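---
# Configure OpenShift OAuth with Keycloak OIDC.
#
# Prerequisites:
#   - SNO cluster installed and accessible
#   - Keycloak OIDC client created (Play 5 in deploy_openshift.yml)
#   - KUBECONFIG environment variable set or oc_kubeconfig defined
#
# Every task that handles the OIDC client secret runs with `no_log: true`
# so the value never reaches task output, diff output or callback logs.

# ------------------------------------------------------------------
# Secret: Keycloak client secret in openshift-config namespace
# ------------------------------------------------------------------
- name: Set OIDC client secret value
  ansible.builtin.set_fact:
    # Prefer the per-host value produced earlier in the run; fall back to
    # the vaulted variable when no host-level value was registered.
    __sno_deploy_oidc_client_secret_value: >-
      {{ hostvars[inventory_hostname]['__oidc_client_secret']
         | default(vault_oidc_client_secret) }}
  no_log: true

- name: Create Keycloak client secret in openshift-config
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: "{{ __sno_deploy_oidc_secret_name }}"
        namespace: openshift-config
      type: Opaque
      stringData:
        clientSecret: "{{ __sno_deploy_oidc_client_secret_value }}"
  # The module's return value echoes the applied Secret (including its
  # data), so log masking must stay on here as well; the previous
  # `no_log: false` exposed the client secret in task output.
  no_log: true

# ------------------------------------------------------------------
# CA bundle: only needed when Keycloak uses a private/internal CA
# ------------------------------------------------------------------
- name: Create CA bundle ConfigMap for Keycloak TLS
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: "{{ __sno_deploy_oidc_ca_configmap_name }}"
        namespace: openshift-config
      data:
        # Read from the controller; the key name `ca.crt` is what the
        # OAuth identityProvider `openID.ca` reference expects.
        ca.crt: "{{ lookup('ansible.builtin.file', oidc_ca_cert_file) }}"
  when: oidc_ca_cert_file | default('') | length > 0

# ------------------------------------------------------------------
# OAuth cluster resource: add/replace Keycloak IdP entry
# ------------------------------------------------------------------
- name: Get current OAuth cluster configuration
  kubernetes.core.k8s_info:
    api_version: config.openshift.io/v1
    kind: OAuth
    name: cluster
  register: __sno_deploy_current_oauth

- name: Build Keycloak OIDC identity provider definition
  ansible.builtin.set_fact:
    # mappingMethod `claim` refuses logins whose identity maps to an
    # existing user owned by another provider, instead of silently
    # merging accounts; the `ca` key is added only when a private CA
    # bundle was created above.
    __sno_deploy_new_idp: >-
      {{
        {
          'name': oidc_provider_name,
          'mappingMethod': 'claim',
          'type': 'OpenID',
          'openID': (
            {
              'clientID': oidc_client_id,
              'clientSecret': {'name': __sno_deploy_oidc_secret_name},
              'issuer': __sno_deploy_oidc_issuer,
              'claims': {
                'preferredUsername': ['preferred_username'],
                'name': ['name'],
                'email': ['email'],
                'groups': ['groups']
              }
            } | combine(
              (oidc_ca_cert_file | default('') | length > 0)
              | ternary(
                {'ca': {'name': __sno_deploy_oidc_ca_configmap_name}},
                {}
              )
            )
          )
        }
      }}

- name: Build updated identity providers list
  ansible.builtin.set_fact:
    # Drop any existing provider with the same name, then append the
    # freshly built one, so re-runs replace rather than duplicate it.
    __sno_deploy_updated_idps: >-
      {{
        (__sno_deploy_current_oauth.resources[0].spec.identityProviders
         | default([])
         | selectattr('name', '!=', oidc_provider_name)
         | list)
        + [__sno_deploy_new_idp]
      }}

- name: Apply updated OAuth cluster configuration
  kubernetes.core.k8s:
    state: present
    # JSON merge patch replaces the whole identityProviders list, which
    # is intended: the full list was rebuilt in the previous task.
    merge_type: merge
    definition:
      apiVersion: config.openshift.io/v1
      kind: OAuth
      metadata:
        name: cluster
      spec:
        identityProviders: "{{ __sno_deploy_updated_idps }}"

- name: Wait for OAuth deployment to roll out
  # NOTE(review): --insecure-skip-tls-verify disables API-server
  # certificate verification for this call. Kept as-is because the
  # kubeconfig used here may not carry the cluster CA; prefer dropping
  # the flag once the kubeconfig includes `certificate-authority-data`.
  ansible.builtin.command:
    cmd: >-
      {{ __sno_deploy_oc }} rollout status deployment/oauth-openshift
      -n openshift-authentication --timeout=300s --insecure-skip-tls-verify
  changed_when: false

# ------------------------------------------------------------------
# ClusterRoleBinding: grant cluster-admin to OIDC admin groups
# ------------------------------------------------------------------
- name: Create ClusterRoleBinding for OIDC admin groups
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        # Group names may contain characters that are not valid in a
        # resource name; anything outside [a-zA-Z0-9-] becomes `-`.
        name: "oidc-{{ item | regex_replace('[^a-zA-Z0-9-]', '-') }}-cluster-admin"
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
      subjects:
        - apiGroup: rbac.authorization.k8s.io
          kind: Group
          # The unmodified group name is what the `groups` claim must
          # match at login time.
          name: "{{ item }}"
  # default([]) keeps the task a no-op instead of a hard failure when
  # oidc_admin_groups is not defined, matching how oidc_ca_cert_file is
  # handled above.
  loop: "{{ oidc_admin_groups | default([]) }}"
  when: oidc_admin_groups | default([]) | length > 0

- name: Display post-configuration summary
  ansible.builtin.debug:
    msg:
      - "OpenShift OIDC configuration complete!"
      - " Provider : {{ oidc_provider_name }}"
      - " Issuer : {{ __sno_deploy_oidc_issuer }}"
      - " Console : https://console-openshift-console.apps.{{ ocp_cluster_name }}.{{ ocp_base_domain }}"
      - " Login : https://oauth-openshift.apps.{{ ocp_cluster_name }}.{{ ocp_base_domain }}"
      - ""
      - "Note: OAuth pods are restarting — login may be unavailable for ~2 minutes."
    verbosity: 1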