k3s tls-san: add kai-server.local so fleet-readout.sh can drop skip-tls-verify #303

Open
opened 2026-06-12 08:40:36 +00:00 by coilysiren · 0 comments
Owner

coilysiren/coilysiren scripts/fleet-readout.sh carries a kubectl workaround: the kubeconfig default https://kai-server:6443 answers Bad Gateway, so the script points at kai-server.local and passes --insecure-skip-tls-verify because the k3s API cert has no kai-server.local SAN.

Removal condition, stated in the script comment: add kai-server.local to the k3s tls-san list, then drop the skip-tls-verify flag from the script.

Two parts:

  • infrastructure - add kai-server.local to the k3s server tls-san config and roll the cert.
  • coilysiren/coilysiren - remove --insecure-skip-tls-verify (and ideally the --server override) from scripts/fleet-readout.sh once the SAN lands.

Filed so the workaround's removal condition has a tracking ref instead of living only in a script comment.

`coilysiren/coilysiren` `scripts/fleet-readout.sh` carries a kubectl workaround: the kubeconfig default `https://kai-server:6443` answers Bad Gateway, so the script points at `kai-server.local` and passes `--insecure-skip-tls-verify` because the k3s API cert has no `kai-server.local` SAN. Removal condition, stated in the script comment: add `kai-server.local` to the k3s `tls-san` list, then drop the skip-tls-verify flag from the script. Two parts: * infrastructure - add `kai-server.local` to the k3s server `tls-san` config and roll the cert. * coilysiren/coilysiren - remove `--insecure-skip-tls-verify` (and ideally the `--server` override) from `scripts/fleet-readout.sh` once the SAN lands. Filed so the workaround's removal condition has a tracking ref instead of living only in a script comment.
coilysiren added
P3
and removed
P2
labels 2026-06-17 08:39:29 +00:00
coilyco-ops added
P4
and removed
P3
labels 2026-07-10 09:00:14 +00:00
Sign in to join this conversation.
No description provided.