Hey folks I have a rk2 based cluster on rancher v2 6 7 I wan rancher-users #general

Title

# general

late-vr-98727

09/21/2022, 9:12 AM

Hey folks! I have a rk2 based cluster on rancher (v2.6.7). I wanted to enable Authorized Cluster Endpoint , so I did

localClusterAuthEndpoint: enabled: true

. And then it did give me kubeconfig with all the master nodes info. But when I use once of the context defined in the kubeconfig. I get the following error

Unable to connect to the server: x509: certificate is valid for 127.0.0.1, ::1, 10.128.0.17, 10.43.0.1, not 98.190..

can anyone please help?

I am following this doc - https://docs.ranchermanager.rancher.io/how-to-guides/advanced-user-guides/manage-clusters/access-clusters/use-kubectl-and-kubeconfig

bright-whale-83501

09/21/2022, 9:22 AM

Hi. struggling with the exact same problem myself. I added a question in #rke2 thats related, and no answer.

I asume you have the fqdn context in your kubeconfig file, but no token

late-vr-98727

09/21/2022, 9:27 AM

I did not provide fqdn value , it is taking the downstream cluster server ip address!

bright-whale-83501

09/21/2022, 9:27 AM

that should probably work aswell.

but do you have a token or certificate for that context to authenticate with?

late-vr-98727

09/21/2022, 9:30 AM

yeah i have a

certificate-authority-data

,but it still throws the error

bright-whale-83501

09/21/2022, 9:30 AM

may I ask, did you add a CA in the form field in rancher?

late-vr-98727

09/21/2022, 9:31 AM

nope just enabled it to true and did not add CA

bright-whale-83501

09/21/2022, 9:31 AM

I think your problem is that you need to set SAN to a k8s master IP

late-vr-98727

09/21/2022, 9:32 AM

ok.. how to do it , any idea?

bright-whale-83501

09/21/2022, 9:32 AM

do you have rancher gui? (which version)

late-vr-98727

09/21/2022, 9:32 AM

yes.. 2.6.7

bright-whale-83501

09/21/2022, 9:33 AM

look in cluster management, enter the cluster, edit config. Look at "Networking"

There at the bottom you have ACE, and above TLS alterrnative names

I have rancher 2.6.8 so it might be different, have not used 2.6.7 since i skipped that release

that could be, yes

late-vr-98727

09/21/2022, 9:50 AM

hey @bright-whale-83501, do I need to edit the cluster config where rancher server is installed or downstream cluster?

bright-whale-83501

09/21/2022, 9:54 AM

Downstream cluster

Since ACE is about authentication, what authenticate. If you dont use ace you always use the rancher cluster

Youe tring to become alice in 4 here https://docs.ranchermanager.rancher.io/reference-guides/rancher-manager-architecture/communicating-with-downstream-user-clusters

late-vr-98727

09/21/2022, 11:55 AM

yeah gotcha. But I am not getting the "Networking" options in cluster config yaml

bright-whale-83501

09/21/2022, 12:38 PM

Your rancher cluster, are you admin?

If you look in the yaml, you should see machineGlobalConfig. cluster-domain and tls-san in there?

late-vr-98727

09/21/2022, 12:55 PM

I am not admin. Does it require to be admin?

able-engineer-22050

10/05/2022, 4:46 PM

Hi, I have a related question to this. I have a couple of downstream rke2 clusters not created with authorized cluster endpoint enabled. Can I somehow enable this after creation?

7 Views