This message was deleted.
# rke2a
adamant-kite-43734
10/14/2022, 6:55 PMThis message was deleted.
c
creamy-pencil-82913
10/14/2022, 7:06 PMThe admin kubeconfig is set up so that the cluster’s root CA is trusted by kubectl when using that kubeconfig, yes. Why would you want to change that?
creamy-pencil-82913
10/14/2022, 7:07 PMYou can always copy that file and modify it if you need to. There’s no way to alter the content that RKE2 generates automatically, no.
f
flat-notebook-92639
10/14/2022, 8:46 PMI deployed a RKE2 cluster with my own certificates (with an intermediate CA) and the server-ca.crt can not contain a full chain. Everything work because I changed the kube-controller manager deployment and give the full CA chain with the —root-ca-file parameter (it permits to serviceAccounts to take into account the full CA chain).
The last issue I have is with the rke2.yaml file. I copy it and change the certificate-authority-data to give my full CA chain but I wanted to know if it was possible without copy it
flat-notebook-92639
10/14/2022, 8:47 PMI tried several things but the file is generated automatically by RKE2. I was not able to alter it like you said it. Thanks for your response
c
creamy-pencil-82913
10/14/2022, 11:11 PMThere are some restrictions around the CAs on the Kubernetes side, in particular I believe that all the various cluster intermediate CAs should not be signed by the same root CA, because the token signing stuff relies on having cert validation fail and then be retried with a different CA bundle so that it can confirm which one it came from.
creamy-pencil-82913
10/14/2022, 11:13 PMI can’t remember where that’s documented on the upstream side though
2 Views