- name: Install unzip dependency.
  package:
    name: unzip
    state: present
  delegate_to: "127.0.0.1"
  when:
    - node_certs_generator

- name: Check if certificate exists locally
  stat:
    path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt"
  register: certificate_file_exists

- name: Write the instances.yml file in the selected node (force = no)
  template:
    src: instances.yml.j2
    dest: "{{ node_certs_source }}/instances.yml"
    force: no
  register: instances_file_exists
  tags:
    - config
    - xpack-security
  when:
    - node_certs_generator
    - not certificate_file_exists.stat.exists

- name: Update instances.yml status after generation
  stat:
    path: "{{ node_certs_source }}/instances.yml"
  register: instances_file_exists
  when:
    - node_certs_generator

- name: Check if the certificates ZIP file exists
  stat:
    path: "{{ node_certs_source }}/certs.zip"
  register: xpack_certs_zip
  when:
    - node_certs_generator

- name: Importing custom CA key
  copy:
    src: "{{ master_certs_path }}/ca/{{ ca_key_name }}"
    dest: "{{ node_certs_source }}/{{ ca_key_name }}"
    mode: '0664'
  when:
   - not generate_CA
   - node_certs_generator
  tags: xpack-security

- name: Importing custom CA cert
  copy:
    src: "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
    dest: "{{ node_certs_source }}/{{ ca_cert_name }}"
    mode: '0664'
  when:
    - not generate_CA
    - node_certs_generator
  tags: xpack-security

- name: Generating certificates for Elasticsearch security (generating CA)
  command: >-
    /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem
    --in {{ node_certs_source }}/instances.yml
    --out {{ node_certs_source }}/certs.zip
  when:
    - node_certs_generator
    - not xpack_certs_zip.stat.exists
    - generate_CA
  tags: xpack-security

- name: Generating certificates for Elasticsearch security (using provided CA | Without CA Password)
  command: >-
    /usr/share/elasticsearch/bin/elasticsearch-certutil cert
    --ca-key {{ node_certs_source }}/{{ ca_key_name }}
    --ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
    --pem --in {{ node_certs_source }}/instances.yml
    --out {{ node_certs_source }}/certs.zip
  when:
    - node_certs_generator
    - not xpack_certs_zip.stat.exists
    - not generate_CA
    - ca_password | length == 0
  tags: xpack-security

- name: Generating certificates for Elasticsearch security (using provided CA | Using CA Password)
  command: >-
    /usr/share/elasticsearch/bin/elasticsearch-certutil cert
    --ca-key {{ node_certs_source }}/{{ ca_key_name }}
    --ca-cert {{ node_certs_source }}/{{ ca_cert_name }}
    --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
    --ca-pass {{ ca_password }}
  when:
    - node_certs_generator
    - not xpack_certs_zip.stat.exists
    - not generate_CA
    - ca_password | length > 0
  tags: xpack-security

- name: Verify the Elastic certificates directory
  file:
    path: "{{ master_certs_path }}"
    state: directory
    mode: '0700'
  delegate_to: "127.0.0.1"
  when:
    - node_certs_generator

- name: Verify the Certificates Authority directory
  file:
    path: "{{ master_certs_path }}/ca/"
    state: directory
    mode: '0700'
  delegate_to: "127.0.0.1"
  when:
    - node_certs_generator

- name: Copying certificates to Ansible master
  fetch:
    src: "{{ node_certs_source }}/certs.zip"
    dest: "{{ master_certs_path }}/"
    flat: yes
    mode: 0700
  when:
    - node_certs_generator
  tags: xpack-security

- name: Delete certs.zip in Generator node
  file:
    state: absent
    path: "{{ node_certs_source }}/certs.zip"
  when:
    - node_certs_generator

- name: Unzip generated certs.zip
  unarchive:
    src: "{{ master_certs_path }}/certs.zip"
    dest: "{{ master_certs_path }}/"
  become: true
  delegate_to: "127.0.0.1"
  when:
    - node_certs_generator
  tags: xpack-security

- name: Copying node's certificate from master
  copy:
    src: "{{ item }}"
    dest: "{{ node_certs_destination }}/"
  with_items:
    - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
    - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
    - "{{ master_certs_path }}/ca/ca.crt"
  when:
    - generate_CA
  tags: xpack-security

- name: Copying node's certificate from master (Custom CA)
  copy:
    src: "{{ item }}"
    dest: "{{ node_certs_destination }}/"
  with_items:
    - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.key"
    - "{{ master_certs_path }}/{{ elasticsearch_node_name }}/{{ elasticsearch_node_name }}.crt"
    - "{{ master_certs_path }}/ca/{{ ca_cert_name }}"
  when:
    - not generate_CA
  tags: xpack-security

- name: Ensuring folder permissions
  file:
    path: "{{ node_certs_destination }}/"
    mode: '0774'
    state: directory
    recurse: yes
  when:
    - elasticsearch_xpack_security
    - generate_CA
  tags: xpack-security

- name: Set elasticsearch bootstrap password
  command: >-
     set -o pipefail
     echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password
  when:
    - node_certs_generator