' ~ (openshift_hosted_registry_route_certificates.keyfile | basename), omit) }}"
    cacert_path: "{{ ('cafile' in openshift_hosted_registry_route_certificates) | ternary('/etc/origin/master/named_certificates/' ~ (openshift_hosted_registry_route_certificates.cafile | basename), omit) }}"
    dest_cacert_path: "{{ (openshift_hosted_registry_route_termination == 'reencrypt') | ternary('/etc/origin/master/ca.crt', omit) }}"
  run_once: true

- name: Retrieve registry service IP
  oc_service:
    namespace: "{{ openshift_hosted_registry_namespace }}"
    name: docker-registry
    state: list
  register: docker_registry_service_ip
  run_once: true

- name: Create registry certificates
  oc_adm_ca_server_cert:
    signer_cert: "{{ openshift_master_config_dir }}/ca.crt"
    signer_key: "{{ openshift_master_config_dir }}/ca.key"
    signer_serial: "{{ openshift_master_config_dir }}/ca.serial.txt"
    hostnames:
    - "{{ docker_registry_service_ip.results.clusterip }}"
    - docker-registry.default.svc.cluster.local
    - "{{ docker_registry_route_hostname }}"
    cert: "{{ openshift_master_config_dir }}/registry.crt"
    key: "{{ openshift_master_config_dir }}/registry.key"
  register: server_cert_out

- name: Create the secret for the registry certificates
  oc_secret:
    name: registry-certificates
    namespace: "{{ openshift_hosted_registry_namespace }}"
    files:
    - name: registry.crt
      path: "{{ openshift_master_config_dir }}/registry.crt"
    - name: registry.key
      path: "{{ openshift_master_config_dir }}/registry.key"
  register: create_registry_certificates_secret_out

- name: Add the secret to the registry's pod service accounts
  oc_serviceaccount_secret:
    service_account: "{{ item }}"
    secret: registry-certificates
    namespace: "{{ openshift_hosted_registry_namespace }}"
  with_items:
  - registry
  - default

- name: Set facts for secure registry
  set_fact:
    registry_secure_volume_mounts:
    - name: registry-certificates
      path: /etc/secrets
      type: secret
      secret_name: registry-certificates
    registry_secure_env_vars:
      REGISTRY_HTTP_TLS_CERTIFICATE: /etc/secrets/registry.crt
      REGISTRY_HTTP_TLS_KEY: /etc/secrets/registry.key
    registry_secure_edits:
    - key: spec.template.spec.containers[0].livenessProbe.httpGet.scheme
      value: HTTPS
      action: put
    - key: spec.template.spec.containers[0].readinessProbe.httpGet.scheme
      value: HTTPS
      action: put

- name: Update openshift_hosted facts with secure registry variables
  set_fact:
    openshift_hosted_registry_volumes: "{{ openshift_hosted_registry_volumes | union(registry_secure_volume_mounts) }}"
    openshift_hosted_registry_env_vars: "{{ openshift_hosted_registry_env_vars | combine(registry_secure_env_vars) }}"
    openshift_hosted_registry_edits: "{{ openshift_hosted_registry_edits | union(registry_secure_edits) }}"
    openshift_hosted_registry_force: "{{ openshift_hosted_registry_force | union([server_cert_out.changed]) | union([create_registry_certificates_secret_out.changed]) }}"