From 2740c13c0c9660ee12199b582fc7e817de42592f Mon Sep 17 00:00:00 2001
From: Max Gautier
Date: Thu, 15 Jan 2026 16:05:42 +0100
Subject: [PATCH 1/2] Do not use apiserver LB in etcd certificates

etcd does not use the apiserver load balancer, there is no reason to include it's DNS into etcd certificates.
---
 roles/etcd/templates/openssl.conf.j2 | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/roles/etcd/templates/openssl.conf.j2 b/roles/etcd/templates/openssl.conf.j2
index 9e99086fd..04965ea81 100644
--- a/roles/etcd/templates/openssl.conf.j2
+++ b/roles/etcd/templates/openssl.conf.j2
@@ -32,9 +32,6 @@ DNS.{{ counter["dns"] }} = {{ hostvars[host]['etcd_access_address'] }}{{ increme
 {# This will always expand to inventory_hostname, which can be a completely arbitrary name, that etcd will not know or care about, hence this line is (probably) redundant. #}
 DNS.{{ counter["dns"] }} = {{ host }}{{ increment(counter, 'dns') }}
 {% endfor %}
-{% if apiserver_loadbalancer_domain_name is defined %}
-DNS.{{ counter["dns"] }} = {{ apiserver_loadbalancer_domain_name }}{{ increment(counter, 'dns') }}
-{% endif %}
 {% for etcd_alt_name in etcd_cert_alt_names %}
 DNS.{{ counter["dns"] }} = {{ etcd_alt_name }}{{ increment(counter, 'dns') }}
 {% endfor %}

From 6b5cc5bdfbd25f15756f280b63655d21bf07b85b Mon Sep 17 00:00:00 2001
From: Max Gautier
Date: Fri, 16 Jan 2026 12:23:30 +0100
Subject: [PATCH 2/2] Fix defaults for apiserver_loadbalancer_domain_name

Since we're not longer injecting pseudo DNS into /etc/hosts, 'lb-apiserver.kubernetes.local' (the previous default) won't resolve to anything. Instead, default to the loadbalancer IP if defined, or to the node local loadbalancer if it's in use. Make the necessary adjustements in use site to deal with ip addresses as well as hostnames.
---
 roles/kubernetes/control-plane/tasks/kubeadm-setup.yml | 2 +-
 roles/kubespray_defaults/defaults/main/main.yml | 6 +++---
 roles/network_facts/tasks/no_proxy.yml | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
index de3d96dfc..e373a553b 100644
--- a/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
+++ b/roles/kubernetes/control-plane/tasks/kubeadm-setup.yml
@@ -90,7 +90,7 @@
 # Nginx LB(default), If kubeadm_config_api_fqdn is defined, use other LB by kubeadm controlPlaneEndpoint.
 - name: Set kubeadm_config_api_fqdn define
   set_fact:
-    kubeadm_config_api_fqdn: "{{ apiserver_loadbalancer_domain_name | default('lb-apiserver.kubernetes.local') }}"
+    kubeadm_config_api_fqdn: "{{ apiserver_loadbalancer_domain_name }}"
   when: loadbalancer_apiserver is defined
 
 - name: Kubeadm | Create kubeadm config
diff --git a/roles/kubespray_defaults/defaults/main/main.yml b/roles/kubespray_defaults/defaults/main/main.yml
index 56031e5cc..2f006fcb2 100644
--- a/roles/kubespray_defaults/defaults/main/main.yml
+++ b/roles/kubespray_defaults/defaults/main/main.yml
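Review bot: `kubeadm_config_api_fqdn` can now hold a bare IP address, including an IPv6 literal, because `apiserver_loadbalancer_domain_name` defaults to `loadbalancer_apiserver.address` later in this series, yet this hunk does not apply `ansible.utils.ipwrap` the way the `kube_apiserver_endpoint` lines in main.yml do. Any template that renders `{{ kubeadm_config_api_fqdn }}:{{ port }}` (the kubeadm `controlPlaneEndpoint`, not visible in this diff) would then produce an unparseable host:port for IPv6 unless it wraps the value itself; wrapping once at the source, `kubeadm_config_api_fqdn: "{{ apiserver_loadbalancer_domain_name | ansible.utils.ipwrap }}"`, leaves hostnames and IPv4 unchanged and removes the ambiguity, provided the consumer does not wrap a second time. With `d(undef())` as the new fallback, a `loadbalancer_apiserver` mapping that lacks an `address` key now aborts this `set_fact` with a generic undefined-variable error instead of silently using a non-resolving name; an `assert` task just before it with `that: loadbalancer_apiserver.address is defined` and an explicit `fail_msg` would make that misconfiguration obvious to the operator.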
@@ -643,10 +643,10 @@ first_kube_control_plane_address: "{{ hostvars[groups['kube_control_plane'][0]][
 loadbalancer_apiserver_localhost: "{{ loadbalancer_apiserver is not defined }}"
 loadbalancer_apiserver_type: "nginx"
 # applied if only external loadbalancer_apiserver is defined, otherwise ignored
-apiserver_loadbalancer_domain_name: "lb-apiserver.kubernetes.local"
+apiserver_loadbalancer_domain_name: "{{ 'localhost' if loadbalancer_apiserver_localhost else (loadbalancer_apiserver.address | d(undef())) }}"
 kube_apiserver_global_endpoint: |-
   {% if loadbalancer_apiserver is defined -%}
-  https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
+  https://{{ apiserver_loadbalancer_domain_name | ansible.utils.ipwrap }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
   {%- elif loadbalancer_apiserver_localhost -%}
   https://localhost:{{ loadbalancer_apiserver_port | default(kube_apiserver_port) }}
   {%- else -%}
@@ -654,7 +654,7 @@ kube_apiserver_global_endpoint: |-
   {%- endif %}
 kube_apiserver_endpoint: |-
   {% if loadbalancer_apiserver is defined -%}
-  https://{{ apiserver_loadbalancer_domain_name }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
+  https://{{ apiserver_loadbalancer_domain_name | ansible.utils.ipwrap }}:{{ loadbalancer_apiserver.port | default(kube_apiserver_port) }}
   {%- elif ('kube_control_plane' not in group_names) and loadbalancer_apiserver_localhost -%}
   https://localhost:{{ loadbalancer_apiserver_port | default(kube_apiserver_port) }}
   {%- elif 'kube_control_plane' in group_names -%}
diff --git a/roles/network_facts/tasks/no_proxy.yml b/roles/network_facts/tasks/no_proxy.yml
index 56b9446d8..b2ad83d3d 100644
--- a/roles/network_facts/tasks/no_proxy.yml
+++ b/roles/network_facts/tasks/no_proxy.yml
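Review bot: The comment directly above the new default, `# applied if only external loadbalancer_apiserver is defined, otherwise ignored`, is no longer accurate: the expression now also yields `localhost` whenever `loadbalancer_apiserver_localhost` is true, and becomes undefined (via `d(undef())`) when an external LB is declared without an `address`. Suggest rewording it to `# Host clients use to reach the apiserver through the LB: loadbalancer_apiserver.address for an external LB, "localhost" for the node-local LB; undefined when an external LB has no address` so all three outcomes are documented where the default lives. Since the value can now be an IP rather than a name, the variable name is misleading, but renaming would break existing inventories, so the comment is the right place to say so. The `ansible.utils.ipwrap` additions in this hunk and in the `kube_apiserver_endpoint` hunk below are consistent with each other; any other site outside this diff that interpolates `apiserver_loadbalancer_domain_name` into a `host:port` string would need the same treatment for IPv6 addresses.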
@@ -4,7 +4,7 @@
     # noqa: jinja[spacing]
     no_proxy_prepare: >-
       {%- if loadbalancer_apiserver is defined -%}
-      {{ apiserver_loadbalancer_domain_name | default('') }},
+      {{ apiserver_loadbalancer_domain_name }},
       {{ loadbalancer_apiserver.address | default('') }},
       {%- endif -%}
       {%- if no_proxy_exclude_workers | default(false) -%}
@@ -32,7 +32,7 @@
 - name: Populates no_proxy to all hosts
   set_fact:
-    no_proxy: "{{ hostvars.localhost.no_proxy_prepare }}"
+    no_proxy: "{{ hostvars.localhost.no_proxy_prepare | select }}"
     # noqa: jinja[spacing]
     proxy_env: "{{ proxy_env | combine({
         'no_proxy': hostvars.localhost.no_proxy_prepare,
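Review bot: With `apiserver_loadbalancer_domain_name` now defaulting to `loadbalancer_apiserver.address`, the two lines `{{ apiserver_loadbalancer_domain_name }},` and `{{ loadbalancer_apiserver.address | default('') }},` emit the same value twice in the common case, and when `loadbalancer_apiserver` has no `address` the first line now fails with an undefined variable (from `d(undef())`) before the second can fall back to `''`. Guarding the address line with `{%- if loadbalancer_apiserver.address is defined and loadbalancer_apiserver.address != apiserver_loadbalancer_domain_name -%}` avoids the duplicate entry. The `| select` added to `no_proxy` in the following hunk (cut off at the end of this excerpt) is applied to `no_proxy_prepare`, which this hunk still builds as a `>-` folded scalar, i.e. a string; Jinja's `select` iterates a string character by character, so the result is unlikely to be the filtered comma-separated list that seems intended. Verify the rendered `no_proxy` on a real run, or split before filtering, e.g. `hostvars.localhost.no_proxy_prepare | split(',') | select | join(',')`.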