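---
# Prepares the patch directory, then patches per-project namespace annotations
# (supplemental-group and uid ranges) and the "restricted" SCC through the
# openshift_resource role's patch.yml tasks.

- name: Ensure OpenShift patch directory exists
  file:
    path: "{{ ands_openshift_patch_path }}"
    state: directory
    # A directory needs the search (x) bit to be usable; the previous 0644 had
    # none, so only root (which bypasses the check) could enter it. 0700 keeps
    # it root-only while making the mode valid for a directory. Quoted so the
    # value is never re-read as a number.
    mode: "0700"
    owner: root
    group: root

# No spaces in patch, otherwise escaping mess...
# NOTE(review): the range and mode values below are pasted into the JSON text
# unescaped, so a value containing a quote or backslash would change the
# structure of the patch. Keep these variables under inventory control and
# limited to plain range/type strings.

- name: Patch group range in project configuration
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  vars:
    project: "{{ prj_item }}"
    resource: "ns/{{ prj_item }}"
    patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ands_openshift_gid_ranges[prj_item]}}"}}}'
    patch_path: "{{ ands_openshift_patch_path }}"
  # "| list" turns the keys view into a real list, so the loop also works when
  # the controller runs under Python 3.
  with_items: "{{ (ands_openshift_gid_ranges | default({})).keys() | list }}"
  loop_control:
    loop_var: prj_item

- name: Patch uid range in project configuration
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  vars:
    project: "{{ prj_item }}"
    resource: "ns/{{ prj_item }}"
    patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ands_openshift_uid_ranges[prj_item]}}"}}}'
    patch_path: "{{ ands_openshift_patch_path }}"
  with_items: "{{ (ands_openshift_uid_ranges | default({})).keys() | list }}"
  loop_control:
    loop_var: prj_item

# The two tasks below resolve "mode" per project: the project's own entry if
# present, else the 'ands_default' entry, else false (task skipped).
# NOTE(review): the patched resource is "scc/restricted" for every loop item,
# so each project's mode is applied to the same object and the last applied
# value is what remains; SCCs are cluster-scoped, so a relaxed type here is
# not confined to one project. Confirm that per-project modes are intended.

- name: Restrict supplementalGroups
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  vars:
    project: "{{ prj_item }}"
    resource: "scc/restricted"
    modes: "{{ ands_openshift_gid_mode | default({}) }}"
    mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
    patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
    patch_path: "{{ ands_openshift_patch_path }}"
  when: mode != false
  with_items: "{{ (ands_openshift_projects | default({})).keys() | list }}"
  loop_control:
    loop_var: prj_item

- name: Configure runAsUser
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  vars:
    project: "{{ prj_item }}"
    resource: "scc/restricted"
    modes: "{{ ands_openshift_uid_mode | default({}) }}"
    mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
    patch: '{"runAsUser":{"type":"{{mode}}"}}'
    patch_path: "{{ ands_openshift_patch_path }}"
  when: mode != false
  with_items: "{{ (ands_openshift_projects | default({})).keys() | list }}"
  loop_control:
    loop_var: prj_item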