This message was deleted.

Don't do that. If you have a LB in front of the rke2 control plane, it must use the same ports, and pass through tcp directly. Kubernetes makes extensive use of client certificate auth, and offloading tls to the load-balancer breaks that.

okay so I should set passthru

You don't even really need an expensive external load-balancer in front of the servers, a DNS alias is just fine. The registration endpoint is only used when joining the cluster, after that the client pulls endpoints from the cluster so the external LB is completely unused.

its possible its already setup like this. we have stoodup 3 other rancher clusters and the install went fine