Comments (4)
Since the kube-apiserver runs in a container, startup arguments come from the rke2 config file. It is exposed through the terraform module via the rke2_config argument. Your terraform file should contain something like this:
```hcl
module "rke2" {
  ...
  rke2_config = <<-EOT
    kube-apiserver-arg:
    - "service-account-issuer=<OIDC provider URL>"
    - "service-account-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer-pkcs8.pub"
    - "service-account-key-file=/var/lib/rancher/rke2/server/tls/service.key"
    - "service-account-signing-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer.key"
  EOT
  ...
}
```
You can see the config file documentation at https://docs.rke2.io/install/install_options/install_options/#configuration-file and get the full list of arguments available that can be passed to the rke2 server at https://docs.rke2.io/install/install_options/server_config/.
from rke2-aws-tf.
Thanks @adamacosta I will look into this!
@adamacosta I tried this out and it worked! Seems like I didn't even need to specify the volume and mounts which I thought would be required for the pod to access the files on the master node. The only concern I have is that it will not allow you to specify two service-account-key-file's. The sa-signer-pkcs8.pub is the new key I need for IAM Roles for Service Accounts (IRSA) to work.
Do you know if the default tls service.key in there even matters or will it just utilize the new service-account-key-file for IRSA that I provided for anything that the default key was used for? I'm able to successfully deploy rke2 with only specifying my new key, but I'm not sure how to tell/test if replacing it will cause issues in other areas.
I suspect it's just going to use your key and not the generated key, but I'm not totally certain of that. You might consider asking on the Rancher community forum or the Rancher users slack server to see if you can get an answer from the RKE2 developers directly.
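As an added check (not code from the thread or from the rke2-aws-tf module), the script below parses a kube-apiserver-arg list like the one above into the flags kube-apiserver receives and reports on the question raised here: kube-apiserver accepts --service-account-key-file more than once and verifies tokens against every listed key, so dropping the pre-existing tls/service.key makes tokens that were signed with that key fail. The issuer URL is a placeholder, and the parser assumes the list-of-"key=value"-strings form shown in the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the rke2_config body from the thread with a placeholder
# issuer URL and the pre-existing tls/service.key kept next to the IRSA key.
SAMPLE_CONFIG = """\
kube-apiserver-arg:
- "service-account-issuer=https://oidc.example.com"
- "service-account-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer-pkcs8.pub"
- "service-account-key-file=/var/lib/rancher/rke2/server/tls/service.key"
- "service-account-signing-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer.key"
"""
DEFAULT_SA_KEY = "/var/lib/rancher/rke2/server/tls/service.key"

def parse_apiserver_args(text):
    """Return (key, value) pairs from the kube-apiserver-arg list of "key=value"
    strings. rke2 passes each item as its own --key=value flag, so a repeated
    key (two service-account-key-file entries) is legitimate."""
    args, in_list = [], False
    for line in text.splitlines():
        if re.match(r"^kube-apiserver-arg:\s*$", line):
            in_list = True
            continue
        item = re.match(r'^\s*-\s*"?([^"=]+)=([^"]*)"?\s*$', line)
        if in_list and item:
            args.append((item.group(1).strip(), item.group(2).strip()))
        elif in_list and line.strip() and not line.startswith((" ", "-")):
            in_list = False  # the next top-level key ends the list
    return args

def render_flags(args):
    """The flags kube-apiserver will actually receive."""
    return [f"--{k}={v}" for k, v in args]

def check_irsa_args(args):
    """Findings for an IRSA-style service-account token configuration."""
    by_key, findings = {}, []
    for k, v in args:
        by_key.setdefault(k, []).append(v)
    issuer = by_key.get("service-account-issuer", [])
    if len(issuer) != 1 or urlparse(issuer[0]).scheme != "https":
        findings.append("service-account-issuer must be exactly one https:// URL")
    if not by_key.get("service-account-signing-key-file"):
        findings.append("service-account-signing-key-file is missing")
    # kube-apiserver verifies tokens against every listed key file, so dropping
    # the pre-existing service.key rejects tokens that were signed with it.
    if DEFAULT_SA_KEY not in by_key.get("service-account-key-file", []):
        findings.append(f"{DEFAULT_SA_KEY} not listed: tokens signed by the previous key will fail")
    return findings
```

Running `check_irsa_args(parse_apiserver_args(SAMPLE_CONFIG))` on the sample returns no findings; removing the service.key entry from the list produces one.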