---
  - name: check if private key exists
    ansible.builtin.command: kubectl get secrets sealed-secrets-key9mpfq -n kube-system
    register: key
    ignore_errors: yes
    changed_when: false

  - name: Template private key file
    ansible.builtin.template:
      src: private.key.j2
      dest: /root/private.key
      owner: root
      group: root
      mode: '0400'
    when: key.rc not in [ 0 ]
    no_log: True

  - name: apply private key
    ansible.builtin.command: kubectl apply -f /root/private.key
    when: key.rc not in [ 0 ]

  - name: remove old pod
    ansible.builtin.command: kubectl delete pod -n kube-system -l name=sealed-secrets-controller
    when: key.rc not in [ 0 ]

  - name: remove private key file
    ansible.builtin.file:
      path: /root/private.key
      state: absent