# NOTE: This is included from two paths to set up the bridge/bastion
# host in different circumstances:
#
# 1) Gate tests -- here Zuul is running this on the executor against
#    ephemeral nodes.  It uses the "bastion" group as defined in the
#    system-config-run jobs.
#
# 2) Production -- here we actually run against the real bastion host.
#    The host is dynamically added in opendev/base-jobs before this
#    runs, and put into a group called "bastion".
#
# In both cases, the "bastion" group has one entry, which is the
# bastion host to run against.

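# NOTE(review): the header comment refers to a "bastion" group, but this
# play and the constructed inventory below use "prod_bastion" -- confirm
# the group name against the system-config-run jobs and opendev/base-jobs.
- hosts: prod_bastion[0]:!disabled
  name: "Bridge: bootstrap the bastion host"
  become: true
  tasks:

    - name: Install ansible
      include_role:
        name: install-ansible

    # This is the key that bridge uses to log into remote hosts.
    #
    # For production, this root-key variable is kept with the others
    # in the Ansible production secrets.  Thus we need to deploy via
    # the local Ansible we just installed that will load these
    # variables.  Remote hosts have trusted this from their bringup
    # procedure.
    #
    # In testing, we have been called with "root_rsa_key" variable set
    # with an ephemeral key.  In this case, we pass it in as a "-e"
    # variable directly from the file written on disk.  The testing
    # ephemeral nodes have been made to trust this by the multinode
    # setup.
    #
    # NOTE(ianw) : Another option here is to keep the root key as a
    # secret directly in Zuul, which could be written out directly
    # here.  Maybe one day we will do something like this.
    - name: Create root key variable when testing
      when: root_rsa_key is defined
      block:
        - name: Create vars dict
          # The fact value is the private key itself; keep it out of
          # the task result that Ansible prints/logs.
          no_log: true
          set_fact:
            _root_rsa_key_dict:
              root_rsa_key: '{{ root_rsa_key }}'

        - name: Save extra-vars
          # Written as root (play runs with become), and read back by
          # the root-owned ansible-playbook run below, so 0600 is
          # sufficient.  Without an explicit mode the key file would
          # be created world-readable; no_log keeps the content out
          # of verbose/diff output.
          no_log: true
          copy:
            content: '{{ _root_rsa_key_dict | to_nice_json }}'
            dest: '/home/zuul/root-rsa-key.json'
            mode: '0600'

        - name: Save abstracted inventory file
          # Minimal inventory naming only this host, so the bootstrap
          # playbook can target prod_bastion before the real inventory
          # for testing has been built.
          copy:
            content: |
                {{ inventory_hostname }}
                [prod_bastion]
                {{ inventory_hostname }}
            dest: '/home/zuul/bastion-inventory.ini'

    - name: Make ansible log directory
      file:
        path: '/var/log/ansible'
        state: directory
        owner: root
        # Quoted so the mode is passed as an octal string rather than
        # relying on the YAML 1.1 leading-zero octal rule.
        mode: '0755'

    - name: Install root key
      # The date lookup runs where this play executes, not on the
      # bastion; it only names the log file.
      shell: >-
          ansible-playbook -v ${ROOT_RSA_KEY} ${BRIDGE_INVENTORY}
          /home/zuul/src/opendev.org/opendev/system-config/playbooks/zuul/run-production-bootstrap-bridge-add-rootkey.yaml
          > /var/log/ansible/install-root-key.{{ lookup('pipe', 'date +%Y-%m-%dT%H:%M:%S') }}.log 2>&1
      environment:
        ROOT_RSA_KEY: '{{ "-e @/home/zuul/root-rsa-key.json" if root_rsa_key is defined else "" }}'
        # In production "install-ansible" has setup ansible to point
        # to the system-config inventory which has the bastion group
        # in it.  In the gate, bridge is ephemeral and we haven't yet
        # built the inventory to use for testing (that is done in
        # zuul/run-base.yaml).  Use this constructed inventory.
        BRIDGE_INVENTORY: '{{ "-i/home/zuul/bastion-inventory.ini" if root_rsa_key is defined else "" }}'
        ANSIBLE_ROLES_PATH: '/home/zuul/src/opendev.org/opendev/system-config/playbooks/roles'
      no_log: true

    - name: Setup global known_hosts
      include_role:
        name: add-inventory-known-hosts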