How to regenerate certificate apiserver.crt #12760

@satishdotpatel

What happened?

I am running the v2.29.0 release of kubespray on bare metal. I am trying to add a new SAN name to the certificate. I have added the following in file inventory/k8s/group_vars/all/all.yml:


supplementary_addresses_in_ssl_keys:
  - "k8s-public.example.com"

I ran ansible using the following, but that didn't do anything. How do I force the cert to regenerate?

cluster.yml -e -e upgrade_cluster_setup=true

What did you expect to happen?

Cert is not getting regenerated

How can we reproduce it (as minimally and precisely as possible)?

Add the following:


supplementary_addresses_in_ssl_keys:
  - "k8s-public.example.com"

Re-run ansible cluster.yml

OS

Ubuntu 22

Version of Ansible

ansible [core 2.17.14]
config file = /opt/kubespray/ansible.cfg
configured module search path = ['/opt/kubespray/library']
ansible python module location = /opt/venv-kubespray/lib/python3.10/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /opt/venv-kubespray/bin/ansible
python version = 3.10.12 (main, Aug 15 2025, 14:32:43) [GCC 11.4.0] (/opt/venv-kubespray/bin/python3)
jinja version = 3.1.6
libyaml = True

Version of Python

2.17.14

Version of Kubespray (commit)

2.29.0

Network plugin used

calico

Full inventory with variables

[kube_control_plane]
k8s-eng-m01 ansible_host=10.0.27.1 etcd_member_name=etcd1
k8s-eng-m02 ansible_host=10.0.27.2 etcd_member_name=etcd2
k8s-eng-m03 ansible_host=10.0.27.3 etcd_member_name=etcd3

[etcd:children]
kube_control_plane

[kube_node]
k8s-eng-w01 ansible_host=10.0.27.11

Command used to invoke ansible

ansible-playbook -i /opt/kubespray/inventory/eng-k8s/inventory.ini --become --become-user=root --tags cert-renew cluster.yml

Output of ansible run

none

Anything else we need to know

No response
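
A way to confirm whether a certificate actually carries the new name before and after a playbook run, as an added example that is not part of the original issue or of kubespray. The function names are hypothetical, the sample certificate is constructed, and the real certificate path is left for the reader to pass as the first argument; OpenSSL 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example (not from the issue or from kubespray): check whether a
# certificate lists a given name as a SAN. Needs OpenSSL 1.1.1 or newer.
# Function names are hypothetical.

# Print each SAN of the certificate in $1 on its own line,
# e.g. "DNS:kubernetes" or "IP Address:10.0.27.1".
list_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        sed '1d' | tr ',' '\n' | sed -e 's/^ *//' -e 's/ *$//' -e '/^$/d'
}

# Return 0 only if $2 is an exact DNS or IP SAN entry of the certificate $1.
# Exact-line matching keeps "kubernetes" from matching "kubernetes.default".
cert_has_san() {
    list_sans "$1" | grep -Fqx -e "DNS:$2" -e "IP Address:$2"
}

# Constructed sample: throwaway self-signed certificate standing in for an
# API server certificate issued before the new name was configured.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=kube-apiserver" \
        -addext "subjectAltName=DNS:kubernetes,DNS:kubernetes.default,IP:10.0.27.1" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage: sh check_san.sh [CERT_PATH] [NAME]
# With no CERT_PATH, the constructed sample is checked instead.
name="${2:-k8s-public.example.com}"
if [ -n "${1:-}" ]; then
    cert="$1"
else
    cert="$(mktemp -d)/apiserver.crt"
    make_sample_cert "$cert"
fi
if cert_has_san "$cert" "$name"; then
    echo "present: $name"
else
    echo "MISSING: $name; certificate SANs are:"
    list_sans "$cert"
fi
```

Running it on each control plane node against that node's API server certificate shows whether the playbook run changed the SAN list at all.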
