From b703cb269be6549713a62c10a321ddde4788db1b Mon Sep 17 00:00:00 2001
From: MichaelFisher1997
Date: Sun, 1 Mar 2026 02:45:00 +0000
Subject: [PATCH] fix: bootstrap k3s HA on private network with dual SANs
---
 ansible/roles/k3s-server/defaults/main.yml | 1 +
 ansible/roles/k3s-server/tasks/main.yml | 2 +-
 ansible/site.yml | 14 +++++++++-----
 3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/ansible/roles/k3s-server/defaults/main.yml b/ansible/roles/k3s-server/defaults/main.yml
index 50928ba..b6397b4 100644
--- a/ansible/roles/k3s-server/defaults/main.yml
+++ b/ansible/roles/k3s-server/defaults/main.yml
@@ -2,3 +2,4 @@
 k3s_version: latest
 k3s_token: ""
 k3s_node_ip: ""
+k3s_primary_public_ip: ""
diff --git a/ansible/roles/k3s-server/tasks/main.yml b/ansible/roles/k3s-server/tasks/main.yml
index 500871a..75cff87 100644
--- a/ansible/roles/k3s-server/tasks/main.yml
+++ b/ansible/roles/k3s-server/tasks/main.yml
@@ -61,7 +61,7 @@
 environment:
 INSTALL_K3S_VERSION: "{{ k3s_version if k3s_version != 'latest' else '' }}"
 K3S_TOKEN: "{{ k3s_token }}"
- command: /tmp/install-k3s.sh server --cluster-init --advertise-address={{ k3s_primary_ip }} --node-ip={{ k3s_node_ip }} --tls-san={{ k3s_primary_ip }}
+ command: /tmp/install-k3s.sh server --cluster-init --advertise-address={{ k3s_primary_ip }} --node-ip={{ k3s_node_ip }} --tls-san={{ k3s_primary_ip }} --tls-san={{ k3s_primary_public_ip }}
 when:
 - k3s_install_needed
 - k3s_primary | default(false)
diff --git a/ansible/site.yml b/ansible/site.yml
index 983e6fa..211c7a6 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
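Review bot: In ansible/roles/k3s-server/tasks/main.yml (hunk @@ -61,7) the new `--tls-san={{ k3s_primary_public_ip }}` is emitted unconditionally, while the default added in defaults/main.yml is the empty string, so any caller that does not set the variable runs the installer with a bare `--tls-san=`. Make the flag conditional, for example `{{ ('--tls-san=' ~ k3s_primary_public_ip) if k3s_primary_public_ip else '' }}`, or assert the variable is non-empty before this task. Because the public address is now a certificate SAN, the API server is evidently meant to be reached over the public interface; a comment on the task should state that port 6443 has to be limited to known admin source addresses by a firewall. The task begins before the hunk, and the join command used by the other servers is not visible here, so whether it needs the same SAN cannot be checked from this patch.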
@@ -20,7 +20,9 @@
 vars:
 k3s_primary: true
 k3s_token: "{{ lookup('password', '/dev/null length=32 chars=ascii_letters,digits') }}"
- k3s_primary_ip: "{{ ansible_default_ipv4.address }}"
+ k3s_primary_private_ip: "{{ ansible_all_ipv4_addresses | select('match', '^10\\.') | first }}"
+ k3s_primary_public_ip: "{{ ansible_default_ipv4.address }}"
+ k3s_primary_ip: "{{ ansible_all_ipv4_addresses | select('match', '^10\\.') | first }}"
 k3s_node_ip: "{{ ansible_all_ipv4_addresses | select('match', '^10\\.') | first }}"
 roles:
@@ -38,7 +40,8 @@
 - name: Set join token fact
 set_fact:
 k3s_token: "{{ node_token.stdout }}"
- k3s_primary_ip: "{{ ansible_default_ipv4.address }}"
+ k3s_primary_private_ip: "{{ ansible_all_ipv4_addresses | select('match', '^10\\.') | first }}"
+ k3s_primary_public_ip: "{{ ansible_default_ipv4.address }}"
 - name: Fetch kubeconfig
 fetch:
@@ -53,7 +56,8 @@
 vars:
 k3s_primary: false
 k3s_token: "{{ hostvars[groups['control_plane'][0]]['k3s_token'] }}"
- k3s_primary_ip: "{{ hostvars[groups['control_plane'][0]]['k3s_primary_ip'] }}"
+ k3s_primary_ip: "{{ hostvars[groups['control_plane'][0]]['k3s_primary_private_ip'] }}"
+ k3s_primary_public_ip: "{{ hostvars[groups['control_plane'][0]]['k3s_primary_public_ip'] }}"
 k3s_node_ip: "{{ ansible_all_ipv4_addresses | select('match', '^10\\.') | first }}"
 roles:
@@ -65,7 +69,7 @@
 vars:
 k3s_token: "{{ hostvars[groups['control_plane'][0]]['k3s_token'] }}"
- k3s_server_url: "https://{{ hostvars[groups['control_plane'][0]]['k3s_primary_ip'] }}:6443"
+ k3s_server_url: "https://{{ hostvars[groups['control_plane'][0]]['k3s_primary_private_ip'] }}:6443"
 k3s_node_ip: "{{ ansible_all_ipv4_addresses | select('match', '^10\\.') | first }}"
 roles:
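Review bot: In ansible/site.yml (hunk @@ -20,7) `k3s_primary_private_ip` and `k3s_primary_ip` repeat the same `select('match', '^10\\.') | first` expression, and the set_fact in hunk @@ -38,7 copies it a third time; the result is whichever 10.x address happens to be listed first. On a re-run after k3s is installed the host may also carry CNI addresses inside k3s's default pod range 10.42.0.0/16, so the advertise address and the join URL built in hunks @@ -53,7 and @@ -65,7 could move to an interface other nodes cannot reach, and `first` fails templating when nothing matches. Define the value once and reuse it, `k3s_primary_ip: "{{ k3s_primary_private_ip }}"`, and match the actual private subnet rather than all of 10.0.0.0/8. `k3s_primary_public_ip` assumes the default-route interface is the public one, which deserves a comment next to the variable.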
@@ -84,7 +88,7 @@
 tasks:
 - name: Update kubeconfig server address
 command: |
- sed -i 's/127.0.0.1/{{ hostvars[groups["control_plane"][0]]["ansible_default_ipv4"]["address"] }}/g' ../outputs/kubeconfig
+ sed -i 's/127.0.0.1/{{ hostvars[groups["control_plane"][0]]["k3s_primary_public_ip"] }}/g' ../outputs/kubeconfig
 changed_when: true
 - name: Display success message
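Review bot: In ansible/site.yml (hunk @@ -84,7) the rewritten `sed` writes whatever `k3s_primary_public_ip` resolves to over every `127.0.0.1` match, with unescaped dots and no check that the fact is set, so an empty value leaves a kubeconfig pointing at `https://:6443`. Asserting the fact and using the `replace` module anchored on the full server URL makes the step idempotent and lets `changed_when: true` go. The fetched file is presumably the k3s admin kubeconfig and now targets the public address, so add a comment that ../outputs/kubeconfig must stay out of version control with owner-only permissions, and that 6443 should be reachable only from known admin sources.

```yaml
- name: Require a public address for the kubeconfig
  ansible.builtin.assert:
    that: hostvars[groups['control_plane'][0]]['k3s_primary_public_ip'] | default('') | length > 0

- name: Update kubeconfig server address
  ansible.builtin.replace:
    path: ../outputs/kubeconfig
    regexp: 'https://127\.0\.0\.1:6443'
    replace: "https://{{ hostvars[groups['control_plane'][0]]['k3s_primary_public_ip'] }}:6443"

# ... unchanged: Display success message ...
```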