Authorized cluster endpoint setup?

You can just click Enable and hit save (this is the default for new clusters). A kubeconfig entry can only point to one endpoint, so it continues to proxy through the server by default, but adds another context on the generated kubeconfig files that points directly at the control plane node(s) (one at a time). You can manually switch to that context if the server container is down, and this is generally good enough to have a way in for emergencies.

To (reliably) point directly at the cluster all the time, you need a load balancer (e.g. in AWS) which targets only the healthy control plane nodes. And then a domain name pointing at it; that’s the FQDN field.

Kubectl (mostly) only does TLS, and you're now pointing it at some hostname you picked that the cluster knows nothing about. So you need the balancer to do TLS termination. If the cert you use is issued by a CA that's in the client's cacerts list, then you're done. If not, we need the certificate (and/or CA chain) so that we can put it into the generated kubeconfig files to make kubectl trust it. That's the Certificates field.
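To make the two-context layout described above concrete, here is a constructed kubeconfig (an added illustration, not a file generated by Rancher, and not part of the original answer). The proxy URL pattern, the cluster/context names, the FQDN `k8s-api.example.com`, the token and the `certificate-authority-data` value are all placeholders I chose for the example:

```yaml
apiVersion: v1
kind: Config
clusters:
# Default entry: every request is proxied through the Rancher server.
# The /k8s/clusters/<id> path is an assumed pattern, not taken from the post.
- name: mycluster
  cluster:
    server: https://rancher.example.com/k8s/clusters/c-xxxxx
# Authorized endpoint entry: talks to the load balancer in front of the
# healthy control plane nodes, using the FQDN field as the hostname.
- name: mycluster-direct
  cluster:
    server: https://k8s-api.example.com:6443
    # Base64 of the PEM chain entered in the Certificates field. Only needed
    # when the balancer's certificate is not issued by a CA the client trusts.
    # (constructed placeholder, not a real certificate)
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi4uLnBsYWNlaG9sZGVyLi4uCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
users:
- name: mycluster-user
  user:
    token: kubeconfig-user-xxxxx:REDACTED   # constructed placeholder
contexts:
- name: mycluster
  context:
    cluster: mycluster
    user: mycluster-user
- name: mycluster-direct
  context:
    cluster: mycluster-direct
    user: mycluster-user
current-context: mycluster
```

With this file, `kubectl config use-context mycluster-direct` switches to the load balancer path when the server container is unavailable. The value for `certificate-authority-data` is produced with `base64 -w0 ca-chain.pem` (the PEM may contain the leaf plus any intermediates). Two things to check before relying on the direct context: the FQDN you entered must appear in the balancer certificate's Subject Alternative Names, or kubectl will refuse the connection regardless of which CA is embedded, and the embedded chain has to be updated whenever that certificate is re-issued under a different CA.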