# rke2
m
Hello all, I'm not sure if this is the correct channel to inquire. I was able to set up my RKE2 cluster recently on some of our VMs. When I download the kubeconfig file from our Rancher server, I only get a kubeconfig token. I'm not sure what part I missed that didn't generate the appropriate client-certificate-data, client-certificate-key and the certificate-authority-data. Would anyone be able to help me sort it out?
c
when you download a kubeconfig from rancher, all communication to the downstream cluster goes through rancher
if you want to communicate directly with the downstream cluster without going through rancher, you need to set up authorized cluster endpoint on that cluster, and use that context from the generated kubeconfig provided by rancher
or you can ssh into the downstream nodes and get a copy of the admin kubeconfig, although at that point you’re just straight up bypassing rancher
m
pardon my lack of knowledge but we have RKE1 clusters that are working. Whenever I go to the Rancher UI and download the kube config for those, I get a kube config like this:
```yaml
apiVersion: v1
kind: Config
clusters:
- name: "<<< some name >>>"
  cluster:
    server: "<<< rancher host here >>>"
- name: "<<< some name >>>"
  cluster:
    server: "https://<<< node IP >>>:6443"
    certificate-authority-data: "<<< valid cert here >>>"
- name: "<<< name >>>"
  cluster:
    server: "https://<<< node IP >>>:6443"
    certificate-authority-data: "<<< valid cert >>>"
- name: "<<< another host here >>>"
  cluster:
    server: "https://<<< node IP >>>:6443"
    certificate-authority-data: "<<< valid cert >>>"
users:
- name: "<<< cluster name >>>"
  user:
    token: "<<< valid token >>>"

contexts:
- name: "<<< cluster context >>>"
  context:
    user: "<<< cluster context >>>"
    cluster: "<<< cluster context >>>"

current-context: "<<< cluster context >>>"
```
c
right, there are multiple cluster entries. the first one goes through rancher, the others go directly to the server nodes, because you have enabled ACE for that cluster. If you want to do the same for RKE2, you need to enable ACE on that cluster.
m
The new RKE2 cluster generates a kube config like this:
```yaml
apiVersion: v1
kind: Config
clusters:
- name: "<<< some name >>>"
  cluster:
    server: "<<< rancher host here >>>"
users:
- name: "<<< some name >>>"
  user:
    token: "<<< valid token >>>"
contexts:
- name: "<<< some name >>>"
  context:
    user: "<<< some name >>>"
    cluster: "<<< some name >>>"

current-context: "<<< some name >>>"
```
c
enable ace
m
oh, I failed to toggle that when setting it up. If I don't provide a cert, it should generate one for me, correct?
thank you so much for your help
c
it’ll just use the cluster ca by default. which should be fine.
m
awesome, thank you so much for your help