ansible-role-k8s/tasks/shared/secrets.yml

---
- name: begining chart deployments
  run_once: true
  no_log: true
  tags: 
    - k8s
    - k8s-apply-secrets
  block:

  # this could be adapted to allow for any encrypted manifest type files
  - name: apply locally stored secrets
    delegate_to: localhost
    connection: local
    become: false
    ansible.builtin.shell: "{{ role_path }}/files/scripts/get-secret.sh"
    args:
      chdir: "{{ playbook_dir }}"
    environment:
      PLAYBOOK_DIR: "{{ playbook_dir }}"
      KUBECONTEXT: "{{ k8s_cluster_name }}"
      SECRET: "{{ item.source | default(item.name + '.yaml') }}"
    loop: "{{ k8s_secrets }}"
    when:
      - item.type is undefined or item.type == "file"
      - item.values is defined

  - name: apply template based secrets
    ansible.builtin.template:
      src: "templates/shared/secret.yaml.j2"
      dest: "{{ k8s_manifests_path }}/{{ item.name }}-secret.yaml"
      mode: 0600
    loop: "{{ k8s_secrets }}"
    when:
      - item.type is defined and item.type == "template"
      - item.values is defined