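---
# Keycloak realm/client provisioning, followed by a scale-down/scale-up of the
# dependent deployments. Every variable used here (keycloak_url,
# keycloak_context, keycloak_auth_client, keycloak_admin_user,
# keycloak_admin_password, keycloak_auth_realm, keycloak_realm,
# keycloak_login_theme, keycloak_clients, cmoa_namespace) is supplied by the
# caller; none is defined in this file.

- name: 0. Generate keycloak auth token
  ansible.builtin.uri:
    url: "{{ keycloak_url }}{{ keycloak_context }}/realms/master/protocol/openid-connect/token"
    method: POST
    body: "client_id={{ keycloak_auth_client }}&username={{ keycloak_admin_user }}&password={{ keycloak_admin_password }}&grant_type=password"
    # NOTE(review): TLS verification is switched off for the admin credential
    # exchange, while the keycloak_* tasks below run with the module default
    # (verification on); the two only agree when the endpoint presents a
    # trusted certificate. Confirm this is intended for the target environment.
    validate_certs: false
  # The request body carries the admin password and the registered response
  # carries a bearer token; keep both out of verbose output and log files.
  no_log: true
  register: keycloak_auth_response
  # Retry transient failures (e.g. Keycloak still starting) before giving up.
  until: keycloak_auth_response.status == 200
  retries: 5
  delay: 2

- name: 1. Determine if realm exists
  ansible.builtin.uri:
    url: "{{ keycloak_url }}{{ keycloak_context }}/admin/realms/{{ keycloak_realm }}"
    method: GET
    # 404 is an expected answer ("realm missing"), not a task failure.
    status_code:
      - 200
      - 404
    headers:
      Accept: "application/json"
      Authorization: "Bearer {{ keycloak_auth_response.json.access_token }}"
  # Not consumed by any task below; presumably read by a caller or a later
  # task outside this file.
  register: keycloak_realm_exists

- name: 2. update a keycloak realm
  community.general.keycloak_realm:
    auth_client_id: "{{ keycloak_auth_client }}"
    auth_keycloak_url: "{{ keycloak_url }}{{ keycloak_context }}"
    auth_realm: "{{ keycloak_auth_realm }}"
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ item }}"
    login_theme: "{{ keycloak_login_theme }}"
  # Update each distinct realm once, even when several clients share it,
  # instead of re-running the module per client entry.
  loop: "{{ keycloak_clients | flatten | map(attribute='realm') | unique }}"

- name: 3. Validate Keycloak clients
  ansible.builtin.assert:
    that:
      - item.name is defined and item.name | length > 0
      - (item.client_id is defined and item.client_id | length > 0) or (item.id is defined and item.id | length > 0)
    fail_msg: "For each keycloak client, attributes `name` and either `id` or `client_id` is required"
    quiet: true
  loop: "{{ keycloak_clients | flatten }}"
  loop_control:
    label: "{{ item.name | default('unnamed client') }}"

- name: 4. update a Keycloak client
  community.general.keycloak_client:
    auth_client_id: "{{ keycloak_auth_client }}"
    auth_keycloak_url: "{{ keycloak_url }}{{ keycloak_context }}"
    auth_realm: "{{ keycloak_auth_realm }}"
    auth_username: "{{ keycloak_admin_user }}"
    auth_password: "{{ keycloak_admin_password }}"
    realm: "{{ item.realm }}"
    # Optional attributes fall back to `omit` so the module keeps its own
    # defaults / the existing server-side value for anything not listed.
    default_roles: "{{ item.roles | default(omit) }}"
    client_id: "{{ item.client_id | default(omit) }}"
    id: "{{ item.id | default(omit) }}"
    name: "{{ item.name | default(omit) }}"
    description: "{{ item.description | default(omit) }}"
    root_url: "{{ item.root_url | default('') }}"
    admin_url: "{{ item.admin_url | default('') }}"
    base_url: "{{ item.base_url | default('') }}"
    enabled: "{{ item.enabled | default(True) }}"
    redirect_uris: "{{ item.redirect_uris | default(omit) }}"
    # NOTE(review): '+' is a Keycloak special value that permits the origins of
    # the registered redirect URIs; confirm that is the intended CORS policy
    # for clients that do not set web_origins explicitly.
    web_origins: "{{ item.web_origins | default('+') }}"
    bearer_only: "{{ item.bearer_only | default(omit) }}"
    standard_flow_enabled: "{{ item.standard_flow_enabled | default(omit) }}"
    implicit_flow_enabled: "{{ item.implicit_flow_enabled | default(omit) }}"
    direct_access_grants_enabled: "{{ item.direct_access_grants_enabled | default(omit) }}"
    service_accounts_enabled: "{{ item.service_accounts_enabled | default(omit) }}"
    # Confidential client unless the caller opts in to a public one.
    public_client: "{{ item.public_client | default(False) }}"
    protocol: "{{ item.protocol | default(omit) }}"
    state: present
  register: create_client_result
  loop: "{{ keycloak_clients | flatten }}"
  # Same condition task 3 already asserts; kept so this task is safe on its own.
  when: (item.name is defined and item.client_id is defined) or (item.name is defined and item.id is defined)

# Restart the dependent deployments by scaling to zero and back. `command`
# (not `shell`) is used, so the interpolated namespace is not subject to shell
# expansion. NOTE(review): no wait for the pods to terminate between the two
# steps, and the scale-up count is hard-coded to 1 — confirm both are intended.
- name: 5. Dependency deploy scale down
  ansible.builtin.command: "kubectl -n {{ cmoa_namespace }} scale --replicas=0 deploy imxc-api noti-server auth-server zuul-deployment"

- name: 6. Dependency deploy scale up
  ansible.builtin.command: "kubectl -n {{ cmoa_namespace }} scale --replicas=1 deploy imxc-api noti-server auth-server zuul-deployment"
  register: restart

- name: 7. Show scale-up output
  ansible.builtin.debug:
    msg: "{{ restart.stdout_lines }}"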