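# --------------------------------------
# -- Create kubernetes user
# --------------------------------------
# -- 1. Install packages
# -- 2. Generate certificate
# -- 3. Add user to kubernetes
# -- 4. Remove certificates (Optional)
# --------------------------------------
---
# Installs yq, kubectl and openssl unless the operator opted into the binaries
# already present on the host (use_system_bins).
- name: Ensure required packages are installed
  when: not use_system_bins
  tags: packages
  block:
    - name: Create a working directory if it doesn't exist
      ansible.builtin.file:
        path: "{{ working_dir }}"
        state: directory
        mode: "0775"

    - name: Prepare bin directory
      block:
        - name: Set workdir as fact
          ansible.builtin.set_fact:
            bin_dir: "{{ working_dir }}/bin"

        - name: Create a directory if it does not exist
          ansible.builtin.file:
            path: "{{ bin_dir }}"
            state: directory
            mode: "0775"

    - name: Install yq
      block:
        # NOTE(review): this download has no integrity check; get_url's
        # `checksum` parameter could pin a known digest for the release.
        - name: Ensure yq is installed
          become: true
          ansible.builtin.get_url:
            url: "https://github.com/mikefarah/yq/releases/download/{{ yq.version }}/{{ yq.binary }}"
            dest: "{{ bin_dir }}/yq"
            # 0755, not 0777: the file is written with become, and a
            # world-writable executable could be replaced by any local user.
            mode: "0755"

    - name: Install kubectl
      block:
        - name: Download kubectl release
          become: true
          ansible.builtin.get_url:
            url: "https://dl.k8s.io/release/{{ kubectl.version }}/bin/linux/{{ kubectl.arch }}/kubectl"
            dest: "{{ bin_dir }}/kubectl"
            # 0755, not 0777: see the yq task above.
            mode: "0755"

        # The checksum is kept in working_dir instead of the shared /tmp, where
        # another local user could pre-create a file with this predictable name.
        # NOTE(review): this URL omits the /release/ segment used by the binary
        # URL; confirm both resolve to the same release.
        - name: Download the kubectl checksum file
          ansible.builtin.uri:
            url: "https://dl.k8s.io/{{ kubectl.version }}/bin/linux/{{ kubectl.arch }}/kubectl.sha256"
            dest: "{{ working_dir }}/kubectl.sha256"

        # The binary is already in bin_dir at this point, so a failed check
        # removes it again instead of leaving an unverified executable behind.
        - name: Verify the kubectl binary
          block:
            # Two spaces separate digest and file name, the line format
            # `sha256sum --check` documents. The task only reads state, so it
            # never reports "changed".
            - name: Validate the kubectl binary against the checksum file
              ansible.builtin.shell: |
                echo "$(cat {{ (working_dir ~ '/kubectl.sha256') | quote }})  {{ bin_dir }}/kubectl" | sha256sum --check
              register: result
              changed_when: false

            - name: Assert that the kubectl binary is OK
              vars:
                expected: "{{ bin_dir }}/kubectl: OK"
              ansible.builtin.assert:
                that:
                  - result.stdout == expected
                fail_msg: "{{ result.stdout }}"
                success_msg: "{{ result.stdout }}"
          rescue:
            - name: Remove the kubectl binary that failed verification
              become: true
              ansible.builtin.file:
                path: "{{ bin_dir }}/kubectl"
                state: absent

            - name: Stop because kubectl failed checksum verification
              ansible.builtin.fail:
                msg: "kubectl failed checksum verification and was removed from {{ bin_dir }}"

    # NOTE(review): nesting was reconstructed from a flattened listing; confirm
    # that this task belongs inside the packages block.
    - name: Ensure openssl is installed
      become: true
      ansible.builtin.package:
        name: "openssl"
        state: present

# Runs create-user.yaml once per entry in `users`, filling per-user settings
# from the entry and falling back to the defaults below.
# NOTE(review): an entry that sets neither role nor binding_type receives
# cluster-admin through a ClusterRoleBinding; set a narrower role explicitly
# for users who do not need cluster-wide admin.
- name: Create kubernetes user
  loop: "{{ users }}"
  ansible.builtin.include_tasks: create-user.yaml
  vars:
    certificate_expires_in: "{{ item.certificate_expires_in | default('500') }}"
    username: "{{ item.username }}"
    host_user: "{{ item.host_user | default('') }}"
    cluster: "{{ item.cluster }}"
    binding_type: "{{ item.binding_type | default('ClusterRoleBinding') }}"
    role_type: "{{ item.role_type | default('ClusterRole') }}"
    role: "{{ item.role | default('cluster-admin') }}"
    user_k8s_config_path: "{{ item.k8s_config_path | default(k8s_config_path) }}"
    user_k8s_cert_path: "{{ item.k8s_cert_path | default(k8s_cert_path) }}"
    user_k8s_cert_crt_file: "{{ item.k8s_cert_crt_file | default(k8s_cert_crt_file) }}"
    user_k8s_cert_key_file: "{{ item.k8s_cert_key_file | default(k8s_cert_key_file) }}"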