Add Tailscale IPs to k3s TLS SANs for secure tailnet access

Changes: - Add tailscale_control_plane_ips list to k3s-server defaults - Include all 3 control plane Tailscale IPs (100.120.55.97, 100.108.90.123, 100.92.149.85) - Update primary k3s install to add Tailscale IPs to TLS certificates - Enables kubectl access via Tailscale without certificate errors After next deploy, cluster will be accessible via: - kubectl --server=https://100.120.55.97:6443 (or any CP tailscale IP) - kubectl --server=https://k8s-cluster-cp-1:6443 (via tailscale DNS)
2026-03-23 23:04:00 +00:00
parent 90d105e5ea
commit 4726db2b5b
2 changed files with 7 additions and 1 deletions
--- a/ansible/roles/k3s-server/defaults/main.yml
+++ b/ansible/roles/k3s-server/defaults/main.yml
@@ -8,3 +8,8 @@ k3s_disable_servicelb: true
 k3s_kubelet_cloud_provider_external: true
 # Load Balancer endpoint for HA cluster joins (set in inventory)
 kube_api_endpoint: ""
+# Tailscale IPs for control planes (to enable tailnet access)
+tailscale_control_plane_ips:
+  - "100.120.55.97"   # cp-1
+  - "100.108.90.123"  # cp-2
+  - "100.92.149.85"   # cp-3