---
# Populates template variables from Secrets + Headlamp token (no_log on kubectl to avoid leaking into Ansible stdout).
- name: Fetch Argo CD initial admin password (base64)
  ansible.builtin.command:
    argv:
      - kubectl
      - -n
      - argocd
      - get
      - secret
      - argocd-initial-admin-secret
      - -o
      - jsonpath={.data.password}
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_fetch_argocd_pw_b64
  failed_when: false
  changed_when: false
  no_log: true

- name: Fetch Grafana admin user (base64)
  ansible.builtin.command:
    argv:
      - kubectl
      - -n
      - monitoring
      - get
      - secret
      - kube-prometheus-grafana
      - -o
      - jsonpath={.data.admin-user}
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_fetch_grafana_user_b64
  failed_when: false
  changed_when: false
  no_log: true

- name: Fetch Grafana admin password (base64)
  ansible.builtin.command:
    argv:
      - kubectl
      - -n
      - monitoring
      - get
      - secret
      - kube-prometheus-grafana
      - -o
      - jsonpath={.data.admin-password}
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_fetch_grafana_pw_b64
  failed_when: false
  changed_when: false
  no_log: true

- name: Create Headlamp ServiceAccount token (for UI sign-in)
  ansible.builtin.command:
    argv:
      - kubectl
      - -n
      - headlamp
      - create
      - token
      - headlamp
      - "--duration={{ noble_landing_urls_headlamp_token_duration | default('48h') }}"
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_fetch_headlamp_token
  failed_when: false
  changed_when: false
  no_log: true