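---
# file: roles/mariadb_cluster/tasks/certificates.yml
#
# Builds a self-signed CA on the cluster master, pushes the CA *certificate*
# (public material only) to every cluster member through the controller, then
# includes certificates-server.yml once per member for the server certificates.
#
# Expected variables (defined elsewhere in the role / inventory):
#   mariadb_cluster_master       - inventory_hostname that owns the CA
#   mariadb_cluster_cert_length  - value passed to selfsigned_not_after
#   groups['mariadb_cluster']    - all members that need certificates

- name: Ensure directory exists for local self-signed TLS certs
  # No explicit mode is set, so the directory permissions follow the remote umask.
  ansible.builtin.file:
    path: /etc/ssl/galera/
    state: directory
    owner: mysql
    group: mysql
    recurse: true

# The CA key pair is generated on the master only and never leaves that host;
# the other members receive just the CA certificate (see the copy task below).
- name: CA Setup
  when: inventory_hostname == mariadb_cluster_master
  block:
    - name: Generate an OpenSSL private key
      community.crypto.openssl_privatekey:
        path: /etc/ssl/galera/ca-certificate.key
        # Explicit so the CA key is never left to the umask; 0600 matches the
        # module's own default for private keys.
        mode: '0600'

    # The CSR is produced in memory (no file written), hence changed_when: false.
    - name: Create certificate signing request (CSR) for CA certificate
      community.crypto.openssl_csr_pipe:
        privatekey_path: /etc/ssl/galera/ca-certificate.key
        common_name: Galera-Ansible
        use_common_name_for_san: false
        basic_constraints:
          - 'CA:TRUE'
        basic_constraints_critical: true
        key_usage:
          - keyCertSign
        key_usage_critical: true
      register: ca_csr
      changed_when: false

    - name: Create self-signed CA certificate from CSR
      community.crypto.x509_certificate:
        path: /etc/ssl/galera/ca-certificate.pem
        csr_content: "{{ ca_csr.csr }}"
        privatekey_path: /etc/ssl/galera/ca-certificate.key
        # Validity period comes from the role variable; adjust there, not here.
        selfsigned_not_after: "{{ mariadb_cluster_cert_length }}"
        provider: selfsigned

    # Only the public CA certificate is staged on the controller. The path is
    # fixed, so a stale file from an earlier run would be reused if this task
    # were skipped; it is always re-fetched while the block runs.
    - name: Copy ca-certificate locally for transfer
      ansible.builtin.fetch:
        src: /etc/ssl/galera/ca-certificate.pem
        dest: /tmp/galera-ca-certificate.pem
        flat: true

# Runs on every member, including the master, where it rewrites the file with
# identical content (no change reported).
- name: Transfer ca cert to other members
  ansible.builtin.copy:
    src: /tmp/galera-ca-certificate.pem
    dest: /etc/ssl/galera/ca-certificate.pem
    owner: mysql
    group: mysql
    mode: '0644'

# One include per cluster member; extended loop_control exposes
# ansible_loop.* (index, first/last, ...) to the included file.
- name: Server Certificates
  ansible.builtin.include_tasks: certificates-server.yml
  loop: "{{ groups['mariadb_cluster'] }}"
  loop_control:
    extended: true

# Re-applies ownership to everything created above. NOTE(review): on the master
# this also chowns the CA private key to mysql; if the database service user
# should not be able to read the CA key, restrict that file separately.
- name: Ensure mysql has permissions to access certs
  ansible.builtin.file:
    path: /etc/ssl/galera/
    state: directory
    owner: mysql
    group: mysql
    recurse: true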