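---
# Bootstrap the Doppler backend for External Secrets Operator (ESO):
#   1. require the Doppler service token,
#   2. create the external-secrets namespace,
#   3. store the token in a Kubernetes Secret,
#   4. if the ESO CRDs are already installed, register a ClusterSecretStore
#      that authenticates with that Secret (otherwise report and skip).
# Every kubectl write goes through `--dry-run=client -o yaml | kubectl apply`
# so the tasks can be re-run safely.

- name: Ensure Doppler service token is provided
  assert:
    that:
      - doppler_hetznerterra_service_token | length > 0
    fail_msg: doppler_hetznerterra_service_token must be provided for External Secrets bootstrap.

- name: Ensure external-secrets namespace exists
  shell: kubectl create namespace external-secrets --dry-run=client -o yaml | kubectl apply -f -
  register: doppler_namespace_apply
  # `kubectl apply` reports "... unchanged" when the object already matched;
  # only report a change when it actually created/configured something.
  changed_when: "'unchanged' not in doppler_namespace_apply.stdout"

- name: Apply Doppler service token secret
  # The token is passed to kubectl via the environment instead of being
  # interpolated into the command string: a token containing a single quote,
  # `$`, backticks or whitespace would otherwise break out of the quoted
  # --from-literal value and be interpreted by the shell. (The value is still
  # briefly visible in the kubectl process's argv on the host running this
  # task; use --from-file=dopplerToken=/dev/stdin if that matters.)
  shell: >-
    kubectl -n external-secrets create secret generic
    doppler-hetznerterra-service-token
    --from-literal=dopplerToken="$DOPPLER_SERVICE_TOKEN"
    --dry-run=client -o yaml | kubectl apply -f -
  environment:
    DOPPLER_SERVICE_TOKEN: "{{ doppler_hetznerterra_service_token }}"
  # The task arguments and the dry-run YAML on stdout both carry the token
  # (base64 is not encryption) — keep them out of the Ansible log/callback
  # output. no_log does not affect the registered result used below.
  no_log: true
  register: doppler_secret_apply
  changed_when: "'unchanged' not in doppler_secret_apply.stdout"

- name: Check for ClusterSecretStore CRD
  command: kubectl get crd clustersecretstores.external-secrets.io
  register: doppler_clustersecretstore_crd
  changed_when: false
  # A missing CRD is an expected state before ESO is installed; the rc is
  # inspected by the following tasks instead of failing here.
  failed_when: false

- name: Apply Doppler ClusterSecretStore
  # NOTE(review): this manifest uses external-secrets.io/v1; an ESO release
  # that only serves v1beta1 will reject it — confirm against the installed
  # operator version.
  shell: |
    cat <<'EOF' | kubectl apply -f -
    apiVersion: external-secrets.io/v1
    kind: ClusterSecretStore
    metadata:
      name: doppler-hetznerterra
    spec:
      provider:
        doppler:
          auth:
            secretRef:
              dopplerToken:
                name: doppler-hetznerterra-service-token
                key: dopplerToken
                namespace: external-secrets
    EOF
  register: doppler_clustersecretstore_apply
  changed_when: "'unchanged' not in doppler_clustersecretstore_apply.stdout"
  when: doppler_clustersecretstore_crd.rc == 0

- name: Note pending Doppler ClusterSecretStore bootstrap
  debug:
    msg: >-
      Skipping Doppler ClusterSecretStore bootstrap because the External Secrets
      CRD is not available yet. Re-run after External Secrets is installed.
  when: doppler_clustersecretstore_crd.rc != 0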