Setting up TLS CA for Kubernetes

We are using Rancher 1.6.15 to manage a K8S 1.9.5 cluster from the catalog template. I cannot figure out how to get k8s cluster TLS cert signing to work.

Currently, if I create a CSR:
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: app-tls-csr
spec:
  groups:
  - system:authenticated
  request:
  usages:
  - digital signature
  - key encipherment
  - server auth

submit it:
kubectl create -f csr.yaml

and approve it:
kubectl certificate approve app-tls-csr

The CSR shows as approved, but never Issued:
$ kc get certificatesigningrequest
NAME                  AGE   REQUESTOR   CONDITION
app-tls-csr.default   7h    admin       Approved

According to the k8s TLS docs:

We need to add these params to the kube-controller-manager
--cluster-signing-cert-file="/etc/path/to/kubernetes/ca/ca.crt" --cluster-signing-key-file="/etc/path/to/kubernetes/ca/ca.key"

Looking at my existing k8s processes, these are not being supplied by Rancher, and I see no variables in the template that can add additional args to the kube-controller-manager.

Can anyone suggest how to get TLS working properly within k8s managed by Rancher?
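
An added example (not part of the original post, and not Rancher or Kubernetes code): a Python check that separates "approved" from "issued" in `kubectl get csr -o json` output and reports which of the two signing flags quoted above are absent from a kube-controller-manager command line. The sample CSR list and the command line are constructed for illustration.

```python
import json
import shlex

# The two flags quoted from the k8s TLS docs in the post above.
SIGNING_FLAGS = ("--cluster-signing-cert-file", "--cluster-signing-key-file")

# Constructed sample, shaped like `kubectl get csr -o json` output.
SAMPLE_CSRS = json.loads("""
{"items": [{"metadata": {"name": "app-tls-csr"},
            "status": {"conditions": [{"type": "Approved"}]}}]}
""")
# Constructed sample command line (paths are placeholders).
SAMPLE_CMDLINE = ("kube-controller-manager --kubeconfig=/etc/kubernetes/ssl/kubeconfig "
                  "--root-ca-file=/etc/kubernetes/ssl/ca.pem")

def csr_state(csr):
    """Classify one CertificateSigningRequest object (parsed JSON)."""
    status = csr.get("status") or {}
    types = {c.get("type") for c in status.get("conditions") or []}
    if "Denied" in types:
        return "Denied"
    if "Approved" not in types:
        return "Pending"
    # Approval only records the decision; the signer has to fill
    # status.certificate before the request counts as issued.
    return "Issued" if status.get("certificate") else "Approved, not issued"

def missing_signing_flags(cmdline):
    """Return the signing flags absent from a controller-manager command line."""
    # Accept both "--flag=value" and "--flag value" spellings.
    present = {tok.split("=", 1)[0] for tok in shlex.split(cmdline)}
    return [flag for flag in SIGNING_FLAGS if flag not in present]

def diagnose(csr_list, cmdline):
    """List findings for CSRs that were approved but never received a certificate."""
    stuck = [item["metadata"]["name"] for item in csr_list.get("items", [])
             if csr_state(item) == "Approved, not issued"]
    findings = [f"{name}: approved but status.certificate is empty" for name in stuck]
    missing = missing_signing_flags(cmdline)
    if stuck and missing:
        findings.append("kube-controller-manager lacks: " + ", ".join(missing))
    return findings

if __name__ == "__main__":
    for line in diagnose(SAMPLE_CSRS, SAMPLE_CMDLINE):
        print(line)
```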