From b475a1fcd7a9535d41c0afccf9d71d5607755469 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Thu, 19 Feb 2026 07:25:24 -0800 Subject: [PATCH] Fix 1Password secret tasks always reporting changed in ringtail playbook (#213) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Summary - Replace `changed_when: true` with `register` + output inspection on the two 1Password secret tasks in `ringtail.yml` - Tasks now correctly report `ok` when the secret content hasn't changed, and `changed` only when `kubectl apply` outputs `configured` or `created` ## Test plan - [ ] Run `mise run provision-ringtail` twice — second run should show both tasks as `ok` not `changed` 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/213 --- ansible/playbooks/ringtail.yml | 6 ++++-- .../fix-ringtail-1password-secrets-idempotent.bugfix.md | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) create mode 100644 docs/changelog.d/fix-ringtail-1password-secrets-idempotent.bugfix.md
diff --git a/ansible/playbooks/ringtail.yml b/ansible/playbooks/ringtail.yml
index 74c4f54..b05d67a 100644
--- a/ansible/playbooks/ringtail.yml
+++ b/ansible/playbooks/ringtail.yml
@@ -100,7 +100,8 @@
 --from-literal=1password-credentials.json='{{ _op_credentials.stdout }}' \
 --dry-run=client -o yaml | k3s kubectl apply -f -
 executable: /run/current-system/sw/bin/bash
- changed_when: true
+ register: _op_credentials_apply
+ changed_when: "'configured' in _op_credentials_apply.stdout or 'created' in _op_credentials_apply.stdout"
 no_log: true
 
 - name: Create or update onepassword-token secret
@@ -112,5 +113,6 @@
 --from-literal=token={{ _op_token.stdout }} \
 --dry-run=client -o yaml | k3s kubectl apply -f -
 executable: /run/current-system/sw/bin/bash
- changed_when: true
+ register: _op_token_apply
+ changed_when: "'configured' in _op_token_apply.stdout or 'created' in _op_token_apply.stdout"
 no_log: true
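Review bot: The new `register: _op_credentials_apply` keeps the whole module result for the rest of the play, and for what looks like a `shell` task that result normally includes the rendered `cmd`, so the variable carries the credentials JSON even though `no_log: true` hides this task's own output. The same holds for `register: _op_token_apply` in the second hunk. Only `.stdout` is read here, so I would add a comment above each register line such as `# registered result includes the rendered cmd (secret): read only .stdout, never debug or template this variable`. Both tasks start above their hunks, so I cannot see whether the pipeline runs under `set -o pipefail`; without it a failure of the `create --dry-run` side is only caught if `kubectl apply` itself rejects the empty input.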
diff --git a/docs/changelog.d/fix-ringtail-1password-secrets-idempotent.bugfix.md b/docs/changelog.d/fix-ringtail-1password-secrets-idempotent.bugfix.md
new file mode 100644
index 0000000..6269f2d
--- /dev/null
+++ b/docs/changelog.d/fix-ringtail-1password-secrets-idempotent.bugfix.md
@@ -0,0 +1 @@
+Make 1Password secret tasks in ringtail playbook idempotent by checking kubectl apply output instead of always reporting changed.