Fix certificate validation when api_endpoint differs from hostname

.gitignore

@@ -3,4 +3,6 @@ venv
 .vscode
 .vagrant
 inventory.yml
-playbook/debug.yml
+playbook/debug.yml
+.ansible/
+PR_DESCRIPTION.md

roles/k3s_agent/tasks/main.yml

@@ -1,11 +1,11 @@
 ---
 - name: Get k3s installed version
   ansible.builtin.command: k3s --version
   register: k3s_version_output
   changed_when: false
   ignore_errors: true
 
 - name: Set k3s installed version
   when: not ansible_check_mode and k3s_version_output.rc == 0
   ansible.builtin.set_fact:
     installed_k3s_version: "{{ k3s_version_output.stdout_lines[0].split(' ')[2] }}"
@@ -41,6 +41,28 @@
         }) }}
       changed_when: true
 
+- name: Compute final agent arguments
+  ansible.builtin.set_fact:
+    _api_endpoint_in_agent_config: >-
+      {% if agent_config_yaml is defined and api_endpoint is defined and agent_config_yaml | regex_search('tls-san:.*' + api_endpoint | regex_escape(), ignorecase=True) %}
+      true
+      {% else %}
+      false
+      {% endif %}
+    _api_endpoint_in_agent_args: >-
+      {% if api_endpoint is defined and extra_agent_args | regex_search('--tls-san[=\s]+' + api_endpoint | regex_escape(), ignorecase=True) %}
+      true
+      {% else %}
+      false
+      {% endif %}
+
+- name: Add TLS SAN to agent arguments if needed
+  ansible.builtin.set_fact:
+    opt_tls_san: >-
+      {% if api_endpoint is defined and api_endpoint != ansible_hostname and _api_endpoint_in_agent_config | bool == false and _api_endpoint_in_agent_args | bool == false %}
+      --tls-san={{ api_endpoint }}
+      {% endif %}
+
 - name: Setup optional config file
   when: agent_config_yaml is defined
   block:
@@ -49,14 +71,14 @@
         path: "/etc/rancher/k3s"
         mode: "0755"
         state: directory
     - name: Copy config values
       ansible.builtin.copy:
         content: "{{ agent_config_yaml }}"
         dest: "/etc/rancher/k3s/config.yaml"
         mode: "0644"
       register: _agent_config_result
 
 - name: Get the token from the first server
   ansible.builtin.set_fact:
     token: "{{ hostvars[groups[server_group][0]].token }}"
 

roles/k3s_agent/templates/k3s-agent.service.j2

@@ -26,4 +26,4 @@ RestartSec=5s
 ExecStartPre=/bin/sh -xc '! /usr/bin/systemctl is-enabled --quiet nm-cloud-setup.service'
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_agent_args }}
+ExecStart=/usr/local/bin/k3s agent --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ opt_tls_san }} {{ extra_agent_args }}

roles/k3s_server/tasks/main.yml

@@ -46,6 +46,29 @@
     regexp: '\.\s+<\(k3s completion bash\)'
     line: ". <(k3s completion bash)  # Added by k3s-ansible"
 
+- name: Compute final server arguments
+  ansible.builtin.set_fact:
+    _api_endpoint_in_config: >-
+      {% if server_config_yaml is defined and api_endpoint is defined and server_config_yaml | regex_search('tls-san:.*' + api_endpoint | regex_escape(), ignorecase=True) %}
+      true
+      {% else %}
+      false
+      {% endif %}
+    _api_endpoint_in_args: >-
+      {% if api_endpoint is defined and extra_server_args | regex_search('--tls-san[=\s]+' + api_endpoint | regex_escape(), ignorecase=True) %}
+      true
+      {% else %}
+      false
+      {% endif %}
+
+- name: Add TLS SAN to server arguments if needed
+  ansible.builtin.set_fact:
+    final_server_args: >-
+      {{ extra_server_args }}
+      {% if api_endpoint is defined and api_endpoint != ansible_hostname and _api_endpoint_in_config | bool == false and _api_endpoint_in_args | bool == false %}
+      --tls-san={{ api_endpoint }}
+      {% endif %}
+
 - name: Setup optional config file
   when: server_config_yaml is defined
   block:

roles/k3s_server/templates/k3s-cluster-init.service.j2

@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} {{ extra_server_args }} 
+ExecStart=/usr/local/bin/k3s server --cluster-init --data-dir {{ k3s_server_location }} {{ final_server_args }}

roles/k3s_server/templates/k3s-ha.service.j2

@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ extra_server_args }} 
+ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} --server https://{{ api_endpoint }}:{{ api_port }} {{ final_server_args }}

roles/k3s_server/templates/k3s-single.service.j2

@@ -25,4 +25,4 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ extra_server_args }} 
+ExecStart=/usr/local/bin/k3s server --data-dir {{ k3s_server_location }} {{ final_server_args }}