When a cluster is bootstrapped by CAPI using MAAS, it gives an error for the API server certificate because the FQDN is missing from the SAN list #1878

@eleblebici

Description

Summary

Hi Team,

I am trying to bootstrap a cluster by using CAPI and MAAS. After applying the cluster.yaml file, it first gave an error for the FQDN like the following:

2025-10-01T06:26:20Z	ERROR	Reconciler error	{"controller": "ck8scontrolplane", "controllerGroup": "controlplane.cluster.x-k8s.io", "controllerKind": "CK8sControlPlane", "CK8sControlPlane": {"name":"mycank8scluster-control-plane","namespace":"default"}, "namespace": "default", "name": "mycank8scluster-control-plane", "reconcileID": "676d625f-5347-4376-b1b5-a93c1cc1e964", "error": "failed to get API group resources: unable to retrieve the complete list of server APIs: v1: Get \"https://mycank8scluster-b22d77.maas:6443/api/v1?timeout=30s\": dial tcp: lookup mycank8scluster-b22d77.maas on 10.152.183.207:53: dial udp 10.152.183.207:53: connect: operation not permitted", "errorCauses": [{"error": "failed to get API group resources: unable to retrieve the complete list of server APIs: v1: Get \"https://mycank8scluster-b22d77.maas:6443/api/v1?timeout=30s\": dial tcp: lookup mycank8scluster-b22d77.maas on 10.152.183.207:53: dial udp 10.152.183.207:53: connect: operation not permitted"}]}

It was because CoreDNS was not able to resolve the API FQDN "mycank8scluster-b22d77.maas": CoreDNS is by default configured to forward queries to the "/etc/resolv.conf" of the management cluster machine, and this machine was using a different nameserver than MAAS. I set the CoreDNS upstream DNS server to the MAAS IP:

sudo k8s set dns.upstream-nameservers=192.168.122.105

However, this time it is giving the following error in the pod "cacpck-controller-manager-76f4cdf957-r6sq7":

2025-10-01T06:57:37Z	ERROR	Reconciler error	{"controller": "ck8scontrolplane", "controllerGroup": "controlplane.cluster.x-k8s.io", "controllerKind": "CK8sControlPlane", "CK8sControlPlane": {"name":"mycank8scluster-control-plane","namespace":"default"}, "namespace": "default", "name": "mycank8scluster-control-plane", "reconcileID": "393b4ca2-d34e-4918-9b6d-aeef35484980", "error": "failed to get API group resources: unable to retrieve the complete list of server APIs: v1: Get \"https://mycank8scluster-b22d77.maas:6443/api/v1?timeout=30s\": tls: failed to verify certificate: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster, kubernetes.default.svc.cluster.local, not mycank8scluster-b22d77.maas", "errorCauses": [{"error": "failed to get API group resources: unable to retrieve the complete list of server APIs: v1: Get \"https://mycank8scluster-b22d77.maas:6443/api/v1?timeout=30s\": tls: failed to verify certificate: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster, kubernetes.default.svc.cluster.local, not mycank8scluster-b22d77.maas"}]}

When I check the API server certificate on the control plane, it seems "mycank8scluster-b22d77.maas" is not added to the SAN list:

# openssl x509 -in /etc/kubernetes/pki/apiserver.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            24:7d:d7:bc:d5:b1:25:da:80:86:f7:5e:74:34:b2:38
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = kubernetes-ca
        Validity
            Not Before: Aug 20 13:35:29 2025 GMT
            Not After : Aug 20 13:35:29 2045 GMT
        Subject: CN = kube-apiserver
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c0:a1:56:98:a6:2f:9a:8f:29:58:9e:01:93:d9:
                    76:bd:d5:26:7d:c3:53:2b:b3:06:5a:93:fc:bd:b4:
                    fc:24:63:e0:d4:dc:d9:c9:41:6d:79:e2:eb:35:f4:
                    d0:ee:09:5c:28:c9:cd:46:64:45:29:4d:c4:40:db:
                    fd:03:e8:10:53:22:07:51:3d:34:80:52:61:91:37:
                    80:51:4f:29:ed:1b:b0:ff:de:5b:e8:0a:08:d0:cd:
                    73:48:d9:d0:42:42:ca:44:8a:36:fd:51:5a:b7:fb:
                    6e:d8:1e:44:c4:f4:6a:9f:4f:a5:a0:0d:99:5a:a9:
                    13:fb:1f:10:e6:c4:c3:67:6c:4c:63:47:5b:46:3f:
                    dc:db:0e:79:97:5b:17:71:b8:a9:10:a7:63:67:3f:
                    5b:0f:92:a7:f8:08:3d:8c:6c:bf:20:44:a2:36:61:
                    41:8b:62:1d:ac:fe:38:2f:ab:68:de:30:cd:36:1b:
                    a0:cb:9a:c0:39:bd:ad:9e:b1:84:a1:17:ce:f5:15:
                    6d:1a:0d:39:66:06:9e:be:3f:c0:2e:05:6a:88:0a:
                    f1:42:db:66:16:f7:fc:0d:8c:af:bd:a9:63:cc:bf:
                    70:e7:26:2f:3d:0a:78:15:c5:eb:a3:e0:63:e0:34:
                    c1:11:b9:e0:4b:ce:e9:41:56:57:9b:fe:07:a9:be:
                    2a:f1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                CD:7C:17:F5:AC:E4:72:CF:45:3E:02:50:62:73:73:F7:A8:28:C3:1A
            X509v3 Subject Alternative Name: 
                DNS:kubernetes, DNS:kubernetes.default, DNS:kubernetes.default.svc, DNS:kubernetes.default.svc.cluster, DNS:kubernetes.default.svc.cluster.local, IP Address:192.168.100.166, IP Address:10.152.183.1, IP Address:127.0.0.1, IP Address:192.168.100.166, IP Address:0:0:0:0:0:0:0:1, IP Address:FE80:0:0:0:5054:FF:FE3F:8758
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        55:4d:9d:65:78:1b:90:76:7b:ce:f9:a5:24:66:4c:31:cd:ba:
        da:08:8b:e9:df:52:de:61:b5:95:62:0a:e4:b0:1a:95:3c:d2:
        36:ae:5d:c7:b5:cc:5c:f5:23:e2:67:ad:dc:37:ca:2b:e6:54:
        ff:d0:7c:fa:6a:07:1d:25:41:f5:f1:51:98:90:f9:51:55:fe:
        57:1f:88:ff:9d:dd:e9:d1:83:ef:0e:a5:e1:47:aa:01:3b:a7:
        e1:72:ed:88:a2:78:db:88:3e:a4:c9:5b:53:5f:e7:76:df:51:
        c0:08:ec:64:2d:42:eb:4b:52:33:ae:99:cf:57:73:93:7f:14:
        e3:8e:b6:d8:46:27:17:0a:62:82:03:4c:5a:8c:47:d4:4b:f4:
        a6:e4:79:e5:bd:a4:04:55:f9:40:c8:26:e6:9d:54:4f:5b:5a:
        53:6b:cd:af:91:d0:33:8a:f9:ea:34:39:24:38:3e:8c:49:5a:
        7e:db:ec:19:6f:6d:18:3e:ca:d6:3e:ab:a3:90:a0:e3:c5:a0:
        1a:2b:d9:52:47:c8:04:fa:e6:b5:63:81:b5:4b:52:5a:33:17:
        86:c1:7e:9b:d1:c2:d5:8f:4d:7c:7a:2d:e8:69:24:82:fa:9f:
        d0:35:c8:47:f0:61:68:3c:79:62:ed:be:94:78:e7:63:83:9b:
        7e:b9:60:f8
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

What Should Happen Instead?

The FQDN "mycank8scluster-b22d77.maas" should be added to the certificate SAN list so that clusterapi can discover the control plane as initialized.

Reproduction Steps

Just bootstrap the cluster via MAAS

System information

maas infrastructure provider with version 0.5.0
Canonical k8s version 1.33.4

Can you suggest a fix?

No response

Are you interested in contributing with a fix?

No response
