---
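# Probe URL: set exactly one of CF_TUNNEL_TEST_URL (full HTTPS URL) or
# CF_TUNNEL_TEST_HOST (host name only, expanded to https://HOST/).
- name: Deploy 03-04 Cloudflare Tunnel (cloudflared)
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    manifest_src: "{{ playbook_dir }}/../../files/03-04/cloudflared.yaml"
    # Staging path on the target. The manifest holds no credentials (the
    # Secret is created separately from TUNNEL_TOKEN), so a world-readable
    # file is acceptable. NOTE(review): fixed name under /tmp — prefer
    # ansible.builtin.tempfile if the host is shared with untrusted users.
    manifest_dest: /tmp/cloudflared-deploy.yaml
    # Tunnel token read from the controller's environment; empty when unset.
    tunnel_token: "{{ lookup('env', 'TUNNEL_TOKEN') | default('', true) }}"
    _cf_tunnel_url_raw: "{{ lookup('env', 'CF_TUNNEL_TEST_URL') | default('', true) | trim }}"
    _cf_tunnel_host_raw: "{{ lookup('env', 'CF_TUNNEL_TEST_HOST') | default('', true) | trim }}"
    # A full URL wins; otherwise the host is stripped of any scheme and path
    # and wrapped as https://HOST/. Empty when neither variable is set.
    cf_tunnel_probe_url: >-
      {{ (_cf_tunnel_url_raw | length > 0) | ternary(_cf_tunnel_url_raw,
      ((_cf_tunnel_host_raw | length > 0) | ternary('https://' ~ (_cf_tunnel_host_raw | regex_replace('^https?://', '') | regex_replace('/.*$', '') | regex_replace('/+$', '')) ~ '/', ''))) }}
  tasks:
    # Without a probe URL the verify play cannot run, so do not deploy at all.
    - name: "Gate - tunnel probe URL required (CF_TUNNEL_TEST_URL or CF_TUNNEL_TEST_HOST)"
      when: cf_tunnel_probe_url | trim == ""
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: gate-debug-end-play.yml
      vars:
        verify_gate_message: "[GATE] skipped doc_id=03-04 reason=missing_env missing=CF_TUNNEL_TEST_URL_or_CF_TUNNEL_TEST_HOST skip_scope=03-04 tunnel http probe"

    # Existence check only: the Secret's contents are never read or logged.
    # Non-zero rc is recorded in cloudflared_secret_check.rc, not failed on.
    - name: Check cloudflared-credentials secret exists
      ansible.builtin.command: kubectl -n kube-system get secret cloudflared-credentials
      environment:
        KUBECONFIG: "{{ k3s_kubeconfig }}"
      register: cloudflared_secret_check
      changed_when: false
      failed_when: false

    # Nothing to deploy with: no pre-existing Secret and no token to create one.
    - name: "Gate - no TUNNEL_TOKEN and secret missing"
      when: cloudflared_secret_check.rc != 0 and (tunnel_token | trim | length) == 0
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: gate-debug-end-play.yml
      vars:
        verify_gate_message: "[GATE] skipped doc_id=03-04 reason=missing_dependency missing=cloudflared-credentials/TUNNEL_TOKEN skip_scope=03-04 cloudflared deploy"

    # Creates/updates the Secret from the token. NOTE(review): the token is
    # passed as a role var; the role task that writes it is expected to use
    # no_log — confirm in ensure-cloudflared-tunnel-secret.yml.
    - name: Ensure cloudflared tunnel Secret from TUNNEL_TOKEN
      when: (tunnel_token | trim | length) > 0
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: ensure-cloudflared-tunnel-secret.yml
      vars:
        verify_tunnel_token: "{{ tunnel_token | trim }}"

    - name: Copy cloudflared Deployment manifest
      ansible.builtin.copy:
        src: "{{ manifest_src }}"
        dest: "{{ manifest_dest }}"
        mode: "0644"

    # kubectl prints one of created/configured/unchanged per resource; only
    # the first two are real changes, so report "changed" from the output
    # instead of unconditionally.
    - name: Apply cloudflared Deployment
      ansible.builtin.command: kubectl apply -f {{ manifest_dest }}
      environment:
        KUBECONFIG: "{{ k3s_kubeconfig }}"
      register: cloudflared_apply
      changed_when: "'created' in cloudflared_apply.stdout or 'configured' in cloudflared_apply.stdout"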
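# Verification: the Deployment must roll out and the tunnel hostname must
# answer HTTP 200 over HTTPS from this host.
- name: Verify 03-04 Cloudflare Tunnel (rollout + HTTPS probe)
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    # Same inputs as the deploy play, re-read here because play vars do not
    # carry over between plays.
    tunnel_token: "{{ lookup('env', 'TUNNEL_TOKEN') | default('', true) }}"
    _cf_tunnel_url_raw: "{{ lookup('env', 'CF_TUNNEL_TEST_URL') | default('', true) | trim }}"
    _cf_tunnel_host_raw: "{{ lookup('env', 'CF_TUNNEL_TEST_HOST') | default('', true) | trim }}"
    # A full URL wins; otherwise the host is stripped of any scheme and path
    # and wrapped as https://HOST/. Empty when neither variable is set.
    cf_tunnel_probe_url: >-
      {{ (_cf_tunnel_url_raw | length > 0) | ternary(_cf_tunnel_url_raw,
      ((_cf_tunnel_host_raw | length > 0) | ternary('https://' ~ (_cf_tunnel_host_raw | regex_replace('^https?://', '') | regex_replace('/.*$', '') | regex_replace('/+$', '')) ~ '/', ''))) }}
  tasks:
    - name: "Gate - skip verify when tunnel probe URL missing"
      when: cf_tunnel_probe_url | trim == ""
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: gate-debug-end-play.yml
      vars:
        verify_gate_message: "[GATE] skipped doc_id=03-04 reason=missing_env missing=CF_TUNNEL_TEST_URL_or_CF_TUNNEL_TEST_HOST skip_scope=03-04 tunnel http probe"

    # Re-run of the deploy play's step so verify also works stand-alone.
    # NOTE(review): the token is passed as a role var; the role task that
    # writes it is expected to use no_log — confirm in
    # ensure-cloudflared-tunnel-secret.yml.
    - name: Ensure cloudflared tunnel Secret from TUNNEL_TOKEN (idempotent)
      when: (tunnel_token | trim | length) > 0
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: ensure-cloudflared-tunnel-secret.yml
      vars:
        verify_tunnel_token: "{{ tunnel_token | trim }}"

    # Existence check only: the Secret's contents are never read or logged.
    # Non-zero rc is recorded in cloudflared_secret_check.rc, not failed on.
    - name: Check cloudflared-credentials secret exists
      ansible.builtin.command: kubectl -n kube-system get secret cloudflared-credentials
      environment:
        KUBECONFIG: "{{ k3s_kubeconfig }}"
      register: cloudflared_secret_check
      changed_when: false
      failed_when: false

    # No Secret and no token: nothing to verify, end the play gracefully.
    - name: "Gate - no TUNNEL_TOKEN and secret missing"
      when: cloudflared_secret_check.rc != 0 and (tunnel_token | trim | length) == 0
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: gate-debug-end-play.yml
      vars:
        verify_gate_message: "[GATE] skipped doc_id=03-04 reason=missing_dependency missing=cloudflared-credentials/TUNNEL_TOKEN skip_scope=03-04 cloudflared verify"

    # A token was supplied but the Secret still is not there: hard failure,
    # since the ensure step above should have created it. (Message: token set
    # but Secret unavailable — check apiserver and kube-system permissions.)
    - name: Fail when secret missing but TUNNEL_TOKEN was set
      when: cloudflared_secret_check.rc != 0 and (tunnel_token | trim | length) > 0
      ansible.builtin.fail:
        msg: "已设置 TUNNEL_TOKEN 但 cloudflared-credentials Secret 仍不可用,请检查 apiserver 与 kube-system 权限"

    - name: Rollout status cloudflared (kube-system)
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: kubectl-rollout-status.yml
      vars:
        verify_rollout_ref: deployment/cloudflared
        verify_rollout_namespace: kube-system
        verify_rollout_timeout_s: 240

    # 12 attempts x (up to 15s + 3s) covers the time the tunnel needs to
    # register after the pod reports ready.
    - name: HTTPS probe via Tunnel (CF_TUNNEL_TEST_URL / CF_TUNNEL_TEST_HOST)
      ansible.builtin.include_role:
        name: verify_common
        tasks_from: http-curl-expect.yml
      vars:
        verify_http_url: "{{ cf_tunnel_probe_url | trim }}"
        verify_http_expected_code: 200
        verify_http_connect_timeout: 5
        verify_http_max_time: 15
        verify_http_retries: 12
        verify_http_retry_sleep: 3
        verify_http_assertion_label: cf_tunnel_03_04_https
        # CF_TUNNEL_CURL_INSECURE=1 disables TLS certificate verification for
        # this probe only. Leave it unset in normal runs so a certificate
        # problem on the tunnel hostname fails the check instead of being
        # masked; it is an explicit opt-in, never a default.
        verify_http_tls_insecure: "{{ (lookup('env', 'CF_TUNNEL_CURL_INSECURE') | default('0', true) | trim) == '1' }}"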
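# Teardown: removes the Deployment and the credentials Secret created above.
- name: Teardown 03-04 Cloudflare Tunnel (optional)
  hosts: k3s_server
  become: true
  run_once: true
  vars:
    k3s_kubeconfig: /etc/rancher/k3s/k3s.yaml
    # Read as an Ansible variable (e.g. -e VERIFY_TEARDOWN=0), not from the
    # environment like the CF_TUNNEL_* inputs. Defaults to "1", i.e. teardown
    # runs unless explicitly disabled. NOTE(review): this also deletes
    # cloudflared-credentials when the Secret was not created by this playbook
    # (no TUNNEL_TOKEN given) — confirm that is intended before relying on the
    # default.
    verify_teardown: "{{ (VERIFY_TEARDOWN | default('1')) | string }}"
    _cf_tunnel_url_raw: "{{ lookup('env', 'CF_TUNNEL_TEST_URL') | default('', true) | trim }}"
    _cf_tunnel_host_raw: "{{ lookup('env', 'CF_TUNNEL_TEST_HOST') | default('', true) | trim }}"
    # Same derivation as the deploy/verify plays; only used here to decide
    # whether the 03-04 path was engaged at all.
    cf_tunnel_probe_url: >-
      {{ (_cf_tunnel_url_raw | length > 0) | ternary(_cf_tunnel_url_raw,
      ((_cf_tunnel_host_raw | length > 0) | ternary('https://' ~ (_cf_tunnel_host_raw | regex_replace('^https?://', '') | regex_replace('/.*$', '') | regex_replace('/+$', '')) ~ '/', ''))) }}
  tasks:
    - name: Skip teardown when 03-04 verify path not engaged
      when: cf_tunnel_probe_url | trim == ""
      ansible.builtin.meta: end_play

    # --ignore-not-found exits 0 with empty output when the object is absent,
    # so "changed" is derived from kubectl's "deleted" line per item rather
    # than reported unconditionally.
    - name: Delete cloudflared Deployment and credentials when VERIFY_TEARDOWN=1
      when: verify_teardown == "1"
      ansible.builtin.command: kubectl delete {{ item }} -n kube-system --ignore-not-found=true
      environment:
        KUBECONFIG: "{{ k3s_kubeconfig }}"
      loop:
        - deployment/cloudflared
        - secret/cloudflared-credentials
      register: cloudflared_teardown
      changed_when: "'deleted' in cloudflared_teardown.stdout"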