Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
l
late-vr-98727
09/21/2022, 9:12 AMHey folks! I have a rk2 based cluster on rancher (v2.6.7). I wanted to enable Authorized Cluster Endpoint , so I did
localClusterAuthEndpoint: enabled: trueUnable to connect to the server: x509: certificate is valid for 127.0.0.1, ::1, 10.128.0.17, 10.43.0.1, not 98.190..
can anyone please help?
b
bright-whale-83501
09/21/2022, 9:22 AMHi. struggling with the exact same problem myself. I added a question in #rke2 thats related, and no answer.
I asume you have the fqdn context in your kubeconfig file, but no token
l
late-vr-98727
09/21/2022, 9:27 AMI did not provide fqdn value , it is taking the downstream cluster server ip address!
b
bright-whale-83501
09/21/2022, 9:27 AMthat should probably work aswell.
but do you have a token or certificate for that context to authenticate with?
l
late-vr-98727
09/21/2022, 9:30 AMyeah i have a
certificate-authority-datab
bright-whale-83501
09/21/2022, 9:30 AMmay I ask, did you add a CA in the form field in rancher?
l
late-vr-98727
09/21/2022, 9:31 AMnope just enabled it to true and did not add CA
b
bright-whale-83501
09/21/2022, 9:31 AMI think your problem is that you need to set SAN to a k8s master IP
l
late-vr-98727
09/21/2022, 9:32 AMok.. how to do it , any idea?
b
bright-whale-83501
09/21/2022, 9:32 AMdo you have rancher gui? (which version)
l
late-vr-98727
09/21/2022, 9:32 AMyes.. 2.6.7
b
bright-whale-83501
09/21/2022, 9:33 AMlook in cluster management, enter the cluster, edit config. Look at "Networking"
There at the bottom you have ACE, and above TLS alterrnative names
I have rancher 2.6.8 so it might be different, have not used 2.6.7 since i skipped that release
that could be, yes
l
late-vr-98727
09/21/2022, 9:50 AMhey @bright-whale-83501, do I need to edit the cluster config where rancher server is installed or downstream cluster?
b
bright-whale-83501
09/21/2022, 9:54 AMDownstream cluster
Since ACE is about authentication, what authenticate. If you dont use ace you always use the rancher cluster
Youe tring to become alice in 4 here https://docs.ranchermanager.rancher.io/reference-guides/rancher-manager-architecture/communicating-with-downstream-user-clusters
l
late-vr-98727
09/21/2022, 11:55 AMyeah gotcha. But I am not getting the "Networking" options in cluster config yaml
b
bright-whale-83501
09/21/2022, 12:38 PMYour rancher cluster, are you admin?
If you look in the yaml, you should see machineGlobalConfig. cluster-domain and tls-san in there?
l
late-vr-98727
09/21/2022, 12:55 PMI am not admin. Does it require to be admin?
a
able-engineer-22050
10/05/2022, 4:46 PMHi,
I have a related question to this. I have a couple of downstream rke2 clusters not created with authorized cluster endpoint enabled.
Can I somehow enable this after creation?