Enable CSR signing on an RKE cluster so certificates are issued

kubectl get csr
NAME                  AGE   REQUESTOR   CONDITION
my-csr                18m   admin       Approved

kubectl get csr
NAME                  AGE   REQUESTOR   CONDITION
my-csr                18m   admin       Approved,Issued

You will need to provide the following flags for the kube-controller-manager: --cluster-signing-cert-file and --cluster-signing-key-file

RKE1

In order to do this from the Rancher UI:

1. Go to Cluster Management
2. Select the 3-dot menu next to the desired cluster and click Edit Config
3. Click the Edit as YAML button
4. Under the rancher_kubernetes_engine_config.services section, replace

   kube-controller: {}

   with

   kube-controller:
     extra_args:
       cluster-signing-cert-file: /etc/kubernetes/ssl/kube-ca.pem
       cluster-signing-key-file: /etc/kubernetes/ssl/kube-ca-key.pem

   
    
5. Click the Save button at the bottom of the screen
6. Once the cluster finishes reconciling, you should be able to go through the steps again and have the certificate issued

If this is on a cluster managed using rke up, you will have to put these values in the cluster.yml file and run rke up

RKE2

In order to do this from the Rancher UI:

1. Go to Cluster Management
2. Select the 3-dot menu next to the desired cluster and click Edit Config
3. Go to the Advanced setting under cluster config
4. Add the following additional Controller Manager Args

   cluster-signing-cert-file=/etc/kubernetes/ssl/kube-ca.pem
   cluster-signing-key-file=/etc/kubernetes/ssl/kube-ca-key.pem

5. Click the Save button at the bottom of the screen
6. Once the cluster finishes reconciling, you should be able to go through the steps again and have the certificate issued