veza/ansible/roles/incus/tasks/cluster.yml

---
# file: roles/incus/tasks/cluster.yml

- name: "set facts incus_cluster_main_ip"
  ansible.builtin.set_fact:
    incus_cluster_main_ip: "{{ hostvars[ovn_cluster_main_name]['incus_ip'] }}"

- name: "Set ovn_connection_type"
  ansible.builtin.set_fact:
    ovn_connection_type: "{{ ovn_ssl | ternary('ssl', 'tcp') }}"

- name: "set facts ovn_central bounds lists"
  ansible.builtin.set_fact:
    incus_ovn_northbound_list: "{{ (incus_ovn_northbound_list | default([])) + [ovn_connection_type + ':' + hostvars[item]['ovn_ip'] + ':6641'] }}"
  loop: "{{ ovn_central_servers }}"

- name: "set facts ovn_central bounds"
  ansible.builtin.set_fact:
    incus_ovn_northbound: "{{ incus_ovn_northbound_list | join(',') }}"

- name: "set facts ovn_ic bounds lists"
  ansible.builtin.set_fact:
    incus_ovn_ic_northbound_list: "{{ (incus_ovn_ic_northbound_list | default([])) + [ovn_connection_type + ':' + hostvars[item]['ovn_ip'] + ':6645'] }}"
    incus_ovn_ic_southbound_list: "{{ (incus_ovn_ic_southbound_list | default([])) + [ovn_connection_type + ':' + hostvars[item]['ovn_ip'] + ':6646'] }}"
  loop: "{{ ovn_ic_db_servers }}"
  when:
    - ovn_ic_db_servers is defined
    - ansible_hostname == incus_cluster_main_name

- name: "set facts ovn_ic bounds"
  ansible.builtin.set_fact:
    incus_ovn_ic_northbound: "{{ incus_ovn_ic_northbound_list | join(',') }}"
    incus_ovn_ic_southbound: "{{ incus_ovn_ic_southbound_list | join(',') }}"
  when:
    - ovn_ic_db_servers is defined
    - ansible_hostname == incus_cluster_main_name

- name: "Get {{ incus_cluster_name }} secrets from hashicorp vault"
  ansible.builtin.set_fact:
    incus_hv_secrets: "{{ lookup('community.hashi_vault.vault_kv2_get', 'group_vars/' + incus_cluster_name, engine_mount_point='talas-kv') }}"
  when: ovn_ssl

- name: "Extract cert and private key from hashicorp vault"
  ansible.builtin.set_fact:
    incus_client_cert_serial_number: "{{ incus_hv_secrets.secret.ovn_cert_incus_client_serial_number }}"
    incus_client_cert_private_key: "{{ incus_hv_secrets.secret.ovn_cert_incus_client_private_key }}"
  when: ovn_ssl

- name: "Get client cert and issuing certificates from hashicorp vault pki"
  ansible.builtin.set_fact:
    incus_client_cert_issuing_ca_chain: "{{ lookup('community.hashi_vault.vault_read', 'pki/issuer/OVN') | community.general.json_query('data.ca_chain') | join() | trim }}"
    incus_client_cert_ca: "{{ lookup('community.hashi_vault.vault_read', 'pki/cert/' + incus_client_cert_serial_number) | community.general.json_query('data.certificate') }}"
  when: ovn_ssl

- name: "init preseed if first cluster main install"
  ansible.builtin.shell:
    cmd: /usr/bin/incus admin init --preseed
    stdin: "{{ incus_cluster_main_init_yaml }}"
    stdin_add_newline: true
  when:
    - incus_admin_init_dump.stdout == incus_yaml_unconfigured
    - ansible_hostname == incus_cluster_main_name

# https://tracker.talas.com/browse/INFRA-179
#- name: "get and set OVN configuration WITH TLS"
#  ansible.builtin.include_tasks: get_and_set.yml
#  loop:
#    - { section: config, key: network.ovn.northbound_connection, value: "{{ incus_cluster_ovn_conf.northbound_connection }}" }
#    - { section: config, key: network.ovn.client_cert, value: "{{ incus_cluster_ovn_conf.client_cert }}" }
#    - { section: config, key: network.ovn.client_key, value: "{{ incus_cluster_ovn_conf.client_key }}" }
#    - { section: config, key: network.ovn.ca_cert, value: "{{ incus_cluster_ovn_conf.ca_cert }}" }
#  when:
#    - ovn_ssl
#    - ansible_hostname == incus_cluster_main_name

- name: "check if ovn_ic_integration exists"
  ansible.builtin.command: "/usr/bin/incus network integration show ovn_ic_integration"
  register: get_ovn_ic_integration
  changed_when: false
  check_mode: false
  failed_when: false
  when:
    - ovn_ssl
    - ovn_ic_db_servers is defined
    - ansible_hostname == incus_cluster_main_name

- name: "incus network integration create ovn_ic_integration"
  ansible.builtin.command: "/usr/bin/incus network integration create ovn_ic_integration ovn"
  when:
    - ovn_ssl
    - ovn_ic_db_servers is defined
    - ansible_hostname == incus_cluster_main_name
    - get_ovn_ic_integration.rc != 0

- name: "get and set OVN IC integration configuration WITH TLS"
  ansible.builtin.include_tasks: get_and_set.yml
  loop:
    - { section: "network integration", object: ovn_ic_integration, key: ovn.northbound_connection, value: "{{ incus_ovn_ic_northbound }}" }
    - { section: "network integration", object: ovn_ic_integration, key: ovn.southbound_connection, value: "{{ incus_ovn_ic_southbound }}" }
    - { section: "network integration", object: ovn_ic_integration, key: ovn.ca_cert, value: "{{ incus_cluster_ovn_conf.ca_cert }}" }
    - { section: "network integration", object: ovn_ic_integration, key: ovn.client_cert, value: "{{ incus_cluster_ovn_conf.client_cert }}" }
    - { section: "network integration", object: ovn_ic_integration, key: ovn.client_key, value: "{{ incus_cluster_ovn_conf.client_key }}" }
  when:
    - ovn_ssl
    - ovn_ic_db_servers is defined
    - ansible_hostname == incus_cluster_main_name

- name: "get IC integration transit pattern"
  ansible.builtin.shell:  incus network integration get ovn_ic_integration ovn.transit.pattern
  register: get_transit_pattern
  changed_when: false
  check_mode: false
  when:
    - ovn_ic_db_servers is defined
    - ansible_hostname == incus_cluster_main_name

- name: "/usr/bin/incus network integration set ovn_ic_integration ovn.transit.pattern"
  ansible.builtin.shell: "/usr/bin/incus network integration set ovn_ic_integration  ovn.transit.pattern {% raw %}'ts-incus-{{ integrationName }}-{{ peerName }}'{% endraw %}"
  when:
    - ovn_ic_db_servers is defined
    - ansible_hostname == incus_cluster_main_name
    - get_transit_pattern.stdout != {% raw %}'ts-incus-{{ integrationName }}-{{ peerName }}'{% endraw %}

- name: "get and set OVN configuration WITHOUT TLS"
  ansible.builtin.include_tasks: get_and_set.yml
  loop:
    - { section: config, key: "network.ovn.northbound_connection", value: "{{ incus_cluster_ovn_conf.northbound_connection }}" }
  when:
    - not ovn_ssl
    - ansible_hostname == incus_cluster_main_name

- name: "Create join tokens"
  throttle: 1
  delegate_to: "{{ incus_cluster_main_name }}"
  vars:
    ansible_python_interpreter: "{{ hostvars[incus_cluster_main_name].ansible_python_interpreter | default('/usr/bin/python3') }}"
  ansible.builtin.shell:
    cmd: "incus --force-local --quiet cluster add {{ inventory_hostname }}"
  register: incus_cluster_add
  when:
    - incus_admin_init_dump.stdout == incus_yaml_unconfigured
    - ansible_hostname != incus_cluster_main_name

- name: "init preseed if first cluster secondary install"
  ansible.builtin.shell:
    cmd: /usr/bin/incus admin init --preseed
    stdin: "{{ incus_cluster_init_yaml }}"
    stdin_add_newline: true
  throttle: 1
  when:
    - incus_admin_init_dump.stdout == incus_yaml_unconfigured
    - ansible_hostname != incus_cluster_main_name

- name: "get and set scheduler.instance"
  ansible.builtin.include_tasks: get_and_set_cluster.yml
  loop:
    - { key: 'scheduler.instance', value: "{{ incus_cluster_scheduler }}" }
  when: incus_cluster_scheduler is defined