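---
# Bootstrap cert-manager on the noble cluster: namespace, Helm release,
# optional secrets from the repository .env, a presence check for the
# Cloudflare DNS token Secret, then the ClusterIssuers.
# Every kubectl/helm call targets the cluster named by noble_kubeconfig.

- name: Create cert-manager namespace
  ansible.builtin.command:
    argv:
      - kubectl
      - apply
      - -f
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/cert-manager/namespace.yaml"
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_cert_manager_namespace_apply
  # kubectl apply prints "<kind>/<name> created|configured|unchanged" per
  # object; report a change only when something was actually written, so
  # repeat runs stay quiet and real drift stands out in the play recap.
  changed_when: >-
    noble_cert_manager_namespace_apply.stdout
    is search(' (created|configured)')

- name: Install cert-manager
  ansible.builtin.command:
    argv:
      - helm
      - upgrade
      - --install
      - cert-manager
      # Resolved through a Helm repo alias named "jetstack"; no task in this
      # file adds that repo.
      # NOTE(review): confirm where the alias is configured and that it
      # points at the intended chart source.
      - jetstack/cert-manager
      - --namespace
      - cert-manager
      # Chart version is pinned so every run installs the same release.
      - --version
      - v1.20.0
      - -f
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/cert-manager/values.yaml"
      - --wait
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  # helm upgrade records a new release revision on every run, so this task
  # is always reported as changed.
  changed_when: true

# from_env.yml is not visible here.
# NOTE(review): confirm its tasks set no_log so values read from .env do
# not end up in task output or logs.
- name: Apply secrets from repository .env (optional)
  ansible.builtin.include_tasks: from_env.yml

- name: Check Cloudflare DNS API token Secret (required for ClusterIssuers)
  ansible.builtin.command:
    argv:
      # No -o flag: only kubectl's summary table is captured in
      # noble_cf_secret, not the token value.
      - kubectl
      - -n
      - cert-manager
      - get
      - secret
      - cloudflare-dns-api-token
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_cf_secret
  # Read-only probe: never fails the play and never reports a change.
  # Any non-zero exit (NotFound, but also RBAC or connectivity errors) is
  # passed on to the warning task below.
  failed_when: false
  changed_when: false

- name: Warn when Cloudflare Secret is missing
  ansible.builtin.debug:
    # kubectl's exit code and stderr are included so the operator can tell
    # a missing Secret apart from a permission or API error.
    msg: >-
      Secret cert-manager/cloudflare-dns-api-token not found or not readable
      (kubectl rc={{ noble_cf_secret.rc }},
      stderr: {{ noble_cf_secret.stderr | default('') | trim }}).
      Create it per clusters/noble/bootstrap/cert-manager/README.md
      before ClusterIssuers can succeed.
  # noble_cert_manager_require_cloudflare_secret (default true) only toggles
  # this warning; the play continues to the ClusterIssuers either way.
  when:
    - noble_cert_manager_require_cloudflare_secret | default(true) | bool
    - noble_cf_secret.rc != 0

- name: Apply ClusterIssuers (staging + prod)
  ansible.builtin.command:
    argv:
      - kubectl
      - apply
      # -k applies the kustomization in the cert-manager bootstrap directory.
      - -k
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/cert-manager"
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_cert_manager_issuers_apply
  # Same change detection as the namespace task: changed only when kubectl
  # reports at least one object created or configured.
  changed_when: >-
    noble_cert_manager_issuers_apply.stdout
    is search(' (created|configured)')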