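---
# Post-bootstrap tasks for Vault, External Secrets and Argo CD.
# Two of the three tasks only print operator instructions; the middle task is
# the only one that touches the cluster, and it is off unless explicitly enabled.

# Prints the manual Vault bring-up sequence; nothing here is executed by Ansible.
# Step 2 (`vault operator init`) prints the unseal keys and the initial root
# token to the terminal. This playbook never sees or stores them, so they must
# be saved by the operator somewhere outside the repository and outside
# CI/terminal logs.
- name: Vault — manual steps (not automated)
  ansible.builtin.debug:
    msg: |
      1. kubectl -n vault get pods (wait for Running)
      2. kubectl -n vault exec -it vault-0 -- vault operator init (once; save keys)
      3. Unseal per clusters/noble/bootstrap/vault/README.md
      4. ./clusters/noble/bootstrap/vault/configure-kubernetes-auth.sh
      5. kubectl apply -f clusters/noble/bootstrap/external-secrets/examples/vault-cluster-secret-store.yaml

# Automates step 5 above when noble_apply_vault_cluster_secret_store is truthy
# (defaults to false). argv form is used, so no shell parses the templated path.
# NOTE(review): nothing in this task checks that Vault is initialised, unsealed
# and has Kubernetes auth configured (steps 2-4); enable the flag only after
# those are done. The manifest lives under examples/ — review what it grants
# before applying it to a real cluster.
- name: Optional — apply Vault ClusterSecretStore for External Secrets
  ansible.builtin.command:
    argv:
      - kubectl
      - apply
      - -f
      - "{{ noble_repo_root }}/clusters/noble/bootstrap/external-secrets/examples/vault-cluster-secret-store.yaml"
  environment:
    # Pins kubectl to the kubeconfig supplied to the play for this task.
    KUBECONFIG: "{{ noble_kubeconfig }}"
  when: noble_apply_vault_cluster_secret_store | default(false) | bool
  register: noble_vault_cluster_secret_store_apply
  # kubectl apply reports "created", "configured" or "unchanged" per resource;
  # report a change only for the first two so re-runs stay idempotent in the
  # play recap instead of always showing "changed".
  changed_when: >-
    ' created' in noble_vault_cluster_secret_store_apply.stdout
    or ' configured' in noble_vault_cluster_secret_store_apply.stdout

# Prints a reminder only; the root Application is not applied by this play.
# repoURL decides which repository Argo CD syncs from, so it has to be edited
# to the intended repository before the manifest is applied.
- name: Argo CD optional root Application (empty app-of-apps)
  ansible.builtin.debug:
    msg: >-
      Optional: kubectl apply -f clusters/noble/bootstrap/argocd/root-application.yaml
      after editing repoURL. Core workloads are not synced by Argo —
      see clusters/noble/apps/README.md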