From 9b9886b33a104c4dc38093b3ab8b16d8d17954ca Mon Sep 17 00:00:00 2001
From: treddy08
Date: Fri, 1 May 2026 18:49:10 +1000
Subject: [PATCH 1/3] Skip reencrypt route config if rhacs-central-tls secret does not exist Move secret check outside the block and update block condition to check both reencrypt_route enabled and secret exists. This prevents failure when the secret is not yet created.
Co-Authored-By: Claude Sonnet 4.5
---
roles/ocp4_workload_rhacs/tasks/workload.yml | 22 +++++++++++---------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/roles/ocp4_workload_rhacs/tasks/workload.yml b/roles/ocp4_workload_rhacs/tasks/workload.yml
index 5fb39d7..24f020b 100644
--- a/roles/ocp4_workload_rhacs/tasks/workload.yml
+++ b/roles/ocp4_workload_rhacs/tasks/workload.yml
@@ -69,18 +69,20 @@ when: ocp4_workload_rhacs_enable_route_certs | bool ansible.builtin.include_tasks: certificate.yml -- name: Extract CA certificate chain for reencrypt route +- name: Get rhacs-central-tls secret for reencrypt route when: ocp4_workload_rhacs_enable_reencrypt_route | bool - block: - - name: Get rhacs-central-tls secret - kubernetes.core.k8s_info: - api_version: v1 - kind: Secret - name: rhacs-central-tls - namespace: "{{ ocp4_workload_rhacs_central_namespace }}" - register: r_rhacs_central_tls_secret - failed_when: r_rhacs_central_tls_secret.resources | length == 0 + kubernetes.core.k8s_info: + api_version: v1 + kind: Secret + name: rhacs-central-tls + namespace: "{{ ocp4_workload_rhacs_central_namespace }}" + register: r_rhacs_central_tls_secret +- name: Extract CA certificate chain for reencrypt route + when: + - ocp4_workload_rhacs_enable_reencrypt_route | bool + - r_rhacs_central_tls_secret.resources | default([]) | length > 0 + block: - name: Extract intermediate CA chain from certificate ansible.builtin.set_fact: _cert_intermediate_ca_chain: >-
From ec570fb05eb2ec6b6ffc13934345f94df2f06b5e Mon Sep 17 00:00:00 2001
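Review bot: Dropping `failed_when: r_rhacs_central_tls_secret.resources | length == 0` and gating the extraction block on the secret's presence turns a missing rhacs-central-tls secret into a silent skip: with ocp4_workload_rhacs_enable_reencrypt_route true the play now carries on, and via the central.yaml.j2 hunk in patch 3 the Central CR is rendered without its reencrypt stanza, so the requested route configuration is dropped with nothing in the run output to say so. The commit message describes the secret as "not yet created", which reads as a timing issue; if it is expected to appear shortly, a bounded wait on the new k8s_info task (`until: r_rhacs_central_tls_secret.resources | length > 0` with `retries:`/`delay:`) keeps the original guarantee, though which task or operator creates that secret is not visible here. Otherwise a warning task between the two tasks, as below, at least makes the downgrade visible in the log. The extraction block continues past the end of the hunk.
```yaml
# … unchanged: "Get rhacs-central-tls secret for reencrypt route" task …

- name: Warn that the reencrypt route is skipped because rhacs-central-tls is missing
  when:
    - ocp4_workload_rhacs_enable_reencrypt_route | bool
    - r_rhacs_central_tls_secret.resources | default([]) | length == 0
  ansible.builtin.debug:
    msg: >-
      Secret rhacs-central-tls not found in
      {{ ocp4_workload_rhacs_central_namespace }}; Central will be created
      without the reencrypt route configuration.

# … unchanged: "Extract CA certificate chain for reencrypt route" block …
```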
From: treddy08
Date: Fri, 1 May 2026 18:51:01 +1000
Subject: [PATCH 2/3] Add conditional check for destinationCACertificate in template Only include the destinationCACertificate field if the variable is defined. This prevents template errors when rhacs-central-tls secret doesn't exist.
Co-Authored-By: Claude Sonnet 4.5
---
roles/ocp4_workload_rhacs/templates/central.yaml.j2 | 2 ++
1 file changed, 2 insertions(+)
diff --git a/roles/ocp4_workload_rhacs/templates/central.yaml.j2 b/roles/ocp4_workload_rhacs/templates/central.yaml.j2
index 3e3f81c..3a925d4 100644
--- a/roles/ocp4_workload_rhacs/templates/central.yaml.j2
+++ b/roles/ocp4_workload_rhacs/templates/central.yaml.j2
@@ -38,9 +38,11 @@ spec: {% if ocp4_workload_rhacs_enable_reencrypt_route | bool %} reencrypt: enabled: true +{% if ocp4_workload_rhacs_reencrypt_destination_ca is defined %} tls: destinationCACertificate: | {{ ocp4_workload_rhacs_reencrypt_destination_ca | indent(14, True) }} +{% endif %} {% endif %} persistence: persistentVolumeClaim:
From f1dddd7184ffed5ed69aa373a16b88f1b9e5ea09 Mon Sep 17 00:00:00 2001
From: treddy08
Date: Fri, 1 May 2026 18:54:53 +1000
Subject: [PATCH 3/3] Use underscore prefix for internal reencrypt CA variable Rename ocp4_workload_rhacs_reencrypt_destination_ca to _ocp4_workload_rhacs_reencrypt_destination_ca to indicate it's an internal variable. Skip reencrypt block if variable is not defined.
Co-Authored-By: Claude Sonnet 4.5
---
roles/ocp4_workload_rhacs/tasks/workload.yml | 2 +-
roles/ocp4_workload_rhacs/templates/central.yaml.j2 | 6 ++----
2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/roles/ocp4_workload_rhacs/tasks/workload.yml b/roles/ocp4_workload_rhacs/tasks/workload.yml
index 24f020b..b5d626b 100644
--- a/roles/ocp4_workload_rhacs/tasks/workload.yml
+++ b/roles/ocp4_workload_rhacs/tasks/workload.yml
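Review bot: The added `{% if ocp4_workload_rhacs_reencrypt_destination_ca is defined %}` guard tests only definedness, so an empty value in that variable (an empty concatenated chain and bundle, or a stray empty default from inventory) still renders `destinationCACertificate: |` with no body, which is not the skip the guard is meant to provide and leaves the Central CR with an empty destination CA. A content check such as `{% if ocp4_workload_rhacs_reencrypt_destination_ca | default('') | length > 0 %}` handles both the undefined and the empty case. Patch 3's central.yaml.j2 hunk carries the same `is defined` test into its combined condition, so the check belongs there in its final form. The enclosing `spec:` mapping starts and ends outside the hunk.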
@@ -99,7 +99,7 @@ - name: Combine intermediate CAs with cluster trust bundle ansible.builtin.set_fact: - ocp4_workload_rhacs_reencrypt_destination_ca: >- + _ocp4_workload_rhacs_reencrypt_destination_ca: >- {{ _cert_intermediate_ca_chain }}{{ r_cluster_trusted_ca_bundle.resources[0].data['ca-bundle.crt'] }} - name: Create Central
diff --git a/roles/ocp4_workload_rhacs/templates/central.yaml.j2 b/roles/ocp4_workload_rhacs/templates/central.yaml.j2
index 3a925d4..979c3e4 100644
--- a/roles/ocp4_workload_rhacs/templates/central.yaml.j2
+++ b/roles/ocp4_workload_rhacs/templates/central.yaml.j2
@@ -35,14 +35,12 @@ spec: enabled: false route: enabled: true -{% if ocp4_workload_rhacs_enable_reencrypt_route | bool %} +{% if ocp4_workload_rhacs_enable_reencrypt_route | bool and _ocp4_workload_rhacs_reencrypt_destination_ca is defined %} reencrypt: enabled: true -{% if ocp4_workload_rhacs_reencrypt_destination_ca is defined %} tls: destinationCACertificate: | -{{ ocp4_workload_rhacs_reencrypt_destination_ca | indent(14, True) }} -{% endif %} +{{ _ocp4_workload_rhacs_reencrypt_destination_ca | indent(14, True) }} {% endif %} persistence: persistentVolumeClaim:
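Review bot: The combined `{% if ocp4_workload_rhacs_enable_reencrypt_route | bool and _ocp4_workload_rhacs_reencrypt_destination_ca is defined %}` now omits the whole `reencrypt:` stanza, not just its `tls:` field, when the CA variable is absent, and nothing in the template records that this is deliberate or why. A comment above the condition, e.g. `{# reencrypt is rendered only when a destination CA was extracted from rhacs-central-tls; without it the route is created with no reencrypt settings #}`, would make the fallback explicit to the next reader. The condition line is also around 120 characters; Jinja accepts a newline inside a `{% %}` tag, so the `and …` clause could sit on a continuation line if the project keeps templates to a line limit. The `spec:` mapping continues outside the hunk on both sides.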