---
# The operator's own `helm --wait` only proves its Pods are Ready; it does not
# guarantee that the first policy-validation webhook call issued by the
# apiserver will be answered. The two read-only waits below close that gap
# before the policy chart is applied, so the install does not fail on a
# webhook that is registered but not yet reachable.

- name: Wait for Kyverno admission controller Deployment rollout
  ansible.builtin.command:
    argv:
      - kubectl
      - rollout
      - status
      - deployment/kyverno-admission-controller
      - -n
      - kyverno
      - --timeout=300s
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  # read-only probe; never counts as a change
  changed_when: false

- name: Wait for Kyverno webhook Service (kyverno-svc) to have endpoints
  ansible.builtin.command:
    argv:
      - kubectl
      - get
      - endpoints
      - kyverno-svc
      - -n
      - kyverno
      - -o
      - 'jsonpath={range .subsets[*].addresses[*]}{.ip}{"\n"}{end}'
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_kyverno_policies_ep
  # Keep polling until at least one address is listed for the Service.
  # `default('')` keeps the length test safe on an attempt whose command
  # failed (e.g. the Service does not exist yet) and produced no stdout.
  until: (noble_kyverno_policies_ep.stdout | default('') | trim | length) > 0
  retries: "{{ noble_kyverno_policies_endpoint_wait_retries }}"
  delay: "{{ noble_kyverno_policies_endpoint_wait_delay }}"
  changed_when: false

# PSS baseline in Audit mode (per the task name; presumably selected in the
# values file): violations are reported rather than rejected at admission.
- name: Install Kyverno policy chart (PSS baseline, Audit)
  ansible.builtin.command:
    argv:
      - helm
      - upgrade
      - --install
      - kyverno-policies
      - kyverno/kyverno-policies
      - -n
      - kyverno
      # chart version is pinned; bump it deliberately, not on every run
      - --version
      - "3.7.1"
      - -f
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/kyverno/policies-values.yaml"
      # NOTE(review): --force-conflicts lets Helm take over fields already
      # claimed by another field manager, so out-of-band edits to the policy
      # objects are overwritten silently instead of surfacing as a conflict —
      # confirm that is the intended behaviour for these resources.
      - --force-conflicts
      - --wait
      - --timeout
      - 10m
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_kyverno_policies_helm
  # Retry the whole helm run while it exits non-zero (e.g. a webhook call
  # that still times out right after the waits above).
  until: noble_kyverno_policies_helm.rc == 0
  retries: "{{ noble_kyverno_policies_helm_retries }}"
  delay: "{{ noble_kyverno_policies_helm_delay }}"
  # Always reported as changed: helm's output is not parsed to detect a no-op.
  changed_when: true