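---
# Install SSL/TLS certificates when a platinum license is present.
#
# Manual equivalents, kept for reference:
#   ES_PATH_CONF="/etc/elasticsearch/ases1" && export ES_PATH_CONF
#   /usr/share/elasticsearch/bin/x-pack/setup-passwords auto --url https://localhost:9200
#
# Variables read: conf_dir, es_ssl_config (keys: enabled, ip, dns), es_platinum_license,
# es_ssl_regen_cert / es_ssl_regen_certs, groups['kibana_droplets'], hostvars[*].ansible_host.
# Facts set: es_ssl_pass, es_http_type.

- name: Resolve the password used for the CA, the node certificates and the keystore entries
  # The literal "test" used to be repeated in every command below. Callers may now override
  # it (e.g. from an Ansible Vault file); the default keeps the previous behaviour.
  set_fact:
    es_ssl_pass: "{{ es_ssl_pass | default('test') }}"
  no_log: true

- name: Ensure /etc/ssl/elasticsearch folder exists
  file:
    path: /etc/ssl/elasticsearch
    state: directory
    owner: elasticsearch
    group: elasticsearch
    mode: "0755"  # quoted so YAML does not turn the mode into an integer
  become: true  # creating a directory under /etc and chowning it needs root
  register: es_ssl_folder

- name: Verify if elastic CA keys are present
  stat:
    path: /etc/ssl/elasticsearch/elastic-ca.p12
  become: true
  become_user: elasticsearch
  register: es_ssl_ca_present
  # No "when: es_ssl_folder" guard here: a registered result is a non-empty mapping and is
  # always truthy, so the original guard never skipped this task.

- name: Generate SSL/TLS CA Authority (required for platinum license)
  environment:
    ES_PATH_CONF: "{{ conf_dir }}"
  # Folded scalar: rendered as a single command line. certutil only takes the password
  # as an argument, so it is visible in the process list while the command runs.
  command: >-
    /usr/share/elasticsearch/bin/x-pack/certutil ca --silent
    -out /etc/ssl/elasticsearch/elastic-ca.p12
    -pass "{{ es_ssl_pass }}"
  become: true
  become_user: elasticsearch
  register: elastic_ca
  when: es_platinum_license is defined and es_ssl_config["enabled"] is defined and not es_ssl_ca_present.stat.exists

- name: Ensure /usr/local/share/ca-certificates/local-elastic-ca folder exists
  file:
    path: /usr/local/share/ca-certificates/local-elastic-ca
    state: directory
    owner: root
    group: root
    mode: "0755"
  become: true  # root-owned directory under /usr/local
  register: es_ca_folder

- name: Extract CA certificate to the trusted CA folder
  # The PKCS#12 password is passed through the environment (-passin env:) instead of on
  # the command line, so it is not exposed via the process list.
  environment:
    ES_SSL_PASS: "{{ es_ssl_pass }}"
  command: >-
    openssl pkcs12 -in /etc/ssl/elasticsearch/elastic-ca.p12 -clcerts -nokeys
    -out /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt
    -passin env:ES_SSL_PASS
  become: true
  # Only run when the CA bundle actually exists (either found by the stat above or just
  # generated). The original "when: es_ca_folder" was always true, so openssl failed on
  # hosts that never had a CA.
  when: es_ssl_ca_present.stat.exists or elastic_ca is changed

- name: Add CA certificate to cacerts
  become: true
  command: update-ca-certificates

- name: Verify if elastic Cert keys are present
  # NOTE(review): nothing here creates {{ conf_dir }}/ssl; certutil --out below presumably
  # needs it to exist — confirm it is created by an earlier task.
  stat:
    path: "{{ conf_dir }}/ssl/{{ es_ssl_config['dns'] }}.p12"
  become: true
  become_user: elasticsearch
  register: es_ssl_cert_present

- name: Generate SSL/TLS certificate for ES (required for platinum license)
  environment:
    ES_PATH_CONF: "{{ conf_dir }}"
  command: >-
    /usr/share/elasticsearch/bin/x-pack/certutil cert --silent
    --ca /etc/ssl/elasticsearch/elastic-ca.p12 --ca-pass "{{ es_ssl_pass }}"
    --ip {{ es_ssl_config['ip'] }}
    --dns {{ es_ssl_config['dns'] }},localhost
    --out {{ conf_dir }}/ssl/{{ es_ssl_config['dns'] }}.p12
    --pass "{{ es_ssl_pass }}"
  become: true
  become_user: elasticsearch
  # The ES task used es_ssl_regen_cert and the Kibana task es_ssl_regen_certs; either
  # spelling now forces regeneration in both places.
  when: >-
    es_ssl_regen_cert is defined or es_ssl_regen_certs is defined
    or not es_ssl_cert_present.stat.exists

- name: Add SSL/TLS keystore password to ES keystore (required for platinum license)
  environment:
    ES_PATH_CONF: "{{ conf_dir }}"
  # The password is fed on stdin (command module adds the trailing newline, as the
  # original "echo | ..." did) rather than embedded in a shell string.
  command: >-
    /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent
    xpack.security.http.ssl.keystore.secure_password -x --force
  args:
    stdin: "{{ es_ssl_pass }}"
  become: true
  become_user: elasticsearch
  # NOTE(review): elastic_ca is a registered result and therefore a non-empty mapping even
  # when the CA task was skipped, so this condition is effectively always true. Kept as-is
  # because later runs rely on the keystore entries and es_http_type being set.
  when: elastic_ca

- name: Add SSL/TLS truststore password to ES keystore (required for platinum license)
  environment:
    ES_PATH_CONF: "{{ conf_dir }}"
  command: >-
    /usr/share/elasticsearch/bin/elasticsearch-keystore add --silent
    xpack.security.http.ssl.truststore.secure_password -x --force
  args:
    stdin: "{{ es_ssl_pass }}"
  become: true
  become_user: elasticsearch
  when: elastic_ca  # see the note on the keystore task above

- name: Set fact es_http_type to HTTPS
  set_fact:
    es_http_type: https
  when: elastic_ca  # effectively always true, see the keystore task above

##################################### Kibana certificates #####################################

- name: Verify if kibana Cert keys are present
  stat:
    path: "/etc/ssl/elasticsearch/kb-{{ item }}.zip"
  become: true
  become_user: elasticsearch
  register: es_kb_ssl_cert_present
  loop: "{{ groups['kibana_droplets'] }}"

- name: Generate SSL/TLS certificate for Kibana
  environment:
    ES_PATH_CONF: "{{ conf_dir }}"
  # item is one result of the stat loop above: item.item is the Kibana host name,
  # item.stat.exists tells whether its zip already exists.
  command: >-
    /usr/share/elasticsearch/bin/x-pack/certutil cert --silent
    --ca /etc/ssl/elasticsearch/elastic-ca.p12 --ca-pass "{{ es_ssl_pass }}"
    --ip "{{ hostvars[item.item].ansible_host }}"
    --dns {{ item.item }},localhost
    --out /etc/ssl/elasticsearch/kb-{{ item.item }}.zip
    --pem --name {{ item.item }}
  become: true
  become_user: elasticsearch
  when: es_ssl_regen_cert is defined or es_ssl_regen_certs is defined or not item.stat.exists
  loop: "{{ es_kb_ssl_cert_present.results }}"

- name: Find kibana certificates in /etc/ssl/elasticsearch
  find:
    paths: /etc/ssl/elasticsearch
    patterns: 'kb-.*\.zip'
    use_regex: true
  register: es_kb_ssl_cert_archives

- name: Show the Kibana certificate archives that were found
  debug:
    msg: "Found Kibana certificate ZIP files: {{ es_kb_ssl_cert_archives }}"

# Earlier attempts at unpacking the archives on the ES host, kept for reference:
# - name: Unarchive certificates for Kibana
#   unarchive:
#     src: "{{ item.path }}"
#     dest: "{{ item.path | regex_replace('(.*).zip$', '\\1') }}"
#     remote_src: true
#   become: true
#   become_user: elasticsearch
#   loop: "{{ es_kb_ssl_cert_archives.files }}"
#
# - name: Unarchive certificates for Kibana
#   command: unzip {{ item.path }}
#   become: true
#   become_user: elasticsearch
#   loop: "{{ es_kb_ssl_cert_archives.files }}"
#
# - name: Find kibana certificate directories in /etc/ssl/elasticsearch
#   find:
#     paths: /etc/ssl/elasticsearch
#     patterns: 'kb-.*'
#     use_regex: true
#     file_type: directory
#   register: es_kb_ssl_cert_folder

- name: Fetch certificates for Kibana
  # NOTE(review): the zips contain private keys (--pem output) and are copied to
  # /tmp/certs/ on the controller; confirm that location's permissions are acceptable.
  fetch:
    src: "{{ item.path }}"
    dest: /tmp/certs/
    flat: true
  loop: "{{ es_kb_ssl_cert_archives.files }}"

- name: Fetch CA certificate from primary ES server
  fetch:
    src: /usr/local/share/ca-certificates/local-elastic-ca/elastic-ca.crt
    dest: /tmp/certs/
    flat: true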