fix(role): drive namespace lookup via kubectl, not kubernetes.core.k8s_info

The k8s_info module requires the optional Python 'kubernetes'
package on the controller, which is not installed in the project's
CI environment (and is not a documented prerequisite for users
either). The rest of this role already drives the cluster via
`kubectl ... --output=json` for the same reason.

Switch the cozy-system lookup to `kubectl get namespace ... \
--ignore-not-found --output=json` and parse the result with
from_json. `--ignore-not-found` returns an empty stdout (rather
than a non-zero exit) when the namespace is absent, so the same
length-check gate as before keeps the foreign-owner and adopt
tasks no-op'd on first install.

The unit tests are unchanged because they check task names and
when-clause structure, not the lookup module's internals.

Assisted-By: Claude <noreply@anthropic.com>
Signed-off-by: Aleksei Sviridkin <f@lex.la>

Author: lexfrei

roles/cozystack/tasks/main.yml

@@ -84,14 +84,20 @@
 # does not exist or already carries the right metadata. Refuses to
 # proceed if the namespace is owned by a *different* helm release —
 # that case requires operator intervention, not silent re-adoption.
+# Use `kubectl get` rather than `kubernetes.core.k8s_info` so the
+# role works on controllers without the optional `kubernetes` Python
+# package — the rest of this file already drives the cluster via
+# kubectl for the same reason.
 - name: Look up cozy-system namespace
-  kubernetes.core.k8s_info:
-    kubeconfig: "{{ cozystack_kubeconfig }}"
-    api_version: v1
-    kind: Namespace
-    name: cozy-system
+  ansible.builtin.command:
+    cmd: >-
+      kubectl --kubeconfig {{ cozystack_kubeconfig }}
+      get namespace cozy-system
+      --ignore-not-found
+      --output=json
   become: true
-  register: _cozystack_ns_info
+  changed_when: false
+  register: _cozystack_ns_lookup
   when: not ansible_check_mode
 
 - name: Refuse to overwrite cozy-system if owned by another helm release
@@ -106,7 +112,7 @@
       cozystack_release_name / cozystack_release_namespace with the
       existing owner.
   vars:
-    _ns: "{{ (_cozystack_ns_info.resources | default([]) | first) | default({}) }}"
+    _ns: "{{ (_cozystack_ns_lookup.stdout | default('') | length > 0) | ternary(_cozystack_ns_lookup.stdout | from_json, {}) }}"
     _labels: "{{ _ns.metadata.labels | default({}) }}"
     _annotations: "{{ _ns.metadata.annotations | default({}) }}"
     _release_name: "{{ _annotations.get('meta.helm.sh/release-name', '') }}"
@@ -116,7 +122,7 @@
   # prior install left annotations behind without the label.
   when:
     - not ansible_check_mode
-    - _cozystack_ns_info.resources | default([]) | length > 0
+    - _cozystack_ns_lookup.stdout | default('') | length > 0
     - >-
       (_labels.get('app.kubernetes.io/managed-by', '') == 'Helm'
        and (_release_name != cozystack_release_name
@@ -145,12 +151,12 @@
   register: _cozystack_ns_adopt
   changed_when: "'patched' in _cozystack_ns_adopt.stdout and '(no change)' not in _cozystack_ns_adopt.stdout"
   vars:
-    _ns: "{{ (_cozystack_ns_info.resources | default([]) | first) | default({}) }}"
+    _ns: "{{ (_cozystack_ns_lookup.stdout | default('') | length > 0) | ternary(_cozystack_ns_lookup.stdout | from_json, {}) }}"
     _labels: "{{ _ns.metadata.labels | default({}) }}"
     _annotations: "{{ _ns.metadata.annotations | default({}) }}"
   when:
     - not ansible_check_mode
-    - _cozystack_ns_info.resources | default([]) | length > 0
+    - _cozystack_ns_lookup.stdout | default('') | length > 0
     - _labels.get('app.kubernetes.io/managed-by', '') != 'Helm'
       or _annotations.get('meta.helm.sh/release-name', '') != cozystack_release_name
       or _annotations.get('meta.helm.sh/release-namespace', '') != cozystack_release_namespace