Hi, I have a question about the generated rke2.yaml kubeconfig (/etc/rancher/rke2/rke2.yaml). Do you know if it’s possible to override the certificate-authority-data? It seems RKE2-server uses the server/tls/server-ca.crt as certificate-authority-data, am I right? Is it possible to change the path ?
10/14/2022, 7:06 PM
The admin kubeconfig is set up so that the cluster’s root CA is trusted by kubectl when using that kubeconfig, yes. Why would you want to change that?
You can always copy that file and modify it if you need to. There’s no way to alter the content that RKE2 generates automatically, no.
10/14/2022, 8:46 PM
I deployed a RKE2 cluster with my own certificates (with an intermediate CA) and the server-ca.crt can not contain a full chain. Everything work because I changed the kube-controller manager deployment and give the full CA chain with the —root-ca-file parameter (it permits to serviceAccounts to take into account the full CA chain).
The last issue I have is with the rke2.yaml file. I copy it and change the certificate-authority-data to give my full CA chain but I wanted to know if it was possible without copy it
I tried several things but the file is generated automatically by RKE2. I was not able to alter it like you said it. Thanks for your response
10/14/2022, 11:11 PM
There are some restrictions around the CAs on the Kubernetes side, in particular I believe that all the various cluster intermediate CAs should not be signed by the same root CA, because the token signing stuff relies on having cert validation fail and then be retried with a different CA bundle so that it can confirm which one it came from.
I can’t remember where that’s documented on the upstream side though