Fix certificate validation when api_endpoint differs from hostname

guiand888 · guiand888 · commit d6440ced58c5 · 2025-08-23T22:36:20.000+08:00
- Auto-add --tls-san={{ api_endpoint }} when it differs from ansible_hostname
- Prevents 'x509: certificate is valid for hostname, not FQDN' errors
- Ensures first server generates certificate with all required SANs
- Maintains backward compatibility with existing configurations
- Fixes HA cluster bootstrap issues when using FQDNs in inventory

Closes certificate validation failures in multi-server setups where
api_endpoint (FQDN) differs from the detected hostname.
diff --git a/roles/k3s_server/defaults/main.yml b/roles/k3s_server/defaults/main.yml
@@ -9,3 +9,6 @@ server_group: server  # noqa var-naming[no-role-prefix]
 agent_group: agent  # noqa var-naming[no-role-prefix]
 use_external_database: false # noqa var-naming[no-role-prefix]
 extra_server_args: "" # noqa var-naming[no-role-prefix]
+# Auto-computed TLS SANs to prevent certificate validation issues
+_computed_tls_sans: "{% if api_endpoint is defined and api_endpoint != ansible_hostname %}--tls-san={{ api_endpoint }}{% endif %}"
+_final_server_args: "{{ extra_server_args }} {{ _computed_tls_sans }}"
diff --git a/roles/k3s_server/templates/k3s-cluster-init.service.j2 b/roles/k3s_server/templates/k3s-cluster-init.service.j2
@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} {{ extra_server_args }} 
+ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} {{ _final_server_args }}
diff --git a/roles/k3s_server/templates/k3s-ha.service.j2 b/roles/k3s_server/templates/k3s-ha.service.j2
@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_server_args }} 
+ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ _final_server_args }}
diff --git a/roles/k3s_server/templates/k3s-single.service.j2 b/roles/k3s_server/templates/k3s-single.service.j2
@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args }} 
+ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ _final_server_args }}
