Expand Up @@ -42,8 +42,24 @@ kubectl -n cattle-system create secret generic tls-ca \

The configured `tls-ca` secret is retrieved when Rancher starts. On a running Rancher installation the updated CA will take effect after new Rancher pods are started.

The certificate chain must be properly formatted, or components may fail to download resources from the Rancher server.

:::

## Adding Additional CA Certificates

If you are using a node driver which makes API requests using a different CA than the one configured for Rancher, additional root certificates and certificate chains can be added.
Contributor

Suggested change
If you are using a node driver which makes API requests using a different CA than the one configured for Rancher, additional root certificates and certificate chains can be added.
If you are using a node driver that makes API requests with a different CA than the one configured for Rancher, you can add additional root certificates and certificate chains.


Create a unique file ending in `.pem` for each certificate that is required, and use kubectl to create the
`tls-additional` secret in the `cattle-system` namespace.

```
Contributor

Suggested change
```
```console

kubectl -n cattle-system create secret generic tls-additional \
--from-file=cacerts1.pem=cacerts1.pem --from-file=cacerts2.pem=cacerts2.pem
```

These CA root certificates and certificate chains will be mounted into the node driver pod during provisioning.
Contributor

Suggested change
These CA root certificates and certificate chains will be mounted into the node driver pod during provisioning.
Rancher mounts these CA root certificates and certificate chains into the node driver pod during provisioning.


## Updating a Private CA Certificate

Follow the steps on [this page](update-rancher-certificate.md) to update the SSL certificate of the ingress in a Rancher [high availability Kubernetes installation](../install-upgrade-on-a-kubernetes-cluster/install-upgrade-on-a-kubernetes-cluster.md) or to switch from the default self-signed certificate to a custom certificate.
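
Review bot: The sentence above the closing `:::`, "The certificate chain must be properly formatted, or components may fail to download resources from the Rancher server," leaves "properly formatted" undefined, so a reader whose downloads fail has nothing to check against; state the expected encoding and certificate order there, or link to the page that does. In the "Adding Additional CA Certificates" section, the `kubectl -n cattle-system create secret generic tls-additional` command only covers first-time creation, and `kubectl create` fails when the secret already exists, so a sentence on how to add or replace a CA later would help. It is also worth saying that the `.pem` files should hold certificates only, since the section states that the secret's contents are mounted into the node driver pod during provisioning.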