In content/en/docs/getting-started/on-prem.md, the automated flow runs:
./hack/membership/joinMC.sh $TAG <HUB-CLUSTER-NAME> <MEMBER-CLUSTER-NAME> ...
The script at hack/membership/joinMC.sh runs helm upgrade --install member-agent but does not pass --set config.hubCA=.... The member-agent chart (charts/member-agent/values.yaml) defaults tlsClientInsecure to false, meaning TLS is enforced. Without setting config.hubCA, the member agent cannot verify the hub cluster's TLS certificate and the join will fail.
The on-prem.md should either:
- Document that users must set
HUB_CA before running the script and pass it to the script, or
- Show how to set
config.hubCA as an additional --set flag when calling the script, matching what the manual join section already does.
The manual join section in this same doc already correctly extracts HUB_CA via kubectl config view --raw and passes it as --set config.hubCA=$HUB_CA.
In
content/en/docs/getting-started/on-prem.md, the automated flow runs:The script at
hack/membership/joinMC.shrunshelm upgrade --install member-agentbut does not pass--set config.hubCA=.... The member-agent chart (charts/member-agent/values.yaml) defaultstlsClientInsecuretofalse, meaning TLS is enforced. Without settingconfig.hubCA, the member agent cannot verify the hub cluster's TLS certificate and the join will fail.The on-prem.md should either:
HUB_CAbefore running the script and pass it to the script, orconfig.hubCAas an additional--setflag when calling the script, matching what the manual join section already does.The manual join section in this same doc already correctly extracts
HUB_CAviakubectl config view --rawand passes it as--set config.hubCA=$HUB_CA.