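---
# Argo CD bootstrap: configure a Keycloak realm/group/users/client for Argo CD,
# fetch the generated OIDC client secret, deploy the argo-cd Helm chart with that
# secret injected, then apply AppProjects/ApplicationSets from a git checkout.
#
# Conventions:
#   - Keycloak/Argo CD work is restricted to the first control-plane host via
#     `when: inventory_hostname == groups['kube_control_plane'][0]`.
#   - Tasks whose module arguments or registered results carry a secret
#     (OIDC client secret, GPG private key, git credentials) are marked
#     `no_log: true` so they do not land in verbose output or log files.
#     The two "DEBUG" tasks are the deliberate, opt-in exception (`when: debug`).

- name: "Login with keycloak-admin"
  include_role:
    name: keycloak
    tasks_from: _authenticate
  # NOTE(review): not restricted to the first control-plane host, unlike the
  # tasks below that consume `access_token` -- confirm whether the token is
  # needed on every host or whether this should carry the same `when`.

- name: "Setup keycloak-realm for argocd"
  include_role:
    name: keycloak
    tasks_from: _configure_realm
  vars:
    current_realm_name: '{{ argo_realm_name }}'
    current_realm_display_name: '{{ argo_realm_display_name }}'
    # the client is created later from a JSON template, not by the realm role
    create_client: false
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: "Create a Keycloak group, authentication with credentials"
  include_role:
    name: keycloak
    tasks_from: _create_realm_groups
  vars:
    current_realm_name: '{{ argo_realm_name }}'
    current_realm_display_name: '{{ argo_realm_display_name }}'
    current_realm_groups:
      - name: "{{ argo_realm_group }}"
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: "Create keycloak user(s)"
  include_role:
    name: keycloak
    tasks_from: _create_realm_users
  vars:
    current_realm_name: '{{ argo_realm_name }}'
    current_realm_users: '{{ argo_realm_users }}'
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: "ADD user group mapping"
  include_role:
    name: keycloak
    tasks_from: _configure_user_groupmembership_crud
  vars:
    username: '{{ argocd_admin_username }}'
    destination_group: '{{ argo_realm_group }}'
    realm_name: '{{ argo_realm_name }}'
    bearer_token: '{{ access_token }}'
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: "Create keycloak clientscope"
  delegate_to: localhost
  become: false
  community.general.keycloak_clientscope:
    auth_client_id: admin-cli
    auth_keycloak_url: "{{ keycloak_server_url }}/auth"
    auth_realm: 'master'
    auth_username: "{{ keycloak_admin_username }}"
    auth_password: "{{ keycloak_admin_password }}"
    name: '{{ argo_keycloak_clientscope_name }}'
    realm: '{{ argo_realm_name }}'
    protocol: '{{ argo_keycloak_clientscope_protocol }}'
    protocol_mappers:
      - config:
          access.token.claim: true
          claim.name: '{{ argo_keycloak_clientscope_name }}'
          # Must stay false. With full.path=true the group claim becomes
          # "/<group_name>" instead of "<group_name>", and the group names
          # referenced in the argocd-rbac-cm ConfigMap no longer match.
          full.path: false
          id.token.claim: true
          userinfo.token.claim: true
        name: '{{ argo_keycloak_clientscope_name }}'
        protocol: openid-connect
        protocolMapper: oidc-group-membership-mapper
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

# The client is rendered from a template of an exported Keycloak client object
# because community.general.keycloak_client lacks some required parameters
# (e.g. defaultClientScopes).
- name: "Create json object as VAR from template"
  set_fact:
    keycloak_realm_create_client: "{{ lookup('template','keycloak-realm-create-client-argocd.json.j2') }}"
  vars:
    client_redirect_uri: '{{ argo_client_redirect_uris }}'
    client_web_origins: '{{ argo_client_web_origins }}'
    client_id: '{{ argo_client_id }}'
    realm_name: '{{ argo_realm_name }}'
    client_root_url: '{{ argo_client_root_url }}'
    client_admin_url: '{{ argo_client_admin_url }}'
    client_base_url: '{{ argo_client_base_url }}'
    keycloak_clientscope_name: '{{ argo_keycloak_clientscope_name }}'
    keycloak_clientscope_protocol: '{{ argo_keycloak_clientscope_protocol }}'
    keycloak_client_secret: '{{ argo_keycloak_client_secret }}'
  # the rendered object embeds `argo_keycloak_client_secret`; keep it out of logs
  no_log: true

# Push the rendered client object to the Keycloak admin API (create/update).
- name: "Create client"
  include_role:
    name: keycloak
    tasks_from: _configure_client_crud
  vars:
    client_id: '{{ argo_client_id }}'
    realm_name: '{{ argo_realm_name }}'
    keycloak_client_object: '{{ keycloak_realm_create_client }}'
    bearer_token: '{{ access_token }}'
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: "GET available clients from <<{{ argo_realm_name }}>>-realm"
  delegate_to: localhost
  become: false
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ argo_realm_name }}/clients"
    method: GET
    headers:
      Content-Type: "application/json"
      Authorization: "Bearer {{ access_token }}"
    status_code: [200]
  register: argo_realm_clients
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

# Resolve the internal Keycloak ID of our client from the client list.
# `first` raises if no client matches `argo_client_id`, which is the desired
# failure mode (a missing client must not be silently skipped).
- name: "Get ID of client by paring argo_realm_clients object"
  set_fact:
    id_of_client: '{{ ( argo_realm_clients.json | selectattr("clientId","equalto",argo_client_id ) | first ).id }}'
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: "GET client-secret for client <<{{ argo_client_id }}>> in realm <<{{ argo_realm_name }}>>"
  delegate_to: localhost
  become: false
  uri:
    url: "{{ keycloak_server_url }}/auth/admin/realms/{{ argo_realm_name }}/clients/{{ id_of_client }}/client-secret"
    method: GET
    headers:
      Content-Type: "application/json"
      Authorization: "Bearer {{ access_token }}"
    status_code: [200]
  register: client_secret
  # the registered response body is the OIDC client secret
  no_log: true
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

# Opt-in only: prints the OIDC client secret to stdout when `debug` is true.
- name: "DEBUG"
  debug:
    msg: "DEBUGGING: {{ client_secret.json.value }}"
  when:
    - debug
    - inventory_hostname == groups['kube_control_plane'][0]

- name: "Create namespace <{{ k8s_argocd_helm__release_namespace }}>"
  kubernetes.core.k8s:
    name: "{{ k8s_argocd_helm__release_namespace }}"
    api_version: v1
    kind: Namespace
    state: present
  # NOTE(review): no host restriction here (and on the Secret task below), so
  # every host in the play applies this; idempotent, but confirm it is intended.

- name: "Create a k8s Secret containing GPG key"
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      data:
        gpg_key_smardigo_automation__private: '{{ gpg_key_smardigo_automation__private | string | b64encode }}'
      kind: Secret
      metadata:
        name: sops-gpg
        namespace: '{{ k8s_argocd_helm__release_namespace }}'
      type: Opaque
  # module args contain the private key (base64 is not encryption)
  no_log: true

# Inject the freshly read client secret into the Helm values under
# configs.secret.extra.oidc.keycloak.clientSecret.
- name: "Create VAR to overwrite specific helm value - prepare combining dicts"
  set_fact:
    additional_helm_values:
      configs:
        secret:
          extra:
            oidc.keycloak.clientSecret: '{{ client_secret.json.value }}'
  no_log: true
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

# recursive=True so the nested `configs.secret.extra` keys are merged rather
# than replacing the whole `configs` subtree from k8s_argocd_helm__release_values
- name: "Combining helm release values"
  set_fact:
    combined_helm__release_values: '{{ k8s_argocd_helm__release_values | combine(additional_helm_values, recursive=True) }}'
  no_log: true
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

# Opt-in only: the combined values include the OIDC client secret.
- name: "DEBUG"
  debug:
    msg: "DEBUGGING: {{ combined_helm__release_values }}"
  when:
    - debug
    - inventory_hostname == groups['kube_control_plane'][0]

- name: Deploy argo-cd inside argo-cd namespace
  kubernetes.core.helm:
    name: "{{ k8s_argocd_helm__name }}"
    chart_ref: "{{ k8s_argocd_helm__chart_ref | default('argo-cd') }}"
    chart_repo_url: "{{ k8s_argocd_helm__chart_repo_url | default('https://argoproj.github.io/argo-helm') }}"
    release_namespace: "{{ k8s_argocd_helm__release_namespace }}"
    create_namespace: true
    release_values: "{{ combined_helm__release_values }}"
  # release_values carries the client secret
  no_log: true
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: Download argo-cd ApplicationSet CRD
  get_url:
    url: 'https://raw.githubusercontent.com/argoproj/applicationset/{{ k8s_argocd__crd_applicationset_version }}/manifests/install.yaml'
    dest: '/tmp/argocd_ApplicationSet_install_{{ k8s_argocd__crd_applicationset_version }}.yml'
    mode: '0440'
    # NOTE(review): the manifest is pinned by version but not by content; if the
    # expected digest is known, add `checksum:` so a changed upstream file fails here
    # instead of being applied to the cluster.
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: Deploy argo-cd ApplicationSet CRD
  kubernetes.core.k8s:
    state: present
    namespace: '{{ k8s_argocd_helm__release_namespace }}'
    src: '/tmp/argocd_ApplicationSet_install_{{ k8s_argocd__crd_applicationset_version }}.yml'
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

# NOTE(review): the credentials embedded in the clone URL are persisted in
# /tmp/gitrepo/.git/config on the target host and `/tmp/gitrepo` is a
# predictable path in a shared directory; consider a dedicated, cleaned-up
# working directory. `no_log` keeps the URL out of Ansible's own output.
- name: Checkout defined argocd-related objects
  ansible.builtin.git:
    repo: 'https://{{ gitea_admin_username }}:{{ gitea_admin_password }}@{{ shared_service_gitea_hostname }}/gitea-admin/argocd.git'
    dest: '/tmp/gitrepo'
    version: master
  no_log: true
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: Find file with definition of argocd-AppProjects
  find:
    paths: '/tmp/gitrepo/AppProjects'
    pattern: '*.yml'
  register: appprojects
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: Find file with definition of argocd-ApplicationSets
  find:
    paths: '/tmp/gitrepo/ApplicationSets'
    pattern: '*.yml'
  register: applicationsets
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: Apply defined AppProjects defined in checked out repo
  kubernetes.core.k8s:
    state: present
    namespace: '{{ k8s_argocd_helm__release_namespace }}'
    src: '{{ item.path }}'
  loop: '{{ appprojects.files }}'
  when:
    - inventory_hostname == groups['kube_control_plane'][0]

- name: Apply defined ApplicationSets defined in checked out repo
  kubernetes.core.k8s:
    state: present
    namespace: '{{ k8s_argocd_helm__release_namespace }}'
    src: '{{ item.path }}'
  loop: '{{ applicationsets.files }}'
  when:
    - inventory_hostname == groups['kube_control_plane'][0]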