We are using Rancher 1.6.15 to manage a K8S 1.9.5 cluster from the catalog template. I cannot figure out how to get k8s cluster TLS cert signing to work.
Currently, if I create a CSR:
apiVersion: certificates.k8s.io/v1beta1
kind: CertificateSigningRequest
metadata:
  name: app-tls-csr
spec:
  groups:
  - system:authenticated
  request:
  usages:
  - digital signature
  - key encipherment
  - server auth
submit it:
kubectl create -f csr.yaml
and approve it:
kubectl certificate approve app-tls-csr
The CSR shows as approved, but never Issued:
$ kc get certificatesigningrequest
NAME AGE REQUESTOR CONDITION
app-tls-csr.default 7h admin Approved
According to the k8s TLS docs:
We need to add these params to the kube-controller-manager
--cluster-signing-cert-file="/etc/path/to/kubernetes/ca/ca.crt" --cluster-signing-key-file="/etc/path/to/kubernetes/ca/ca.key"
Looking at my existing k8s processes, these are not being supplied by Rancher, and I see no variables in the template that can add additional args to the kube-controller-manager.
Can anyone suggest how to get TLS working properly within k8s managed by rancher?
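
Added example, not part of the original post and not Rancher or Kubernetes project code: a shell helper that separates "Approved" from "Issued" for a CSR and checks a kube-controller-manager command line for the two signing flags quoted above. The function names and the sample command lines are hypothetical and constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Function names are hypothetical; sample inputs are constructed.

# Succeed only if the command line carries both signing flags with a value.
has_signing_flags() {
    local cmdline=" $1 " flag
    for flag in --cluster-signing-cert-file --cluster-signing-key-file; do
        case "$cmdline" in
            *" $flag="[![:space:]]*|*" $flag "[![:space:]-]*) ;;  # flag=value or flag value
            *) return 1 ;;
        esac
    done
}

# Classify a CSR from its condition types and .status.certificate (may be empty).
csr_state() {
    case " $1 " in *" Denied "*) echo Denied; return ;; esac
    case " $1 " in
        *" Approved "*) if [ -n "$2" ]; then echo Issued; else echo Approved; fi ;;
        *) echo Pending ;;
    esac
}

# Args: condition types, certificate, controller-manager command line.
diagnose() {
    case "$(csr_state "$1" "$2")" in
        Issued)  echo "issued: certificate is in .status.certificate" ;;
        Denied)  echo "denied: no certificate will be issued" ;;
        Pending) echo "pending: not approved yet" ;;
        Approved)
            if has_signing_flags "$3"; then
                echo "approved, signing flags set: check controller-manager logs"
            else
                echo "approved, not issued: signing flags missing"
            fi ;;
    esac
}

# Live wrapper; assumes kubectl access and that ps can see the controller-manager.
diagnose_live() {
    diagnose \
        "$(kubectl get csr "$1" -o jsonpath='{.status.conditions[*].type}')" \
        "$(kubectl get csr "$1" -o jsonpath='{.status.certificate}')" \
        "$(ps -eo args | grep '[k]ube-controller-manager')"
}

# Constructed command lines: one without the flags, one with the flags from the docs.
SAMPLE_NO_FLAGS='kube-controller-manager --kubeconfig=/example/kubeconfig --leader-elect=true'
SAMPLE_WITH_FLAGS="$SAMPLE_NO_FLAGS --cluster-signing-cert-file=/etc/path/to/kubernetes/ca/ca.crt --cluster-signing-key-file=/etc/path/to/kubernetes/ca/ca.key"
diagnose "Approved" "" "$SAMPLE_NO_FLAGS"
```

On a live cluster, `diagnose_live app-tls-csr` runs the same classification against the real CSR and the running controller-manager process.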