Authorized cluster endpoint setup?

I know this is an old topic, but it didn’t seem to get a solid answer. I recently struggled with this, so it’s still valid. Here is the option I found.

Go in and edit your cluster, then click Edit as YAML.

In the YAML there is a section called rancher_kubernetes_engine_config. In that section there is an authentication block.
Add the additional “sans” to the certificate by adding entries like I have below.

rancher_kubernetes_engine_config:
  addon_job_timeout: 30
  authentication:
    sans:                # extra names/addresses to put in the kube-apiserver certificate
      - 10.10.60.105     # load balancer VIP
      - k8s.mydomain.com # FQDN pointed at the VIP

Save the YAML and let it regenerate your certs. That 10.10.60.105 is the VIP on my F5 load balancer. The domain is the FQDN I have pointed at the VIP. I then have my F5 set up to do layer 4 performance pass-through, and the VIP is set up for 6443.

The health check is doing a simple TCP check on 6443.

All our tools, clients, etc. are now pointing to my FQDN. Since I have all Rancher nodes acting as masters, if the API goes down (so does port 6443), the health check fails and the F5 stops directing traffic to that node till it comes back up.

Again, sorry to revive an old topic, but I am hoping this helps someone else, as it was a pain for me to find.

3 Likes
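A way to verify the setup described in the post above, as an added example that is not part of the original post and not Rancher/RKE code: after the certs are regenerated, confirm that the certificate served at the load-balancer endpoint really carries the extra SANs (otherwise kubectl and other clients pointed at the FQDN will fail TLS verification), and run the same plain TCP connect on 6443 that the F5 health monitor performs. It assumes the `openssl` CLI, `bash` and coreutils `timeout` are installed; the host name `k8s.mydomain.com` and VIP `10.10.60.105` are taken from the post, and the script and function names are my own. The self-signed demo certificate is constructed here so the checks can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from Rancher/RKE): verify that
# the certificate an RKE API endpoint presents covers the SANs configured under
# rancher_kubernetes_engine_config.authentication.sans, and that the VIP answers
# on TCP 6443 as the F5 health monitor expects. Names/addresses below are the
# post's values or assumptions for illustration.
set -u

# List the Subject Alternative Names of a PEM certificate, one per line, in
# OpenSSL's "DNS:name" / "IP Address:addr" notation.
san_list_from_pem() {   # certfile
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$'
}

# Check that every expected entry is among the certificate's SANs. Dotted-quad
# arguments are matched as IP SANs, anything else as DNS SANs. Returns 0 when
# all are present, 1 when any is missing (each missing one is reported).
check_sans() {   # certfile expected...
  local cert="$1"; shift
  local sans want e missing=0
  sans="$(san_list_from_pem "$cert")"
  for e in "$@"; do
    case "$e" in
      *[!0-9.]*) want="DNS:$e" ;;
      *)         want="IP Address:$e" ;;
    esac
    if printf '%s\n' "$sans" | grep -qxF -- "$want"; then
      echo "present: $want"
    else
      echo "MISSING: $want"
      missing=1
    fi
  done
  return "$missing"
}

# Fetch the leaf certificate the endpoint serves (what kubectl will validate).
# SNI is sent because a layer 4 pass-through VIP hands the TLS handshake
# straight to kube-apiserver.
fetch_endpoint_cert() {   # host port outfile
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Plain TCP connect on the API port, the same test the F5 monitor runs: when
# kube-apiserver on a node is down, 6443 stops answering and the node is pulled.
tcp_check() {   # host port
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Constructed sample input: a self-signed cert carrying the same SANs as the
# post's YAML, so the checks can be exercised without a live cluster.
make_demo_cert() {   # certfile keyfile
  local cfg rc
  cfg="$(mktemp)"
  cat > "$cfg" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = kube-apiserver
[v3]
subjectAltName = DNS:k8s.mydomain.com,IP:10.10.60.105
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -config "$cfg" -keyout "$2" -out "$1" >/dev/null 2>&1
  rc=$?
  rm -f "$cfg"
  return "$rc"
}

# Usage: check_api_sans.sh <fqdn-or-vip> <port> <expected SAN>...
# e.g.   check_api_sans.sh k8s.mydomain.com 6443 10.10.60.105 k8s.mydomain.com
main() {
  local host="$1" port="$2" tmp rc; shift 2
  tmp="$(mktemp)"
  if ! tcp_check "$host" "$port"; then
    echo "tcp check failed: $host:$port is not accepting connections"
    rm -f "$tmp"; return 2
  fi
  fetch_endpoint_cert "$host" "$port" "$tmp"
  check_sans "$tmp" "$@"
  rc=$?
  rm -f "$tmp"
  return "$rc"
}

if [ "$#" -ge 3 ]; then
  main "$@"
fi
```

Run it against the FQDN and again against the raw VIP: if the F5 is a true layer 4 pass-through, both should return the node's kube-apiserver certificate and both expected SANs should show as present. A MISSING line after regenerating certs usually means the edited YAML was not applied to all control-plane nodes yet.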