Fix 1Password secret tasks always reporting changed in ringtail playbook

Replace `changed_when: true` with output inspection so the tasks correctly report unchanged when the secret content hasn't changed. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 07:24:48 -08:00 · 2026-02-19 07:24:48 -08:00 · ede8255be2
commit ede8255be2
parent 8f89239c78
2 changed files with 5 additions and 2 deletions
--- a/ansible/playbooks/ringtail.yml
+++ b/ansible/playbooks/ringtail.yml
@ -100,7 +100,8 @@
            --from-literal=1password-credentials.json='{{ _op_credentials.stdout }}' \
            --dry-run=client -o yaml | k3s kubectl apply -f -
        executable: /run/current-system/sw/bin/bash
-      changed_when: true
+      register: _op_credentials_apply
+      changed_when: "'configured' in _op_credentials_apply.stdout or 'created' in _op_credentials_apply.stdout"
      no_log: true

    - name: Create or update onepassword-token secret
@ -112,5 +113,6 @@
            --from-literal=token={{ _op_token.stdout }} \
            --dry-run=client -o yaml | k3s kubectl apply -f -
        executable: /run/current-system/sw/bin/bash
-      changed_when: true
+      register: _op_token_apply
+      changed_when: "'configured' in _op_token_apply.stdout or 'created' in _op_token_apply.stdout"
      no_log: true
--- a/docs/changelog.d/fix-ringtail-1password-secrets-idempotent.bugfix.md
+++ b/docs/changelog.d/fix-ringtail-1password-secrets-idempotent.bugfix.md
@ -0,0 +1 @@
+Make 1Password secret tasks in ringtail playbook idempotent by checking kubectl apply output instead of always reporting changed.
				`@ -0,0 +1 @@`
				`Make 1Password secret tasks in ringtail playbook idempotent by checking kubectl apply output instead of always reporting changed.`