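---
# Tasks for the openshift_serviceaccounts role.
#
# Creates every account in openshift_serviceaccounts_names inside
# openshift_serviceaccounts_namespace and adds each of them to the SCC(s)
# listed in openshift_serviceaccounts_sccs.  Membership of the `privileged`
# SCC lets a pod run as root with host access, i.e. it is node-root
# equivalent -- keep the list of accounts that receive it minimal.
#
# Two code paths exist: `policy add-scc-to-user` for >= 3.1 / 1.1, and a
# fetch / edit / update of the SCC YAML under /tmp for 3.0.z, which lacks
# that subcommand.

- name: test if service accounts exists
  command: >
    {{ openshift.common.client_binary }} get sa {{ item }}
    -n {{ openshift_serviceaccounts_namespace }}
  with_items: "{{ openshift_serviceaccounts_names }}"
  # A non-zero rc is treated as "account does not exist" by the create task
  # below.  It also fires on API / auth failures; in that case the create
  # command fails and surfaces the real error.
  failed_when: false
  changed_when: false
  register: account_test

- name: create the service account
  # The rendered template is shell-quoted (`quote`) before being echoed into
  # `create -f -`, so templated namespace / account values cannot break out
  # of the echo argument.
  shell: >
    echo {{ lookup('template', '../templates/serviceaccount.j2')
      | from_yaml | to_json | quote }} | {{ openshift.common.client_binary }} create -f -
  when: item.1.rc != 0
  with_together:
    - "{{ openshift_serviceaccounts_names }}"
    - "{{ account_test.results }}"

- name: test if scc needs to be updated
  command: >
    {{ openshift.common.client_binary }} get scc {{ item }} -o yaml
  changed_when: false
  failed_when: false
  register: scc_test
  with_items: "{{ openshift_serviceaccounts_sccs }}"

- name: Grant the service account access to the scc
  # item.0 is the account name; item.1 is the registered `get scc` result,
  # whose .item is the SCC that was queried.  The grant targets that same
  # SCC -- the previous hard-coded `privileged` only matched the check when
  # openshift_serviceaccounts_sccs held exactly that one entry.  The grant is
  # skipped when the account already appears under `users:` so the task is
  # idempotent; default([]) covers a dump with no `users` key (presumably
  # what an SCC with no users renders as -- verify against a live cluster).
  # The condition is written as a plain Jinja expression: `{{ }}` inside
  # `when` is double-templated and warned about by Ansible.
  command: >
    {{ openshift.common.admin_binary }} policy add-scc-to-user
    {{ item.1.item }} system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item.0 }}
  when: >
    openshift.common.version_gte_3_1_or_1_1 and item.1.rc == 0 and
    ('system:serviceaccount:' ~ openshift_serviceaccounts_namespace ~ ':' ~ item.0)
    not in ((item.1.stdout | from_yaml).users | default([]))
  with_nested:
    - "{{ openshift_serviceaccounts_names }}"
    - "{{ scc_test.results }}"

####
#
# Support for 3.0.z
#
####

- name: tmp dir for openshift
  # /tmp/openshift is a fixed, predictable path inside a world-writable
  # directory: an unprivileged local user who pre-creates it can interpose
  # on the SCC file written below.  The mode must be a quoted octal string;
  # an unquoted `700` is decimal 700 (octal 1274), which is owner write-only,
  # group rwx and world-readable -- the opposite of what was intended.
  file:
    path: /tmp/openshift
    state: directory
    owner: root
    mode: "0700"
  when: not openshift.common.version_gte_3_1_or_1_1

- name: Create service account configs
  # NOTE(review): nothing in this file consumes these rendered files -- the
  # accounts themselves are created by the ungated `create -f -` task above.
  # Looks like a leftover of an older flow; confirm before relying on it.
  template:
    src: serviceaccount.j2
    dest: "/tmp/openshift/{{ item }}-serviceaccount.yaml"
  with_items: "{{ openshift_serviceaccounts_names }}"
  when: not openshift.common.version_gte_3_1_or_1_1

- name: Get current security context constraints
  # Only the `privileged` SCC is handled on this path, regardless of
  # openshift_serviceaccounts_sccs.
  shell: >
    {{ openshift.common.client_binary }} get scc privileged -o yaml
    --output-version=v1 > /tmp/openshift/scc.yaml
  changed_when: false
  when: not openshift.common.version_gte_3_1_or_1_1

- name: Add security context constraint for {{ item }}
  # lineinfile is idempotent on `line`, so re-runs do not duplicate entries.
  # It relies on the dump containing a bare `users:` header followed by a
  # block sequence at column 0; if the key is absent or rendered inline
  # (e.g. `users: []`), insertafter falls back to end-of-file and the
  # resulting document is not a valid SCC.
  lineinfile:
    dest: /tmp/openshift/scc.yaml
    line: "- system:serviceaccount:{{ openshift_serviceaccounts_namespace }}:{{ item }}"
    insertafter: "^users:$"
  with_items: "{{ openshift_serviceaccounts_names }}"
  when: not openshift.common.version_gte_3_1_or_1_1

- name: Apply new scc rules for service accounts
  command: "{{ openshift.common.client_binary }} update -f /tmp/openshift/scc.yaml --api-version=v1"
  when: not openshift.common.version_gte_3_1_or_1_1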