ansible/roles/addon-secrets-bootstrap/tasks/main.yml

---
- name: Apply Hetzner cloud secret
  shell: >-
    kubectl -n kube-system create secret generic hcloud
    --from-literal=token='{{ hcloud_token }}'
    --from-literal=network='{{ cluster_name }}-network'
    --dry-run=client -o yaml | kubectl apply -f -
  changed_when: true
  no_log: true
  when: hcloud_token | default('') | length > 0

- name: Ensure Tailscale operator namespace exists
  command: >-
    kubectl create namespace {{ tailscale_operator_namespace | default('tailscale-system') }}
    --dry-run=client -o yaml
  register: tailscale_namespace_manifest
  changed_when: false
  when:
    - tailscale_oauth_client_id | default('') | length > 0
    - tailscale_oauth_client_secret | default('') | length > 0

- name: Apply Tailscale operator namespace
  command: kubectl apply -f -
  args:
    stdin: "{{ tailscale_namespace_manifest.stdout }}"
  changed_when: true
  when:
    - tailscale_oauth_client_id | default('') | length > 0
    - tailscale_oauth_client_secret | default('') | length > 0

- name: Apply Tailscale operator OAuth secret
  shell: >-
    kubectl -n {{ tailscale_operator_namespace | default('tailscale-system') }} create secret generic operator-oauth
    --from-literal=client_id='{{ tailscale_oauth_client_id }}'
    --from-literal=client_secret='{{ tailscale_oauth_client_secret }}'
    --dry-run=client -o yaml | kubectl apply -f -
  changed_when: true
  no_log: true
  when:
    - tailscale_oauth_client_id | default('') | length > 0
    - tailscale_oauth_client_secret | default('') | length > 0
feat: migrate core addons toward flux 2026-03-11 17:43:35 +00:00			`---`
			`- name: Apply Hetzner cloud secret`
			`shell: >-`
			`kubectl -n kube-system create secret generic hcloud`
			`--from-literal=token='{{ hcloud_token }}'`
			`--from-literal=network='{{ cluster_name }}-network'`
			`--dry-run=client -o yaml \| kubectl apply -f -`
			`changed_when: true`
			`no_log: true`
			`when: hcloud_token \| default('') \| length > 0`

fix: bootstrap tailscale namespace before secret 2026-03-20 09:24:35 +00:00			`- name: Ensure Tailscale operator namespace exists`
			`command: >-`
			`kubectl create namespace {{ tailscale_operator_namespace \| default('tailscale-system') }}`
			`--dry-run=client -o yaml`
			`register: tailscale_namespace_manifest`
			`changed_when: false`
			`when:`
			`- tailscale_oauth_client_id \| default('') \| length > 0`
			`- tailscale_oauth_client_secret \| default('') \| length > 0`

			`- name: Apply Tailscale operator namespace`
			`command: kubectl apply -f -`
			`args:`
			`stdin: "{{ tailscale_namespace_manifest.stdout }}"`
			`changed_when: true`
			`when:`
			`- tailscale_oauth_client_id \| default('') \| length > 0`
			`- tailscale_oauth_client_secret \| default('') \| length > 0`

feat: migrate core addons toward flux 2026-03-11 17:43:35 +00:00			`- name: Apply Tailscale operator OAuth secret`
			`shell: >-`
			`kubectl -n {{ tailscale_operator_namespace \| default('tailscale-system') }} create secret generic operator-oauth`
			`--from-literal=client_id='{{ tailscale_oauth_client_id }}'`
			`--from-literal=client_secret='{{ tailscale_oauth_client_secret }}'`
			`--dry-run=client -o yaml \| kubectl apply -f -`
			`changed_when: true`
			`no_log: true`
			`when:`
			`- tailscale_oauth_client_id \| default('') \| length > 0`
			`- tailscale_oauth_client_secret \| default('') \| length > 0`