Migrating to custom CA certificates with RKE2

Cluster information:

Kubernetes version: v1.29.0+rke2r1
Cloud being used: bare-metal
Installation method:
Host OS: SLES 15 SP5
CNI and version: calico v3.26.3
CRI and version: v1.29.0+rke2r1

Hi there,

I need some help trying to figure out how to change the current CA certificates self-signed by rke2 to custom CA certificates without re-deploying the whole cluster, trying to minimize the loss of service.

A fresh install worked flawlessly, but I can’t figure out how to proceed on an already running cluster.

We currently have 3 master nodes and several worker nodes.
I'm following this procedure from the official documentation.
These are the steps done:

Created the intermediate CA and issued the crt and the key.
On Master 1, which was the bootstrap node, I created /opt/rke2/server/tls and placed in it:

  • Custom intermediate-ca.pem
  • Custom intermediate-ca.key
  • Custom root-ca.pem
  • A copy of /var/lib/rancher/rke2/server/tls/service.key

Downloaded and ran this script:

    curl -sL https://github.com/k3s-io/k3s/raw/master/contrib/util/generate-custom-ca-certs.sh | DATA_DIR=/opt/rke2 PRODUCT=rke2 bash -

Now the certificates have been generated in /opt/rke2/server/tls on the master server.

If I run the following command, the certificates do not change. No new token is generated either.

    rke2 certificate rotate-ca --path=/opt/rke2/server -s https://10.10.10.1:9345 --force
    certificates saved to datastore

What should I do now? Any ideas? This is supposedly supported according to the documentation… or at least that is what I understand from this:

If you used the --force option or changed the root CA, ensure that any nodes that were joined with a secure token are reconfigured to use the new token value, prior to being restarted. The token may be stored in a .env file, systemd unit, or config.yaml, depending on how the node was configured during initial installation.

Thank you so much!