playbooks/roles/vhosts/k3s_platform_addon/tasks/main.yml


# Install the external-secrets operator into the `platform` namespace.
# The chart is pulled into a private (mktemp, 0700) scratch directory that is
# removed on exit, with a bounded retry/back-off around the download, and then
# installed from that local copy with its CRDs.
# NOTE(review): the download is protected by TLS only; nothing here checks the
# chart's provenance or a digest. If the publisher ships .prov files,
# `helm pull --verify` (or pinning a digest) would close that gap — confirm.
- name: Install external-secrets directly with Helm
  ansible.builtin.shell:
    cmd: |
      set -euo pipefail
      export KUBECONFIG="{{ k3s_platform_kubeconfig_path }}"
      workdir="$(mktemp -d /tmp/external-secrets.XXXXXX)"
      # Always drop the scratch directory, whether we leave via success or error.
      trap 'rm -rf "$workdir"' EXIT
      max_attempts=6
      for (( attempt = 1; attempt <= max_attempts; attempt++ )); do
        # Start every attempt from an empty directory so a partial untar from a
        # failed attempt cannot be mistaken for a complete chart.
        rm -rf "$workdir"/*
        if helm pull --repo "https://charts.external-secrets.io" \
             --version "{{ k3s_platform_external_secrets_chart_version }}" \
             --untar \
             --untardir "$workdir" \
             external-secrets; then
          break
        fi
        if (( attempt == max_attempts )); then
          echo "failed to download external-secrets after $attempt attempts" >&2
          exit 1
        fi
        # Linear back-off: 30s, 60s, 90s, ... before the next attempt.
        sleep "$(( attempt * 30 ))"
      done
      helm upgrade --install external-secrets "$workdir/external-secrets" \
        --namespace platform \
        --create-namespace \
        --version "{{ k3s_platform_external_secrets_chart_version }}" \
        --set installCRDs=true \
        --wait \
        --timeout 10m
    executable: /bin/bash
  when: k3s_platform_values.components.externalSecrets.enabled | default(true)
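# Create or refresh the image pull secret the PostgreSQL chart uses to reach
# GHCR, in the `database` namespace. The Secret is rendered client-side
# (`--dry-run=client -o yaml`) and piped into `kubectl apply` so re-runs update
# it in place instead of failing with AlreadyExists.
# Only runs when both a username and a token were supplied.
# NOTE(review): nothing in this task creates the `database` namespace; it is
# assumed to exist already — confirm an earlier task creates it.
- name: Ensure GHCR pull secret for PostgreSQL chart exists
  ansible.builtin.shell: |
    set -euo pipefail
    export KUBECONFIG="{{ k3s_platform_kubeconfig_path }}"
    # The token arrives via the task environment (see `environment:` below)
    # rather than being templated into the script text, so it is not part of
    # the rendered command. It is still expanded into kubectl's argv for the
    # duration of that process; this task does not try to hide it from
    # other local users on the host.
    kubectl -n database create secret docker-registry postgresql-ghcr-pull \
      --docker-server={{ k3s_platform_ghcr_registry | quote }} \
      --docker-username={{ k3s_platform_ghcr_username | quote }} \
      --docker-password="$GHCR_TOKEN" \
      --dry-run=client -o yaml | kubectl apply -f -
  args:
    executable: /bin/bash
  environment:
    GHCR_TOKEN: "{{ k3s_platform_ghcr_token }}"
  # The registry token is a credential: keep the rendered command, its
  # arguments and the module result out of task output, verbose logs and
  # callback plugins.
  no_log: true
  register: ghcr_pull_secret_apply
  # `kubectl apply` reports created/configured/unchanged; only the first two
  # are real changes, so do not report "changed" on every run.
  changed_when: "'unchanged' not in ghcr_pull_secret_apply.stdout"
  when:
    - k3s_platform_ghcr_username | length > 0
    - k3s_platform_ghcr_token | length > 0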
# Install stakater's reloader into the `platform` namespace from the
# `stakater` Helm repository.
# NOTE(review): unlike the external-secrets / caddy / external-dns tasks this
# installs straight from a named repo, so it relies on `helm repo add stakater`
# having been done earlier (not visible here) and has no retry around the
# download — confirm the repo is registered before this task runs.
- name: Install reloader directly with Helm
  ansible.builtin.shell:
    cmd: |
      set -euo pipefail
      # Scope the kubeconfig to the single helm invocation.
      KUBECONFIG="{{ k3s_platform_kubeconfig_path }}" \
        helm upgrade --install reloader stakater/reloader \
          --namespace platform \
          --create-namespace \
          --version "{{ k3s_platform_reloader_chart_version }}" \
          --wait \
          --timeout 10m
    executable: /bin/bash
  when: k3s_platform_values.components.reloader.enabled | default(true)
# Install the Caddy ingress controller into the `platform` namespace, disabled
# unless explicitly enabled. The chart is pulled into a private (mktemp, 0700)
# scratch directory that is removed on exit, with a bounded retry/back-off
# around the download, then installed from that local copy with the values
# file rendered earlier.
# NOTE(review): the download is protected by TLS only; nothing here checks the
# chart's provenance or a digest — confirm whether `helm pull --verify` is an
# option for this publisher.
# NOTE(review): `/tmp/platform-caddy-values.yaml` is read from a shared,
# world-writable directory at a predictable path; anyone who can write that
# path can inject chart values (e.g. the controller image). Confirm the task
# that renders it (not shown here) creates it with restrictive permissions, or
# move it under a private directory.
- name: Install caddy directly with Helm
  ansible.builtin.shell:
    cmd: |
      set -euo pipefail
      export KUBECONFIG="{{ k3s_platform_kubeconfig_path }}"
      workdir="$(mktemp -d /tmp/caddy-ingress-controller.XXXXXX)"
      # Always drop the scratch directory, whether we leave via success or error.
      trap 'rm -rf "$workdir"' EXIT
      max_attempts=6
      for (( attempt = 1; attempt <= max_attempts; attempt++ )); do
        # Start every attempt from an empty directory so a partial untar from a
        # failed attempt cannot be mistaken for a complete chart.
        rm -rf "$workdir"/*
        if helm pull --repo "https://caddyserver.github.io/ingress/" \
             --version "{{ k3s_platform_caddy_chart_version }}" \
             --untar \
             --untardir "$workdir" \
             caddy-ingress-controller; then
          break
        fi
        if (( attempt == max_attempts )); then
          echo "failed to download caddy-ingress-controller after $attempt attempts" >&2
          exit 1
        fi
        # Linear back-off: 30s, 60s, 90s, ... before the next attempt.
        sleep "$(( attempt * 30 ))"
      done
      helm upgrade --install "{{ k3s_platform_values.components.caddy.releaseName }}" "$workdir/caddy-ingress-controller" \
        --namespace platform \
        --create-namespace \
        --version "{{ k3s_platform_caddy_chart_version }}" \
        -f /tmp/platform-caddy-values.yaml \
        --wait \
        --timeout 10m
    executable: /bin/bash
  when: k3s_platform_values.components.caddy.enabled | default(false)
# Install APISIX into the `platform` namespace from the `apisix` Helm
# repository, disabled unless explicitly enabled.
# NOTE(review): this installs straight from a named repo, so it relies on
# `helm repo add apisix` having been done earlier (not visible here) and has no
# retry around the download — confirm the repo is registered.
# NOTE(review): `/tmp/platform-apisix-values.yaml` is read from a shared,
# world-writable directory at a predictable path; anyone who can write that
# path can inject chart values. Confirm the task that renders it (not shown
# here) creates it with restrictive permissions.
- name: Install apisix directly with Helm
  ansible.builtin.shell:
    cmd: |
      set -euo pipefail
      # Scope the kubeconfig to the single helm invocation.
      KUBECONFIG="{{ k3s_platform_kubeconfig_path }}" \
        helm upgrade --install "{{ k3s_platform_values.components.apisix.releaseName }}" apisix/apisix \
          --namespace platform \
          --create-namespace \
          --version "{{ k3s_platform_apisix_chart_version }}" \
          -f /tmp/platform-apisix-values.yaml \
          --wait \
          --timeout 10m
    executable: /bin/bash
  when: k3s_platform_values.components.apisix.enabled | default(false)
# Install external-dns into the `platform` namespace, disabled unless
# explicitly enabled. The chart is pulled from the operator-configured
# repository into a private (mktemp, 0700) scratch directory that is removed
# on exit, with a bounded retry/back-off around the download, then installed
# from that local copy with the values file rendered earlier.
# NOTE(review): the chart repository URL is a variable; if it is ever pointed
# at a plain http:// endpoint the download is unauthenticated, and there is no
# provenance/digest check on the archive in any case — confirm the URL is
# https and whether `helm pull --verify` is available for this publisher.
# NOTE(review): `/tmp/platform-external-dns-values.yaml` is read from a
# shared, world-writable directory at a predictable path; anyone who can write
# that path can inject chart values (e.g. DNS provider credentials or the
# image). Confirm the task that renders it (not shown here) creates it with
# restrictive permissions.
- name: Install external-dns directly with Helm
  ansible.builtin.shell:
    cmd: |
      set -euo pipefail
      export KUBECONFIG="{{ k3s_platform_kubeconfig_path }}"
      workdir="$(mktemp -d /tmp/external-dns.XXXXXX)"
      # Always drop the scratch directory, whether we leave via success or error.
      trap 'rm -rf "$workdir"' EXIT
      max_attempts=6
      for (( attempt = 1; attempt <= max_attempts; attempt++ )); do
        # Start every attempt from an empty directory so a partial untar from a
        # failed attempt cannot be mistaken for a complete chart.
        rm -rf "$workdir"/*
        if helm pull --repo "{{ k3s_platform_external_dns_chart_repo_url }}" \
             --version "{{ k3s_platform_external_dns_chart_version }}" \
             --untar \
             --untardir "$workdir" \
             external-dns; then
          break
        fi
        if (( attempt == max_attempts )); then
          echo "failed to download external-dns after $attempt attempts" >&2
          exit 1
        fi
        # Linear back-off: 30s, 60s, 90s, ... before the next attempt.
        sleep "$(( attempt * 30 ))"
      done
      helm upgrade --install "{{ k3s_platform_values.components.externalDns.releaseName }}" "$workdir/external-dns" \
        --namespace platform \
        --create-namespace \
        --version "{{ k3s_platform_external_dns_chart_version }}" \
        -f /tmp/platform-external-dns-values.yaml \
        --wait \
        --timeout 10m
    executable: /bin/bash
  when: k3s_platform_values.components.externalDns.enabled | default(false)