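---
# cert-manager bootstrap for the cluster selected by `my_context`:
# core chart, optional DNS-01 webhooks (OVH, smallstep), ClusterIssuers and
# their credential Secrets, and the optional CSI driver.
#
# Variables read here (shapes inferred from use below — confirm against the
# role defaults): my_context, certmanager_version, cert_manager_namespace,
# cert_manager_issuer (list of mappings with at least a `provider` key; entries
# may carry `acme_provider` and `solvers`), certmanager_csi (bool),
# certmanager_csi_version, cert_manager_webhook_ovh_version (optional).

- name: Cert Manager setup
  block:
    - name: Defined jetstack repository
      kubernetes.core.helm_repository:
        name: jetstack
        repo_url: "https://charts.jetstack.io"

    # Despite the task name the release is pinned to `certmanager_version`,
    # which is what we want for reproducible upgrades.
    - name: Deploy latest version of Cert-Manager
      kubernetes.core.helm:
        context: "{{ my_context }}"
        name: cert-manager
        chart_ref: jetstack/cert-manager
        chart_version: "{{ certmanager_version }}"
        create_namespace: true
        release_namespace: "{{ cert_manager_namespace }}"
        values:
          # `installCRDs` is the long-standing chart key; newer chart versions
          # also accept `crds.enabled` / `crds.keep` — check the pinned
          # version's values.yaml before changing it.
          installCRDs: true
          extraArgs:
            # Public resolvers for the DNS-01 self-check so that a
            # split-horizon internal DNS cannot hide the challenge record
            # from cert-manager.
            - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"

# https://github.com/baarde/cert-manager-webhook-ovh/tree/master/deploy/cert-manager-webhook-ovh
- name: Install OVH webhook
  block:
    # NOTE(review): this pulls a third-party chart straight from GitHub and
    # grants it a Role/RoleBinding in the cert-manager namespace. The default
    # keeps the previous behaviour (HEAD); set
    # `cert_manager_webhook_ovh_version` to a tag or commit SHA so the
    # deployed code is reviewable and reproducible.
    - name: Git clone stable repo on HEAD
      ansible.builtin.git:
        repo: "https://github.com/baarde/cert-manager-webhook-ovh.git"
        # Relative to the controller's working directory, not the role.
        dest: tmp/cert-manager-webhook-ovh
        version: "{{ cert_manager_webhook_ovh_version | default('HEAD') }}"

    - name: Deploy OVH webhook chart from local path
      run_once: true
      kubernetes.core.helm:
        state: present
        context: "{{ my_context }}"
        name: cert-manager-webhook-ovh
        chart_ref: tmp/cert-manager-webhook-ovh/deploy/cert-manager-webhook-ovh
        release_namespace: "{{ cert_manager_namespace }}"
        values:
          # The previous json_query expression could not render: `\"` is not
          # an escape inside a single-quoted YAML scalar, and in JMESPath
          # `"ovh"` is a quoted identifier rather than a string literal.
          # selectattr/equalto needs no extra collection.
          # NOTE(review): `first` yields the whole issuer mapping, while the
          # chart expects groupName to be the webhook API group string —
          # confirm which key of the issuer entry holds that value.
          groupName: "{{ cert_manager_issuer | selectattr('provider', 'equalto', 'ovh') | first }}"

    - name: OVH WebHook dependency
      kubernetes.core.k8s:
        state: present
        context: "{{ my_context }}"
        apply: true
        namespace: "{{ cert_manager_namespace }}"
        resource_definition: "{{ lookup('template', item) | from_yaml }}"
      loop:
        - cert-manager-webhook-ovh-Role.yml.j2
        - cert-manager-webhook-ovh-RoleBinding.yml.j2
  when:
    # Block is deliberately disabled; drop the literal `false` to enable it.
    # Ansible evaluates list conditions left to right and stops at the first
    # false one, so the expressions below only run once it is removed.
    - false
    - cert_manager_issuer is defined
    - cert_manager_issuer | selectattr('provider', 'equalto', 'ovh') | list | length > 0

# https://smallstep.com/
# https://github.com/smallstep/step-issuer
- name: Install Step webhook
  block:
    - name: Defined smallstep repository
      kubernetes.core.helm_repository:
        name: smallstep
        repo_url: "https://smallstep.github.io/helm-charts/"

    # NOTE(review): neither smallstep release is pinned with `chart_version`,
    # unlike the cert-manager and CSI charts above/below.
    - name: Deploy step-certificates chart
      kubernetes.core.helm:
        state: present
        name: step-certificates
        context: "{{ my_context }}"
        chart_ref: smallstep/step-certificates
        release_namespace: "{{ cert_manager_namespace }}"

    # https://github.com/smallstep/helm-charts/tree/master/step-issuer
    # Previously carried the same name as the task above, which makes
    # --start-at-task / --list-tasks output ambiguous.
    - name: Deploy step-issuer chart
      kubernetes.core.helm:
        state: present
        name: step-issuer
        context: "{{ my_context }}"
        chart_ref: smallstep/step-issuer
        release_namespace: "{{ cert_manager_namespace }}"
  when:
    # Block is deliberately disabled; drop the literal `false` to enable it.
    - false
    - cert_manager_issuer is defined
    - cert_manager_issuer | selectattr('provider', 'equalto', 'step') | list | length > 0

- name: Add ClusterIssuers
  block:
    # `api-key-secret.yml.j2` is rendered once per issuer entry and may
    # produce several documents, hence from_yaml_all. `| list` materialises
    # the generator so the module receives a real list (the idiom used in
    # the kubernetes.core docs). The loop items carry provider credentials,
    # so the task output is suppressed.
    - name: Create Secret object for API Key authentification
      kubernetes.core.k8s:
        state: present
        context: "{{ my_context }}"
        apply: true
        namespace: "{{ cert_manager_namespace }}"
        resource_definition: "{{ lookup('template', 'api-key-secret.yml.j2') | from_yaml_all | list }}"
      loop: "{{ cert_manager_issuer | default([]) }}"
      when:
        - item.acme_provider is defined
        - item.solvers is defined
      no_log: true

    # The loop default replaces the old `when: cert_manager_issuer is defined`
    # guard: a loop over an undefined variable fails before `when` is
    # evaluated, so the guard never protected anything.
    - name: Defined ClusterIssuers
      kubernetes.core.k8s:
        state: present
        context: "{{ my_context }}"
        apply: true
        namespace: "{{ cert_manager_namespace }}"
        resource_definition: "{{ lookup('template', 'clusterissuer.yml.j2') | from_yaml }}"
      loop: "{{ cert_manager_issuer | default([]) }}"
  tags: cert-manager

# https://github.com/cert-manager/csi-driver/tree/main/deploy/charts/csi-driver
# Only installs: `certmanager_csi: false` skips the task rather than removing
# an existing release (there is no `state: absent` path despite the name).
- name: install / uninstall Cert-Manager CSI Kubernetes drivers
  kubernetes.core.helm:
    context: "{{ my_context }}"
    name: cert-manager-csi-driver
    chart_ref: jetstack/cert-manager-csi-driver
    chart_version: "{{ certmanager_csi_version }}"
    create_namespace: true
    release_namespace: "{{ cert_manager_namespace }}"
  when:
    - certmanager_csi | bool
  tags:
    - cert-manager
    - storage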