---
# Tasks for RBAC setup.
#
# Every task below runs with `state: present`, i.e. "make sure this binding
# exists". Nothing here revokes anything: an entry removed from
# `admin_users` or `viewer_domains` keeps its ClusterRoleBinding until it is
# deleted by hand, so removal has to be part of the off-boarding checklist.
#
# `kubeconfig` / `validate_certs` come from `k8s_auth_params`. If
# `validate_certs` is ever set to false the module stops checking the API
# server's TLS certificate, which is a poor fit for a play that hands out
# cluster-admin.

# Cluster-admin for named users. `cluster-admin` is the built-in superuser
# ClusterRole, so each e-mail in `admin_users` becomes a cluster root. The
# subject name is matched verbatim against the username the cluster's
# authenticator presents (for Google identities presumably the account
# e-mail — confirm against the cluster's auth configuration).
- name: Create ClusterRoleBinding for cluster-admin role for specific users
  kubernetes.core.k8s:
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        # One binding per user. '@' and '.' are swapped for '-' so the binding
        # name stays readable and grep-able; it is not a security control.
        name: "{{ 'google-cluster-admin-' ~ (user_email | replace('@', '-') | replace('.', '-')) }}"
      subjects:
        - kind: User
          apiGroup: rbac.authorization.k8s.io
          name: "{{ user_email }}"
      roleRef:
        kind: ClusterRole
        apiGroup: rbac.authorization.k8s.io
        name: cluster-admin
  loop: "{{ admin_users }}"
  loop_control:
    loop_var: user_email

# Cluster-wide read-only (`view`) access for each Group in `viewer_domains`.
# The subject is a Group whose name is the bare domain, which only grants
# anything if the cluster's authenticator puts that domain into the user's
# group claims — plain Google/GKE identities do not do this on their own,
# so confirm how groups are mapped before relying on it. `view` is read-only
# but, bound through a ClusterRoleBinding, it reads across every namespace.
- name: Create ClusterRoleBinding for cluster-viewer role for domains
  kubernetes.core.k8s:
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: "{{ 'google-cluster-viewer-' ~ (viewer_domain | replace('.', '-')) }}"
      subjects:
        - kind: Group
          apiGroup: rbac.authorization.k8s.io
          name: "{{ viewer_domain }}"
      roleRef:
        kind: ClusterRole
        apiGroup: rbac.authorization.k8s.io
        name: view
  loop: "{{ viewer_domains }}"
  loop_control:
    loop_var: viewer_domain

# ArgoCD security note: the OpenShift SCC bindings were replaced by Pod
# Security Standards. On vanilla Kubernetes pod privilege is governed by Pod
# Security Standards and each pod's securityContext, so no additional
# ClusterRoleBinding is needed for basic container privileges.

# Cluster-admin for the ArgoCD application controller. This lets ArgoCD
# reconcile any resource in the cluster — and, by the same token, anyone who
# can create or edit an Application this controller syncs, or who can read
# the controller's service-account token in the `argocd` namespace,
# effectively holds cluster-admin. ArgoCD project/RBAC policy and access to
# the `argocd` namespace need to be locked down to match.
- name: Create a ClusterRoleBinding to grant ArgoCD cluster-admin privileges
  kubernetes.core.k8s:
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: argocd-cluster-admin
      subjects:
        # ServiceAccount subjects take no apiGroup.
        - kind: ServiceAccount
          namespace: argocd
          name: argocd-application-controller
      roleRef:
        kind: ClusterRole
        apiGroup: rbac.authorization.k8s.io
        name: cluster-admin

# Same grant for the workload ArgoCD instance, only on the hub cluster
# (`is_hub_cluster`). The caveats above apply to the `wkl-argocd` namespace
# and its controller token as well.
- name: Create a ClusterRoleBinding to grant workload ArgoCD cluster-admin privileges
  when: is_hub_cluster | bool
  kubernetes.core.k8s:
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
    state: present
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: wkl-argocd-cluster-admin
      subjects:
        - kind: ServiceAccount
          namespace: wkl-argocd
          name: wkl-argocd-application-controller
      roleRef:
        kind: ClusterRole
        apiGroup: rbac.authorization.k8s.io
        name: cluster-admin