From 5a36f98bdd035b47c6f53533146c328f279e6870 Mon Sep 17 00:00:00 2001 From: Jake Hyde Date: Thu, 28 Aug 2025 14:37:23 -0400 Subject: [PATCH] Add docs for tls-additional --- .../resources/add-tls-secrets.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/getting-started/installation-and-upgrade/resources/add-tls-secrets.md b/docs/getting-started/installation-and-upgrade/resources/add-tls-secrets.md index 24c0bfe786e3..db52f5a4a023 100644 --- a/docs/getting-started/installation-and-upgrade/resources/add-tls-secrets.md +++ b/docs/getting-started/installation-and-upgrade/resources/add-tls-secrets.md 
@@ -42,8 +42,24 @@ kubectl -n cattle-system create secret generic tls-ca \ The configured `tls-ca` secret is retrieved when Rancher starts. On a running Rancher installation the updated CA will take effect after new Rancher pods are started. +The certificate chain must be properly formatted, or components may fail to download resources from the Rancher server. + ::: +## Adding Additional CA Certificates + +If you are using a node driver which makes API requests using a different CA than the one configured for Rancher, additional root certificates and certificate chains can be added. + +Create a unique file ending in `.pem` for each certificate that is required, and use kubectl to create the +`tls-additional` secret in the `cattle-system` namespace. + +``` +kubectl -n cattle-system create secret generic tls-additional \ + --from-file=cacerts1.pem=cacerts1.pem --from-file=cacerts2.pem=cacerts2.pem +``` + +These CA root certificates and certificate chains will be mounted into the node driver pod during provisioning. + ## Updating a Private CA Certificate Follow the steps on [this page](update-rancher-certificate.md) to update the SSL certificate of the ingress in a Rancher [high availability Kubernetes installation](../install-upgrade-on-a-kubernetes-cluster/install-upgrade-on-a-kubernetes-cluster.md) or to switch from the default self-signed certificate to a custom certificate.
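Review bot: In the new "Adding Additional CA Certificates" section, "Create a unique file ending in `.pem`" does not say whether the `.pem` suffix matters for the file on disk or for the secret key (the left-hand side of `--from-file=cacerts1.pem=cacerts1.pem`); since the two can differ, state which one the node driver pod relies on. The section also leaves out when the secret takes effect: the `tls-ca` text just above says the updated CA applies after new Rancher pods are started, and `tls-additional` needs an equivalent sentence, for example whether it only applies to provisioning that starts after the secret exists. The added line "The certificate chain must be properly formatted" would be more useful if it said what properly formatted means here. Because these files are mounted into the node driver pod and extend what it trusts, it is also worth stating that they should contain only public CA certificates and never private keys.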