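---
# Generates and applies the StackRox secured-cluster (sensor) bundle for one
# cluster. Variables read by these tasks: cluster, clusters[cluster].name,
# clusters[cluster].namespace, api_ep, pull_user, pull_pass.

# roxctl doesn't really leave any specific signature, so check for sensor.sh
- name: sensor.sh check
  ansible.builtin.stat:
    # Must be the directory the generate task writes via --output-dir
    # ("<clusters[cluster].name>-secured"); keying this on the inventory key
    # instead means the guard never matches whenever the two values differ.
    path: "{{ ansible_facts['user_dir'] }}/{{ clusters[cluster].name }}-secured/sensor.sh"
  register: sensor_script_present

- name: check for deployments anyway as well
  k8s_info:
    kubeconfig: "{{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}"
    # NOTE(review): TLS verification of the cluster API is switched off, so the
    # API server's identity is not checked and the kubeconfig credentials could
    # be presented to an impersonating endpoint. Prefer supplying the cluster
    # CA (the module's ca_cert option) and removing this override.
    validate_certs: false
    api_version: apps/v1
    # NOTE(review): kind is lowercase here; confirm the module resolves it to
    # Deployment, otherwise the result list is always empty.
    kind: deployment
    namespace: "{{ clusters[cluster].namespace }}"
    label_selectors:
      - app.kubernetes.io/instance=stackrox-secured-cluster-services
  register: sensor_deployments_present

- name: create sensor.sh resources
  ansible.builtin.command:
    argv:
      - /usr/local/bin/roxctl
      - -e
      - "{{ api_ep }}"
      # The API token is passed by file reference, so it stays out of argv.
      - "--token-file={{ ansible_facts['user_dir'] }}/api-token"
      - sensor
      - generate
      - openshift
      - --openshift-version=4
      - --admission-controller-scan-inline=true
      - --admission-controller-timeout=10
      - --admission-controller-listen-on-events
      - --admission-controller-listen-on-creates
      - --admission-controller-listen-on-updates
      - "--central={{ api_ep }}"
      - --collection-method=kernel-module
      - --slim-collector=true
      - "--name={{ clusters[cluster].name }}"
      - "--output-dir=./{{ clusters[cluster].name }}-secured"
    chdir: "{{ ansible_facts['user_dir'] }}"
  when: not sensor_script_present.stat.exists

- name: apply sensor.sh resources
  ansible.builtin.command:
    argv:
      - "{{ ansible_facts['user_dir'] }}/{{ clusters[cluster].name }}-secured/sensor.sh"
    chdir: "{{ ansible_facts['user_dir'] }}"
  # Registry credentials go through the task environment rather than
  # "/usr/bin/env NAME=value ..." in argv: command-line arguments are readable
  # by other local users in the process list and are echoed back in the task
  # result ("cmd"), which ends up in Ansible logs and callbacks.
  # If sensor.sh output could echo these values, also set no_log on this task.
  environment:
    REGISTRY_USERNAME: "{{ pull_user }}"
    REGISTRY_PASSWORD: "{{ pull_pass }}"
    KUBECONFIG: "{{ ansible_facts['user_dir'] }}/kubeconfig-{{ cluster }}"
  # Fewer than two matching deployments is treated as "not (fully) deployed".
  when: sensor_deployments_present.resources | length < 2
...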