Add a default (empty) value for supplementary_addresses_in_ssl_keys (#12761 )

Most variables should have a default instead of relying on the default filter. (Note that the variable is misnomed, this should be certs and not keys, but it's not worth breaking compat).
Simplify collection of SubjectAlternativeNames for apiserver (#12507 )
2025-12-13 21:34:40 +03:00 · 2025-12-04 05:28:57 -08:00 · 2025-12-04 02:06:57 -08:00
4 changed files with 18 additions and 14 deletions
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -240,6 +240,10 @@ auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:00:00"
 # we can opt out from the default behavior by setting kubeadm_upgrade_auto_cert_renewal to false
 kubeadm_upgrade_auto_cert_renewal: true

+# Add Subject Alternative Names to the Kubernetes apiserver certificates.
+# Useful if you access the API from multiples load balancers, for instance.
+supplementary_addresses_in_ssl_keys: []
+
 # Bash alias of kubectl to interact with Kubernetes cluster much easier
 # kubectl_alias: k

--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -25,9 +25,9 @@

 - name: Kubeadm | aggregate all SANs
  set_fact:
-    apiserver_sans: "{{ (sans_base + groups['kube_control_plane'] + sans_lb + sans_lb_ip + sans_supp + sans_access_ip + sans_ip + sans_ipv4_address + sans_ipv6_address + sans_override + sans_hostname + sans_fqdn + sans_kube_vip_address) | unique }}"
+    apiserver_sans: "{{ _apiserver_sans | flatten | select | unique }}"
  vars:
-    sans_base:
+    _apiserver_sans:
      - "kubernetes"
      - "kubernetes.default"
      - "kubernetes.default.svc"
@@ -36,17 +36,17 @@
      - "localhost"
      - "127.0.0.1"
      - "::1"
-    sans_lb: "{{ [apiserver_loadbalancer_domain_name] if apiserver_loadbalancer_domain_name is defined else [] }}"
-    sans_lb_ip: "{{ [loadbalancer_apiserver.address] if loadbalancer_apiserver is defined and loadbalancer_apiserver.address is defined else [] }}"
-    sans_supp: "{{ supplementary_addresses_in_ssl_keys if supplementary_addresses_in_ssl_keys is defined else [] }}"
-    sans_access_ip: "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_access_ip') | list | select('defined') | list }}"
-    sans_ip: "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_ip') | list | select('defined') | list }}"
-    sans_ipv4_address: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | list | select('defined') | list }}"
-    sans_ipv6_address: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv6', 'address']) | list | select('defined') | list }}"
-    sans_override: "{{ [kube_override_hostname] if kube_override_hostname else [] }}"
-    sans_hostname: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_hostname']) | list | select('defined') | list }}"
-    sans_fqdn: "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_fqdn']) | list | select('defined') | list }}"
-    sans_kube_vip_address: "{{ [kube_vip_address] if kube_vip_address is defined and kube_vip_address else [] }}"
+      - "{{ apiserver_loadbalancer_domain_name }}"
+      - "{{ loadbalancer_apiserver.address | d('') }}"
+      - "{{ supplementary_addresses_in_ssl_keys }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_access_ip') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'main_ip') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv4', 'address']) | select('defined') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, ['ansible_default_ipv6', 'address']) | select('defined') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'ansible_hostname') }}"
+      - "{{ groups['kube_control_plane'] | map('extract', hostvars, 'ansible_fqdn') }}"
+      - "{{ kube_override_hostname }}"
+      - "{{ kube_vip_address }}"
  tags: facts

 - name: Create audit-policy directory
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -80,7 +80,6 @@ kube_vip_bgp_peeraddress:
 kube_vip_bgp_peerpass:
 kube_vip_bgp_peeras: 65000
 kube_vip_bgppeers:
-kube_vip_address:
 kube_vip_enableServicesElection: false
 kube_vip_lb_enable: false
 kube_vip_leasename: plndr-cp-lock
--- a/roles/kubespray_defaults/defaults/main/main.yml
+++ b/roles/kubespray_defaults/defaults/main/main.yml
@@ -96,6 +96,7 @@ ignore_assert_errors: false
 # kube-vip
 kube_vip_enabled: false
 kube_vip_lb_fwdmethod: local
+kube_vip_address:

 # nginx-proxy configure
 nginx_config_dir: "/etc/nginx"