source.yml

---
- name: Create dap namespace
  k8s:
    name: dap
    api_version: v1
    kind: Namespace
    state: present
    wait: yes
    wait_condition:
      reason: completed
      status: "True"
    wait_timeout: 360
    
- name: Load DAP source manifest
  k8s:
    state: present
    src: "{{ playbook_dir }}/files/manifests/dap/{{ dapLoad }}.yml"
    wait: yes
    wait_condition:
      reason: completed
      status: "True"
  register: dapManifestStatus
  with_items:
    - dapSourceManifest
  loop_control:
    loop_var: dapLoad

- name: Get POD information for DAP instances
  k8s_facts:
    kind: pod
    namespace: dap
    label_selectors:
      - role = source
  register: dappod
  until: dappod.resources[0].status.containerStatuses[0].ready == true
  retries: 60
  delay: 2

- name: Configure Variable with pod name
  set_fact:
    sourcePodName: "{{ dappod.resources[0].metadata.name }}"

- name: Check to see if DAP is running.
  uri:
    url: "https://{{dapIngressRoute}}/health"
    return_content: yes
    body_format: json
    validate_certs: no
    method: GET
    status_code: 200, 404, -1
  register: dapSourceStatus

- name: Set DAP configuration
  set_fact:
    dapSourceConfig: configured
  when: dapSourceStatus.status == 200

- name: Set DAP configuration
  set_fact:
    dapSourceConfig: unconfigured
  when: dapSourceStatus.status == 404 or dapSourceStatus.status == -1

- name: Perform configuration tasks
  block:
    - name: Configure DAP 
      command: |
        kubectl exec -n dap {{ sourcePodName }} -i -- evoke configure master --accept-eula -h {{ dapSourceService }} -p {{ dapAdminPass }} {{ dapAccount }}

    - name: Wait for health page to report OK
      uri:
        url: "https://{{dapIngressRoute}}/health"
        return_content: yes
        body_format: json
        validate_certs: no
        method: GET
      register: results
      until: results.conjur_health == "OK"
      retries: 60
      delay: 2

    - name: Set DAP configuration
      set_fact:
        dapSourceConfig: configured
      when: results.conjur_health == "OK"
  when: dapSourceConfig == "unconfigured"

- name: Get DAP access token in the proper format.
  block:
    - name: Get API token
      uri:
        url: https://{{dapIngressRoute}}/authn/{{ dapAccount }}/login
        return_content: yes
        method: GET
        url_password: "{{ dapAdminPass }}"
        url_username: "{{ dapAdmin }}"
        force_basic_auth: yes
        validate_certs: no
      register: dapAPIKey

    - name: Get Authentication token
      uri:
        url: https://{{dapIngressRoute}}/authn/{{ dapAccount }}/{{ dapAdmin }}/authenticate
        return_content: yes
        method: POST
        body: "{{ dapAPIKey.content }}"
        validate_certs: no
      register: dapToken

    - name: Generate dap JWT
      set_fact:
        dapTokenFormatted: "{{ dapToken.content | b64encode | replace('\r\n', '') }}"
      no_log: yes
  when: dapSourceConfig == "configured"

- name: Load Polcies and set status
  block:
    - name: Load policies
      uri:
        url: https://{{dapIngressRoute}}/policies/{{ dapAccount }}/policy/{{ policy_item }}
        status_code: 201
        return_content: yes
        method: PUT
        headers:
          Authorization: Token token="{{ dapTokenFormatted }}"
        validate_certs: no
        body: "{{lookup('file', '{{ playbook_dir }}/files/scm/DAP-Policy/{{ policy_item }}.yml') }}"
      with_items:
        - root
        - conjur
        - secrets
      loop_control:
        loop_var: policy_item

    - name: Create password for variable  
      set_fact:
        nginx_pass: "{{ lookup('password', '/dev/null length=15 chars=ascii_letters') }}"

    - name: Load Secret secrets/frontend/nginx_pwd
      uri:
        url: https://{{dapIngressRoute}}/secrets/{{ dapAccount }}/variable/secrets/frontend/nginx_pwd
        status_code: 201
        return_content: yes
        method: POST
        headers:
          Authorization: Token token="{{ dapTokenFormatted }}"
        validate_certs: no
        body: "{{ nginx_pass }}"

    - name: Load Secret secrets/backend/postgres_pwd
      uri:
        url: https://{{dapIngressRoute}}/secrets/{{ dapAccount }}/variable/secrets/backend/postgres_pwd
        status_code: 201
        return_content: yes
        method: POST
        headers:
          Authorization: Token token="{{ dapTokenFormatted }}"
        validate_certs: no
        body: "Cyberark1"
    
    - name: Load Secret secrets/backend/postgres_user
      uri:
        url: https://{{dapIngressRoute}}/secrets/{{ dapAccount }}/variable/secrets/backend/postgres_user
        status_code: 201
        return_content: yes
        method: POST
        headers:
          Authorization: Token token="{{ dapTokenFormatted }}"
        validate_certs: no
        body: "db_user"
    
    - name: Set dap status
      set_fact:
        dapSourceConfig: policiesLoaded
  when: dapSourceConfig == "configured"

- name: Check certificates and set authn-k8s status
  block:
    - name: Check to see if CA Variables for authn-k8s are filled
      uri:
        url: https://{{dapIngressRoute}}/secrets/{{ dapAccount }}/variable/conjur/authn-k8s/{{ authnk8s_name}}/ca/key
        status_code: 200, 404
        return_content: yes
        method: GET
        headers:
          Authorization: Token token="{{ dapTokenFormatted }}"
        validate_certs: no
      register: value
      until: value.status == 200 or value.status == 404
      retries: 60
      delay: 2
      with_items:
        - okd-follower
        - k8s-follower
      loop_control:
        loop_var: authnk8s_name

    - name: Initialize certificates for authn-k8s
      command: |
        kubectl -n dap exec {{ sourcePodName }} -i -- chpst -u conjur conjur-plugin-service possum rake authn_k8s:ca_init["conjur/authn-k8s/{{cert_item}}"]
      with_items:
        - okd-follower
        - k8s-follower
      loop_control:
        loop_var: cert_item
      when: value.results[0].status == 404 or value.results[1].status == 404
  when: dapSourceConfig == "policiesLoaded"