---
- name: Calico | Run kube proxy
  run_once: true
  import_role:
    name: kube_proxy_and_dns

- include_tasks: certs.yml

- name: Calico | Clean Calico etcd data
  when: calico_cleanup_path is defined and calico_cleanup_path != ""
  file:
    state: absent
    path: "{{ calico_cleanup_path }}"

- name: Calico | oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:calico-node
  oc_adm_policy_user:
    user: system:serviceaccount:kube-system:calico-node
    resource_kind: scc
    resource_name: privileged
    state: present

- name: Calico | oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:calico-kube-controllers
  oc_adm_policy_user:
    user: system:serviceaccount:kube-system:calico-kube-controllers
    resource_kind: scc
    resource_name: privileged
    state: present

- name: Calico | oc adm policy add-scc-to-user privileged system:serviceaccount:kube-system:calico-upgrade-job
  oc_adm_policy_user:
    user: system:serviceaccount:kube-system:calico-upgrade-job
    resource_kind: scc
    resource_name: privileged
    state: present

- name: Calico | Set default selector for kube-system
  command: >
    {{ openshift_client_binary }}
    --config={{ openshift.common.config_base }}/master/admin.kubeconfig
    annotate  ns kube-system openshift.io/node-selector="" --overwrite

- name: Calico | Create temp directory
  command: mktemp -d /tmp/openshift-ansible-XXXXXXX
  register: mktemp
  changed_when: False

- name: Calico | Write separate Calico etcd manifest
  when: use_calico_etcd
  template:
    dest: "{{ mktemp.stdout }}/calico-etcd.yml"
    src: calico-etcd.yml.j2

- name: Calico | Launch separate Calico etcd
  when: use_calico_etcd
  command: >
    {{ openshift_client_binary }} apply
    -f {{ mktemp.stdout }}/calico-etcd.yml
    --config={{ openshift.common.config_base }}/master/admin.kubeconfig
  register: calico_etcd_create_output
  failed_when: "calico_etcd_create_output.rc != 0"
  changed_when: "('created' in calico_etcd_create_output.stdout) or ('configured' in calico_etcd_create_output.stdout)"

- name: Calico | Parse node version
  set_fact:
    node_version: "{{ calico_node_image | regex_replace('^.*node:v?(.*)$', '\\1') }}"
    cnx: "{{ calico_node_image | regex_replace('^.*/(.*)-node:.*$', '\\1') }}"
    use_calico_credentials: "{{ calico_image_credentials is defined | bool }}"

- name: Calico | Encode Docker Credentials
  shell: >
    cat {{ calico_image_credentials }} | openssl base64 -A
  register: calico_encoded_credentials_output
  failed_when: "calico_encoded_credentials_output.rc != 0 or calico_encoded_credentials_output.stdout == ''"
  when: use_calico_credentials

- name: Calico | Set Encoded Docker Credentials Fact
  set_fact:
    calico_encoded_credentials: "{{ calico_encoded_credentials_output.stdout }}"
  when: use_calico_credentials

- name: Calico | Write Calico Pull Secret
  template:
    dest: "{{ mktemp.stdout }}/calico-pull-secret.yml"
    src: calico-pull-secret.yml.j2
  when: use_calico_credentials

- name: Calico | Create Calico Pull Secret
  when: use_calico_credentials
  command: >
    {{ openshift_client_binary }} apply
    -f {{ mktemp.stdout }}/calico-pull-secret.yml
    --config={{ openshift.common.config_base }}/master/admin.kubeconfig
  register: calico_pull_secret_create_output
  failed_when: "calico_pull_secret_create_output.rc != 0"
  changed_when: "('created' in calico_pull_secret_create_output.stdout) or ('configured' in calico_pull_secret_create_output.stdout)"

- name: Calico | Set the correct liveness and readiness checks
  set_fact:
    calico_binary_checks: "{{ (node_version > '3.2.0' and cnx != 'cnx') or (node_version > '2.2.0' and cnx == 'cnx') | bool }}"

- name: Calico | Write Calico v2
  template:
    dest: "{{ mktemp.stdout }}/calico.yml"
    src: calico.yml.j2
  when:
    - node_version | regex_search('^[0-9]\.[0-9]\.[0-9]') and node_version < '3.0.0'
    - cnx != "cnx"

- name: Calico | Write Calico v3
  template:
    dest: "{{ mktemp.stdout }}/calico.yml"
    src: calicov3.yml.j2
  when: (node_version | regex_search('^[0-9]\.[0-9]\.[0-9]') and node_version >= '3.0.0') or (node_version == 'master') or (cnx == "cnx" and node_version >= '2.0.0')

- name: Calico | Launch Calico
  run_once: true
  command: >
    {{ openshift_client_binary }} apply
    -f {{ mktemp.stdout }}/calico.yml
    --config={{ openshift.common.config_base }}/master/admin.kubeconfig
  register: calico_create_output
  failed_when: "calico_create_output.rc != 0"
  changed_when: "('created' in calico_create_output.stdout) or ('configured' in calico_create_output.stdout)"

- name: Calico | Delete temp directory
  file:
    name: "{{ mktemp.stdout }}"
    state: absent
  changed_when: False