
freezing-teacher-93828

09/05/2022, 9:06 AM
A clarification regarding the word identical in the question:
In a high-availability RKE2 cluster (using kube-vip and 3 servers)
should the file /etc/rancher/rke2/config.yaml
be identical on the three servers (server1, server2, server3)?
I meant identical except for the section tls-san where the files can differ. For example server1:
tls-san:
- server1
- server1.example.com
- cluster.example.com
- 12.34.56.78
server2:
tls-san:
- server2
- server2.example.com
- cluster.example.com
- 12.34.56.78

creamy-pencil-82913

09/05/2022, 9:32 AM
You shouldn’t really need to set those; IP and hostname SANs are already added by default. The tls-san flag is mostly just there in case you have a load-balancer or something that has an additional hostname that you need the cert to be valid for. Is there some reason you’re explicitly adding them?

freezing-teacher-93828

09/05/2022, 2:09 PM
Interesting, I believe it should then be enough to just keep the virtual IP and its hostname:
tls-san:
- cluster.example.com
- 12.34.56.78
(I use a virtual IP address that is handled by kube-vip for having a High Availability cluster)