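# Reusable task file: ensure the cloudflare-api-token Secret (key=api-token)
# exists in the kube-system namespace.
# Required variable: the caller must pass the token in verify_cf_api_token.
# It is applied only when non-empty and must never be echoed in logs.

# Fail early, before kubectl runs, when the token is undefined or blank after
# trimming. The assertion expressions reference the variable by name only.
- name: Assert verify_cf_api_token for secret creation
  ansible.builtin.assert:
    that:
      - verify_cf_api_token is defined
      - (verify_cf_api_token | trim | length) > 0
    fail_msg: "verify_common ensure-cloudflare-api-token-secret:verify_cf_api_token 为空"

# Render the Secret manifest client-side and pipe it into `kubectl apply`, so
# the task both creates a missing Secret and updates an existing one.
- name: Apply cloudflare-api-token Secret in kube-system
  ansible.builtin.shell: |
    set -euo pipefail
    # The token is fed on stdin rather than via --from-literal so that it never
    # appears in a process argument list; printf is a bash builtin and '%s'
    # writes the value without a trailing newline.
    printf '%s' "$CF_API_TOKEN" \
      | kubectl -n kube-system create secret generic cloudflare-api-token \
          --from-file=api-token=/dev/stdin \
          --dry-run=client -o yaml \
      | kubectl apply -f -
  environment:
    # Both values reach the script through the environment, so no templated
    # text is interpolated into the shell source.
    CF_API_TOKEN: "{{ verify_cf_api_token | trim }}"
    KUBECONFIG: "{{ k3s_kubeconfig | default('/etc/rancher/k3s/k3s.yaml') }}"
  args:
    # pipefail is a bash option, so the script must not run under /bin/sh.
    executable: /bin/bash
  # kubectl's output is not inspected, so the task always reports "changed".
  changed_when: true
  # Keeps the token out of Ansible's task output; this also hides kubectl's
  # error text when the task fails.
  no_log: true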