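# Installs cert-manager from the jetstack Helm repository, creates the issuer
# API-key Secrets and ClusterIssuers, and (currently disabled) installs the
# OVH DNS-01 webhook from a git checkout.
- name: Cert Manager setup
  block:
    - name: Defined jetstack repository
      community.kubernetes.helm_repository:
        name: jetstack
        repo_url: "https://charts.jetstack.io"

    - name: Deploy latest version of Cert-Manager
      community.kubernetes.helm:
        context: "{{ my_context }}"
        name: cert-manager
        chart_ref: jetstack/cert-manager
        # With no version set, Helm installs whatever chart is newest at run
        # time. Set cert_manager_chart_version to a reviewed release to make
        # the deployment reproducible; leaving it unset keeps the old behaviour.
        chart_version: "{{ cert_manager_chart_version | default(omit) }}"
        create_namespace: true
        release_namespace: "{{ cert_manager_namespace }}"
        values:
          installCRDs: true
          global:
            # NOTE(review): the PodSecurityPolicy API was removed in
            # Kubernetes 1.25; confirm the target clusters still serve it
            # before relying on this setting.
            podSecurityPolicy:
              enabled: true
              useAppArmor: false
          extraArgs:
            # DNS-01 self-checks are sent to these public resolvers.
            - '--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53'

    - name: Create Secret object for API Key authentification
      k8s:
        state: present
        context: "{{ my_context }}"
        apply: true
        namespace: "{{ cert_manager_namespace }}"
        resource_definition: "{{ lookup('template', 'api-key-secret.yml.j2') | from_yaml }}"
      # The loop item and the rendered manifest presumably carry the provider
      # API key (template not visible here); keep them out of task output,
      # callback plugins and logs.
      no_log: true
      when:
        - cert_manager_issuer is defined
      with_items:
        - "{{ cert_manager_issuer }}"

    # Delay here (original note: "Tempo ici")

    - name: Defined ClusterIssuers
      k8s:
        state: present
        context: "{{ my_context }}"
        apply: true
        namespace: "{{ cert_manager_namespace }}"
        resource_definition: "{{ lookup('template', item) | from_yaml }}"
      # debug:
      #   msg: "{{ lookup('template', item) | from_yaml }}"
      with_items:
        - clusterissuer.yml.j2
      when:
        # - false
        - cert_manager_issuer is defined

    # https://github.com/baarde/cert-manager-webhook-ovh/tree/master/deploy/cert-manager-webhook-ovh
    - name: Install OVH webhook
      block:
        - name: Git clone stable repo on HEAD
          ansible.builtin.git:
            repo: "https://github.com/baarde/cert-manager-webhook-ovh.git"
            dest: tmp/cert-manager-webhook-ovh
            # The chart in this checkout is installed into the cluster below,
            # so whatever upstream HEAD contains at run time gets deployed.
            # Set cert_manager_webhook_ovh_version to a reviewed commit SHA or
            # tag; the default keeps the previous "track HEAD" behaviour.
            version: "{{ cert_manager_webhook_ovh_version | default('HEAD') }}"

        - name: Deploy OVH webhook chart from local path
          run_once: true
          community.kubernetes.helm:
            state: present
            context: "{{ my_context }}"
            name: cert-manager-webhook-ovh
            chart_ref: tmp/cert-manager-webhook-ovh/deploy/cert-manager-webhook-ovh
            release_namespace: "{{ cert_manager_namespace }}"
            values:
              # groupName: '{{ cert_manager_issuer | selectattr("provider", "match", "ovh") | first }}'
              # The previous single-quoted form passed literal backslashes to
              # Jinja (a template syntax error) and compared against "ovh" as
              # a JMESPath field name instead of a string literal.
              # NOTE(review): this still yields the whole matching issuer
              # entry, not one attribute; confirm which field holds the
              # group name.
              groupName: >-
                {{ cert_manager_issuer | json_query("[?provider=='ovh']") | first }}
          # with_items:
          #   - "{{ cert_manager_issuer | selectattr('ovh', 'in', provider) }}"
          # when:
          #   - item.provider == "ovh"

        - name: OVH WebHook dependency
          k8s:
            state: present
            context: "{{ my_context }}"
            apply: true
            namespace: "{{ cert_manager_namespace }}"
            resource_definition: "{{ lookup('template', item) | from_yaml }}"
          with_items:
            - cert-manager-webhook-ovh-Role.yml.j2
            - cert-manager-webhook-ovh-RoleBinding.yml.j2
      # NOTE(review): these conditions are taken to gate the whole OVH block
      # (the source layout was ambiguous); confirm they were not meant for the
      # last task only.
      when:
        # The literal false keeps the OVH webhook install switched off.
        - false
        - cert_manager_issuer is defined
        # Replaces `cert_manager_issuer.[].provider == "ovh"`, which is not
        # valid Jinja. Assumes cert_manager_issuer is a list of mappings with
        # a `provider` key, as the groupName expression above does.
        - "cert_manager_issuer | selectattr('provider', 'equalto', 'ovh') | list | length > 0"
  tags: cert-manager

# The CSI driver tasks live in csi.yml and are only pulled in when
# certmanager_csi evaluates to true.
- name: install / uninstall Cert-Manager CSI Kubernetes drivers
  include_tasks: "csi.yml"
  when:
    - certmanager_csi|bool
  tags:
    - cert-manager
    - storage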