This message was deleted.

I want to access Rancher Manager privately with verifiable certs, not the dynamic certs Rancher issues to itself. I think I've exhausted all the alternatives looking for this: external TLS, source "secret", source "rancher", and source "letsEncrypt". All of these provide TLS, but none of them provide a verifiable cert terminating TLS on the pod itself.

Is https://kubernetes.github.io/ingress-nginx/user-guide/tls/#ssl-passthrough something other than what you're looking for? My understanding is that for this sort of thing you need to look into the upstream documentation, as Rancher's fairly agnostic. Now, you may want to do that on a separate ingress controller instance, but it should be feasible.

Thanks, @rough-farmer-49135. I want to configure the Rancher container with a private key and certificate so it can terminate TLS on the pod, not an Ingress or other external proxy. The Helm chart, if I understand it correctly, is opinionated on this point and insists on providing a "dynamic" TLS server certificate, but I want to bring my own certificate.

I tend to have wildcard DNS in front of my cluster and separate pods by hostname. With that I'm fairly sure I got SSL directly to the pod (I was messing with it for a security application that wanted to do 2 way SSL between parts of it that it expected to use a load balancer for but I didn't have spare IPs and was trying to shoehorn through NGINX ingress controller and I did get it working while breaking everything else expecting plain text, but since it wasn't my app I'm not 100% sure).

I have a certificate I want to use with Rancher, and the cluster service TCP proxy is sufficient for load balancing across the pods that share that server certificate configuration. I will provide my own private point of entry to the cluster service, and so I do not need a gateway or ingress resource in this case.

You should verify Rancher's ingress and make sure you've got whatever is there covered and at that point you could use a LoadBalancer while removing the ingress controller and have direct TCP access with that?

Direct TCP / TLS-passthrough to the Rancher ClusterIP service is what I'm after, but I want to avoid an outward-facing exposure with a Gateway or Ingress. I have no problem providing my own private, L4 path to the ClusterIP, so I just need the Rancher pods to terminate TLS with the certificate that I provide in the form of a Kubernetes Secret of type

tls

, i.e., the type that is managed by Cert Manager. Thanks for helping me think through the options here.

Good luck. I've about exhausted my ideas, hope one of them or something one jogged loose helps.

Another alternative that Rancher doesn't seem to support yet is specifying the certificate issuer when TLS source is LetsEncrypt. Currently, Rancher insists on creating a LE issuer which can solve HTTP01 challenges only, but my goal is to terminate TLS for a private Rancher with a certificate I obtained through a DNS01 challenge, which does not require public internet ingress nor Kubernetes Ingress.