From 952a80a7429431594e1e59b7941b065fe1884d42 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Mon, 23 Mar 2026 02:56:41 +0000
Subject: [PATCH] Fix HA cluster join via Load Balancer private IP

Changes:
- Use LB private IP (10.0.1.5) instead of public IP for cluster joins
- Add LB private IP to k3s TLS SANs on primary control plane
- This allows secondary CPs and workers to verify certificates when joining via LB
Fixes x509 certificate validation error when joining via LB public IP.
---
 ansible/roles/k3s-server/tasks/main.yml | 1 +
 ansible/site.yml | 1 +
 terraform/outputs.tf | 4 ++--
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/ansible/roles/k3s-server/tasks/main.yml b/ansible/roles/k3s-server/tasks/main.yml
index bae699c..a224e66 100644
--- a/ansible/roles/k3s-server/tasks/main.yml
+++ b/ansible/roles/k3s-server/tasks/main.yml
@@ -63,6 +63,7 @@
 --node-ip={{ k3s_node_ip }}
 --tls-san={{ k3s_primary_ip }}
 --tls-san={{ k3s_primary_public_ip }}
+ --tls-san={{ kube_api_endpoint }}
 {% if k3s_disable_embedded_ccm | bool %}--disable-cloud-controller{% endif %}
 {% if k3s_disable_servicelb | bool %}--disable=servicelb{% endif %}
 {% if k3s_kubelet_cloud_provider_external | bool %}--kubelet-arg=cloud-provider=external{% endif %}
diff --git a/ansible/site.yml b/ansible/site.yml
index b9b1bad..8ab61b0 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -24,6 +24,7 @@
 k3s_primary_public_ip: "{{ ansible_host }}"
 k3s_primary_ip: "{{ k3s_private_ip }}"
 k3s_node_ip: "{{ k3s_private_ip }}"
+ kube_api_endpoint: "{{ kube_api_endpoint }}"
 roles:
 - k3s-server
diff --git a/terraform/outputs.tf b/terraform/outputs.tf
index d3f026b..a8f987f 100644
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
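Review bot: In ansible/roles/k3s-server/tasks/main.yml the new `--tls-san={{ kube_api_endpoint }}` is rendered unconditionally, so a run where `kube_api_endpoint` is unset aborts templating and one where it is empty hands k3s a bare `--tls-san=`. The neighbouring flags are already wrapped in `{% if %}` guards, and the same shape fits here: `{% if kube_api_endpoint | default('') %}--tls-san={{ kube_api_endpoint }}{% endif %}`. The commit message attributes the original x509 failure to joining via the LB public IP, and that address is still absent from the SAN list in this hunk, so a client that reaches the API through the public LB address will keep failing verification and may be tempted to switch verification off; adding it as a further SAN, or documenting that the public path is unsupported, would close that gap. The command template starts and ends outside the hunk.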
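Review bot: In ansible/site.yml the added play var `kube_api_endpoint: "{{ kube_api_endpoint }}"` defines the variable in terms of itself. Play `vars` outrank inventory and group_vars, so if the value is set there this entry shadows it and templating should fail with a recursive-loop error; it only appears to work when the value arrives as an extra var (`-e`), in which case the line is never evaluated and does nothing. Dropping the line lets the role read `kube_api_endpoint` from wherever it is really set, and if an explicit mapping is wanted it should point at a differently named source variable. Where the value originates is not visible in this patch, and since it ends up in the API server certificate it is worth asserting that it is a non-empty address before the role runs.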
@@ -65,6 +65,6 @@ output "kubeconfig_command" {
 }
 output "kube_api_lb_ip" {
- description = "Load Balancer IP for Kubernetes API"
- value = hcloud_load_balancer.kube_api.ipv4
+ description = "Load Balancer private IP for Kubernetes API (used for cluster joins)"
+ value = hcloud_load_balancer_network.kube_api.ip
 }
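Review bot: The output `kube_api_lb_ip` keeps its name while its value switches from the load balancer's public IPv4 to its private network IP, so any existing consumer of the output (kubeconfig generation, DNS, firewall allow-lists, external clients) silently receives an address that is unreachable from outside the private network. A separate output such as `kube_api_lb_private_ip` with `value = hcloud_load_balancer_network.kube_api.ip` for the join path, leaving `kube_api_lb_ip` on `hcloud_load_balancer.kube_api.ipv4`, avoids the change of meaning. The `hcloud_load_balancer_network.kube_api` resource is not part of this patch; it presumably exists already and, going by the commit message, pins the address to 10.0.1.5, which is worth confirming because the join endpoint and the certificate SAN both depend on it staying fixed.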