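---
# Copyright 2015, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# This script is being created with mode 0755 intentionally. This is so that
# the script can be executed by root to rotate the keys as needed. The script
# being executed will always change its user context to the keystone user
# before execution, and while the script may be world read/executable it
# contains only the necessary bits that are required to run the rotate and
# sync commands.
#
# The file is owned by root rather than by the keystone service account:
# a script that root may run by hand must not be writable by a less
# privileged user, otherwise that user could change what root executes.
# Mode 0755 still lets the keystone user read and execute it, which is all
# the cron job below (which runs as the keystone user) needs.
- name: Drop credential key auto rotate script
  template:
    src: "keystone-credential-rotate.sh.j2"
    dest: "{{ keystone_credential_auto_rotation_script }}"
    owner: "root"
    group: "{{ keystone_system_group_name }}"
    mode: "0755"

# This creates the auto rotation job on the first keystone host.
# The job is written to its own cron file and runs the script above as the
# keystone user on the schedule given by keystone_credential_rotation.
- name: Create auto rotation job
  cron:
    name: "Credential auto rotate job"
    special_time: "{{ keystone_credential_rotation }}"
    user: "{{ keystone_system_user_name }}"
    job: "{{ keystone_credential_auto_rotation_script }}"
    cron_file: keystone-credential-rotate
  when: _keystone_is_first_play_host

# This makes sure that no auto rotation jobs are on any other hosts, so that
# only the first play host rotates the keys on a schedule.
- name: Remove extra auto rotation job
  cron:
    name: "Credential auto rotate job"
    user: "{{ keystone_system_user_name }}"
    cron_file: keystone-credential-rotate
    state: "absent"
  when: not _keystone_is_first_play_host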