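---
# Delete the kubeadmin user after OIDC is configured and admin groups
# have cluster-admin. This is a security best practice.
#
# Safety checks:
# 1. Verify at least one group in oidc_admin_groups is configured
# 2. Verify ClusterRoleBindings exist for those groups and bind cluster-admin
# 3. Verify the OAuth deployment is ready (OIDC login is available)
# 4. Only then delete the kubeadmin secret
#
# Every check is fail-closed: an undefined or empty group list, a missing or
# mis-bound ClusterRoleBinding, or an unready OAuth deployment aborts the play
# before the secret is touched. Task order matters; do not reorder.

- name: Fail if no admin groups are configured
  ansible.builtin.fail:
    msg: >-
      Cannot delete kubeadmin: oidc_admin_groups is empty.
      At least one OIDC group must have cluster-admin before
      kubeadmin can be removed.
  # default([]) routes an undefined variable to this explicit failure instead
  # of an undefined-variable error, so the message tells the operator what to fix.
  when: oidc_admin_groups | default([]) | length == 0

- name: Verify OIDC admin ClusterRoleBindings exist and grant cluster-admin
  kubernetes.core.k8s_info:
    api_version: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    # Group names are sanitised into a valid resource name; this expression
    # must stay identical to the one used by the task that creates the binding.
    name: "oidc-{{ item | regex_replace('[^a-zA-Z0-9-]', '-') }}-cluster-admin"
  loop: "{{ oidc_admin_groups }}"
  register: __sno_deploy_admin_crbs
  # failed_when runs per item, with the registered variable holding that
  # item's result. Existence alone is not enough: a binding with the expected
  # name but a different roleRef would not keep admin access, so the role is
  # checked as well.
  failed_when: >-
    __sno_deploy_admin_crbs.resources | length == 0
    or __sno_deploy_admin_crbs.resources[0].roleRef.name != 'cluster-admin'

- name: Verify OAuth deployment is ready
  kubernetes.core.k8s_info:
    api_version: apps/v1
    kind: Deployment
    namespace: openshift-authentication
    name: oauth-openshift
  register: __sno_deploy_oauth_status
  # readyReplicas is only reported once a pod is ready, hence default(0).
  failed_when: >-
    __sno_deploy_oauth_status.resources | length == 0
    or (__sno_deploy_oauth_status.resources[0].status.readyReplicas | default(0)) < 1

# Irreversible: once the secret is gone, cluster access depends entirely on
# the OIDC bindings verified above.
- name: Delete kubeadmin secret
  kubernetes.core.k8s:
    api_version: v1
    kind: Secret
    namespace: kube-system
    name: kubeadmin
    state: absent
  register: __sno_deploy_kubeadmin_deleted

- name: Display kubeadmin deletion result
  ansible.builtin.debug:
    msg: >-
      {{ 'kubeadmin user deleted successfully. Login is now only available via OIDC.'
         if __sno_deploy_kubeadmin_deleted.changed
         else 'kubeadmin was already deleted.' }}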