feat(k8s_secret_utils): bootstrap inject summary and change counts

Per early-phase inject run: reset counters, increment on real k8s namespace/secret
changes, then debug counts only (no secret values). kubernetes.core.k8s
tasks stay no_log; recap still reflects module changed state.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: Martin Jackson

roles/k8s_secret_utils/defaults/main.yml

@@ -1,3 +1,4 @@
 ---
 # secrets_install_phase: early|late — set by load_secrets/process_secrets include_role vars, or by parse_secrets in this role.
+# bootstrap_phase_*_changed: counts for early-phase summary (set during inject_k8s_secrets; not secret material).
 secrets_ns: 'validated-patterns-secrets'

roles/k8s_secret_utils/tasks/ensure_one_bootstrap_namespace.yml

@@ -16,3 +16,13 @@
       kind: Namespace
       metadata:
         name: "{{ bootstrap_target_namespace }}"
+  register: _bootstrap_ns_create_result
+
+- name: Record bootstrap namespace change count
+  ansible.builtin.set_fact:
+    bootstrap_phase_namespaces_changed: "{{ (bootstrap_phase_namespaces_changed | default(0)) | int + 1 }}"
+  when:
+    - (secrets_install_phase | default(secrets_phase | default('late'))) == 'early'
+    - _bootstrap_ns_create_result is defined
+    - not (_bootstrap_ns_create_result.skipped | default(false))
+    - _bootstrap_ns_create_result.changed | default(false)

roles/k8s_secret_utils/tasks/inject_k8s_secret.yml

@@ -14,3 +14,13 @@
   no_log: '{{ hide_sensitive_output | default(True) }}'
   kubernetes.core.k8s:
     definition: '{{ _k8s_secret_object }}'
+  register: _k8s_secret_apply_result
+
+- name: Record bootstrap secret change count
+  ansible.builtin.set_fact:
+    bootstrap_phase_secrets_changed: "{{ (bootstrap_phase_secrets_changed | default(0)) | int + 1 }}"
+  when:
+    - (secrets_install_phase | default(secrets_phase | default('late'))) == 'early'
+    - _k8s_secret_apply_result is defined
+    - not (_k8s_secret_apply_result.skipped | default(false))
+    - _k8s_secret_apply_result.changed | default(false)

roles/k8s_secret_utils/tasks/inject_k8s_secrets.yml

@@ -2,6 +2,18 @@
 # Early phase only: create each bootstrap secret target namespace if absent (never replace an existing NS).
 # Late phase expects namespaces from the pattern/operator; inject_k8s_secret.yml waits until they exist.
 # secrets_install_phase is passed from load_secrets/process_secrets or set in parse_secrets for this role.
+- name: Initialize bootstrap phase change counters for this inject run
+  ansible.builtin.set_fact:
+    bootstrap_phase_namespaces_changed: 0
+    bootstrap_phase_secrets_changed: 0
+  when: (secrets_install_phase | default(secrets_phase | default('late'))) == 'early'
+
+- name: Clear bootstrap phase counters before late-phase inject
+  ansible.builtin.set_fact:
+    bootstrap_phase_namespaces_changed: 0
+    bootstrap_phase_secrets_changed: 0
+  when: (secrets_install_phase | default(secrets_phase | default('late'))) != 'early'
+
 - name: Create missing bootstrap target namespaces
   ansible.builtin.include_tasks: ensure_one_bootstrap_namespace.yml
   loop: "{{ kubernetes_secret_objects | map(attribute='metadata') | map(attribute='namespace') | unique | list }}"
@@ -18,3 +30,11 @@
   loop_control:
     loop_var: _k8s_secret_object
     label: "{{ _k8s_secret_object.metadata.namespace }}/{{ _k8s_secret_object.metadata.name }}"
+
+- name: Report bootstrap phase Kubernetes apply summary (counts only)
+  ansible.builtin.debug:
+    msg: >-
+      Bootstrap phase: {{ bootstrap_phase_namespaces_changed | default(0) }} namespace(s) created or updated,
+      {{ bootstrap_phase_secrets_changed | default(0) }} secret(s) created or updated in the cluster.
+  when: (secrets_install_phase | default(secrets_phase | default('late'))) == 'early'
+  changed_when: false