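---
# Deploys kube-vip through k3s manifest files and adds the VIP to the k3s
# TLS SAN configuration, rotating certificates when that config changes.
# NOTE(review): this page had the whole file collapsed onto one line; the
# line breaks and the indentation inside the blockinfile body are
# reconstructed, so compare them against the deployed file before applying.

- name: Remove stale static pod manifest if present
  ansible.builtin.file:
    path: "{{ kube_vip_static_pod_path }}"
    state: absent
  become: true

# NOTE(review): presumably this is the directory k3s applies manifests from;
# if so, write access to it is equivalent to control over the cluster.
# Ownership is pinned to root to match the template tasks below.
- name: Ensure k3s server manifests directory exists
  ansible.builtin.file:
    path: "{{ kube_vip_manifests_dir }}"
    state: directory
    owner: root
    group: root
    mode: "0755"
  become: true

- name: Deploy kube-vip RBAC manifest
  ansible.builtin.template:
    src: templates/kube-vip-rbac.yaml.j2
    dest: "{{ kube_vip_manifests_dir }}/kube-vip-rbac.yaml"
    owner: root
    group: root
    mode: "0644"
  become: true

- name: Deploy kube-vip DaemonSet manifest
  ansible.builtin.template:
    src: templates/kube-vip.yaml.j2
    dest: "{{ kube_vip_manifests_dir }}/kube-vip.yaml"
    owner: root
    group: root
    mode: "0644"
  become: true

# `create: true` without an explicit mode leaves the permissions of a newly
# created file to the umask. The k3s config file can also carry secrets such
# as the cluster token, so it is pinned to root-only access here.
# A mode or owner correction on an existing file is reported as "changed"
# and therefore triggers one certificate rotation on the next run.
# NOTE(review): if config.yaml already defines `tls-san` outside the managed
# block, this adds a second `tls-san` key to the file - verify on existing
# hosts.
- name: Ensure VIP is present in k3s TLS SANs config
  ansible.builtin.blockinfile:
    path: /etc/rancher/k3s/config.yaml
    create: true
    owner: root
    group: root
    mode: "0600"
    marker: "# {mark} ANSIBLE MANAGED kube-vip TLS SAN"
    block: |
      tls-san:
        - "{{ k3s_vip }}"
  become: true
  register: tls_san_added

# Stop, rotate and start are grouped so that k3s is started again even when
# the stop or the rotation fails; previously a failed rotation ended the play
# with the service left stopped. The failure is still reported.
# The block-level `when` also applies to the `always` task, so nothing runs
# when the config was unchanged.
# NOTE(review): after a failed rotation a rerun will not retry it, because
# the blockinfile task no longer reports a change - rotate manually then.
- name: Rotate k3s certificates after a TLS SAN config change
  when: tls_san_added is changed
  become: true
  block:
    - name: Stop k3s for certificate rotation
      ansible.builtin.systemd:
        name: k3s
        state: stopped

    - name: Rotate k3s certificates to include VIP in SAN
      ansible.builtin.command:
        cmd: k3s certificate rotate
      # The command module cannot detect change; a rotation always is one.
      changed_when: true
  always:
    - name: Start k3s after certificate rotation
      ansible.builtin.systemd:
        name: k3s
        state: started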