[Question]Why is it necessary to set tls-san option to create rke2 cluster?

[sumpf]

As I know, tls-san option add ip addr or hostname in certificate. if so, why it's required to set a ip addr of mgmt server (which is separated instance) while creating rke2 cluster?
if I'm not add the ip addr of mgmt server for tls-san, I got below error when I run kubectl command with config file.

Unable to connect to the server: x509: certificate is valid for 127.0.0.1, ::1, [...], not [...]

[brandond]

It is only necessary to set tls-san if you're going to put the servers behind a load-balancer, in which case you would want to add the hostname of the load-balancer as a SAN entry on the servers certificates. If you are just joining members directly to one of the servers by name, there's no need to use that option.