After the tls-rancher-ingress & tls-ca.yaml [ cert ] replacement all the child or managed cluster are in the " Configuring bootstrap node(s) custom-1089dcc37e79: waiting for plan to be applied " state or updating phase.

[DipindasThayyil]

After the tls-rancher-ingress & tls-ca.yaml [ cert - rke2 ] replacement all the child or managed cluster are in the " Configuring bootstrap node(s) custom-1089dcc37e79: waiting for plan to be applied " state or updating phase.

As of now I've performed the below steps. Any suggestion ?

Child Cluster K8s version - v1.28.10+rke2r1

rancher manager v2.8.5

kubectl -n cattle-system get secret tls-rancher-ingress  -o yaml  > tls-rancher-ingress-orig.yaml 

kubectl -n cattle-system create secret tls tls-rancher-ingress
--cert=tls.crt
--key=tls.key
--dry-run=client --save-config -o yaml | kubectl apply -f -

kubectl rollout restart deploy/rancher -n cattle-system

cp tls-ca.yaml tls-ca-bk.yaml
sed -i "s|^( cacerts.pem: ).|\1$(cat encoded.txt)|" tls-ca.yaml
more tls-ca.yaml
ls -lrt
k get secrets tls-ca -n cattle-system -o yaml
kubectl replace -f tls-ca.yaml
kubectl -n cattle-system get secret tls-ca
kubectl -n cattle-system rollout restart deployment rancher

As per the managed cluster conditions

Provisioned Unknown 45 mins ago [Waiting] configuring bootstrap node(s) custom-1089dcc37e79: waiting for plan to be applied
Ready False 8 hours ago [Disconnected] Cluster agent is not connected

[brandond]

This is a Rancher issue, not RKE2. Please check Rancher docs on how to rotate or replace the ingress certificate.