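---
# Deploy standard ArgoCD installation
#
# Task sequence:
#   1. Install/upgrade the Argo CD Helm release (ingress-based exposure).
#   2. Request a certificate for the Argo CD hostname via the cert_management role.
#   3. Reconcile the OpenShift Route, if one exists (path, rewrite annotation,
#      external certificate).
#   4. Create repository-credential Secrets for Argo CD.
#
# Tasks that render or read secret material (OIDC client secret, TLS secret,
# repository tokens/passwords) are marked `no_log: true` so the values do not
# end up in task output or verbose logs.
#
# NOTE(review): several steps are OpenShift-specific (Route objects, the
# openshift Dex connector, router_* vars) while the Helm values are commented as
# "vanilla Kubernetes"; the Route tasks are guarded by `when:` conditions and
# will be skipped where the Route API does not exist — confirm this mixed
# OpenShift/Kubernetes target is intended.

# Deploy ArgoCD using Helm
- name: Deploy latest version of argocd
  kubernetes.core.helm:
    name: argocd
    release_namespace: argocd
    create_namespace: true
    chart_ref: "{{ argocd_chart_url }}"
    values:
      openshift:
        enabled: false  # Changed to false for vanilla Kubernetes
      redis:
        enabled: true
      server:
        ingress:  # Changed from route to ingress
          enabled: true
          hostname: "{{ argocd_hostname }}"
          ingressClassName: "{{ ingress_class_name | default('nginx') }}"
          annotations:
            nginx.ingress.kubernetes.io/ssl-redirect: "true"
            nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
            # Same issuer default as the cert_management role below, so the
            # ingress-managed certificate and the role-managed one agree.
            cert-manager.io/cluster-issuer: "{{ cert_manager_issuer | default('letsencrypt-prod') }}"
          tls: true
        route:
          enabled: false  # Disable OpenShift routes
      configs:
        cm:
          url: "https://{{ argocd_hostname }}"
          # NOTE(review): both oidc.config and Dex are configured; Argo CD uses
          # a single SSO path — confirm which one is intended. The client secret
          # is inlined into argocd-cm (a ConfigMap); consider referencing a key
          # in argocd-secret instead so it is not stored in a ConfigMap.
          oidc.config: |
            name: generic-oidc
            issuer: "{{ oidc_issuer_url | default('https://auth.container.mom') }}"
            clientID: "{{ argocd_client_id }}"
            clientSecret: "{{ argocd_client_secret }}"
            redirectURI: "https://{{ argocd_hostname }}/api/dex/callback"
        params:
          server.rootpath: ""
          server.basehref: "/"
          # TLS is terminated at the ingress (tls: true above) / Route
          # (termination: edge below), so argocd-server serves plain HTTP
          # inside the cluster.
          server.insecure: "true"
          server.staticassets: "/app/dist"
          server.rootpath.middleware.enabled: "false"
          server.enable.proxy.extension: "true"
          server.extension.cors: "true"
      dex:
        enabled: true
        config: |
          connectors:
            - type: openshift
              id: openshift
              name: OpenShift
              config:
                clientID: "{{ argocd_client_id }}"
                clientSecret: "{{ argocd_client_secret }}"
                redirectURI: "https://{{ argocd_hostname }}/api/dex/callback"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  # Rendered values contain argocd_client_secret; keep them out of logs.
  no_log: true

# Create ArgoCD specific certificate
- name: Include cert_management role for ArgoCD certificate
  include_role:
    name: cert_management
  vars:
    certificate_name: "argocd-cert"
    certificate_namespace: "argocd"
    certificate_secret_name: "argocd-tls"
    certificate_common_name: "{{ argocd_hostname }}"
    certificate_dns_names:
      - "{{ argocd_hostname }}"
    # Uses the same override/default as the cert-manager ingress annotation
    # above so one variable selects the issuer for both paths.
    certificate_issuer: "{{ cert_manager_issuer | default('letsencrypt-prod') }}"
    certificate_issuer_kind: "ClusterIssuer"
    certificate_wait_retries: 30
    certificate_wait_delay: 10
    role_name: "argocd-tls-reader"
    rolebinding_name: "argocd-tls-reader-binding"
    router_service_account: "router"
    router_namespace: "openshift-ingress"
    create_route_role: true

# Check if ArgoCD TLS secret exists
# The registered result is only tested for presence (resources | length > 0)
# by the Route update task below.
- name: Check if ArgoCD TLS secret exists
  kubernetes.core.k8s_info:
    api_version: v1
    kind: Secret
    name: "argocd-tls"
    namespace: "argocd"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  register: argocd_tls_secret
  ignore_errors: true
  # The result carries the TLS private key in .data; do not print it.
  no_log: true

# Get ArgoCD route info
# Fails (and is ignored) on clusters without the Route API; dependent tasks
# check `argocd_route.resources is defined` before using it.
- name: Get ArgoCD route
  kubernetes.core.k8s_info:
    api_version: route.openshift.io/v1
    kind: Route
    name: argocd-server
    namespace: argocd
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  register: argocd_route
  ignore_errors: true

# Remove path from ArgoCD route if it exists
- name: Remove path from ArgoCD route if it exists
  kubernetes.core.k8s_json_patch:
    api_version: route.openshift.io/v1
    kind: Route
    name: argocd-server
    namespace: argocd
    patch:
      - op: remove
        path: /spec/path
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  when:
    - argocd_route.resources is defined
    - argocd_route.resources | length > 0
    - argocd_route.resources[0].spec.path is defined

# Check if ArgoCD route has a rewrite-target annotation that needs to be removed
- name: Check if ArgoCD route has rewrite-target annotation
  kubernetes.core.k8s_info:
    api_version: route.openshift.io/v1
    kind: Route
    name: argocd-server
    namespace: argocd
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  register: check_argocd_route_annotation
  ignore_errors: true

- name: Remove rewrite-target annotation from ArgoCD route if it exists
  kubernetes.core.k8s_json_patch:
    api_version: route.openshift.io/v1
    kind: Route
    name: argocd-server
    namespace: argocd
    patch:
      - op: remove
        # JSON Pointer: the "/" in the annotation key is escaped as "~1".
        path: /metadata/annotations/haproxy.router.openshift.io~1rewrite-target
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  when:
    - check_argocd_route_annotation.resources is defined
    - check_argocd_route_annotation.resources | length > 0
    - check_argocd_route_annotation.resources[0].metadata.annotations is defined
    - "'haproxy.router.openshift.io/rewrite-target' in check_argocd_route_annotation.resources[0].metadata.annotations"

# Update ArgoCD route to use external certificate
# Only runs when both the Route and the argocd-tls Secret were found above.
- name: Update ArgoCD route to use external certificate
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: route.openshift.io/v1
      kind: Route
      metadata:
        name: argocd-server
        namespace: argocd
        annotations:
          haproxy.router.openshift.io/timeout: 60s
          route.openshift.io/termination: edge
      spec:
        host: "{{ argocd_hostname }}"
        port:
          # Preserve whatever target port the existing Route already uses.
          targetPort: "{{ argocd_route.resources[0].spec.port.targetPort }}"
        tls:
          termination: edge
          # Quoted: these are API string values, not YAML nulls.
          insecureEdgeTerminationPolicy: "None"
          externalCertificate:
            name: "argocd-tls"
        to:
          kind: Service
          name: argocd-server
          weight: 100
        wildcardPolicy: "None"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  when:
    - argocd_route.resources is defined
    - argocd_route.resources | length > 0
    - argocd_tls_secret.resources is defined
    - argocd_tls_secret.resources | length > 0

# Create GitHub repository credentials secret
- name: Create GitHub repo credentials secret for ArgoCD
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: argocd-github-repo
        namespace: argocd
        labels:
          argocd.argoproj.io/secret-type: repository
      type: Opaque
      stringData:
        type: git
        url: "{{ github_repo_url }}"
        username: "{{ github_repo_username }}"
        password: "{{ global.repo_token | default('') }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  when: global is defined and global.repo_token is defined
  # stringData holds the repository token; keep it out of logs.
  no_log: true

# Create Forgejo repository credentials secret
- name: Create Forgejo repo credentials secret for ArgoCD
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: argocd-forgejo-repo
        namespace: argocd
        labels:
          argocd.argoproj.io/secret-type: repository
      type: Opaque
      stringData:
        type: git
        url: "https://git.container-mom.apps.{{ cluster_name }}.{{ cluster_region }}.container.mom"
        username: "{{ global.forgejo.admin_username | default(forgejo_admin_username) }}"
        password: "{{ global.forgejo.admin_password | default(forgejo_admin_password) }}"
    kubeconfig: "{{ k8s_auth_params.kubeconfig }}"
    validate_certs: "{{ k8s_auth_params.validate_certs }}"
  when: is_hub_cluster | bool
  # stringData holds the Forgejo admin password; keep it out of logs.
  no_log: true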