Remove duplicate playbook to remove confusion

Martin Jackson · Martin Jackson · commit fc8e80a8bcb6 · 2026-05-12T18:28:32.000-05:00
diff --git a/README.md b/README.md
@@ -54,13 +54,10 @@ already completed (duplicate inject is skipped).
   the configured backend.
 
 - **`playbooks/load_bootstrap_secrets.yml`**  
-  Convenience wrapper: `determine_pattern_dir`, `determine_pattern_name`, then imports `load_secrets.yml` (same behavior
-  as install).
-
-- **`playbooks/load_bootstrap_secrets_only.yml`**  
-  **Early bootstrap inject only**: same pattern discovery plays and `pattern_settings`, then only the Kubernetes inject
-  for bootstrap-tagged secrets in the primary file (with retries). **Fails** if no primary file exists or there are no
-  bootstrap-tagged v2 entries. Does **not** read `secretLoader.disabled` or load into Vault / primary backend.
+  **Early bootstrap inject only**: `determine_pattern_dir`, `determine_pattern_name`, `pattern_settings`, then only the
+  Kubernetes inject for bootstrap-tagged secrets in the primary file (with retries). **Fails** if no primary file exists
+  or there are no bootstrap-tagged v2 entries. Does **not** read `secretLoader.disabled` or load into Vault / primary
+  backend. For the full early-then-primary flow, use `load_secrets.yml` (or `install.yml`).
 
 - **`playbooks/display_secrets_info.yml`**  
   Loads and displays parsed secrets (using the backend from `values-global`). For v2 files with any bootstrap-tagged
@@ -82,7 +79,7 @@ Outer retries (parse plus Kubernetes apply) are controlled on the role defaults
 - `vp_secrets_bootstrap_retry_max` (default `20`)
 - `vp_secrets_bootstrap_retry_delay` (seconds between attempts, default `30`)
 
-These apply to the early inject path inside `load_secrets` and to `load_bootstrap_secrets_only.yml`.
+These apply to the early inject path inside `load_secrets` and to `load_bootstrap_secrets.yml`.
 
 Per-secret namespace readiness (before each `kubernetes.core.k8s` apply) uses role defaults on `k8s_secret_utils`:
 
@@ -95,8 +92,8 @@ all secret injections from the start.
 
 - `roles/load_secrets/tasks/main.yml` implements the **combined** flow (early inject from primary file, then primary
   backend load).
-- `roles/load_secrets/tasks/bootstrap_only.yml` is used only when you invoke the `load_secrets` role with
-  `tasks_from: bootstrap_only.yml` (as `load_bootstrap_secrets_only.yml` does).
+- `roles/load_secrets/tasks/bootstrap_only.yml` is used when you invoke the `load_secrets` role with
+  `tasks_from: bootstrap_only.yml` (as `playbooks/load_bootstrap_secrets.yml` does).
 - `roles/find_vp_secrets` resolves the primary file (`tasks/main.yml`).
 - v2 parsing and phase filters (`bootstrap_only`, `exclude_bootstrap`, `all`) are implemented in
   `plugins/module_utils/parse_secrets_v2.py` (single `bootstrap` normalizer: off / dual / early-only).
diff --git a/playbooks/determine_pattern_dir.yml b/playbooks/determine_pattern_dir.yml
@@ -1,6 +1,6 @@
 ---
 # Resolves pattern_dir the same way as the pattern_settings role (extra-vars, PATTERN_DIR, PWD, pwd),
-# then fails if still unset. Used by display_secrets_info, load_values_global, load_bootstrap_secrets*, etc.
+# then fails if still unset. Used by display_secrets_info, load_values_global, load_bootstrap_secrets, etc.
 - name: Determine pattern dir
   hosts: localhost
   connection: local
diff --git a/playbooks/load_bootstrap_secrets.yml b/playbooks/load_bootstrap_secrets.yml
@@ -1,12 +1,25 @@
 ---
-# Post-install alias: runs the same secrets load as load_secrets.yml (early bootstrap-tagged inject
-# from the primary file when present, then primary backend load).
+# Inject only bootstrap-tagged secrets from the primary values-secret file (none backend, with retries).
+# Does not load secrets into Vault or the primary Kubernetes backend. Does not honor
+# secretLoader.disabled from values-global. Fails if no primary file exists or there are no
+# bootstrap-tagged v2 entries.
 # Optional extra-vars: vp_secrets_bootstrap_retry_max, vp_secrets_bootstrap_retry_delay (seconds).
 - name: Determine pattern directory
   ansible.builtin.import_playbook: ./determine_pattern_dir.yml
 
 - name: Determine pattern name
   ansible.builtin.import_playbook: ./determine_pattern_name.yml
 
-- name: Load secrets (optional bootstrap then standard)
-  ansible.builtin.import_playbook: ./load_secrets.yml
+- name: Load bootstrap secrets
+  hosts: localhost
+  connection: local
+  gather_facts: false
+  become: false
+  roles:
+    - pattern_settings
+
+  tasks:
+    - name: Run bootstrap-only secrets load
+      ansible.builtin.include_role:
+        name: load_secrets
+        tasks_from: bootstrap_only.yml
diff --git a/playbooks/load_bootstrap_secrets_only.yml b/playbooks/load_bootstrap_secrets_only.yml
diff --git a/roles/vault_utils/README.md b/roles/vault_utils/README.md
@@ -70,7 +70,7 @@ The paths can be overridden by setting the environment variable `VALUES_SECRET`
 secret file.
 
 Optional **early bootstrap** behavior (Kubernetes inject for `bootstrap`-tagged v2 secrets in the **primary**
-values-secret file only), the early-then-primary loading order, `load_bootstrap_secrets_only.yml`, and
+values-secret file only), the early-then-primary loading order, `load_bootstrap_secrets.yml`, and
 `display_secrets_info.yml` are documented under **Secrets loading** in the collection `README.md` at the repository root.
 
 For **v2.0** primary files, each `secrets[]` entry may set `bootstrap`: use boolean `true` (or strings like `yes`,
