So I m reaching out to know what the best practice is in reg rancher-users #k3s

Title

late-needle-80860

09/18/2023, 9:42 AM

So I’m reaching out to know what the best practice is in regards to the use of

—tls-san

parameter. • should I configure / set it on all server nodes? • And if I upgrade control-plane/server nodes by replacing them one by one ( will end up with the same name and ip ) should I set the parameter in that scenario as well? —- With the v1.28.1 release ( and others ) this parameter have come into focus because of the need to set it to patch the cert. CVE on k3s … Thank you

Please anybody with an idea?

creamy-pencil-82913

09/19/2023, 5:05 PM

--tls-san or --tls-san-security?

What sort of environment are you in that you would need to set --tls-san? Do you have the k3s apiserver behind an external load-balancer or dns alias?

late-needle-80860

09/20/2023, 5:34 AM

—tls-san …. The api ip is a VIP. So e.g. moved from control-plane node A to B if A goes down. In certain environments .. the api is behind a dns name. Thank you

creamy-pencil-82913

09/20/2023, 4:51 PM

in that case yes, you should add --tls-san entries for the VIP address and hostname, on all the servers.

but you always should have been doing that, that’s what the setting is for.

🎯 1