acs-playbooks/roles/deploy-central/tasks/main.yml

---
- name: is there already a subscription?
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: operators.coreos.com/v1alpha1
    kind: subscription
    namespace: rhacs
    name: rhacs
  register: sub

- name: oi - is there already an operator?
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: operators.coreos.com/v1alpha1
    kind: clusterserviceversion
    name: "{{ sub.resources[0].status.installedCSV }}"
    namespace: rhacs
  register: csv
  when:
    - sub.resources is defined
    - (sub.resources | length) > 0
    - sub.resources[0].spec.name == "rhacs-operator"
    - sub.resources[0].status.installedCSV is defined

- name: assert csv is there
  set_fact:
    csv_is_there: true

- name: reset the above fact if not the case
  set_fact:
    csv_is_there: false
  when: (csv is not defined) or (csv.resources is not defined) or (csv.resources | length == 0) or (csv.resources[0].status.phase != "Succeeded")

- name: is there a central pod?
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: v1
    kind: pod
    namespace: rhacs
    label_selectors:
      - app=central
  register: central

- name: assert central is there
  set_fact:
    central_is_there: true

- name: reset the above fact if not the case
  set_fact:
    central_is_there: false
  when: (central is not defined) or (central.resources is not defined) or (central.resources | length == 0) or (central.resources[0].status.phase != "Running")

- name: create ns, og, and sub
  kubernetes.core.k8s:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    template: templates/central-ns-and-sub.yml
  when: not csv_is_there

- name: wait until csv is there and ready
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: operators.coreos.com/v1alpha1
    kind: clusterserviceversion
    name: rhacs-operator.v{{ acs_z }}
    namespace: rhacs
  when: not csv_is_there
  register: csv
  until: (csv.resources | length) > 0 and csv.resources[0].status.phase == "Succeeded"
  retries: 30
  delay: 5

- name: deploy cr
  kubernetes.core.k8s:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    src: files/central-cr.yml
  when: not central_is_there

- name: wait for central pod to be up
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: v1
    kind: pod
    namespace: rhacs
    label_selectors:
      - app=central
  when: not central_is_there
  register: central
  until: (central.resources | length) > 0 and central.resources[0].status.phase == "Running"
  retries: 30
  delay: 5

- name: look up route
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: route.openshift.io/v1
    kind: route
    namespace: rhacs
    name: central
  register: central_route

- assert:
    that: central_route.resources | length > 0
    fail_msg: "ERROR: Central seems to be there, but route is not present."
    success_msg: "OK, got route to Central."

- name: store route hostname as fact
  set_fact:
    central_ep: "{{ central_route.resources[0].spec.host }}"

- name: store the api endpoint in a file
  copy:
    dest: "{{ ansible_facts['user_dir'] }}/api-endpoint"
    content: "{{ central_ep }}:443"

- name: look up secret
  kubernetes.core.k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-ocp4"
    validate_certs: no
    api_version: v1
    kind: secret
    namespace: rhacs
    name: central-htpasswd
  register: central_secret

- assert:
    that: central_secret.resources | length > 0
    fail_msg: "ERROR: Central seems to be there, but auth secret is not present."
    success_msg: "OK, got secret to Central."

- name: store central pass as fact
  set_fact:
    central_pass: "{{ central_secret.resources[0].data.password }}"

- name: store the password in a file
  copy:
    dest: "{{ ansible_facts['user_dir'] }}/api-password"
    content: "{{ central_pass | string | b64decode }}"

- name: wait for central to be up
  uri:
    method: GET
    force_basic_auth: true
    return_content: true
    validate_certs: false
    url: "https://{{ central_ep }}/v1/centralhealth/upgradestatus"
    url_username: admin
    url_password: "{{ central_pass | string | b64decode }}"
    headers:
      Accept: application/json
      Content-Type: application/json
  register: central_status
  until: central_status.status == 200
  retries: 30
  delay: 5

- name: does a token exist?
  uri:
    method: GET
    force_basic_auth: true
    return_content: true
    validate_certs: false
    url: "https://{{ central_ep }}/v1/apitokens?revoked=false"
    url_username: admin
    url_password: "{{ central_pass | string | b64decode }}"
    headers:
      Accept: application/json
      Content-Type: application/json
  register: token_list

- name: generate an api token
  uri:
    method: POST
    force_basic_auth: true
    return_content: true
    validate_certs: false
    url: "https://{{ central_ep }}/v1/apitokens/generate"
    url_username: admin
    url_password: "{{ central_pass | string | b64decode }}"
    body_format: json
    body: '{"name":"automation","role":null,"roles":["Admin"]}'
    headers:
      Accept: application/json
      Content-Type: application/json
  register: api_token
  when: (token_list.json.tokens | items2dict(key_name='name', value_name='revoked'))["automation"] is not defined

- name: store api token in a file
  copy:
    dest: "{{ ansible_facts['user_dir'] }}/api-token"
    content: "{{ api_token.json.token }}"
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
    mode: 0600
  when: (api_token.skipped is not defined) or (not api_token.skipped)

- name: check if policies have been stored
  stat:
    path: "{{ ansible_facts['user_dir'] }}/api-policies"
  register: default_policy_file

- name: read token if not defined
  set_fact:
    api_token:
      json:
        token: "{{ lookup('file', ansible_facts['user_dir'] + '/api-token') }}"
  when:
    - ((api_token.json is not defined) or (api_token.json.token is not defined))
    - default_policy_file.stat is defined
    - not default_policy_file.stat.exists

- name: get a list of default policies for later reference
  uri:
    method: GET
    return_content: true
    validate_certs: false
    url: "https://{{ central_ep }}/v1/policies"
    headers:
      Accept: application/json
      Authorization: Bearer {{ api_token.json.token }}
  register: default_policies
  when:
    - default_policy_file.stat is defined
    - not default_policy_file.stat.exists

- name: create an export of all policies returned above
  uri:
    method: POST
    return_content: true
    validate_certs: false
    url: "https://{{ central_ep }}/v1/policies/export"
    headers:
      Content-Type: application/json
      Accept: application/json
      Authorization: Bearer {{ api_token.json.token }}
    body: '{ "policyIds": {{ default_policies.json | json_query("policies[*].id") | list | to_json }}}'
    body_format: json
  register: export_policies
  when: (default_policies.skipped is not defined) or (not default_policies.skipped)

- name: store default policies in a file
  copy:
    dest: "{{ ansible_facts['user_dir'] }}/api-policies"
    content: "{{ export_policies.json }}"
    owner: "{{ ansible_user }}"
    group: "{{ ansible_user }}"
    mode: 0600
  when: (export_policies.skipped is not defined) or (not export_policies.skipped)
...