Trying to access k3s using Tailscale - ERROR: failed to verify certificate: x509

[plsnotracking]

Hi folks,

I have my k3s cluster running locally, and then my primary (or master) node has k3s deployed to it.

While creating the master node, I added a --tls-san flag to enable Tailscale IPs to be accessible as well.

Here's what the configuration was set while installing k3s.

export INSTALL_K3S_EXEC=" \
    --disable servicelb \
    --disable traefik \
    --etcd-expose-metrics \
    --tls-san 100.0.0.0 \
    --snapshotter=stargz

But when I try to kubectl my cluster, it fails with the following error (telling me that my IP was not included in the cert generated, which I disagree with).

❯ kubectl --kubeconfig=/Users/me/.kube/config-k3s get pods -A
E0322 17:00:16.029666   66503 memcache.go:265] couldn't get current server API group list: Get "https://100.22.117.32:6443/api?timeout=32s": tls: failed to verify certificate: x509: certificate is valid for 10.43.0.1, 100.0.0.0, 127.0.0.1, 192.168.1.2, not 100.22.117.32

If you see closely, the --tls-san has an entry for 100.0.0.0 which practically allows any IP from my tailscaleto access my node (transitively, my cluster) because I can SSH onto it just fine. Can someone please assist me in telling me what I'm doing incorrectly?

Thank you, good day!

[brandond]

That is not how TLS SANs work. It is NOT a CIDR mask or wildcard. It is a list of hostnames or IP addresses that the certificate is valid for. You need to list each specific hostname or IP that you want added to the cert - so in this case, 100.22.117.32.

You also appear to be under the impression that the --tls-san list somehow affects the tailscale ACLs? It does not impact that in any way. All it does is add additional entries to the certificate.

[plsnotracking]

Oh lol, I thought so, okay, got it, so each IP can be added as a separate --tls-san flag entry
for example:

--tls-san ip1
--tls-san ip2

OR

--tls-san ip1,ip2,ip3

Thank you for the help.