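---
# Creates all ING-related ClusterRoles in the target cluster.
# Ensures that corresponding OpenShift groups exist.
# Only adds self-provisioner role to admin groups.
#
# Expects `create_cluster_roles`: a list of ClusterRole names, each backed by
# a manifest at files/<name>.yaml (see the `src:` of the first task).
#
# NOTE(review): every kubernetes.core task below sets `validate_certs: false`,
# which turns off TLS verification of the API server named in the kubeconfig
# and so leaves these privileged RBAC changes open to an interposed endpoint.
# Prefer `validate_certs: true` together with `ca_cert:` pointing at the
# cluster CA bundle once that bundle is available to the controller.

- name: Make sure the cluster roles are there
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: false
    api_version: rbac.authorization.k8s.io/v1
    kind: clusterrole
    name: "{{ item }}"
    src: "files/{{ item }}.yaml"
  loop: "{{ create_cluster_roles }}"

# Group name is derived from the role name: 'ichp' -> 'global', plus a trailing 's'.
- name: Ensure that corresponding cluster groups also exist
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: false
    api_version: user.openshift.io/v1
    kind: group
    name: "{{ item | ansible.builtin.regex_replace('ichp', 'global') }}s"
  loop: "{{ create_cluster_roles }}"

# One ClusterRoleBinding per role, binding it to the group created above.
# The subject carries an explicit apiGroup, matching the self-provisioners
# binding at the end of this file.
- name: Ensure that global groups have roles assigned to them.
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: false
    api_version: rbac.authorization.k8s.io/v1
    kind: clusterrolebinding
    name: "{{ item }}s"
    resource_definition:
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: "{{ item }}"
      subjects:
        - apiGroup: rbac.authorization.k8s.io
          kind: Group
          name: "{{ item | ansible.builtin.regex_replace('ichp', 'global') }}s"
  loop: "{{ create_cluster_roles }}"

- name: Get all CRBs.
  kubernetes.core.k8s_info:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: false
    api_version: rbac.authorization.k8s.io/v1
    kind: clusterrolebinding
  register: all_crbs

# Names of every ClusterRoleBinding whose roleRef is the self-provisioner
# ClusterRole. `json_query` is not an ansible.builtin filter (it lives in
# community.general and needs jmespath on the controller), so the selection
# is done with core Jinja filters instead.
- name: Weed out CRBs that assign a self-provisioner CR.
  ansible.builtin.set_fact:
    sp_crbs: "{{ all_crbs.resources | default([]) | selectattr('roleRef.name', 'equalto', 'self-provisioner') | map(attribute='metadata.name') | list }}"

- name: Warn if more than one role assigns self-provisioner.
  ansible.builtin.pause:
    prompt: |
      **************************************************************************
      * WARNING: More than one ClusterRoleBinding assigns the self-provisioner *
      * role to users. This role will fix the default one and remove           *
      * any others.                                                            *
      *                                                                        *
      * Interrupt execution by pressing Ctrl-C if this is not OK.              *
      **************************************************************************
    seconds: 5
  when:
    - (sp_crbs | length > 1) or (sp_crbs is not contains("self-provisioners"))

# Looks like we have to remove all of them and recreate self-provisioner.
# This deletes every binding found above, including the default
# `self-provisioners` CRB and any binding not created by this role, on every
# run; the next task recreates the default one, so there is a short window
# in which nobody holds self-provisioner.
- name: Remove any CRBs that are not the default self-provisioners CRB.
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: false
    api_version: rbac.authorization.k8s.io/v1
    kind: clusterrolebinding
    name: "{{ item }}"
    state: absent
  loop: "{{ sp_crbs }}"  # "{{ sp_crbs | difference(['self-provisioners']) }}"

# Recreated from scratch after the deletion above, so the subject list below
# is the complete set of self-provisioner holders.
- name: Ensure that the self-provisioners CRB lists only admin groups.
  kubernetes.core.k8s:
    kubeconfig: tmp/kubeconfig-ocp4
    validate_certs: false
    api_version: rbac.authorization.k8s.io/v1
    kind: clusterrolebinding
    name: self-provisioners
    resource_definition:
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: self-provisioner
      subjects:
        - apiGroup: rbac.authorization.k8s.io
          kind: Group
          name: admins
        - apiGroup: rbac.authorization.k8s.io
          kind: Group
          name: global-project-admins
...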