Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
l
little-ambulance-5584
08/22/2022, 10:42 PMIs the helm deployment of rancher still pretty well supported? the chart seems very limiting https://github.com/rancher/rancher/tree/release/v2.6/chart
c
creamy-pencil-82913
08/22/2022, 10:56 PMlimiting how? that’s the most common way it’s deployed for production use.
l
little-ambulance-5584
08/22/2022, 10:57 PMWell the first issue I've ran into is the lack of a custom cert-manager issuer. Let's say you have a cluster that already has a default, or one you want to specify
Not everyone can validate over HTTP-01, especially if it's a private ingress.
c
creamy-pencil-82913
08/22/2022, 11:00 PMmost folks deploy Rancher to a dedicated management cluster, and then put their apps on clusters managed by rancher. so, having existing stuff on there that it would conflict with isn’t very common
l
little-ambulance-5584
08/22/2022, 11:03 PMI can see that, do most use a public rancher endpoint to validate over letsencrypt though?
Where I'm at now we have a standard set of helmfiles we use to deploy baselines for clusters so we can have a standardized versioning of tools (including cert-manager)
c
creamy-pencil-82913
08/22/2022, 11:03 PMl
little-ambulance-5584
08/22/2022, 11:04 PMYeah, looks like I can create another certificate resource, I can of course do a post helm chart to fix this.
c
creamy-pencil-82913
08/22/2022, 11:04 PMyes, it’s usually deployed to a public endpoint so that all the clusters can get to it
folks that are doing air-gap with private ingress usually also have their own PKI that they want to use, so LE support isn’t important
does the last comment on that issue not work for you?
l
little-ambulance-5584
08/22/2022, 11:05 PMIt just means splitting off another chart to add a certificate resource since it's not supported from the original
We've got a VPN/Expressroute network for our internal resources, Rancher over the internet is an interesting though scary idea 😄
c
creamy-pencil-82913
08/22/2022, 11:06 PMI”m not sure what you mean by adding another cert resource, as far as I can tell you should be able to just do this when installing the chart?
--set ingress.tls.source=secret \
--set ingress.extraAnnotations.cert-manager\.io/cluster-issuer=yourClusterIssuerNameUsing your existing issuer config was what you were asking about right
that’s from the issue I linked
l
little-ambulance-5584
08/22/2022, 11:07 PMah so I guess I can use the secret resource since the stops the issuer from being propagated entirely and then add my own.
Didn't get to that last comment there
I know with the other modes it propagates an issuer by default which is why I was curious
I can make this work as a workaround
@creamy-pencil-82913 Are you worried about risks relying on CRDs from other charts (cert-manager) when it's baked like this
c
creamy-pencil-82913
08/22/2022, 11:21 PMnot really… thats why we list the versions of cert-manager that rancher is compatible with in the docs
this is Kubernetes, everything relies on something else.
l
little-ambulance-5584
08/22/2022, 11:30 PMCertainly not wrong there, just makes it interesting when upgrading resources. Thanks for the info