From 0e52d8f1591908be9685c72fd26b981532de1248 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Mon, 23 Mar 2026 23:50:48 +0000
Subject: [PATCH] Use Tailscale DNS names instead of IPs for TLS SANs

Changed from hardcoded Tailscale IPs to DNS names:
- k8s-cluster-cp-1.silverside-gopher.ts.net
- k8s-cluster-cp-2.silverside-gopher.ts.net
- k8s-cluster-cp-3.silverside-gopher.ts.net
This is more robust since Tailscale IPs change on rebuild, but DNS names remain consistent.
After next rebuild, cluster accessible via:
- kubectl --server=https://k8s-cluster-cp-1.silverside-gopher.ts.net:6443
---
 ansible/roles/k3s-server/defaults/main.yml | 11 ++++++-----
 ansible/roles/k3s-server/tasks/main.yml | 2 +-
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/ansible/roles/k3s-server/defaults/main.yml b/ansible/roles/k3s-server/defaults/main.yml
index c4af9bb..a156ceb 100644
--- a/ansible/roles/k3s-server/defaults/main.yml
+++ b/ansible/roles/k3s-server/defaults/main.yml
@@ -8,8 +8,9 @@ k3s_disable_servicelb: true
 k3s_kubelet_cloud_provider_external: true
 # Load Balancer endpoint for HA cluster joins (set in inventory)
 kube_api_endpoint: ""
-# Tailscale IPs for control planes (to enable tailnet access)
-tailscale_control_plane_ips:
- - "100.120.55.97" # cp-1
- - "100.108.90.123" # cp-2
- - "100.92.149.85" # cp-3
+# Tailscale DNS names for control planes (to enable tailnet access)
+# Using DNS names instead of IPs since Tailscale IPs change on rebuild
+tailscale_control_plane_names:
+ - "k8s-cluster-cp-1.silverside-gopher.ts.net"
+ - "k8s-cluster-cp-2.silverside-gopher.ts.net"
+ - "k8s-cluster-cp-3.silverside-gopher.ts.net"
diff --git a/ansible/roles/k3s-server/tasks/main.yml b/ansible/roles/k3s-server/tasks/main.yml
index 9a14138..0be4883 100644
--- a/ansible/roles/k3s-server/tasks/main.yml
+++ b/ansible/roles/k3s-server/tasks/main.yml
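Review bot: The MagicDNS suffix `silverside-gopher.ts.net` is now hard-coded three times in role defaults, which ties the role to a single tailnet and departs from the pattern a few lines up where `kube_api_endpoint` is left empty and set in inventory. I would factor it out so inventory can override it: `tailscale_tailnet: "silverside-gopher.ts.net"` with list entries like `"k8s-cluster-cp-1.{{ tailscale_tailnet }}"` (role defaults may reference each other, since Jinja in vars is evaluated lazily). The new comment's premise that the names stay consistent across rebuilds holds only if the stale node registration is removed from the tailnet before the rebuilt host re-registers; as far as I know Tailscale resolves a hostname collision by appending a numeric suffix, and the resulting name would not match the SAN. Worth recording next to the list: `# NOTE: a rebuilt node keeps this name only if the old node is deleted from the tailnet first; a collision yields a suffixed name that will not match the cert.` Dropping the IP SANs also means a kubeconfig that still targets `https://100.x.x.x:6443` will fail certificate verification after the rebuild, which is correct but worth stating so nobody reaches for `--insecure-skip-tls-verify`.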
@@ -64,7 +64,7 @@
 --tls-san={{ k3s_primary_ip }}
 --tls-san={{ k3s_primary_public_ip }}
 --tls-san={{ kube_api_endpoint }}
- {% for ip in tailscale_control_plane_ips %}--tls-san={{ ip }} {% endfor %}
+ {% for name in tailscale_control_plane_names %}--tls-san={{ name }} {% endfor %}
 {% if k3s_disable_embedded_ccm | bool %}--disable-cloud-controller{% endif %}
 {% if k3s_disable_servicelb | bool %}--disable=servicelb{% endif %}
 {% if k3s_kubelet_cloud_provider_external | bool %}--kubelet-arg=cloud-provider=external{% endif %}
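Review bot: Renaming the loop variable to `tailscale_control_plane_names` silently orphans any inventory or group_vars override of the old `tailscale_control_plane_ips`: the new name always has a role default, so Ansible raises nothing and the API server cert would be issued with the role's SANs rather than the operator's. A guard before this task makes the rename loud, e.g. `- ansible.builtin.assert:` / `    that: tailscale_control_plane_ips is not defined` / `    fail_msg: "tailscale_control_plane_ips was renamed to tailscale_control_plane_names"`. The argument string is assembled by plain Jinja, so an entry containing whitespace or shell metacharacters would split into extra arguments if this string ends up in a shell command; whether it does is not visible here, but `{{ name | quote }}` is cheap insurance. The task and the block scalar containing these `--tls-san` lines start and end outside the hunk.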