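---
# Bootstrap the Kubernetes secrets that External Secrets and the MicroServices
# workloads need before the deploy workflow runs.
#
# Every kubectl write is rendered with `--dry-run=client -o yaml | kubectl apply -f -`
# so it can be re-run safely. `set -o pipefail` makes a failure of the first
# kubectl fail the task instead of being masked by the trailing `apply`, and the
# "unchanged" marker in apply's output drives `changed_when`, so reruns no longer
# report "changed" unconditionally.
#
# Secret values are passed through the `quote` filter so a token containing a
# quote or other shell metacharacter cannot break out of the command line.
# They still appear in the kubectl process argv for the duration of the call;
# `no_log: true` only keeps them out of Ansible output and logs.

- name: Ensure Doppler service token is provided
  ansible.builtin.assert:
    that:
      - doppler_hetznerterra_service_token | default("") | length > 0
    fail_msg: doppler_hetznerterra_service_token must be provided for External Secrets bootstrap.

- name: Ensure GHCR pull credentials are provided
  ansible.builtin.assert:
    that:
      - ghcr_username | default("") | length > 0
      - ghcr_read_token | default("") | length > 0
    fail_msg: ghcr_username and ghcr_read_token must be provided for private MicroServices image pulls.

- name: Ensure OpenStaticFish MicroServices Doppler token is provided
  ansible.builtin.assert:
    that:
      - doppler_openstaticfish_microservices_service_token | default("") | length > 0
    fail_msg: doppler_openstaticfish_microservices_service_token must be provided for MicroServices runtime secrets.

- name: Ensure external-secrets namespace exists
  ansible.builtin.shell: >-
    set -o pipefail &&
    kubectl create namespace external-secrets --dry-run=client -o yaml
    | kubectl apply -f -
  args:
    executable: /bin/bash
  register: external_secrets_namespace
  changed_when: "'unchanged' not in external_secrets_namespace.stdout"

- name: Ensure microservices namespace exists
  ansible.builtin.shell: >-
    set -o pipefail &&
    kubectl create namespace microservices --dry-run=client -o yaml
    | kubectl apply -f -
  args:
    executable: /bin/bash
  register: microservices_namespace
  changed_when: "'unchanged' not in microservices_namespace.stdout"

# Token consumed by the Doppler ClusterSecretStore the deploy workflow creates.
- name: Apply Doppler service token secret
  ansible.builtin.shell: >-
    set -o pipefail &&
    kubectl -n external-secrets create secret generic doppler-hetznerterra-service-token
    --from-literal=dopplerToken={{ doppler_hetznerterra_service_token | quote }}
    --dry-run=client -o yaml
    | kubectl apply -f -
  args:
    executable: /bin/bash
  register: doppler_hetznerterra_secret
  changed_when: "'unchanged' not in doppler_hetznerterra_secret.stdout"
  no_log: true

- name: Apply OpenStaticFish MicroServices Doppler service token secret
  ansible.builtin.shell: >-
    set -o pipefail &&
    kubectl -n external-secrets create secret generic doppler-openstaticfish-microservices-service-token
    --from-literal=dopplerToken={{ doppler_openstaticfish_microservices_service_token | default("") | quote }}
    --dry-run=client -o yaml
    | kubectl apply -f -
  args:
    executable: /bin/bash
  register: doppler_microservices_secret
  changed_when: "'unchanged' not in doppler_microservices_secret.stdout"
  no_log: true

# Presence is already enforced by the assert above; the `when` guard is kept so
# the task skips rather than fails if it is ever run in isolation.
- name: Apply GHCR pull secret for private MicroServices images
  ansible.builtin.shell: >-
    set -o pipefail &&
    kubectl -n microservices create secret docker-registry ghcr-pull-secret
    --docker-server=ghcr.io
    --docker-username={{ ghcr_username | default("") | quote }}
    --docker-password={{ ghcr_read_token | default("") | quote }}
    --dry-run=client -o yaml
    | kubectl apply -f -
  args:
    executable: /bin/bash
  register: ghcr_pull_secret
  changed_when: "'unchanged' not in ghcr_pull_secret.stdout"
  no_log: true
  when:
    - ghcr_username | default("") | length > 0
    - ghcr_read_token | default("") | length > 0

- name: Note pending Doppler ClusterSecretStore bootstrap
  ansible.builtin.debug:
    msg: >-
      Doppler service token secret is bootstrapped. The deploy workflow creates
      the ClusterSecretStore after External Secrets CRDs and webhook endpoints
      are ready.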