From afe7d927c91af2683c484d6b9d629b8912659fe6 Mon Sep 17 00:00:00 2001
From: Max Gautier
Date: Thu, 15 Jan 2026 16:05:42 +0100
Subject: [PATCH 1/2] Do not use apiserver LB in etcd certificates

etcd does not use the apiserver load balancer, there is no reason to include it's DNS into etcd certificates.
---
 roles/etcd/templates/openssl.conf.j2 | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/roles/etcd/templates/openssl.conf.j2 b/roles/etcd/templates/openssl.conf.j2
index 4186aaa5e..64e4d7a9d 100644
--- a/roles/etcd/templates/openssl.conf.j2
+++ b/roles/etcd/templates/openssl.conf.j2
@@ -32,9 +32,6 @@ DNS.{{ counter["dns"] }} = {{ hostvars[host]['etcd_access_address'] }}{{ increme
 {# This will always expand to inventory_hostname, which can be a completely arbitrary name, that etcd will not know or care about, hence this line is (probably) redundant. #}
 DNS.{{ counter["dns"] }} = {{ host }}{{ increment(counter, 'dns') }}
 {% endfor %}
-{% if apiserver_loadbalancer_domain_name is defined %}
-DNS.{{ counter["dns"] }} = {{ apiserver_loadbalancer_domain_name }}{{ increment(counter, 'dns') }}
-{% endif %}
 {% for etcd_alt_name in etcd_cert_alt_names %}
 DNS.{{ counter["dns"] }} = {{ etcd_alt_name }}{{ increment(counter, 'dns') }}
 {% endfor %}
From 051d03ead70492490eac637ff07a35201a14e858 Mon Sep 17 00:00:00 2001
From: Max Gautier
Date: Fri, 16 Jan 2026 12:23:30 +0100
Subject: [PATCH 2/2] Fix defaults for apiserver_loadbalancer_domain_name

Since we're not longer injecting pseudo DNS into /etc/hosts, 'lb-apiserver.kubernetes.local' (the previous default) won't resolve to anything. Instead, default to the loadbalancer IP if defined, or to the node local loadbalancer if it's in use. Make the necessary adjustements in use site to deal with ip addresses as well as hostnames.
---
 roles/kubernetes/control-plane/tasks/kubeadm-setup.yml | 2 +-
 roles/kubespray_defaults/defaults/main/main.yml | 6 +++---
 roles/network_facts/tasks/no_proxy.yml | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
index 96c347033..579d684b8 100644
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -90,7 +90,7 @@
 # Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
 - name: Set kubeadm_config_api_fqdn define
 set_fact:
- kubeadm_config_api_fqdn: "{{ apiserver_loadbalancer_domain_name | default('lb-apiserver.kubernetes.local') }}"
+ kubeadm_config_api_fqdn: "{{ apiserver_loadbalancer_domain_name }}"
 when: loadbalancer_apiserver is defined
 
 - name: Kubeadm | Create kubeadm config
diff --git a/roles/kubespray_defaults/defaults/main/main.yml b/roles/kubespray_defaults/defaults/main/main.yml
index cd318180c..3431867ad 100644
--- a/roles/kubespray_defaults/defaults/main/main.yml
+++ b/roles/kubespray_defaults/defaults/main/main.yml
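Review bot: The new `kubeadm_config_api_fqdn` value is not passed through `ansible.utils.ipwrap`, although this same patch adds that filter to both endpoint definitions in `main.yml` where `apiserver_loadbalancer_domain_name` is joined with a port, and the new default makes this fact a raw `loadbalancer_apiserver.address`. If the kubeadm config template appends `:{{ port }}` to it for `controlPlaneEndpoint` (not visible in the hunk), an IPv6 loadbalancer address renders as `2001:db8::1:6443`, which host:port parsers generally reject; `kubeadm_config_api_fqdn: "{{ apiserver_loadbalancer_domain_name | ansible.utils.ipwrap }}"` keeps the two sites consistent. If the same fact is also listed verbatim under `certSANs`, do the wrapping in the template's endpoint line instead, since a bracketed literal is not a valid SAN. The task comment still calls the value an fqdn; a short note that it may now be an IP literal would help the next reader.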
@@ -640,10 +640,10 @@ first_kube_control_plane_address: "{{ hostvars[groups['kube_control_plane'][0]][
 loadbalancer_apiserver_localhost: "{{ loadbalancer_apiserver is not defined }}"
 loadbalancer_apiserver_type: "nginx"
 # applied if only external loadbalancer_apiserver is defined, otherwise ignored
-apiserver_loadbalancer_domain_name: "lb-apiserver.kubernetes.local"
+apiserver_loadbalancer_domain_name: "{{ 'localhost' if loadbalancer_apiserver_localhost else (loadbalancer_apiserver.address | d(undef())) }}"
 kube_apiserver_global_endpoint: |-
 {% if loadbalancer_apiserver is defined -%}
- https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
+ https://{{ apiserver_loadbalancer_domain_name | ansible.utils.ipwrap }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
 {%- elif loadbalancer_apiserver_localhost and (loadbalancer_apiserver_port is not defined or loadbalancer_apiserver_port == kube_apiserver_port) -%}
 https://localhost:{{ kube_apiserver_port }}
 {%- else -%}
@@ -651,7 +651,7 @@ kube_apiserver_global_endpoint: |-
 {%- endif %}
 kube_apiserver_endpoint: |-
 {% if loadbalancer_apiserver is defined -%}
- https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
+ https://{{ apiserver_loadbalancer_domain_name | ansible.utils.ipwrap }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
 {%- elif ('kube_control_plane' not in group_names) and loadbalancer_apiserver_localhost -%}
 https://localhost:{{ loadbalancer_apiserver_port | default(kube_apiserver_port) }}
 {%- elif 'kube_control_plane' in group_names -%}
diff --git a/roles/network_facts/tasks/no_proxy.yml b/roles/network_facts/tasks/no_proxy.yml
index 56b9446d8..b2ad83d3d 100644
--- a/roles/network_facts/tasks/no_proxy.yml
+++ b/roles/network_facts/tasks/no_proxy.yml
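Review bot: The new default decides on `loadbalancer_apiserver_localhost` before looking at `loadbalancer_apiserver`, while its consumer in this hunk (`kube_apiserver_global_endpoint`) and the `kubeadm_config_api_fqdn` task in this same patch branch on `loadbalancer_apiserver is defined` first; an inventory that defines an external `loadbalancer_apiserver` and also forces `loadbalancer_apiserver_localhost: true` would therefore publish `https://localhost:<port>` as the cluster-wide endpoint and feed `localhost` to kubeadm instead of the external address. If that combination is meant to stay valid, ordering the default like its consumers avoids the mismatch: `apiserver_loadbalancer_domain_name: "{{ (loadbalancer_apiserver.address | d(undef())) if loadbalancer_apiserver is defined else ('localhost' if loadbalancer_apiserver_localhost else undef()) }}"`. Giving the undefined branch a hint, `undef(hint='loadbalancer_apiserver.address is required when loadbalancer_apiserver is set')`, turns the eventual "variable is undefined" failure into a message that names the missing inventory key. The comment kept above the line, `# applied if only external loadbalancer_apiserver is defined, otherwise ignored`, is now wrong, since the value is also set to `localhost` for the node-local proxy; I would replace it with `# Host (DNS name or IP literal) used to reach the apiserver: loadbalancer_apiserver.address for an external LB, 'localhost' for the node-local one; override with a DNS name to address the external LB by name`.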
@@ -4,7 +4,7 @@
 # noqa: jinja[spacing]
 no_proxy_prepare: >-
 {%- if loadbalancer_apiserver is defined -%}
- {{ apiserver_loadbalancer_domain_name | default('') }},
+ {{ apiserver_loadbalancer_domain_name }},
 {{ loadbalancer_apiserver.address | default('') }},
 {%- endif -%}
 {%- if no_proxy_exclude_workers | default(false) -%}
@@ -32,7 +32,7 @@
 - name: Populates no_proxy to all hosts
 set_fact:
- no_proxy: "{{ hostvars.localhost.no_proxy_prepare }}"
+ no_proxy: "{{ hostvars.localhost.no_proxy_prepare | select }}"
 # noqa: jinja[spacing]
 proxy_env: "{{ proxy_env | combine({
 'no_proxy': hostvars.localhost.no_proxy_prepare,
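Review bot: With the new default, `apiserver_loadbalancer_domain_name` is `loadbalancer_apiserver.address` unless the inventory overrides it, so the two entries this branch emits are normally the same host and `no_proxy` carries it twice; harmless for proxy clients, but `| unique` on the assembled list is cheaper than shipping the duplicate to every host. Dropping `| default('')` also means an inventory whose `loadbalancer_apiserver` mapping lacks `address` now fails while this fact is rendered on localhost, with an "undefined variable" message that points at `no_proxy_prepare` rather than at the missing inventory key (the first use may well be elsewhere; this is where it surfaces in the hunk). If the hard failure is intended, a `hint` on the `undef()` in the default is the right place for it; otherwise keep `{{ apiserver_loadbalancer_domain_name | default('') }},`. The folded scalar that holds these lines continues past the end of the hunk.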