Add Tailscale IPs to k3s TLS SANs for secure tailnet access

Changes:
- Add tailscale_control_plane_ips list to k3s-server defaults
- Include all 3 control plane Tailscale IPs (100.120.55.97, 100.108.90.123, 100.92.149.85)
- Update primary k3s install to add Tailscale IPs to TLS certificates
- Enables kubectl access via Tailscale without certificate errors

After next deploy, cluster will be accessible via:
- kubectl --server=https://100.120.55.97:6443 (or any CP tailscale IP)
- kubectl --server=https://k8s-cluster-cp-1:6443 (via tailscale DNS)

ansible/roles/k3s-server/defaults/main.yml

@@ -8,3 +8,8 @@ k3s_disable_servicelb: true
 k3s_kubelet_cloud_provider_external: true
 # Load Balancer endpoint for HA cluster joins (set in inventory)
 kube_api_endpoint: ""
+# Tailscale IPs for control planes (to enable tailnet access)
+tailscale_control_plane_ips:
+  - "100.120.55.97"   # cp-1
+  - "100.108.90.123"  # cp-2
+  - "100.92.149.85"   # cp-3

ansible/roles/k3s-server/tasks/main.yml

@@ -64,10 +64,11 @@
     --tls-san={{ k3s_primary_ip }}
     --tls-san={{ k3s_primary_public_ip }}
     --tls-san={{ kube_api_endpoint }}
+    {% for ip in tailscale_control_plane_ips %}--tls-san={{ ip }} {% endfor %}
     {% if k3s_disable_embedded_ccm | bool %}--disable-cloud-controller{% endif %}
     {% if k3s_disable_servicelb | bool %}--disable=servicelb{% endif %}
     {% if k3s_kubelet_cloud_provider_external | bool %}--kubelet-arg=cloud-provider=external{% endif %}
-  when: 
+  when:
     - k3s_install_needed
     - k3s_primary | default(false)