ansible/roles/ccm/tasks/main.yml

---
- name: Check if Hetzner CCM is already deployed
  command: kubectl -n kube-system get deployment hcloud-cloud-controller-manager
  register: ccm_namespace
  failed_when: false
  changed_when: false

- name: Create Hetzner cloud secret
  shell: |
    kubectl -n kube-system create secret generic hcloud \
      --from-literal=token='{{ hcloud_token }}' \
      --from-literal=network='{{ cluster_name }}-network' \
      --dry-run=client -o yaml | kubectl apply -f -
  no_log: true
  when: hcloud_token is defined
  changed_when: true

- name: Deploy Hetzner CCM
  command: kubectl apply -f https://raw.githubusercontent.com/hetznercloud/hcloud-cloud-controller-manager/main/deploy/ccm-networks.yaml
  changed_when: true

- name: Detect CCM workload kind
  shell: |
    if kubectl -n kube-system get deployment hcloud-cloud-controller-manager >/dev/null 2>&1; then
      echo deployment
    elif kubectl -n kube-system get daemonset hcloud-cloud-controller-manager >/dev/null 2>&1; then
      echo daemonset
    else
      echo missing
    fi
  register: ccm_workload_kind
  changed_when: false

- name: Wait for CCM deployment rollout
  command: kubectl rollout status deployment/hcloud-cloud-controller-manager -n kube-system
  register: ccm_rollout_deploy
  until: ccm_rollout_deploy.rc == 0
  changed_when: false
  retries: 30
  delay: 10
  when: ccm_workload_kind.stdout == "deployment"

- name: Wait for CCM daemonset rollout
  command: kubectl rollout status daemonset/hcloud-cloud-controller-manager -n kube-system
  register: ccm_rollout_ds
  until: ccm_rollout_ds.rc == 0
  changed_when: false
  retries: 30
  delay: 10
  when: ccm_workload_kind.stdout == "daemonset"

- name: Set default Hetzner load balancer location for Traefik service
  command: kubectl -n kube-system annotate service traefik load-balancer.hetzner.cloud/location={{ hcloud_lb_location }} --overwrite
  register: traefik_annotation
  changed_when: true
  failed_when: false

- name: Show Traefik service when annotation patch fails
  command: kubectl -n kube-system get service traefik -o yaml
  register: traefik_service_dump
  changed_when: false
  failed_when: false
  when: traefik_annotation.rc != 0

- name: Fail when Traefik load balancer annotation cannot be set
  fail:
    msg: |
      Failed to set Hetzner load balancer location annotation on kube-system/traefik service.
      Command output:
      {{ traefik_annotation.stderr | default(traefik_annotation.stdout) }}

      Service dump:
      {{ traefik_service_dump.stdout | default('n/a') }}
  when: traefik_annotation.rc != 0

- name: Show CCM namespace objects when workload missing
  command: kubectl -n kube-system get all | grep hcloud-cloud-controller-manager || true
  register: ccm_ns_objects
  changed_when: false
  when: ccm_workload_kind.stdout == "missing"

- name: Fail when CCM workload is missing
  fail:
    msg: |
      hcloud-cloud-controller-manager workload not found after applying manifest.
      Namespace objects:
      {{ ccm_ns_objects.stdout | default('n/a') }}
  when: ccm_workload_kind.stdout == "missing"
feat: Add HA Kubernetes cluster with Terraform + Ansible - 3x CX23 control plane nodes (HA) - 4x CX33 worker nodes - k3s with embedded etcd - Hetzner CCM for load balancers - Gitea CI/CD workflows - Backblaze B2 for Terraform state 2026-02-28 20:24:55 +00:00			`---`
			`- name: Check if Hetzner CCM is already deployed`
fix: deploy Hetzner CCM resources in kube-system namespace 2026-03-01 03:44:36 +00:00			`command: kubectl -n kube-system get deployment hcloud-cloud-controller-manager`
feat: Add HA Kubernetes cluster with Terraform + Ansible - 3x CX23 control plane nodes (HA) - 4x CX33 worker nodes - k3s with embedded etcd - Hetzner CCM for load balancers - Gitea CI/CD workflows - Backblaze B2 for Terraform state 2026-02-28 20:24:55 +00:00			`register: ccm_namespace`
			`failed_when: false`
			`changed_when: false`

			`- name: Create Hetzner cloud secret`
fix: deploy CCM via kubectl to avoid remote python kubernetes dependency 2026-03-01 03:13:33 +00:00			`shell: \|`
fix: deploy Hetzner CCM resources in kube-system namespace 2026-03-01 03:44:36 +00:00			`kubectl -n kube-system create secret generic hcloud \`
fix: deploy CCM via kubectl to avoid remote python kubernetes dependency 2026-03-01 03:13:33 +00:00			`--from-literal=token='{{ hcloud_token }}' \`
			`--from-literal=network='{{ cluster_name }}-network' \`
			`--dry-run=client -o yaml \| kubectl apply -f -`
feat: Add HA Kubernetes cluster with Terraform + Ansible - 3x CX23 control plane nodes (HA) - 4x CX33 worker nodes - k3s with embedded etcd - Hetzner CCM for load balancers - Gitea CI/CD workflows - Backblaze B2 for Terraform state 2026-02-28 20:24:55 +00:00			`no_log: true`
			`when: hcloud_token is defined`
fix: deploy CCM via kubectl to avoid remote python kubernetes dependency 2026-03-01 03:13:33 +00:00			`changed_when: true`
feat: Add HA Kubernetes cluster with Terraform + Ansible - 3x CX23 control plane nodes (HA) - 4x CX33 worker nodes - k3s with embedded etcd - Hetzner CCM for load balancers - Gitea CI/CD workflows - Backblaze B2 for Terraform state 2026-02-28 20:24:55 +00:00
			`- name: Deploy Hetzner CCM`
fix: deploy CCM via kubectl to avoid remote python kubernetes dependency 2026-03-01 03:13:33 +00:00			`command: kubectl apply -f https://raw.githubusercontent.com/hetznercloud/hcloud-cloud-controller-manager/main/deploy/ccm-networks.yaml`
			`changed_when: true`
feat: Add HA Kubernetes cluster with Terraform + Ansible - 3x CX23 control plane nodes (HA) - 4x CX33 worker nodes - k3s with embedded etcd - Hetzner CCM for load balancers - Gitea CI/CD workflows - Backblaze B2 for Terraform state 2026-02-28 20:24:55 +00:00
fix: support CCM deployment or daemonset rollout checks 2026-03-01 03:37:08 +00:00			`- name: Detect CCM workload kind`
			`shell: \|`
fix: deploy Hetzner CCM resources in kube-system namespace 2026-03-01 03:44:36 +00:00			`if kubectl -n kube-system get deployment hcloud-cloud-controller-manager >/dev/null 2>&1; then`
fix: support CCM deployment or daemonset rollout checks 2026-03-01 03:37:08 +00:00			`echo deployment`
fix: deploy Hetzner CCM resources in kube-system namespace 2026-03-01 03:44:36 +00:00			`elif kubectl -n kube-system get daemonset hcloud-cloud-controller-manager >/dev/null 2>&1; then`
fix: support CCM deployment or daemonset rollout checks 2026-03-01 03:37:08 +00:00			`echo daemonset`
			`else`
			`echo missing`
			`fi`
			`register: ccm_workload_kind`
			`changed_when: false`

			`- name: Wait for CCM deployment rollout`
fix: deploy Hetzner CCM resources in kube-system namespace 2026-03-01 03:44:36 +00:00			`command: kubectl rollout status deployment/hcloud-cloud-controller-manager -n kube-system`
fix: support CCM deployment or daemonset rollout checks 2026-03-01 03:37:08 +00:00			`register: ccm_rollout_deploy`
			`until: ccm_rollout_deploy.rc == 0`
			`changed_when: false`
			`retries: 30`
			`delay: 10`
			`when: ccm_workload_kind.stdout == "deployment"`

			`- name: Wait for CCM daemonset rollout`
fix: deploy Hetzner CCM resources in kube-system namespace 2026-03-01 03:44:36 +00:00			`command: kubectl rollout status daemonset/hcloud-cloud-controller-manager -n kube-system`
fix: support CCM deployment or daemonset rollout checks 2026-03-01 03:37:08 +00:00			`register: ccm_rollout_ds`
			`until: ccm_rollout_ds.rc == 0`
feat: Add HA Kubernetes cluster with Terraform + Ansible - 3x CX23 control plane nodes (HA) - 4x CX33 worker nodes - k3s with embedded etcd - Hetzner CCM for load balancers - Gitea CI/CD workflows - Backblaze B2 for Terraform state 2026-02-28 20:24:55 +00:00			`changed_when: false`
			`retries: 30`
			`delay: 10`
fix: support CCM deployment or daemonset rollout checks 2026-03-01 03:37:08 +00:00			`when: ccm_workload_kind.stdout == "daemonset"`

feat: add CSI smoke test and default Traefik LB location 2026-03-01 19:52:14 +00:00			`- name: Set default Hetzner load balancer location for Traefik service`
			`command: kubectl -n kube-system annotate service traefik load-balancer.hetzner.cloud/location={{ hcloud_lb_location }} --overwrite`
			`register: traefik_annotation`
			`changed_when: true`
			`failed_when: false`

			`- name: Show Traefik service when annotation patch fails`
			`command: kubectl -n kube-system get service traefik -o yaml`
			`register: traefik_service_dump`
			`changed_when: false`
			`failed_when: false`
			`when: traefik_annotation.rc != 0`

			`- name: Fail when Traefik load balancer annotation cannot be set`
			`fail:`
			`msg: \|`
			`Failed to set Hetzner load balancer location annotation on kube-system/traefik service.`
			`Command output:`
			`{{ traefik_annotation.stderr \| default(traefik_annotation.stdout) }}`

			`Service dump:`
			`{{ traefik_service_dump.stdout \| default('n/a') }}`
			`when: traefik_annotation.rc != 0`

fix: support CCM deployment or daemonset rollout checks 2026-03-01 03:37:08 +00:00			`- name: Show CCM namespace objects when workload missing`
fix: deploy Hetzner CCM resources in kube-system namespace 2026-03-01 03:44:36 +00:00			`command: kubectl -n kube-system get all \| grep hcloud-cloud-controller-manager \|\| true`
fix: support CCM deployment or daemonset rollout checks 2026-03-01 03:37:08 +00:00			`register: ccm_ns_objects`
			`changed_when: false`
			`when: ccm_workload_kind.stdout == "missing"`

			`- name: Fail when CCM workload is missing`
			`fail:`
			`msg: \|`
			`hcloud-cloud-controller-manager workload not found after applying manifest.`
			`Namespace objects:`
			`{{ ccm_ns_objects.stdout \| default('n/a') }}`
			`when: ccm_workload_kind.stdout == "missing"`