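---
# Deploys the Hetzner cloud-controller-manager (CCM) into kube-system, waits
# for its rollout, and sets the load balancer location annotation on the
# Traefik service. Every task drives the cluster through kubectl on the
# target host.

# Probe only: failures are ignored and nothing in this file reads
# ccm_namespace. The register is kept in case another task file uses it.
- name: Check if Hetzner CCM is already deployed
  command: kubectl -n kube-system get deployment hcloud-cloud-controller-manager
  register: ccm_namespace
  failed_when: false
  changed_when: false

# The Secret manifest is passed on stdin instead of through
# `kubectl create secret --from-literal=token='...'`. That keeps the API
# token out of the process argument list (readable by other local users via
# ps or /proc) and removes the shell quoting problem where a single quote in
# the value would break out of the command line. to_json yields a quoted
# scalar that is valid YAML for any string value.
# Skipped when hcloud_token is undefined; the CCM manifest below is applied
# either way.
- name: Create Hetzner cloud secret
  command:
    argv:
      - kubectl
      - apply
      - -f
      - '-'
    stdin: |
      apiVersion: v1
      kind: Secret
      metadata:
        name: hcloud
        namespace: kube-system
      type: Opaque
      stringData:
        token: {{ hcloud_token | to_json }}
        network: {{ (cluster_name ~ '-network') | to_json }}
  no_log: true
  when: hcloud_token is defined
  changed_when: true

# Supply-chain note: the default URL tracks the upstream `main` branch, so
# whatever is published there at run time is applied to kube-system without
# review. Set hcloud_ccm_manifest_url to an immutable reference (a release
# tag or commit SHA, e.g. .../<RELEASE_TAG_OR_COMMIT_SHA>/deploy/ccm-networks.yaml)
# or to a reviewed, vendored copy of the manifest. The default is unchanged
# so existing inventories keep working.
- name: Deploy Hetzner CCM
  command:
    argv:
      - kubectl
      - apply
      - -f
      - "{{ hcloud_ccm_manifest_url | default('https://raw.githubusercontent.com/hetznercloud/hcloud-cloud-controller-manager/main/deploy/ccm-networks.yaml') }}"
  changed_when: true

# Prints exactly one of: deployment, daemonset, missing.
- name: Detect CCM workload kind
  shell: |
    if kubectl -n kube-system get deployment hcloud-cloud-controller-manager >/dev/null 2>&1; then
      echo deployment
    elif kubectl -n kube-system get daemonset hcloud-cloud-controller-manager >/dev/null 2>&1; then
      echo daemonset
    else
      echo missing
    fi
  register: ccm_workload_kind
  changed_when: false

- name: Wait for CCM deployment rollout
  command: kubectl rollout status deployment/hcloud-cloud-controller-manager -n kube-system
  register: ccm_rollout_deploy
  until: ccm_rollout_deploy.rc == 0
  changed_when: false
  retries: 30
  delay: 10
  when: ccm_workload_kind.stdout == "deployment"

- name: Wait for CCM daemonset rollout
  command: kubectl rollout status daemonset/hcloud-cloud-controller-manager -n kube-system
  register: ccm_rollout_ds
  until: ccm_rollout_ds.rc == 0
  changed_when: false
  retries: 30
  delay: 10
  when: ccm_workload_kind.stdout == "daemonset"

# argv form: the annotation is passed as one argument even if
# hcloud_lb_location contains whitespace. Failure is not fatal here; it is
# reported by the two tasks that follow, with extra diagnostics.
- name: Set default Hetzner load balancer location for Traefik service
  command:
    argv:
      - kubectl
      - -n
      - kube-system
      - annotate
      - service
      - traefik
      - "load-balancer.hetzner.cloud/location={{ hcloud_lb_location }}"
      - --overwrite
  register: traefik_annotation
  changed_when: true
  failed_when: false

- name: Show Traefik service when annotation patch fails
  command: kubectl -n kube-system get service traefik -o yaml
  register: traefik_service_dump
  changed_when: false
  failed_when: false
  when: traefik_annotation.rc != 0

# default(..., true) also falls back to stdout when stderr is an empty
# string; a plain default() only covers an undefined value.
- name: Fail when Traefik load balancer annotation cannot be set
  fail:
    msg: |
      Failed to set Hetzner load balancer location annotation on kube-system/traefik service.
      Command output:
      {{ traefik_annotation.stderr | default(traefik_annotation.stdout, true) }}
      Service dump:
      {{ traefik_service_dump.stdout | default('n/a') }}
  when: traefik_annotation.rc != 0

# Must be `shell`: the `command` module does not interpret `|` or `||`, so
# the pipeline would be handed to kubectl as literal arguments and the grep
# would never run.
- name: Show CCM namespace objects when workload missing
  shell: kubectl -n kube-system get all | grep hcloud-cloud-controller-manager || true
  register: ccm_ns_objects
  changed_when: false
  when: ccm_workload_kind.stdout == "missing"

- name: Fail when CCM workload is missing
  fail:
    msg: |
      hcloud-cloud-controller-manager workload not found after applying manifest.
      Namespace objects:
      {{ ccm_ns_objects.stdout | default('n/a') }}
  when: ccm_workload_kind.stdout == "missing"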