package io.quarkiverse.operatorsdk.deployment;

import io.dekorate.kubernetes.decorator.Decorator;
import io.dekorate.kubernetes.decorator.ResourceProvidingDecorator;
import io.fabric8.kubernetes.api.model.HasMetadata;
import io.fabric8.kubernetes.api.model.KubernetesListBuilder;
import io.fabric8.kubernetes.api.model.rbac.ClusterRoleBindingBuilder;
import io.fabric8.kubernetes.api.model.rbac.RoleBindingBuilder;
import io.quarkiverse.operatorsdk.runtime.QuarkusControllerConfiguration;
import io.quarkus.kubernetes.deployment.AddNamespaceDecorator;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import org.eclipse.microprofile.config.ConfigProvider;

/* loaded from: input_file:io/quarkiverse/operatorsdk/deployment/AddRoleBindingsDecorator.class */
public class AddRoleBindingsDecorator extends ResourceProvidingDecorator<KubernetesListBuilder> {
    protected static final String RBAC_AUTHORIZATION_GROUP = "rbac.authorization.k8s.io";
    protected static final String CLUSTER_ROLE = "ClusterRole";
    protected static final String SERVICE_ACCOUNT = "ServiceAccount";
    private final Map<String, QuarkusControllerConfiguration> configs;
    private final boolean validateCRDs;
    private static final ConcurrentMap<String, Object> alreadyLogged = new ConcurrentHashMap();
    private static final Optional<String> deployNamespace = ConfigProvider.getConfig().getOptionalValue("quarkus.kubernetes.namespace", String.class);

    public AddRoleBindingsDecorator(Map<String, QuarkusControllerConfiguration> map, boolean z) {
        this.configs = map;
        this.validateCRDs = z;
    }

    public void visit(KubernetesListBuilder kubernetesListBuilder) {
        String name = getMandatoryDeploymentMetadata(kubernetesListBuilder).getName();
        for (Map.Entry<String, QuarkusControllerConfiguration> entry : this.configs.entrySet()) {
            String key = entry.getKey();
            QuarkusControllerConfiguration value = entry.getValue();
            if (value.watchCurrentNamespace()) {
                kubernetesListBuilder.addToItems(new HasMetadata[]{((RoleBindingBuilder) new RoleBindingBuilder().withNewMetadata().withName(key + "-role-binding").endMetadata()).withNewRoleRef(RBAC_AUTHORIZATION_GROUP, CLUSTER_ROLE, AddClusterRolesDecorator.getClusterRoleName(key)).addNewSubject((String) null, SERVICE_ACCOUNT, name, (String) null).build()});
            } else if (value.watchAllNamespaces()) {
                handleClusterRoleBinding(kubernetesListBuilder, name, key, key + "-cluster-role-binding", "watch all namespaces", AddClusterRolesDecorator.getClusterRoleName(key));
            } else {
                value.getEffectiveNamespaces().forEach(str -> {
                    kubernetesListBuilder.addToItems(new HasMetadata[]{((RoleBindingBuilder) new RoleBindingBuilder().withNewMetadata().withName(key + "-role-binding").withNamespace(str).endMetadata()).withNewRoleRef(RBAC_AUTHORIZATION_GROUP, CLUSTER_ROLE, AddClusterRolesDecorator.getClusterRoleName(key)).addNewSubject((String) null, SERVICE_ACCOUNT, name, deployNamespace.orElse(null)).build()});
                });
            }
            if (this.validateCRDs) {
                handleClusterRoleBinding(kubernetesListBuilder, name, key, key + "-crd-validating-role-binding", "validate CRDs", "josdk-crd-validating-cluster-role");
            }
        }
    }

    private void handleClusterRoleBinding(KubernetesListBuilder kubernetesListBuilder, String str, String str2, String str3, String str4, String str5) {
        outputWarningIfNeeded(str2, str3, str4);
        kubernetesListBuilder.addToItems(new HasMetadata[]{((ClusterRoleBindingBuilder) ((ClusterRoleBindingBuilder) new ClusterRoleBindingBuilder().withNewMetadata().withName(str3).endMetadata()).withNewRoleRef(RBAC_AUTHORIZATION_GROUP, CLUSTER_ROLE, str5).addNewSubject().withKind(SERVICE_ACCOUNT).withName(str).withNamespace(deployNamespace.orElse(null)).endSubject()).build()});
    }

    private void outputWarningIfNeeded(String str, String str2, String str3) {
        if (deployNamespace.isEmpty() && alreadyLogged.putIfAbsent(str + str2, new Object()) == null) {
            OperatorSDKProcessor.log.warnv("''{0}'' controller is configured to " + str3 + ", this requires a ClusterRoleBinding for which we MUST specify the namespace of the operator ServiceAccount. This can be specified by setting the ''quarkus.kubernetes.namespace'' property. However, as this property is not set, we are leaving the namespace blank to be provided by the user by editing the ''{1}'' ClusterRoleBinding to provide the namespace in which the operator will be deployed.", str, str2);
        }
    }

    public Class<? extends Decorator>[] after() {
        return new Class[]{AddNamespaceDecorator.class};
    }
}
