---
# See repository **.env.sample** — copy to **.env** (gitignored).
- name: Stat repository .env for deploy secrets
  ansible.builtin.stat:
    path: "{{ noble_repo_root }}/.env"
  register: noble_deploy_env_file
  changed_when: false

- name: Create newt-pangolin-auth Secret from .env
  ansible.builtin.shell: |
    set -euo pipefail
    set -a
    . "{{ noble_repo_root }}/.env"
    set +a
    if [ -z "${PANGOLIN_ENDPOINT:-}" ] || [ -z "${NEWT_ID:-}" ] || [ -z "${NEWT_SECRET:-}" ]; then
      echo NO_VARS
      exit 0
    fi
    kubectl -n newt create secret generic newt-pangolin-auth \
      --from-literal=PANGOLIN_ENDPOINT="${PANGOLIN_ENDPOINT}" \
      --from-literal=NEWT_ID="${NEWT_ID}" \
      --from-literal=NEWT_SECRET="${NEWT_SECRET}" \
      --dry-run=client -o yaml | kubectl apply -f -
    echo APPLIED
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  when: noble_deploy_env_file.stat.exists | default(false)
  no_log: true
  register: noble_newt_secret_from_env
  changed_when: "'APPLIED' in (noble_newt_secret_from_env.stdout | default(''))"