A clarification regarding the word identical in the question:

In a high-availability RKE2 cluster (using kube-vip and 3 servers)
should the file /etc/rancher/rke2/config.yaml
be identical on the three servers (server1, server2, server3)?

I meant identical except for the section tls-san where the files can differ. For example server1:

tls-san:
- server1
- <http://server1.example.com|server1.example.com>
- <http://cluster.example.com|cluster.example.com>
- 12.34.56.78

server2:

tls-san:
- server2
- <http://server2.example.com|server2.example.com>
- <http://cluster.example.com|cluster.example.com>
- 12.34.56.78

You shouldn’t really need to set those, IP and hostname SANs are already added by default. the tls-san flag is mostly just there in case you have a load-balancer or something that has an additional hostname that you need the cert to be valid for. Is there some reason you’re explicitly adding them?

Interesting, I believe it should then be enough to just keep the virtual IP and its hostname:

tls-san:
- <http://cluster.example.com|cluster.example.com>
- 12.34.56.78

(I use a virtual IP address that is handled by kube-vip for having a High Availability cluster)