From 4726db2b5b21f5dc2da5d8281991f6ac18f0ad59 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Mon, 23 Mar 2026 23:04:00 +0000
Subject: [PATCH] Add Tailscale IPs to k3s TLS SANs for secure tailnet access

Changes:
- Add tailscale_control_plane_ips list to k3s-server defaults
- Include all 3 control plane Tailscale IPs (100.120.55.97, 100.108.90.123, 100.92.149.85)
- Update primary k3s install to add Tailscale IPs to TLS certificates
- Enables kubectl access via Tailscale without certificate errors
After next deploy, cluster will be accessible via:
- kubectl --server=https://100.120.55.97:6443 (or any CP tailscale IP)
- kubectl --server=https://k8s-cluster-cp-1:6443 (via tailscale DNS)
---
 ansible/roles/k3s-server/defaults/main.yml | 5 +++++
 ansible/roles/k3s-server/tasks/main.yml | 3 ++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ansible/roles/k3s-server/defaults/main.yml b/ansible/roles/k3s-server/defaults/main.yml
index 251c9f5..c4af9bb 100644
--- a/ansible/roles/k3s-server/defaults/main.yml
+++ b/ansible/roles/k3s-server/defaults/main.yml
@@ -8,3 +8,8 @@ k3s_disable_servicelb: true
 k3s_kubelet_cloud_provider_external: true
 # Load Balancer endpoint for HA cluster joins (set in inventory)
 kube_api_endpoint: ""
+# Tailscale IPs for control planes (to enable tailnet access)
+tailscale_control_plane_ips:
+ - "100.120.55.97" # cp-1
+ - "100.108.90.123" # cp-2
+ - "100.92.149.85" # cp-3
diff --git a/ansible/roles/k3s-server/tasks/main.yml b/ansible/roles/k3s-server/tasks/main.yml
index a224e66..9a14138 100644
--- a/ansible/roles/k3s-server/tasks/main.yml
+++ b/ansible/roles/k3s-server/tasks/main.yml
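Review bot: The three Tailscale addresses are hard-coded in the role defaults, while the neighbouring `kube_api_endpoint: ""` leaves its environment-specific value to the inventory; the role stays reusable and the SAN list lives next to the host data it describes if the default here is `tailscale_control_plane_ips: []` and the addresses move to group_vars or the inventory. Tailscale assigns these addresses per device registration, so a re-registered control plane would leave its serving certificate carrying a stale SAN and kubectl failing with a name mismatch until someone remembers to edit this list. The commit message also promises `https://k8s-cluster-cp-1:6443` over tailnet DNS, but this hunk adds only IP SANs; unless k3s already includes that node name in its serving certificate, the MagicDNS name needs its own `--tls-san` entry. Suggested comment for the key: `# Tailscale IPs of the control planes, appended as API server TLS SANs (set in inventory)`.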
@@ -64,10 +64,11 @@
 --tls-san={{ k3s_primary_ip }}
 --tls-san={{ k3s_primary_public_ip }}
 --tls-san={{ kube_api_endpoint }}
+ {% for ip in tailscale_control_plane_ips %}--tls-san={{ ip }} {% endfor %}
 {% if k3s_disable_embedded_ccm | bool %}--disable-cloud-controller{% endif %}
 {% if k3s_disable_servicelb | bool %}--disable=servicelb{% endif %}
 {% if k3s_kubelet_cloud_provider_external | bool %}--kubelet-arg=cloud-provider=external{% endif %}
- when:
+ when:
 - k3s_install_needed
 - k3s_primary | default(false)