Automatically inject tls-san when api_endpoint differs from hostname (#434)

guiand888 · web-flow · commit f2aed3ba4716 · 2025-09-15T11:21:20.000-07:00
* Auto-add --tls-san={{ api_endpoint }} when it differs from ansible_hostname
* Ensures first server generates certificate with all required SANs
* Add .ansible/ and PR_DESCRIPTION.md to gitignore

Signed-off-by: Guillaume Andre &lt;mail@guillaumea.fr&gt;
diff --git a/.gitignore b/.gitignore
@@ -3,4 +3,6 @@ venv
 .vscode
 .vagrant
 inventory.yml
-playbook/debug.yml
+playbook/debug.yml
+.ansible/
+PR_DESCRIPTION.md
diff --git a/roles/k3s_agent/tasks/main.yml b/roles/k3s_agent/tasks/main.yml
@@ -41,6 +41,28 @@
         }) }}
       changed_when: true
 
+- name: Compute final agent arguments
+  ansible.builtin.set_fact:
+    _api_endpoint_in_agent_config: >-
+      {% if agent_config_yaml is defined and api_endpoint is defined and agent_config_yaml | regex_search('tls-san:.*' + api_endpoint | regex_escape(), ignorecase=True) %}
+      true
+      {% else %}
+      false
+      {% endif %}
+    _api_endpoint_in_agent_args: >-
+      {% if api_endpoint is defined and extra_agent_args | regex_search('--tls-san[=\s]+' + api_endpoint | regex_escape(), ignorecase=True) %}
+      true
+      {% else %}
+      false
+      {% endif %}
+
+- name: Add TLS SAN to agent arguments if needed
+  ansible.builtin.set_fact:
+    opt_tls_san: >-
+      {% if api_endpoint is defined and api_endpoint != ansible_hostname and _api_endpoint_in_agent_config | bool == false and _api_endpoint_in_agent_args | bool == false %}
+      --tls-san={{ api_endpoint }}
+      {% endif %}
+
 - name: Setup optional config file
   when: agent_config_yaml is defined
   block:
diff --git a/roles/k3s_agent/templates/k3s-agent.service.j2 b/roles/k3s_agent/templates/k3s-agent.service.j2
@@ -26,4 +26,4 @@ RestartSec=5s
 ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service'
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_agent_args }}
+ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ opt_tls_san }} {{ extra_agent_args }}
diff --git a/roles/k3s_server/tasks/main.yml b/roles/k3s_server/tasks/main.yml
@@ -46,6 +46,29 @@
     regexp: '\.\s+<\(k3s completion bash\)'
     line: ". <(k3s completion bash)  # Added by k3s-ansible"
 
+- name: Compute final server arguments
+  ansible.builtin.set_fact:
+    _api_endpoint_in_config: >-
+      {% if server_config_yaml is defined and api_endpoint is defined and server_config_yaml | regex_search('tls-san:.*' + api_endpoint | regex_escape(), ignorecase=True) %}
+      true
+      {% else %}
+      false
+      {% endif %}
+    _api_endpoint_in_args: >-
+      {% if api_endpoint is defined and extra_server_args | regex_search('--tls-san[=\s]+' + api_endpoint | regex_escape(), ignorecase=True) %}
+      true
+      {% else %}
+      false
+      {% endif %}
+
+- name: Add TLS SAN to server arguments if needed
+  ansible.builtin.set_fact:
+    final_server_args: >-
+      {{ extra_server_args }}
+      {% if api_endpoint is defined and api_endpoint != ansible_hostname and _api_endpoint_in_config | bool == false and _api_endpoint_in_args | bool == false %}
+      --tls-san={{ api_endpoint }}
+      {% endif %}
+
 - name: Setup optional config file
   when: server_config_yaml is defined
   block:
diff --git a/roles/k3s_server/templates/k3s-cluster-init.service.j2 b/roles/k3s_server/templates/k3s-cluster-init.service.j2
@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} {{ extra_server_args }} 
+ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} {{ final_server_args }}
diff --git a/roles/k3s_server/templates/k3s-ha.service.j2 b/roles/k3s_server/templates/k3s-ha.service.j2
@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_server_args }} 
+ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ final_server_args }}
diff --git a/roles/k3s_server/templates/k3s-single.service.j2 b/roles/k3s_server/templates/k3s-single.service.j2
@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args }} 
+ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ final_server_args }}
