# general
p
Rancher HTTPS needs to be reachable by the downstream cluster. That's about all. Rancher does not need to reach the cluster.
q
So basically Rancher needs to be publicly available for cluster agents to work? Private certs seems like a pain to manage and configure to work with the cluster agents. I haven't really seen much documentation on my use case at all.
p
Rancher needs to be reachable one way or another. You could use a VPN or a proxy (that handles websockets); that would work too.
q
How would you configure the cluster agents to work with a VPN? Would you have to bake your own image?
p
the cluster agents try to use the node networking...?
q
Ah ok, then I can probably do that and bake the VPN into the nodes. That seems possible. We've been using the default EKS nodes, but I know it's possible to set up custom nodes.
p
You didn't say you were using EKS...
q
Oh, well I am using EKS
You can use custom AMIs in EKS.
p
I'm unfamiliar with AWS, but on Azure I had previously put an IPsec tunnel from my private infrastructure to a vnet inside our tenant. Some manual routing had to be put in place, but afterwards, even managed apps could access my private infra.
q
Did you have private certs in your setup?
p
Yep, private CA.
q
How did you set up the cluster agents to work with the private authority? Does it not have trouble with private authorities?
q
Thanks.
p
The tricky part is allowing managed apps to trust the custom CA, but that's not related to Rancher.