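---
# GitOps Configuration Tasks
#
# Every task below targets the cluster selected by k8s_auth_params; the
# kubeconfig and validate_certs values are passed through unchanged on each
# kubernetes.core.k8s call. app_of_apps_namespace is the namespace ArgoCD
# runs in (Secrets, the app-of-apps Application and the AppProject all land
# there).

# Create GitHub repository credentials secret for ArgoCD.
# The argocd.argoproj.io/secret-type=repository label is what makes ArgoCD
# treat this Secret as a repository credential.
- name: Create GitHub repo credentials secret for ArgoCD
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: argocd-github-repo
        namespace: "{{ app_of_apps_namespace }}"
        labels:
          argocd.argoproj.io/secret-type: repository
      type: Opaque
      stringData:
        type: git
        url: "{{ repo_url }}"
        username: "{{ repo_username }}"
        # Falls back to an empty password when global.repo_token is unset;
        # the Secret is still created, so a missing token shows up later as
        # an ArgoCD repository connection failure rather than at this task.
        password: "{{ global.repo_token | default('') }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  # stringData carries the repo token; keep it out of task output, diffs and
  # verbose/-vvv logs.
  no_log: true

# Create Gitea/Forgejo repository credentials secret for ArgoCD (if hub cluster).
- name: Create Forgejo repo credentials secret for ArgoCD
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: argocd-forgejo-repo
        namespace: "{{ app_of_apps_namespace }}"
        labels:
          argocd.argoproj.io/secret-type: repository
      type: Opaque
      stringData:
        type: git
        # Fixed URL (not repo_url): this is the in-cluster Forgejo instance.
        url: "https://git.container.mom"
        # NOTE(review): both defaults are hard-coded credentials. If
        # global.forgejo.admin_password is not supplied, ArgoCD is configured
        # with the literal 'forgejo_admin' password; consider failing the play
        # instead of defaulting when no password is provided.
        username: "{{ global.forgejo.admin_username | default('forgejo_admin') }}"
        password: "{{ global.forgejo.admin_password | default('forgejo_admin') }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  # stringData carries the Forgejo admin password; never echo it.
  no_log: true
  when: is_hub_cluster | bool

# ArgoCD cluster-admin permissions.
# Binds the built-in cluster-admin ClusterRole to the
# argocd-application-controller ServiceAccount, i.e. the controller may
# create/modify/delete any resource in any namespace of this cluster.
- name: Create a ClusterRoleBinding to grant ArgoCD cluster-admin privileges
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: argocd-cluster-admin
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
      subjects:
        - kind: ServiceAccount
          name: argocd-application-controller
          namespace: "{{ app_of_apps_namespace }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"

# Configure app-of-apps.
# Root Application that ArgoCD syncs from repo_url at app_of_apps_revision;
# apply: true uses server-side apply so later spec changes are reconciled
# rather than rejected. prune/selfHeal come straight from the
# app_of_apps_prune / app_of_apps_self_heal variables.
- name: Configure the Application of Applications (app-of-apps)
  kubernetes.core.k8s:
    state: present
    apply: true
    definition:
      apiVersion: argoproj.io/v1alpha1
      kind: Application
      metadata:
        name: "{{ app_of_apps_name }}"
        namespace: "{{ app_of_apps_namespace }}"
      spec:
        destination:
          namespace: "{{ app_of_apps_namespace }}"
          server: https://kubernetes.default.svc
        project: default
        source:
          path: "{{ app_of_apps_path }}"
          repoURL: "{{ repo_url }}"
          targetRevision: "{{ app_of_apps_revision }}"
        syncPolicy:
          automated:
            prune: "{{ app_of_apps_prune }}"
            selfHeal: "{{ app_of_apps_self_heal }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"

# Hub-specific final configuration.
# The AppProject below uses '*' for sourceRepos, destinations and both
# resource whitelists, so it places no restriction on where Applications in
# this project may pull from or what they may deploy; the only guard is the
# when: condition that limits its creation to the hub cluster.
- name: Create container-mom AppProject for hub cluster
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: argoproj.io/v1alpha1
      kind: AppProject
      metadata:
        name: container-mom
        namespace: "{{ app_of_apps_namespace }}"
      spec:
        description: Container Mom Applications
        sourceRepos:
          - '*'
        destinations:
          - namespace: '*'
            server: '*'
        clusterResourceWhitelist:
          - group: '*'
            kind: '*'
        namespaceResourceWhitelist:
          - group: '*'
            kind: '*'
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  when: is_hub_cluster | bool and create_container_mom_project | bool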