feat: switch kubeconfig to tailnet endpoint and deploy Hetzner CSI

.gitea/workflows/deploy.yml

@@ -225,6 +225,7 @@ jobs:
           ansible-playbook site.yml \
             -e "hcloud_token=${{ secrets.HCLOUD_TOKEN }}" \
             -e "tailscale_auth_key=${{ secrets.TAILSCALE_AUTH_KEY }}" \
+            -e "tailscale_tailnet=${{ secrets.TAILSCALE_TAILNET }}" \
             -e "cluster_name=k8s-cluster"
         env:
           ANSIBLE_HOST_KEY_CHECKING: "False"

README.md

@@ -10,7 +10,7 @@ Production-ready Kubernetes cluster on Hetzner Cloud using Terraform and Ansible
 | **Workers** | 4x CX33 |
 | **Total Cost** | €28.93/mo |
 | **K8s** | k3s (latest, HA) |
-| **Addons** | Hetzner CCM (load balancers) |
+| **Addons** | Hetzner CCM + CSI |
 | **Access** | SSH/API restricted to Tailnet |
 | **Bootstrap** | Terraform + Ansible |
 
@@ -143,6 +143,8 @@ export KUBECONFIG=$(pwd)/outputs/kubeconfig
 kubectl get nodes
 ```
 
+Kubeconfig endpoint is rewritten to the primary control-plane tailnet hostname (`k8s-cluster-cp-1.<your-tailnet>`).
+
 ## Gitea CI/CD
 
 This repository includes Gitea workflows for:
@@ -189,7 +191,8 @@ Set these in your Gitea repository settings (**Settings** → **Secrets** → **
 │   │   ├── common/
 │   │   ├── k3s-server/
 │   │   ├── k3s-agent/
-│   │   └── ccm/
+│   │   ├── ccm/
+│   │   └── csi/
 │   └── ansible.cfg
 ├── .gitea/
 │   └── workflows/

ansible/roles/csi/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+hcloud_token: ""
+cluster_name: "k8s-cluster"
+csi_manifest_url: "https://raw.githubusercontent.com/hetznercloud/csi-driver/v2.12.0/deploy/kubernetes/hcloud-csi.yml"

ansible/roles/csi/tasks/main.yml

@@ -0,0 +1,30 @@
+---
+- name: Create Hetzner CSI secret
+  shell: |
+    kubectl -n kube-system create secret generic hcloud-csi \
+      --from-literal=token='{{ hcloud_token }}' \
+      --from-literal=network='{{ cluster_name }}-network' \
+      --dry-run=client -o yaml | kubectl apply -f -
+  no_log: true
+  when: hcloud_token is defined
+  changed_when: true
+
+- name: Deploy Hetzner CSI
+  command: kubectl apply -f {{ csi_manifest_url }}
+  changed_when: true
+
+- name: Wait for CSI controller rollout
+  command: kubectl rollout status deployment/hcloud-csi-controller -n kube-system
+  register: csi_controller_rollout
+  until: csi_controller_rollout.rc == 0
+  retries: 30
+  delay: 10
+  changed_when: false
+
+- name: Wait for CSI node daemonset rollout
+  command: kubectl rollout status daemonset/hcloud-csi-node -n kube-system
+  register: csi_node_rollout
+  until: csi_node_rollout.rc == 0
+  retries: 30
+  delay: 10
+  changed_when: false

ansible/site.yml

@@ -82,13 +82,20 @@
   roles:
     - ccm
 
+- name: Deploy Hetzner CSI
+  hosts: control_plane[0]
+  become: true
+
+  roles:
+    - csi
+
 - name: Finalize
   hosts: localhost
   connection: local
   tasks:
     - name: Update kubeconfig server address
       command: |
-        sed -i 's/127.0.0.1/{{ hostvars[groups["control_plane"][0]]["k3s_primary_public_ip"] }}/g' ../outputs/kubeconfig
+        sed -i 's/127.0.0.1/{{ groups["control_plane"][0] }}.{{ tailscale_tailnet }}/g' ../outputs/kubeconfig
       changed_when: true
 
     - name: Display success message