From 8cd4bd5b2d03e7d8b6bf649fd288e6715014f9f6 Mon Sep 17 00:00:00 2001 From: Simon Cornet Date: Wed, 28 Jan 2026 09:46:23 +0100 Subject: [PATCH] feat(k3s): add custom tls-san snippets --- docs/k3s/install.md | 43 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 docs/k3s/install.md diff --git a/docs/k3s/install.md b/docs/k3s/install.md new file mode 100644 index 0000000..ee6e828 --- /dev/null +++ b/docs/k3s/install.md @@ -0,0 +1,43 @@ +# K3s + +This guide assumes 3 nodes which are already setup with a minimal OS installation and network connectivity. Also make +sure DNS entries are in place for all nodes. + +Our examples bellow use the following nodes: + +| Node | Role | FQDN | IP Address ^ | +|---|---|---|---| +| proxy | HAProxy loadbalancer | proxy.k3s.siempie.internal | 192.168.10.230 | +| node01 | Master + Worker | node01.k3s.siempie.internal | 192.168.10.231 | +| node02 | Master + Worker | node02.k3s.siempie.internal | 192.168.10.232 | +| node03 | Master + Worker | node03.k3s.siempie.internal | 192.168.10.233 | + +Our API and HTTP workloads will be proxied via the HAProxy loadbalancer. The k3s api server will be accessible at +`https://workload.k3s.siempie.internal:6443`. The HAProxy configuration is found +[here](). + +## Boostrap k3s with a custom TLS SAN + +```bash +# Node 1 (first master) +curl -sfL https://get.k3s.io | sh -s - server \ + --cluster-init \ + --tls-san workload.k3s.siempie.internal \ + --tls-san node01 \ + --tls-san node01.k3s.siempie.internal + +# Save token for other nodes +cat /var/lib/rancher/k3s/server/node-token +``` + +## Join other masters + +```bash +# Node 2 and 3 (other masters) +curl -sfL https://get.k3s.io | sh -s - server \ + --server https://node01:6443 \ + --token \ + --tls-san workload.k3s.siempie.internal \ + --tls-san node02 \ + --tls-san node02.k3s.siempie.internal +```
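Review bot: In the "Join other masters" block, `--token \` carries no value or placeholder, so the next argument (`--tls-san`) follows the flag directly and the command cannot be pasted as written. Add an explicit placeholder such as `--token <node-token>`, or document supplying it through `K3S_TOKEN` or `--token-file`, which keeps the cluster join secret out of shell history and the process list. The same block is labelled "Node 2 and 3" but hardcodes `--tls-san node02` and `--tls-san node02.k3s.siempie.internal`; say that node03 must substitute its own names. Both snippets pipe `https://get.k3s.io` to `sh` without a version, so consider setting `INSTALL_K3S_VERSION` so that all three nodes install the same release. Smaller points: the HAProxy link `[here]()` has an empty target, the table header has a stray `^` after "IP Address", and "bellow" and "Boostrap" are misspelled.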