Enable CSR signing on an RKE cluster so certificates are issued

This document (000020971) is provided subject to the disclaimer at the end of this document.

Situation

After creating a private key and a CertificateSigningRequest and approving the CSR, you may notice in the output that the CSR shows as Approved but not Issued. For example, you may see the following:

kubectl get csr
NAME                  AGE   REQUESTOR   CONDITION
my-csr                18m   admin       Approved

What you expect to see instead is the following:

kubectl get csr
NAME                  AGE   REQUESTOR   CONDITION
my-csr                18m   admin       Approved,Issued
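The CONDITION column above is derived from the CSR object's status: kubectl lists the Approved/Denied/Failed conditions and appends "Issued" only when status.certificate is populated. The following Python script, added here as an example and not part of the original article, rebuilds that column from `kubectl get csr -o json` output, classifies the CSR (so "Approved but never signed" is distinguished from "Pending" or "Denied"), and decodes the issued certificate when one exists. The two CSR objects and the placeholder PEM inside it are constructed samples, not captured from a real cluster.

```python
import base64
import json
from typing import Optional

# Constructed sample of `kubectl get csr my-csr -o json` output, trimmed to the
# fields relevant here. Not captured from a real cluster.
SAMPLE_UNSIGNED_CSR = json.dumps({
    "apiVersion": "certificates.k8s.io/v1",
    "kind": "CertificateSigningRequest",
    "metadata": {"name": "my-csr"},
    "spec": {"signerName": "kubernetes.io/kube-apiserver-client",
             "username": "admin"},
    "status": {
        # Approved via `kubectl certificate approve`, but there is no
        # "certificate" field: no signer ever acted on the request.
        "conditions": [{"type": "Approved", "status": "True",
                        "reason": "KubectlApprove"}]
    },
})

# Constructed sample of the same CSR after a signer has issued it. The
# certificate body is a placeholder PEM, not a real certificate.
PLACEHOLDER_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   "PLACEHOLDER\n"
                   "-----END CERTIFICATE-----\n")
SAMPLE_ISSUED_CSR = json.dumps({
    "apiVersion": "certificates.k8s.io/v1",
    "kind": "CertificateSigningRequest",
    "metadata": {"name": "my-csr"},
    "spec": {"signerName": "kubernetes.io/kube-apiserver-client",
             "username": "admin"},
    "status": {
        "conditions": [{"type": "Approved", "status": "True",
                        "reason": "KubectlApprove"}],
        # status.certificate is base64-encoded PEM.
        "certificate": base64.b64encode(PLACEHOLDER_PEM.encode()).decode(),
    },
})


def load_csr(text: str) -> dict:
    """Parse `kubectl get csr <name> -o json` output into a dict."""
    return json.loads(text)


def condition_column(csr: dict) -> str:
    """Rebuild the CONDITION column of `kubectl get csr`.

    Approved/Denied/Failed come from status.conditions; "Issued" is appended
    only when status.certificate is non-empty; nothing at all prints Pending.
    """
    status = csr.get("status", {})
    present = {c.get("type") for c in status.get("conditions", [])}
    parts = [t for t in ("Approved", "Denied", "Failed") if t in present]
    if status.get("certificate"):
        parts.append("Issued")
    return ",".join(parts) if parts else "Pending"


def diagnose(csr: dict) -> str:
    """Classify a CSR: "issued", "approved-not-signed", "denied", "failed" or
    "pending". "approved-not-signed" is the state this article is about:
    approval is recorded but no signer produced a certificate."""
    column = condition_column(csr)
    if "Issued" in column:
        return "issued"
    if "Denied" in column:
        return "denied"
    if "Failed" in column:
        return "failed"
    if "Approved" in column:
        return "approved-not-signed"
    return "pending"


def issued_certificate_pem(csr: dict) -> Optional[str]:
    """Decode status.certificate, the same data that
    `kubectl get csr <name> -o jsonpath='{.status.certificate}' | base64 -d`
    prints. Returns None when nothing has been issued yet."""
    raw = csr.get("status", {}).get("certificate")
    if not raw:
        return None
    return base64.b64decode(raw).decode()


def approved_but_unsigned(csr_list: dict) -> list:
    """Names of every CSR in a `kubectl get csr -o json` list that is approved
    but carries no certificate: the symptom of a kube-controller-manager that
    has no --cluster-signing-cert-file / --cluster-signing-key-file."""
    return [item["metadata"]["name"] for item in csr_list.get("items", [])
            if diagnose(item) == "approved-not-signed"]


if __name__ == "__main__":
    for text in (SAMPLE_UNSIGNED_CSR, SAMPLE_ISSUED_CSR):
        csr = load_csr(text)
        print(csr["metadata"]["name"], condition_column(csr), diagnose(csr))
```

Running it prints `my-csr Approved approved-not-signed` for the first sample and `my-csr Approved,Issued issued` for the second; feeding the real `kubectl get csr -o json` output to `approved_but_unsigned` lists every request stuck in the state this article describes.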

Resolution

You will need to pass the following flags to the kube-controller-manager: --cluster-signing-cert-file and --cluster-signing-key-file. Without them the controller manager has no CA to sign with, so its CSR signing controller never issues a certificate for an approved request.

RKE1

In order to do this from the Rancher UI:

  1. Go to Cluster Management
  2. Select the 3-dot menu next to the desired cluster and click Edit Config
  3. Click the Edit as YAML button
  4. Under the rancher_kubernetes_engine_config.services section, replace

     kube-controller: {}

     with

     kube-controller:
       extra_args:
         cluster-signing-cert-file: /etc/kubernetes/ssl/kube-ca.pem
         cluster-signing-key-file: /etc/kubernetes/ssl/kube-ca-key.pem

  5. Click the Save button at the bottom of the screen
  6. Once the cluster finishes reconciling, go through the steps again; the certificate should now be issued

If the cluster is managed with rke up instead, add the same extra_args to the cluster.yml file and run rke up again.

RKE2

In order to do this from the Rancher UI:

  1. Go to Cluster Management
  2. Select the 3-dot menu next to the desired cluster and click Edit Config
  3. Go to the Advanced setting under cluster config
  4. Add the following additional Controller Manager Args

     cluster-signing-cert-file=/etc/kubernetes/ssl/kube-ca.pem
     cluster-signing-key-file=/etc/kubernetes/ssl/kube-ca-key.pem

  5. Click the Save button at the bottom of the screen
  6. Once the cluster finishes reconciling, go through the steps again; the certificate should now be issued

If this is a standalone RKE2 cluster, add the same two arguments to config.yaml and restart the RKE2 service.
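The two resolutions above express the same pair of flags in two shapes: a mapping under extra_args for RKE1 (cluster.yml or the YAML editor) and a list of key=value strings for RKE2 (the Controller Manager Args field, or the kube-controller-manager-arg list that standalone RKE2 reads from config.yaml). The following Python script, added here as an example and not part of the original article or of RKE, normalizes both shapes, reports which signing flags are missing or malformed, and renders the snippet to paste for each platform. The before/after fragments are constructed; the file paths are the ones this article gives.

```python
from typing import Dict, Iterable, List, Union

# The two kube-controller-manager flags this article requires.
REQUIRED_SIGNER_FLAGS = ("cluster-signing-cert-file", "cluster-signing-key-file")

# Constructed fragments, not copied from a real cluster.
# RKE1: services.kube-controller.extra_args from cluster.yml, as a mapping.
RKE1_EXTRA_ARGS_BEFORE: Dict[str, str] = {}
RKE1_EXTRA_ARGS_AFTER: Dict[str, str] = {
    "cluster-signing-cert-file": "/etc/kubernetes/ssl/kube-ca.pem",
    "cluster-signing-key-file": "/etc/kubernetes/ssl/kube-ca-key.pem",
}
# RKE2: controller manager args as a list of key=value strings, the form the
# Rancher UI field takes and the form of the kube-controller-manager-arg list
# in a standalone RKE2 config.yaml.
RKE2_ARGS_BEFORE: List[str] = []
RKE2_ARGS_AFTER: List[str] = [
    "cluster-signing-cert-file=/etc/kubernetes/ssl/kube-ca.pem",
    "cluster-signing-key-file=/etc/kubernetes/ssl/kube-ca-key.pem",
]

ArgSet = Union[Dict[str, str], Iterable[str]]


def normalize_args(args: ArgSet) -> Dict[str, str]:
    """Turn either shape into {flag: value}, tolerating leading dashes and
    surrounding whitespace so hand-edited files are judged fairly."""
    if isinstance(args, dict):
        return {str(k).strip().lstrip("-"): str(v).strip() for k, v in args.items()}
    out: Dict[str, str] = {}
    for item in args:
        key, sep, value = str(item).partition("=")
        out[key.strip().lstrip("-")] = value.strip() if sep else ""
    return out


def missing_signer_flags(args: ArgSet) -> List[str]:
    """Flags that are absent or empty; an empty list means signing can work."""
    present = normalize_args(args)
    return [f for f in REQUIRED_SIGNER_FLAGS if not present.get(f)]


def signer_config_problems(args: ArgSet) -> List[str]:
    """Human-readable findings for a pre-flight check of the config."""
    present = normalize_args(args)
    problems = [f"missing --{f}" for f in missing_signer_flags(args)]
    for f in REQUIRED_SIGNER_FLAGS:
        value = present.get(f)
        if value and not value.startswith("/"):
            problems.append(f"--{f} should be an absolute path, got {value!r}")
    cert, key = (present.get(f) for f in REQUIRED_SIGNER_FLAGS)
    if cert and key and cert == key:
        problems.append("cert file and key file point to the same path")
    return problems


def render_rke1_snippet(args: Dict[str, str]) -> str:
    """The kube-controller block to put under services in cluster.yml."""
    lines = ["kube-controller:", "  extra_args:"]
    lines += [f"    {k}: {v}" for k, v in args.items()]
    return "\n".join(lines) + "\n"


def render_rke2_config_snippet(args: Iterable[str]) -> str:
    """The kube-controller-manager-arg list for a standalone RKE2 config.yaml."""
    lines = ["kube-controller-manager-arg:"] + [f"  - {a}" for a in args]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, args in (("RKE1 before", RKE1_EXTRA_ARGS_BEFORE),
                        ("RKE1 after", RKE1_EXTRA_ARGS_AFTER),
                        ("RKE2 before", RKE2_ARGS_BEFORE),
                        ("RKE2 after", RKE2_ARGS_AFTER)):
        print(label, signer_config_problems(args) or "ok")
    print(render_rke1_snippet(RKE1_EXTRA_ARGS_AFTER))
    print(render_rke2_config_snippet(RKE2_ARGS_AFTER))
```

Point `signer_config_problems` at the parsed extra_args mapping or the argument list from your own file before saving; it flags the "before" state of both platforms as missing both flags and accepts the "after" state of either.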

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.