This repository has been archived by the owner on Dec 8, 2023. It is now read-only.

How to add tls-san to a running k3os #841

Open
andrescaroc opened this issue Jan 24, 2022 · 1 comment
Labels
kind/bug Something isn't working

Comments

@andrescaroc

k3os version v0.21.5-k3s2r1
5.4.0-88-generic #99 SMP Tue Oct 5 16:53:38 UTC 2021
x86_64

Describe the bug

  • I have a k3os ami that I use to start k3os instances in aws ec2 instances.
  • I want to manage those k3os instances from outside (from my machine) using kubectl so I copy the kubeconfig file from each k3os to my machine and set the KUBECONFIG env variable accordingly.
  • Next step: change the server IP address in the kubeconfig file to match the ec2 instance IP.

The previous steps work when the ec2 has an elastic IP created beforehand, and that ip is used in the --tls-san=<ip> flag of the k3s_args section of the cloud-init file during creation.

But when the ec2 instance does not have an elastic IP, and --tls-san=<ip> is not used during creation... How do you add --tls-san=<ip> for a running k3os?

To Reproduce
Start a k3os instance in aws with a cloud-init file without the --tls-san=<ip> flag, and then try to add the external ip of that ec2 instance to the Subject Alternative Names of the k3os cluster to be managed from outside using kubectl

Expected behavior
If I create/modify a config.yaml file, let's say /var/lib/rancher/k3os/config.yaml, adding the --tls-san=<ip> flag with the external IP (Not elastic) and restart the service (sudo rc-service k3s-service restart), the new ip gets added to the SAN of the certificate

Actual behavior
If I create the file /var/lib/rancher/k3os/config.yaml, adding the --tls-san=<ip> flag with the external IP (Not elastic) and restart the service (sudo rc-service k3s-service restart), the new ip is NOT added to the SAN of the certificate, and I can't manage the k3os instance from outside

@andrescaroc andrescaroc added the kind/bug Something isn't working label Jan 24, 2022
@r0b2g1t

r0b2g1t commented Aug 31, 2022

Did you try to edit the secret k3s-serving?

kubectl -n kube-system edit secrets/k3s-serving

That works for me after creating the cluster.
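
Whichever change is tried, the result can be verified by reading the SAN list of the certificate the API server actually presents. The following is an added example, not part of the original thread or of the k3os project: the function names, the default port 6443 and the sample certificate text (constructed, with documentation/private addresses) are assumptions. It matches entries exactly, so 172.31.5.1 is not mistaken for 172.31.5.10.

```shell
#!/bin/sh
# Added example (not from the thread): check a certificate's SAN list for an IP or DNS name.

# san_entries: read `openssl x509 -noout -text` output on stdin and print
# one SAN entry per line, e.g. "IP Address:10.43.0.1" or "DNS:kubernetes".
san_entries() {
    awk '
        found { gsub(/^[ \t]+|[ \t]+$/, "")
                n = split($0, a, /,[ \t]*/)
                for (i = 1; i <= n; i++) print a[i]
                exit }
        /X509v3 Subject Alternative Name/ { found = 1 }
    '
}

# san_has NAME: exit 0 only if the SAN list on stdin contains NAME as a whole
# entry (-x), as a literal string (-F), either as an IP or as a DNS name.
san_has() {
    san_entries | grep -Fxq -e "IP Address:$1" -e "DNS:$1"
}

# check_endpoint HOST [PORT]: fetch the certificate served at HOST:PORT and test
# whether HOST is in its SAN list. Port 6443 is an assumed default.
check_endpoint() {
    host=$1; port=${2:-6443}
    openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
        | openssl x509 -noout -text | san_has "$host"
}

# Constructed sample of `openssl x509 -noout -text` output: the instance's
# private IP is listed, the external IP 203.0.113.10 is not.
SAMPLE_CERT_TEXT='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:kubernetes, DNS:kubernetes.default, DNS:localhost, IP Address:10.43.0.1, IP Address:127.0.0.1, IP Address:172.31.5.10'

for name in 172.31.5.10 203.0.113.10; do
    if printf '%s\n' "$SAMPLE_CERT_TEXT" | san_has "$name"; then
        echo "$name: present in SAN list"
    else
        echo "$name: MISSING from SAN list (kubectl will reject the certificate)"
    fi
done
```

Against a live instance, `check_endpoint <external-ip>` performs the same test on the certificate served on the API port.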
