question regarding setting a rke2 cluster for ranc...
# general
a
question regarding setting a rke2 cluster for rancher, the config.yaml example lists tls-san for my-kubernetes-domain.com and another-kubernetes-domain.com, are these supposed to be the hostnames for rancher itself? so say if i'm doing rancher.example.com i should put that in the list? this is the page i'm referring to https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-cluster-setup/rke2-for-rancher
c
no. those are in case you put a LB or DNS alias in front of the kubernetes api itself. They are not used by the Ingress in any way and do not have to be present for the Rancher Ingress to function.
a
ok thanks
just to be clear, for the other nodes to join, they will discover themselves when i start the rke2-server on them?
i only have experience with rke1
c
you point them at the first server, or the dns alias / external LB. They coordinate with the existing server to join the cluster.
a
gotcha
w
I’m exploring this myself reading up on it… this is only for the kubernetes api?
so if we are doing metalLB.
*.k8.example.com --> metalLB (IP) --> ingress-nginx --> app
tls-san It’s not needed
If I do HA and use like kube-vip so
k8.example.com --> Kube-vip (ip) --> 3x HA Master nodes hosting kubernetes API.
would need to add tls-san: k8.example.com
Is that correct?
c
well also for the rke2 supervisor api that is used during cluster join. But it is completely isolated from the ingress, if that is what you are asking about.
w
Yeah, my example was simplified
but yup, that’s what i mean
c
it is literally just additional hostnames/IPs that the rke2 server certs will be valid for. Has nothing to do with whatever you will later do with ingress.
a
so i got the cluster bootstrapped and i installed rancher with helm
but for some reason it's refusing to use the supplied cert
helm install rancher rancher-stable/rancher --version 2.10.1 --namespace cattle-system --set hostname=rancher.example.com --set bootstrapPassword=test123 --set ingress.tls.source=tls-rancher
i'm specifying the version because i'm trying to backup and restore from an existing rancher install
oh i think i see the problem
the ingress.tls.source is supposed to specify secret not the secret name
is there a way to clean up a previous install besides helm uninstall?