Channels
extensions
rancher-extensions
supermicro-sixsq
ozt
os
one-point-x
rio
onlinemeetup
v16-v21-migration
events
onlinetraining
training-1220
training-0110
training-0124
k3s-contributor
submariner
storage
k3os
windows
ci-cd
theranchcast
rfed_ara
nederlands
ukranian
danish
training-0131
masterclass
training-0207
training-0214
terraform-controller
epinio
phillydotnet
swarm
rancher-wrangler
deutsch
russian
chinese
mesos
français
japanese
arm
longhorn-dev
terraform-provider-rke
service-mesh
azure
gcp
academy
random
elemental
espanol
lima
harvester-dev
portugues
kubernetes
kim
hypper
kubewarden
opni
logging
neuvector-security
rancher-setup
developer
office-hours
mexico
cabpr
rke
vsphere
longhorn-storage
k3s
k3d
terraform-provider-rancher2
fleet
amazon
harvester
rke2
s3gw
hobbyfarm
rancher-desktop
general
Title
h
helpful-beard-54962
03/25/2023, 1:22 AMDoes anyone have experience with Rancher GKE clusters ingress? I installed the nginx-ingress, works, but doesn't use SSL, only port 80. I added certificates, I tried everything in the documentation
r
refined-analyst-8898
03/25/2023, 1:30 AMNot in GKE specifically, no. Do you think the problem is unique to GKE?
h
helpful-beard-54962
03/25/2023, 1:31 AMI don't know if it's only on GKE.
Problem:
Nginx-ingress always forwards to port 80, it works.
443 returns 404 NOT Found.
All the necessary configs that work on another AWS cluster are there
r
refined-analyst-8898
03/25/2023, 1:35 AMOh, interesting. So what's the value of
spec.tls.*.hostshostspec.rules.*.hostThe load balancer will only route the request properly if the DNS name matches
hosth
helpful-beard-54962
03/25/2023, 1:37 AMThe DNS routes correctly on port 80.
tls is a wildcard that seems to be pe applied successfully. Browser shows valid certificate
r
refined-analyst-8898
03/25/2023, 1:38 AMYour server certificate has a wildcard DNS SAN, right?
h
helpful-beard-54962
03/25/2023, 1:39 AMYes. The Certificate is correctly validates as wildcard. I tested it on a different cluster and it works
r
refined-analyst-8898
03/25/2023, 1:40 AMHere is a functioning Ingress example.
apiVersion: <http://networking.k8s.io/v1|networking.k8s.io/v1>
kind: Ingress
metadata:
annotations:
<http://cert-manager.io/issuer|cert-manager.io/issuer>: rancher
<http://cert-manager.io/issuer-kind|cert-manager.io/issuer-kind>: Issuer
<http://field.cattle.io/publicEndpoints|field.cattle.io/publicEndpoints>: '[{"addresses":["192.168.5.15"],"port":443,"protocol":"HTTPS","serviceName":"cattle-system:rancher","ingressName":"cattle-system:rancher","hostname":"<http://rancher.example.com|rancher.example.com>","allNodes":false}]'
<http://meta.helm.sh/release-name|meta.helm.sh/release-name>: rancher
<http://meta.helm.sh/release-namespace|meta.helm.sh/release-namespace>: cattle-system
<http://nginx.ingress.kubernetes.io/proxy-connect-timeout|nginx.ingress.kubernetes.io/proxy-connect-timeout>: "30"
<http://nginx.ingress.kubernetes.io/proxy-read-timeout|nginx.ingress.kubernetes.io/proxy-read-timeout>: "1800"
<http://nginx.ingress.kubernetes.io/proxy-send-timeout|nginx.ingress.kubernetes.io/proxy-send-timeout>: "1800"
creationTimestamp: "2023-03-23T00:13:53Z"
generation: 1
labels:
app: rancher
<http://app.kubernetes.io/managed-by|app.kubernetes.io/managed-by>: Helm
chart: rancher-2.7.1
heritage: Helm
release: rancher
name: rancher
namespace: cattle-system
resourceVersion: "2223"
uid: 1f78f424-c9a3-4bae-9379-75d193409d35
spec:
ingressClassName: traefik
rules:
- host: <http://rancher.example.com|rancher.example.com>
http:
paths:
- backend:
service:
name: rancher
port:
number: 80
pathType: ImplementationSpecific
tls:
- hosts:
- <http://rancher.example.com|rancher.example.com>
secretName: tls-rancher-ingress
status:
loadBalancer:
ingress:
- ip: 192.168.5.15I was pointing out the necessary symmetry between the two occurrences of
<http://rancher.example.com|rancher.example.com>spec.rulesspec.tlsh
helpful-beard-54962
03/25/2023, 1:43 AMYes, this is identical to my config
tls:
- hosts:
- '*.<http://example.com|example.com>'r
refined-analyst-8898
03/25/2023, 1:44 AMThat is the problem. It should not be a wildcard in this spot, but the expected DNS name instead.
The web client/user agent is the audience for the wildcard DNS SAN, not this load balancer.
h
helpful-beard-54962
03/25/2023, 1:45 AMok, updating now ...
wow. worked. Testing some more
so even if the certificate is a wildcard, the host must be the full path, correct?
r
refined-analyst-8898
03/25/2023, 1:48 AMYes, you must program Nginx to match some DNS name with a cluster service. I believe Nginx can handle a wildcard scenario, but I'm not certain how to express that in an Ingress resource.
This resource suggests there is some support for wildcard hosts since K8s 1.18.
https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/basic-configuration/#new-features-available[…]bernetes-118-and-above
There's certainly support for wildcard hosts in K8s Ingress, but they don't give an example of a wildcard TLS host pattern.
https://kubernetes.io/docs/concepts/services-networking/ingress/#hostname-wildcards
h
helpful-beard-54962
03/25/2023, 1:57 AMgreat. seems to be working now. Thanks!
r
refined-analyst-8898
03/25/2023, 2:00 AMYou're welcome!
This post does give an example of wildcard TLS host. Maybe it was a stray keystroke error preventing the match?
https://docs.digitalocean.com/tutorials/set-up-nginx-ingress-controller-to-use-wildcard-certificates/#step-5-set-up-nginx-t[…]-wildcard-certificates
h
helpful-beard-54962
03/25/2023, 2:09 AMNo, so what happens is the moment I add * to the host in TLS it automatically reverts back to HTTP. If add the host as exact match, then it works with SSL