-
|
Is your feature request related to a problem? Please describe. I am trying to bootstrap an rke2 cluster and use external LB for accessing k8s API. That external LB has a different IP/name than rke nodes. Describe the solution you'd like I would like to configure authorized cluster endpoint when deploying a cluster, ideally in /etc/rancher/rke2/config.yaml . Describe alternatives you've considered Documentation on how to enable that in official rke2 docs. Additional context Error I am getting now: E1230 11:00:14.476815 11989 proxy_server.go:147] Error while proxying request: x509: certificate is valid for kubernetes, kubernetes.default, kubernetes.default.svc, kubernetes.default.svc.cluster.local, localhost, k8s-test-n1.openstacklocal, not rke2-.... |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 3 replies
-
|
Authorized cluster endpoints are a Rancher concept, not RKE2. RKE2 has no corresponding concept, and is not in any way aware of Rancher. As far as RKE2 is concerned, Rancher is just another workload deployed to the cluster. I'm confused by what you're asking about here though - are you trying to use the Rancher cluster endpoint, or the ACE address, to join new nodes to the cluster? |
Beta Was this translation helpful? Give feedback.
-
|
Actually, what I am trying is to access RKE2 K8s API behind a LB. Maybe I am confusing something, would appreciate if you could point me to a correct direction. The setup that I have is as follows:
What I want to do is to expose another port - 6443 - on LB and forward requests to K8s API port on RKE2 nodes. TCP part works but when using a kubectl client I get a message about issue with x509 certificate, which is not valid for the domain name that resolves to a LB IP. |
Beta Was this translation helpful? Give feedback.
-
|
You should start the rke2 servers with the RKE2 has no idea about the existence of your external load-balancer and will not include its address in the list of subject alternative names on the cert, so it is not valid for that address unless you manually add it to the SAN list. https://docs.rke2.io/reference/server_config?_highlight=tls-san#rke2-server-cli-help |
Beta Was this translation helpful? Give feedback.
-
|
that was it, many thanks! |
Beta Was this translation helpful? Give feedback.
Authorized cluster endpoints are a Rancher concept, not RKE2. RKE2 has no corresponding concept, and is not in any way aware of Rancher. As far as RKE2 is concerned, Rancher is just another workload deployed to the cluster.
I'm confused by what you're asking about here though - are you trying to use the Rancher cluster endpoint, or the ACE address, to join new nodes to the cluster?