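---
# Bootstraps a private CA for the node-feature-discovery addon and issues the
# nfd-master serving certificate from it. All key material lives under
# /etc/kubernetes/addons/node-feature-discovery/ca, owned by root and readable
# by root only (directory 0700, private keys 0600).
#
# Octal modes are quoted and booleans are written as true/false: an unquoted
# 0700 is an integer to a YAML 1.1 parser and yes/no are parser-dependent.

- name: create CA directory
  file:
    path: /etc/kubernetes/addons/node-feature-discovery/ca
    state: directory
    owner: root
    group: root
    mode: "0700"

- name: create CA private key
  openssl_privatekey:
    path: /etc/kubernetes/addons/node-feature-discovery/ca/key.pem
    type: RSA
    size: 4096
    owner: root
    group: root
    mode: "0600"

- name: create signing request for CA certificate
  openssl_csr:
    path: /etc/kubernetes/addons/node-feature-discovery/ca/csr.pem
    privatekey_path: /etc/kubernetes/addons/node-feature-discovery/ca/key.pem
    CN: "CA for kubernetes cluster addon node-feature discovery"
    useCommonNameForSAN: false
    # CA-only key usage; pathlen:0 means this CA cannot sign further CAs,
    # so a leaked leaf key cannot be turned into a sub-CA.
    key_usage:
      - cRLSign
      - keyCertSign
    key_usage_critical: true
    basic_constraints:
      - 'CA:TRUE'
      - 'pathlen:0'
    basic_constraints_critical: true

- name: create self-signed CA certificate
  openssl_certificate:
    path: /etc/kubernetes/addons/node-feature-discovery/ca/crt.pem
    csr_path: /etc/kubernetes/addons/node-feature-discovery/ca/csr.pem
    privatekey_path: /etc/kubernetes/addons/node-feature-discovery/ca/key.pem
    provider: selfsigned
    selfsigned_digest: sha256
    selfsigned_not_after: "+18250d"  # 50 years; this play never rotates the CA
    selfsigned_create_subject_key_identifier: always_create

# The CA certificate (public part only) is registered so that worker-side
# tasks can trust the nfd-master serving certificate.
- name: slurp CA certificate for worker to use
  slurp:
    src: /etc/kubernetes/addons/node-feature-discovery/ca/crt.pem
  register: node_feature_discovery_ca_certificate

- name: create private key for master certificate
  openssl_privatekey:
    path: /etc/kubernetes/addons/node-feature-discovery/ca/master.key
    type: RSA
    size: 4096
    owner: root
    group: root
    mode: "0600"

- name: create signing request for master certificate
  openssl_csr:
    path: /etc/kubernetes/addons/node-feature-discovery/ca/master.csr
    privatekey_path: /etc/kubernetes/addons/node-feature-discovery/ca/master.key
    CN: nfd-master
    # SANs cover the in-cluster service name (cluster DNS domain is
    # configurable, defaulting to cluster.local) and localhost.
    subject_alt_name:
      - "DNS:nfd-master"
      - "DNS:nfd-master.node-feature-discovery.svc.{{ kubernetes.dns_domain | default('cluster.local') }}"
      - "DNS:localhost"
    key_usage:
      - digitalSignature
    key_usage_critical: true
    extended_key_usage:
      - serverAuth
      - clientAuth  # this cert is also used for health checks
    extended_key_usage_critical: true
    basic_constraints:
      - 'CA:FALSE'
    basic_constraints_critical: true

- name: check if master certificate exists
  stat:
    path: /etc/kubernetes/addons/node-feature-discovery/ca/master.crt
  register: node_feature_discovery_master_certificate_stat

# Only inspect an existing certificate; when the file is absent this task is
# skipped and the registered result carries no valid_at data.
- name: check master certificate validity
  when: node_feature_discovery_master_certificate_stat.stat.exists
  openssl_certificate_info:
    path: /etc/kubernetes/addons/node-feature-discovery/ca/master.crt
    valid_at:
      ten_years: '+3650d'
  register: node_feature_discovery_master_certificate_info

- name: create master certificate
  openssl_certificate:
    path: /etc/kubernetes/addons/node-feature-discovery/ca/master.crt
    csr_path: /etc/kubernetes/addons/node-feature-discovery/ca/master.csr
    provider: ownca
    ownca_path: /etc/kubernetes/addons/node-feature-discovery/ca/crt.pem
    ownca_privatekey_path: /etc/kubernetes/addons/node-feature-discovery/ca/key.pem
    ownca_digest: sha256
    ownca_not_after: "+18250d"  # 50 years
    # Re-issue an existing certificate only if it would no longer be valid ten
    # years from now. The "exists and ..." form keeps the validity lookup from
    # being evaluated when the info task above was skipped.
    force: "{{ node_feature_discovery_master_certificate_stat.stat.exists and (not node_feature_discovery_master_certificate_info.valid_at.ten_years) }}"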