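# Reusable task file: ensure the `cloudflared-credentials` Secret (key=TUNNEL_TOKEN)
# exists in kube-system with the value the caller supplies.
# The caller passes `verify_tunnel_token` (non-empty). The task that touches the
# token runs with no_log so it is never echoed into logs or callback output.
- name: Assert verify_tunnel_token for cloudflared secret
  ansible.builtin.assert:
    that:
      - verify_tunnel_token is defined
      - (verify_tunnel_token | trim | length) > 0
    fail_msg: "verify_common ensure-cloudflared-tunnel-secret:verify_tunnel_token 为空"

- name: Apply cloudflared-credentials Secret in kube-system
  ansible.builtin.shell: |
    set -euo pipefail
    # Set once for both kubectl invocations below; quoted so a path with spaces
    # still works.
    export KUBECONFIG="{{ k3s_kubeconfig | default('/etc/rancher/k3s/k3s.yaml') }}"
    # Render the Secret client-side and pipe it into apply, so the task is
    # create-or-update rather than failing when the Secret already exists.
    # The token reaches kubectl through $TUNNEL_TOKEN (see environment:), not
    # through the Jinja-rendered script text; note that --from-literal still
    # places it in kubectl's argv for the lifetime of that process.
    kubectl -n kube-system create secret generic cloudflared-credentials \
      --from-literal=TUNNEL_TOKEN="$TUNNEL_TOKEN" \
      --dry-run=client -o yaml \
      | kubectl apply -f -
  environment:
    TUNNEL_TOKEN: "{{ verify_tunnel_token | trim }}"
  args:
    executable: /bin/bash
  # Registered only to derive the changed state; no_log below keeps the
  # registered result out of logs as well.
  register: cloudflared_secret_apply
  # `kubectl apply` prints "... unchanged" when the live object already matches,
  # so report changed only on a real create/configure instead of on every run.
  changed_when: "'unchanged' not in cloudflared_secret_apply.stdout"
  no_log: true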