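---
# Deploys one JupyterHub release per values file found in ../deployments/*.yaml.
# For each file the play reads the matching secrets from HashiCorp Vault,
# renders the file as a template onto the master, installs or upgrades the
# Helm release, and binds a namespace-scoped Role to the `hub` ServiceAccount.
- name: Notebooks deployments
  hosts: master
  become: true
  tasks:
    # Adds the chart repository only when the custom local fact `helm_repos`
    # does not already list it.
    - name: Configure helm repo
      shell: |-
        helm repo add jupyterhub https://jupyterhub.github.io/helm-chart/
        helm repo update
      when: "'jupyterhub' not in ansible_local.helm_repos | map(attribute='name') | list"

    # Builds `secrets` as {deployment name: Vault data}, one entry per values
    # file. no_log keeps the looked-up values out of task output and logs.
    - name: Get Secrets from Vault for notebooks
      vars:
        name: "{{ item | basename | splitext | first }}"
      set_fact:
        secrets: "{{ secrets|default({}) | combine({name: lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/deployment-' + name, token_validate=false)}) }}"
      no_log: true
      with_fileglob:
        - "../deployments/*.yaml"

    # Builds `gateways_token` as {gateway name: auth token}. combine() keeps
    # earlier entries, so adding a second gateway to the loop does not
    # overwrite the first one.
    - name: Get Secrets from Vault for gateway
      set_fact:
        gateways_token: "{{ gateways_token | default({}) | combine({item: lookup('community.hashi_vault.hashi_vault', vault_mount_point + '/gateway-' + item + ':authtoken', token_validate=false)}) }}"
      no_log: true
      loop:
        - cesnet-mcc

    # Debug helpers, left disabled: enabling them prints the Vault secrets and
    # gateway tokens in clear text into the play output.
    # - name: Debug Deployments Secrets
    #   debug:
    #     msg: "{{ item.key }} = {{ item.value }}"
    #   loop: "{{ secrets | dict2items }}"

    # - name: Debug Gateway Secrets
    #   debug:
    #     msg: "{{ item.key }} = {{ item.value }}"
    #   loop: "{{ gateways_token | dict2items }}"

    # Renders each values file, with the secrets substituted, to /tmp on the
    # master. The mode is quoted so it is read as the octal string 0600 and
    # not as the integer 600 / 384, and no_log keeps --diff or verbose runs
    # from echoing the rendered secrets.
    # NOTE(review): no task in this play removes the rendered file from /tmp
    # afterwards, so the secrets stay on disk; consider a cleanup task or a
    # root-only directory.
    # NOTE(review): the `gateways_token` task var refers to the fact of the
    # same name and looks redundant; confirm before dropping it.
    - name: Copy config file to master
      vars:
        name: "{{ item | basename | splitext | first }}"
        secret: "{{ secrets[name] }}"
        gateways_token: "{{ gateways_token }}"
      template:
        src: "{{ item }}"
        dest: "/tmp/{{ item | basename }}"
        mode: "0600"
      no_log: true
      with_fileglob:
        - "../deployments/*.yaml"

    # Installs the release when `helm status` cannot find it, otherwise
    # upgrades it. Namespace and release name are both the values-file name.
    # Templated values are shell-quoted because they are spliced into a
    # shell command line.
    - name: Deploy/upgrade notebook instance
      vars:
        name: "{{ item | basename | splitext | first }}"
        values_file: "/tmp/{{ item | basename }}"
        version: "3.2.1"  # app 4.0.2 (2023-11-27)
      shell: |-
        if ! helm status --namespace {{ name | quote }} {{ name | quote }}; then
          helm install --create-namespace --namespace {{ name | quote }} \
            -f {{ values_file | quote }} --version {{ version | quote }} --timeout 2h \
            {{ name | quote }} jupyterhub/jupyterhub
        else
          helm upgrade --version {{ version | quote }} -f {{ values_file | quote }} --timeout 2h \
            --namespace {{ name | quote }} {{ name | quote }} jupyterhub/jupyterhub
        fi
      environment:
        KUBECONFIG: /etc/kubernetes/admin.conf
        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
      when: true
      with_fileglob:
        - "../deployments/*.yaml"

    # Grants the `hub` ServiceAccount read and write access to every Secret in
    # its own namespace (a Role is namespace-scoped).
    # NOTE(review): confirm the hub needs all seven verbs; any other Secret
    # stored in this namespace becomes readable by the hub pod.
    # The heredoc delimiter is quoted so the shell passes the rendered
    # manifest through without expanding anything inside it.
    - name: Configure secrets management for the hub
      vars:
        name: "{{ item | basename | splitext | first }}"
      shell: |-
        kubectl apply -f - << 'EOF'
        ---
        kind: Role
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: hub-secrets
          namespace: {{ name }}
        rules:
          - apiGroups: [""]  # "" indicates the core API group
            resources: ["secrets"]
            verbs: ["get", "watch", "list", "create", "delete", "patch", "update"]
        ---
        kind: RoleBinding
        apiVersion: rbac.authorization.k8s.io/v1
        metadata:
          name: hub-secrets
          namespace: {{ name }}
        subjects:
          - kind: ServiceAccount
            name: hub
            namespace: {{ name }}
        roleRef:
          kind: Role
          name: hub-secrets
          apiGroup: rbac.authorization.k8s.io
        EOF
      environment:
        KUBECONFIG: /etc/kubernetes/admin.conf
        PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
      when: true
      with_fileglob:
        - "../deployments/*.yaml"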