日常更新

ansible/roles/verify_common/tasks/ensure-cloudflared-tunnel-secret.yml

@@ -0,0 +1,22 @@
+# 可复用：在 kube-system 下确保 cloudflared-credentials Secret（key=TUNNEL_TOKEN）。
+# 调用方传入 verify_tunnel_token（非空）；no_log，勿在日志中回显 token。
+- name: Assert verify_tunnel_token for cloudflared secret
+  ansible.builtin.assert:
+    that:
+      - verify_tunnel_token is defined
+      - (verify_tunnel_token | trim | length) > 0
+    fail_msg: "verify_common ensure-cloudflared-tunnel-secret：verify_tunnel_token 为空"
+
+- name: Apply cloudflared-credentials Secret in kube-system
+  ansible.builtin.shell: |
+    set -euo pipefail
+    KUBECONFIG={{ k3s_kubeconfig | default('/etc/rancher/k3s/k3s.yaml') }} kubectl -n kube-system create secret generic cloudflared-credentials \
+      --from-literal=TUNNEL_TOKEN="$TUNNEL_TOKEN" \
+      --dry-run=client -o yaml \
+      | KUBECONFIG={{ k3s_kubeconfig | default('/etc/rancher/k3s/k3s.yaml') }} kubectl apply -f -
+  environment:
+    TUNNEL_TOKEN: "{{ verify_tunnel_token | trim }}"
+  args:
+    executable: /bin/bash
+  changed_when: true
+  no_log: true