---
# Keep the JSON patch strings below free of spaces; otherwise the escaping becomes a mess.
# For every entry of ands_openshift_gid_ranges (project name -> range; an
# undefined variable is treated as an empty dict, so nothing runs), set the
# supplemental-groups annotation on that project's namespace.
# NOTE(review): item.value is interpolated into the JSON patch unescaped, so it
# must contain no quotes or spaces. The range presumably bounds the group IDs
# that SCC admission hands to pods in the project; keep ranges of different
# projects disjoint if GIDs are relied on for isolation — confirm.
- name: Patch group range in project configuration
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  with_dict: "{{ ands_openshift_gid_ranges | default({}) }}"
  vars:
    project: "{{ item.key }}"
    resource: "ns/{{ item.key }}"
    patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ item.value }}"}}}'

# For every entry of ands_openshift_uid_ranges (project name -> range; an
# undefined variable is treated as an empty dict, so nothing runs), set the
# uid-range annotation on that project's namespace.
# NOTE(review): item.value is interpolated into the JSON patch unescaped, so it
# must contain no quotes or spaces. A range that includes UID 0 or overlaps
# another project's range would presumably weaken per-project UID separation —
# verify the inventory values.
- name: Patch uid range in project configuration
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  with_dict: "{{ ands_openshift_uid_ranges | default({}) }}"
  vars:
    project: "{{ item.key }}"
    resource: "ns/{{ item.key }}"
    patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ item.value }}"}}}'

# Set the supplementalGroups strategy type on the "restricted" SCC to the value
# of ands_openshift_groups_mode; the task is skipped when that variable is
# undefined (default(false) combined with the `when` guard).
# NOTE(review): "restricted" is normally the SCC applied to ordinary
# authenticated users, so this patch affects every project. Despite the task
# name, the result is only restrictive if the mode is e.g. MustRunAs; RunAsAny
# lifts the group constraint cluster-wide — confirm the inventory value.
- name: Restrict supplementalGroups
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  when: mode != false
  vars:
    mode: "{{ ands_openshift_groups_mode | default(false) }}"
    project: 'default'
    resource: 'securitycontextconstraints/restricted'
    patch: '{"supplementalGroups":{"type":"{{mode}}"}}'

# Set the fsGroup strategy type on the "restricted" SCC to the value of
# ands_openshift_gid_mode; the task is skipped when that variable is undefined
# (default(false) combined with the `when` guard).
# NOTE(review): "restricted" is normally the SCC applied to ordinary
# authenticated users, so this patch affects every project. Despite the task
# name, a mode of RunAsAny would let pods choose any fsGroup and so loosens the
# policy — confirm the inventory value (e.g. MustRunAs).
- name: Restrict fsGroup
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  when: mode != false
  vars:
    mode: "{{ ands_openshift_gid_mode | default(false) }}"
    project: 'default'
    resource: 'securitycontextconstraints/restricted'
    patch: '{"fsGroup":{"type":"{{mode}}"}}'

# Set the runAsUser strategy type on the "restricted" SCC to the value of
# ands_openshift_uid_mode; the task is skipped when that variable is undefined
# (default(false) combined with the `when` guard).
# NOTE(review): "restricted" is normally the SCC applied to ordinary
# authenticated users, so this patch affects every project. A mode of RunAsAny
# would allow containers to run as any UID, including root; MustRunAsRange or
# MustRunAsNonRoot keep a UID constraint in place — confirm the inventory value.
- name: Configure runAsUser
  include_role:
    name: openshift_resource
    tasks_from: patch.yml
  when: mode != false
  vars:
    mode: "{{ ands_openshift_uid_mode | default(false) }}"
    project: 'default'
    resource: 'securitycontextconstraints/restricted'
    patch: '{"runAsUser":{"type":"{{mode}}"}}'