Enable CSR signing on an RKE cluster so certificates are issued
This document (000020971) is provided subject to the disclaimer at the end of this document.
Situation
When creating a private key, a CertificateSigningRequest, and approving the CSR. You may notice in the output that the CSR is Approved but not Issued. For example, you may see the following:
kubectl get csr NAME AGE REQUESTOR CONDITION my-csr 18m admin ApprovedBut you actually expect to see the following:
kubectl get csr NAME AGE REQUESTOR CONDITION my-csr 18m admin Approved,Issued
Resolution
In an RKE cluster, you will need to provide the following flags for the
In order to do this from the Rancher UI:
kube-controller-manager: --cluster-signing-cert-file and --cluster-signing-key-fileIn order to do this from the Rancher UI:
- Go to Cluster Management
- Select the 3-dot menu next to the desired cluster and click Edit Config
- Click the Edit as YAML button
- Under the rancher_kubernetes_engine_config.services section, replace
kube-controller: {}withkube-controller: extra_args: cluster-signing-cert-file: /etc/kubernetes/ssl/kube-ca.pem cluster-signing-key-file: /etc/kubernetes/ssl/kube-ca-key.pem
- Click the Save button at the bottom of the screen
- Once the cluster finishes reconciling, you should be able to go through the steps again and have the certificate issued
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000020971
- Creation Date: 13-Feb-2023
- Modified Date:17-Feb-2023
-
- SUSE Rancher
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
