refined-analyst-8898

03/27/2023, 12:33 PM
I've migrated a workload to RKE2, a distro that's still new to me. The application requires ingress SSL-passthrough (as opposed to termination), which is not enabled by default in RKE2's tailoring of the ingress-nginx chart. That's expected, but I'm hesitant to customize it because I don't have a complete mental map of the life cycle, especially upgrades. I've patched the daemonset to add the optional arg. It'd be helpful to hear from someone more familiar with RKE2 that this is entirely expected or a patently bad idea!
$ k get daemonsets.apps rke2-ingress-nginx-controller \
    --namespace kube-system \
    --output go-template='{{ range ((index .spec.template.spec.containers 0).args) }}{{.}}{{"\n"}}{{end}}'
/nginx-ingress-controller
--election-id=ingress-controller-leader
--controller-class=k8s.io/ingress-nginx
--ingress-class=nginx
--configmap=$(POD_NAMESPACE)/rke2-ingress-nginx-controller
--validating-webhook=:8443
--validating-webhook-certificate=/usr/local/certificates/cert
--validating-webhook-key=/usr/local/certificates/key
--watch-ingress-without-class=true

$ k patch daemonsets.apps "rke2-ingress-nginx-controller" \
            --namespace kube-system \
            --type json \
            --patch '[{"op": "add",
                "path": "/spec/template/spec/containers/0/args/-",
                "value":"--enable-ssl-passthrough"
            }]'
daemonset.apps/rke2-ingress-nginx-controller patched

$ k get daemonsets.apps rke2-ingress-nginx-controller \
    --namespace kube-system \
    --output go-template='{{ range ((index .spec.template.spec.containers 0).args) }}{{.}}{{"\n"}}{{end}}'
/nginx-ingress-controller
--election-id=ingress-controller-leader
--controller-class=k8s.io/ingress-nginx
--ingress-class=nginx
--configmap=$(POD_NAMESPACE)/rke2-ingress-nginx-controller
--validating-webhook=:8443
--validating-webhook-certificate=/usr/local/certificates/cert
--validating-webhook-key=/usr/local/certificates/key
--watch-ingress-without-class=true
--enable-ssl-passthrough

careful-mouse-42236

03/27/2023, 12:57 PM
I'm used to installing RKE2 without NGINX Ingress Controller, then installing & managing it in a GitOps way with the official Helm chart (https://kubernetes.github.io/ingress-nginx/). It works fine. I use chart parameters to configure it, like nginx.ingress.kubernetes.io/ssl-passthrough.

refined-analyst-8898

03/27/2023, 1:29 PM
Now I see that this appears to be viable as well.
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      extraArgs:
        enable-ssl-passthrough: true
I confirmed that applying the above manifest in namespace kube-system re-added the extra arg to the daemonset deployment.