ansible/roles/csi/tasks/main.yml

---
- name: Create Hetzner CSI secret
  shell: |
    kubectl -n kube-system create secret generic hcloud \
      --from-literal=token='{{ hcloud_token }}' \
      --from-literal=network='{{ cluster_name }}-network' \
      --dry-run=client -o yaml | kubectl apply -f -
  no_log: true
  when: hcloud_token is defined
  changed_when: true

- name: Deploy Hetzner CSI
  command: kubectl apply -f {{ csi_manifest_url }}
  changed_when: true

- name: Wait for CSI controller rollout
  command: kubectl rollout status deployment/hcloud-csi-controller -n kube-system --timeout={{ csi_rollout_timeout_seconds }}s
  register: csi_controller_rollout
  until: csi_controller_rollout.rc == 0
  retries: "{{ csi_rollout_retries | int }}"
  delay: "{{ csi_rollout_delay_seconds | int }}"
  failed_when: false
  changed_when: false

- name: Show CSI controller status on failure
  command: kubectl -n kube-system get deployment hcloud-csi-controller -o wide
  register: csi_controller_deploy_status
  changed_when: false
  failed_when: false
  when: csi_controller_rollout.rc != 0

- name: Show CSI controller pods on failure
  command: kubectl -n kube-system get pods -l app=hcloud-csi-controller -o wide
  register: csi_controller_pods_status
  changed_when: false
  failed_when: false
  when: csi_controller_rollout.rc != 0

- name: Describe CSI controller deployment on failure
  command: kubectl -n kube-system describe deployment hcloud-csi-controller
  register: csi_controller_deploy_describe
  changed_when: false
  failed_when: false
  when: csi_controller_rollout.rc != 0

- name: Show CSI driver logs on failure
  command: kubectl -n kube-system logs deployment/hcloud-csi-controller -c hcloud-csi-driver --tail={{ csi_failure_log_tail_lines }}
  register: csi_driver_logs
  changed_when: false
  failed_when: false
  when: csi_controller_rollout.rc != 0

- name: Show recent kube-system events on failure
  command: kubectl -n kube-system get events --sort-by=.lastTimestamp
  register: csi_recent_events
  changed_when: false
  failed_when: false
  when: csi_controller_rollout.rc != 0

- name: Fail with CSI controller diagnostics
  fail:
    msg: |
      CSI controller rollout failed.
      Deployment status:
      {{ csi_controller_deploy_status.stdout | default('n/a') }}

      Pods status:
      {{ csi_controller_pods_status.stdout | default('n/a') }}

      Deployment describe:
      {{ csi_controller_deploy_describe.stdout | default('n/a') }}

      hcloud-csi-driver logs:
      {{ csi_driver_logs.stdout | default('n/a') }}

      Recent kube-system events:
      {{ csi_recent_events.stdout | default('n/a') }}
  when: csi_controller_rollout.rc != 0

- name: Wait for CSI node daemonset rollout
  command: kubectl rollout status daemonset/hcloud-csi-node -n kube-system --timeout={{ csi_rollout_timeout_seconds }}s
  register: csi_node_rollout
  until: csi_node_rollout.rc == 0
  retries: "{{ csi_rollout_retries | int }}"
  delay: "{{ csi_rollout_delay_seconds | int }}"
  failed_when: false
  changed_when: false

- name: Fail when CSI node daemonset rollout does not complete
  fail:
    msg: "CSI node daemonset rollout failed: {{ csi_node_rollout.stdout | default('') }} {{ csi_node_rollout.stderr | default('') }}"
  when: csi_node_rollout.rc != 0
feat: switch kubeconfig to tailnet endpoint and deploy Hetzner CSI 2026-03-01 17:12:12 +00:00			`---`
			`- name: Create Hetzner CSI secret`
			`shell: \|`
fix: create CSI credentials in expected hcloud secret 2026-03-01 17:28:59 +00:00			`kubectl -n kube-system create secret generic hcloud \`
feat: switch kubeconfig to tailnet endpoint and deploy Hetzner CSI 2026-03-01 17:12:12 +00:00			`--from-literal=token='{{ hcloud_token }}' \`
			`--from-literal=network='{{ cluster_name }}-network' \`
			`--dry-run=client -o yaml \| kubectl apply -f -`
			`no_log: true`
			`when: hcloud_token is defined`
			`changed_when: true`

			`- name: Deploy Hetzner CSI`
			`command: kubectl apply -f {{ csi_manifest_url }}`
			`changed_when: true`

			`- name: Wait for CSI controller rollout`
fix: make CSI rollout checks configurable and faster 2026-03-01 18:28:17 +00:00			`command: kubectl rollout status deployment/hcloud-csi-controller -n kube-system --timeout={{ csi_rollout_timeout_seconds }}s`
feat: switch kubeconfig to tailnet endpoint and deploy Hetzner CSI 2026-03-01 17:12:12 +00:00			`register: csi_controller_rollout`
			`until: csi_controller_rollout.rc == 0`
fix: make CSI rollout checks configurable and faster 2026-03-01 18:28:17 +00:00			`retries: "{{ csi_rollout_retries \| int }}"`
			`delay: "{{ csi_rollout_delay_seconds \| int }}"`
fix: surface CSI rollout diagnostics before failing 2026-03-01 18:42:03 +00:00			`failed_when: false`
feat: switch kubeconfig to tailnet endpoint and deploy Hetzner CSI 2026-03-01 17:12:12 +00:00			`changed_when: false`

fix: bound CSI rollout wait time and add failure diagnostics 2026-03-01 18:06:19 +00:00			`- name: Show CSI controller status on failure`
			`command: kubectl -n kube-system get deployment hcloud-csi-controller -o wide`
			`register: csi_controller_deploy_status`
			`changed_when: false`
			`failed_when: false`
fix: surface CSI rollout diagnostics before failing 2026-03-01 18:42:03 +00:00			`when: csi_controller_rollout.rc != 0`
fix: bound CSI rollout wait time and add failure diagnostics 2026-03-01 18:06:19 +00:00
			`- name: Show CSI controller pods on failure`
			`command: kubectl -n kube-system get pods -l app=hcloud-csi-controller -o wide`
			`register: csi_controller_pods_status`
			`changed_when: false`
			`failed_when: false`
fix: surface CSI rollout diagnostics before failing 2026-03-01 18:42:03 +00:00			`when: csi_controller_rollout.rc != 0`

			`- name: Describe CSI controller deployment on failure`
			`command: kubectl -n kube-system describe deployment hcloud-csi-controller`
			`register: csi_controller_deploy_describe`
			`changed_when: false`
			`failed_when: false`
			`when: csi_controller_rollout.rc != 0`
fix: bound CSI rollout wait time and add failure diagnostics 2026-03-01 18:06:19 +00:00
			`- name: Show CSI driver logs on failure`
fix: make CSI rollout checks configurable and faster 2026-03-01 18:28:17 +00:00			`command: kubectl -n kube-system logs deployment/hcloud-csi-controller -c hcloud-csi-driver --tail={{ csi_failure_log_tail_lines }}`
fix: bound CSI rollout wait time and add failure diagnostics 2026-03-01 18:06:19 +00:00			`register: csi_driver_logs`
			`changed_when: false`
			`failed_when: false`
fix: surface CSI rollout diagnostics before failing 2026-03-01 18:42:03 +00:00			`when: csi_controller_rollout.rc != 0`
fix: bound CSI rollout wait time and add failure diagnostics 2026-03-01 18:06:19 +00:00
fix: make CSI rollout checks configurable and faster 2026-03-01 18:28:17 +00:00			`- name: Show recent kube-system events on failure`
			`command: kubectl -n kube-system get events --sort-by=.lastTimestamp`
			`register: csi_recent_events`
			`changed_when: false`
			`failed_when: false`
fix: surface CSI rollout diagnostics before failing 2026-03-01 18:42:03 +00:00			`when: csi_controller_rollout.rc != 0`
fix: make CSI rollout checks configurable and faster 2026-03-01 18:28:17 +00:00
fix: bound CSI rollout wait time and add failure diagnostics 2026-03-01 18:06:19 +00:00			`- name: Fail with CSI controller diagnostics`
			`fail:`
			`msg: \|`
			`CSI controller rollout failed.`
			`Deployment status:`
			`{{ csi_controller_deploy_status.stdout \| default('n/a') }}`

			`Pods status:`
			`{{ csi_controller_pods_status.stdout \| default('n/a') }}`

fix: surface CSI rollout diagnostics before failing 2026-03-01 18:42:03 +00:00			`Deployment describe:`
			`{{ csi_controller_deploy_describe.stdout \| default('n/a') }}`

fix: bound CSI rollout wait time and add failure diagnostics 2026-03-01 18:06:19 +00:00			`hcloud-csi-driver logs:`
			`{{ csi_driver_logs.stdout \| default('n/a') }}`
fix: make CSI rollout checks configurable and faster 2026-03-01 18:28:17 +00:00
			`Recent kube-system events:`
			`{{ csi_recent_events.stdout \| default('n/a') }}`
fix: surface CSI rollout diagnostics before failing 2026-03-01 18:42:03 +00:00			`when: csi_controller_rollout.rc != 0`
fix: bound CSI rollout wait time and add failure diagnostics 2026-03-01 18:06:19 +00:00
feat: switch kubeconfig to tailnet endpoint and deploy Hetzner CSI 2026-03-01 17:12:12 +00:00			`- name: Wait for CSI node daemonset rollout`
fix: make CSI rollout checks configurable and faster 2026-03-01 18:28:17 +00:00			`command: kubectl rollout status daemonset/hcloud-csi-node -n kube-system --timeout={{ csi_rollout_timeout_seconds }}s`
feat: switch kubeconfig to tailnet endpoint and deploy Hetzner CSI 2026-03-01 17:12:12 +00:00			`register: csi_node_rollout`
			`until: csi_node_rollout.rc == 0`
fix: make CSI rollout checks configurable and faster 2026-03-01 18:28:17 +00:00			`retries: "{{ csi_rollout_retries \| int }}"`
			`delay: "{{ csi_rollout_delay_seconds \| int }}"`
fix: surface CSI rollout diagnostics before failing 2026-03-01 18:42:03 +00:00			`failed_when: false`
feat: switch kubeconfig to tailnet endpoint and deploy Hetzner CSI 2026-03-01 17:12:12 +00:00			`changed_when: false`
fix: surface CSI rollout diagnostics before failing 2026-03-01 18:42:03 +00:00
			`- name: Fail when CSI node daemonset rollout does not complete`
			`fail:`
			`msg: "CSI node daemonset rollout failed: {{ csi_node_rollout.stdout \| default('') }} {{ csi_node_rollout.stderr \| default('') }}"`
			`when: csi_node_rollout.rc != 0`