---
- name: Ensure generated_certs directory present
  file:
    path: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
    state: directory
    mode: 0700
  with_items: etcd_needing_server_certs

- name: Create the server csr
  command: >
    openssl req -new -keyout {{ item.etcd_cert_prefix }}server.key
    -config {{ etcd_openssl_conf }}
    -out {{ item.etcd_cert_prefix }}server.csr
    -reqexts {{ etcd_req_ext }} -batch -nodes
    -subj /CN={{ item.etcd_hostname }}
  args:
    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
                 ~ item.etcd_cert_prefix ~ 'server.csr' }}"
  environment:
    SAN: "IP:{{ item.etcd_ip }}"
  with_items: etcd_needing_server_certs

- name: Sign and create the server crt
  command: >
    openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
    -out {{ item.etcd_cert_prefix }}server.crt
    -in {{ item.etcd_cert_prefix }}server.csr
    -extensions {{ etcd_ca_exts_server }} -batch
  args:
    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
                 ~ item.etcd_cert_prefix ~ 'server.crt' }}"
  environment:
    SAN: "IP:{{ item.etcd_ip }}"
  with_items: etcd_needing_server_certs

- name: Create the peer csr
  command: >
    openssl req -new -keyout {{ item.etcd_cert_prefix }}peer.key
    -config {{ etcd_openssl_conf }}
    -out {{ item.etcd_cert_prefix }}peer.csr
    -reqexts {{ etcd_req_ext }} -batch -nodes
    -subj /CN={{ item.etcd_hostname }}
  args:
    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
                 ~ item.etcd_cert_prefix ~ 'peer.csr' }}"
  environment:
    SAN: "IP:{{ item.etcd_ip }}"
  with_items: etcd_needing_server_certs

- name: Sign and create the peer crt
  command: >
    openssl ca -name {{ etcd_ca_name }} -config {{ etcd_openssl_conf }}
    -out {{ item.etcd_cert_prefix }}peer.crt
    -in {{ item.etcd_cert_prefix }}peer.csr
    -extensions {{ etcd_ca_exts_peer }} -batch
  args:
    chdir: "{{ etcd_generated_certs_dir }}/{{ item.etcd_cert_subdir }}"
    creates: "{{ etcd_generated_certs_dir ~ '/' ~  item.etcd_cert_subdir ~ '/'
                 ~ item.etcd_cert_prefix ~ 'peer.crt' }}"
  environment:
    SAN: "IP:{{ item.etcd_ip }}"
  with_items: etcd_needing_server_certs

- file:
    src: "{{ etcd_ca_cert }}"
    dest: "{{ etcd_generated_certs_dir}}/{{ item.etcd_cert_subdir }}/{{ item.etcd_cert_prefix }}ca.crt"
    state: hard
  with_items: etcd_needing_server_certs