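---
# Argo CD (Helm source + SSA) or raw kubectl can leave Trivy objects without
# meta.helm.sh/ ownership metadata. Namespace-scoped resources go away when
# trivy-system is deleted; ClusterRole / ClusterRoleBinding /
# ClusterComplianceReport do not. If there is no Helm release trivy-operator,
# reset namespace + cluster scope so `helm upgrade --install` can adopt cleanly.
#
# The reset is destructive (namespace, every report inside it, and the
# operator's cluster-wide RBAC are removed), so it is gated on helm reporting
# the release as genuinely absent -- not on any non-zero exit. An unreachable
# API server, a missing helm binary or expired kubeconfig credentials also
# yield rc != 0 and must not tear the installation down.

- name: Check whether trivy-operator Helm release exists in trivy-system
  ansible.builtin.command:
    argv:
      - helm
      - status
      - trivy-operator
      - -n
      - trivy-system
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_trivy_helm_release_status
  # Non-zero is expected on first install; interpreted in the next task.
  failed_when: false
  changed_when: false

- name: Decide whether the Trivy reset may run
  ansible.builtin.set_fact:
    # helm 3 reports a missing release as "Error: release: not found" on
    # stderr. Only that case licenses deletion; stderr may be unset when the
    # command module could not even start helm, hence the default.
    noble_trivy_helm_release_absent: >-
      {{ (noble_trivy_helm_release_status.rc != 0
          and 'not found' in (noble_trivy_helm_release_status.stderr | default(''))) | bool }}

- name: Stop on an unexpected helm status failure instead of resetting
  ansible.builtin.fail:
    msg: >-
      helm status trivy-operator exited rc={{ noble_trivy_helm_release_status.rc }}
      without reporting the release as absent; refusing to delete trivy-system.
      stderr: {{ noble_trivy_helm_release_status.stderr | default('') }}
  when:
    - noble_trivy_helm_release_status.rc != 0
    - not (noble_trivy_helm_release_absent | bool)

- name: Remove trivy-system namespace when Helm release is absent (orphan SSA / kubectl vs Ansible Helm)
  ansible.builtin.command:
    argv:
      - kubectl
      - delete
      - namespace
      - trivy-system
      - --ignore-not-found=true
      - --wait=true
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  when: noble_trivy_helm_release_absent | bool
  register: noble_trivy_ns_reset
  # kubectl prints 'namespace "trivy-system" deleted'; with --ignore-not-found
  # an absent namespace produces no output, so this stays unchanged.
  changed_when: "'deleted' in (noble_trivy_ns_reset.stdout | default(''))"

- name: Remove orphan Trivy cluster-scoped resources when Helm release is absent
  ansible.builtin.shell: |
    set -euo pipefail
    # Prefer label selector (matches chart); then explicit names for objects Argo may have created without labels.
    kubectl delete clusterrolebinding -l app.kubernetes.io/instance=trivy-operator --ignore-not-found=true --wait=true 2>/dev/null || true
    kubectl delete clusterrolebinding trivy-operator --ignore-not-found=true --wait=true
    kubectl delete clusterrole -l app.kubernetes.io/instance=trivy-operator --ignore-not-found=true --wait=true 2>/dev/null || true
    kubectl delete clusterrole trivy-operator aggregate-config-audit-reports-view aggregate-exposed-secret-reports-view aggregate-vulnerability-reports-view --ignore-not-found=true --wait=true
    # The CRD may be absent on a fresh cluster; only touch the reports when the API group is served.
    if kubectl api-resources --api-group=aquasecurity.github.io -o name 2>/dev/null | grep -q '^clustercompliancereports\.'; then
      kubectl delete clustercompliancereports.aquasecurity.github.io -l app.kubernetes.io/instance=trivy-operator --ignore-not-found=true --wait=true 2>/dev/null || true
      kubectl delete clustercompliancereports.aquasecurity.github.io k8s-cis-1.23 k8s-nsa-1.0 k8s-pss-baseline-0.1 k8s-pss-restricted-0.1 --ignore-not-found=true --wait=true 2>/dev/null || true
    fi
  args:
    # `set -o pipefail` is a bash option; the shell module's default /bin/sh is
    # dash on Debian/Ubuntu and rejects it, aborting the script before any
    # kubectl call runs.
    executable: /bin/bash
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  when: noble_trivy_helm_release_absent | bool
  register: noble_trivy_cluster_reset
  changed_when: "'deleted' in (noble_trivy_cluster_reset.stdout | default(''))"

- name: Apply trivy-system namespace (PSA)
  ansible.builtin.command:
    argv:
      - kubectl
      - apply
      - -f
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/trivy/namespace.yaml"
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_trivy_ns_apply
  # kubectl apply reports "created", "configured" or "unchanged"; only the
  # first two are real changes, so the play no longer reports changed on every run.
  changed_when: >-
    'created' in (noble_trivy_ns_apply.stdout | default(''))
    or 'configured' in (noble_trivy_ns_apply.stdout | default(''))

- name: Install Trivy Operator
  ansible.builtin.command:
    argv:
      - helm
      - upgrade
      - --install
      - trivy-operator
      - aqua/trivy-operator
      - -n
      - trivy-system
      - --version
      - "{{ noble_trivy_chart_version }}"
      - -f
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/trivy/values.yaml"
      - --force-conflicts
      - --wait
      - --timeout
      - "{{ noble_helm_trivy_wait_timeout }}"
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  # helm upgrade writes a new release revision on every run, so there is no
  # cheap no-op signal to key changed_when on; report changed unconditionally.
  changed_when: true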