Use Tailscale DNS names instead of IPs for TLS SANs

Changed from hardcoded Tailscale IPs to DNS names:
- k8s-cluster-cp-1.silverside-gopher.ts.net
- k8s-cluster-cp-2.silverside-gopher.ts.net
- k8s-cluster-cp-3.silverside-gopher.ts.net

This is more robust since Tailscale IPs change on rebuild,
but DNS names remain consistent.

After next rebuild, cluster accessible via:
- kubectl --server=https://k8s-cluster-cp-1.silverside-gopher.ts.net:6443

ansible/roles/k3s-server/defaults/main.yml

@@ -8,8 +8,9 @@ k3s_disable_servicelb: true
 k3s_kubelet_cloud_provider_external: true
 # Load Balancer endpoint for HA cluster joins (set in inventory)
 kube_api_endpoint: ""
-# Tailscale IPs for control planes (to enable tailnet access)
-tailscale_control_plane_ips:
-  - "100.120.55.97"   # cp-1
-  - "100.108.90.123"  # cp-2
-  - "100.92.149.85"   # cp-3
+# Tailscale DNS names for control planes (to enable tailnet access)
+# Using DNS names instead of IPs since Tailscale IPs change on rebuild
+tailscale_control_plane_names:
+  - "k8s-cluster-cp-1.silverside-gopher.ts.net"
+  - "k8s-cluster-cp-2.silverside-gopher.ts.net"
+  - "k8s-cluster-cp-3.silverside-gopher.ts.net"

ansible/roles/k3s-server/tasks/main.yml

@@ -64,7 +64,7 @@
     --tls-san={{ k3s_primary_ip }}
     --tls-san={{ k3s_primary_public_ip }}
     --tls-san={{ kube_api_endpoint }}
-    {% for ip in tailscale_control_plane_ips %}--tls-san={{ ip }} {% endfor %}
+    {% for name in tailscale_control_plane_names %}--tls-san={{ name }} {% endfor %}
     {% if k3s_disable_embedded_ccm | bool %}--disable-cloud-controller{% endif %}
     {% if k3s_disable_servicelb | bool %}--disable=servicelb{% endif %}
     {% if k3s_kubelet_cloud_provider_external | bool %}--kubelet-arg=cloud-provider=external{% endif %}