rke2.yaml with server address lookpback (127.0.0.1) not LB

[cloudcafetech]

Below steps when buildings RKE2 cluster on RHEL 8 & F5 LB (rancher.example.com) with signed CA loaded.

mkdir -p /etc/rancher/rke2
cat << EOF >  /etc/rancher/rke2/config.yaml
token: pkls-secret
write-kubeconfig-mode: "0644"
tls-san:
  - rancher.example.com
EOF

curl -sfL https://get.rke2.io | INSTALL_RKE2_CHANNEL=v1.20 sh -
systemctl enable rke2-server.service
systemctl start rke2-server.service

Cluster build OK. When I look kubeconfig file (/etc/rancher/rke2/rke2.yaml) its a loopback (server: https://127.0.0.1:6443) not LB (rancher.example.com)

That OK, I am able to get cluster details.

But if I change server address with LB (rancher.example.com) in kubeconfig file (/etc/rancher/rke2/rke2.yaml) then getting following error ...

Unable to connect to the server: x509: certificate signed by unknown authority

[brandond]

Yes, the local admin kubeconfig on each server points at the local apiserver instance. Agents don't have an admin kubeconfig, but their kubelet kubeconfig points at a client loadbalancer that distributes connections between servers. The external LB address is only used when initially connecting to the cluster. This is covered in the RKE2 HA documentation.

[cloudcafetech]

I am using RKE2 HA, even after setting up 3 CP also facing same x509 error..

Unable to connect to the server: x509: certificate signed by unknown authority

[cloudcafetech]

I can download certificate from LB and use it. Right?
But how to use it RKE2, that you need to help me please.

[brandond]

No, you should configure your LB to disable ssl termination. It should be a plain TCP load balancer.

[cloudcafetech]

This setup standard in onprem, I can't change company rule. Need to figure out like this scenario.

[cloudcafetech]

By the way, where (path) RKE2 keep certificate and static pod yaml ?

[cloudcafetech]

I think that can solve if you tell me how to add certificate (pem) of fqdn (LB) in RK2 config file ... how normally we do in GUI