When deploying a Kubernetes cluster manually we use kubeadm,
kubeadm init ...
passing the parameter
--apiserver-cert-extra-sans=<FQDN>
to include the FQDN in the generated certificate.
What approach can we use to achieve the same effect using Kubespray/Ansible?
I thought it was supplementary_addresses_in_ssl_keys but seeing it used demonstrates they really mean "IP address" and not the more generic address concept.
So I would suspect one of two paths:
1. update the openssl.conf.j2 to distinguish between a supplementary_address which is an IP, versus a hostname;
2. cheat and make the kube-master "hostnames" in the inventory match up with the actual SAN name you would like in the cert (since those identifiers in the inventory can be mapped to IP addresses via ansible_ssh_host for the purposes of connecting to the Nodes)
Arguably the change to openssl.conf.j2 should go upstream in a PR, because your request certainly seems like a common and reasonable one.
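
The IP-versus-hostname split suggested in the first path, sketched as an added example (not code from the answer or from Kubespray): TLS clients match a hostname only against DNS SAN entries and an IP only against IP SAN entries, so each supplementary address has to land in the right list. The function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(address):
    """Return ("IP", normalized) or ("DNS", normalized); raise ValueError otherwise."""
    value = address.strip()
    try:
        return "IP", str(ipaddress.ip_address(value))
    except ValueError:
        pass
    name = value.rstrip(".").lower()
    labels = name.split(".")
    # An all-numeric final label means a malformed IP (e.g. "10.0.0.999"), not a hostname.
    if (not name or len(name) > 253 or labels[-1].isdigit()
            or not all(_LABEL.match(label) for label in labels)):
        raise ValueError(f"not a valid IP address or hostname: {address!r}")
    return "DNS", name


def render_alt_names(addresses):
    """Render an OpenSSL [alt_names] section with separate DNS.n and IP.n counters."""
    seen = set()
    entries = {"DNS": [], "IP": []}
    for address in addresses:
        kind, value = classify(address)
        if (kind, value) not in seen:  # skip duplicates after normalization
            seen.add((kind, value))
            entries[kind].append(value)
    lines = ["[alt_names]"]
    for kind in ("DNS", "IP"):
        lines += [f"{kind}.{i} = {v}" for i, v in enumerate(entries[kind], start=1)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges and example.com).
    sample = ["k8s-api.example.com", "192.0.2.10", "K8S-API.example.com.", "2001:db8::1"]
    print(render_alt_names(sample))
```

Rejecting a malformed entry up front keeps a typo such as "10.0.0.999" from being issued as a DNS name in the API server certificate.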