#kubernetes

adamant-kite-43734

08/22/2022, 10:42 PM
This message was deleted.

creamy-pencil-82913

08/22/2022, 10:56 PM
limiting how? that’s the most common way it’s deployed for production use.

little-ambulance-5584

08/22/2022, 10:57 PM
Well the first issue I've run into is the lack of a custom cert-manager issuer. Let's say you have a cluster that already has a default, or one you want to specify.
Not everyone can validate over HTTP-01, especially if it's a private ingress.

creamy-pencil-82913

08/22/2022, 11:00 PM
most folks deploy Rancher to a dedicated management cluster, and then put their apps on clusters managed by rancher. so, having existing stuff on there that it would conflict with isn’t very common

little-ambulance-5584

08/22/2022, 11:03 PM
I can see that, do most use a public rancher endpoint to validate over letsencrypt though? Where I'm at now we have a standard set of helmfiles we use to deploy baselines for clusters so we can have a standardized versioning of tools (including cert-manager)

creamy-pencil-82913

08/22/2022, 11:03 PM

little-ambulance-5584

08/22/2022, 11:04 PM
Yeah, looks like I can create another certificate resource, I can of course do a post helm chart to fix this.

creamy-pencil-82913

08/22/2022, 11:04 PM
yes, it’s usually deployed to a public endpoint so that all the clusters can get to it
folks that are doing air-gap with private ingress usually also have their own PKI that they want to use, so LE support isn’t important
does the last comment on that issue not work for you?

little-ambulance-5584

08/22/2022, 11:05 PM
It just means splitting off another chart to add a certificate resource since it's not supported from the original
We've got a VPN/Expressroute network for our internal resources, Rancher over the internet is an interesting though scary idea 😄

creamy-pencil-82913

08/22/2022, 11:06 PM
I'm not sure what you mean by adding another cert resource, as far as I can tell you should be able to just do this when installing the chart?
--set ingress.tls.source=secret \
  --set ingress.extraAnnotations.cert-manager\.io/cluster-issuer=yourClusterIssuerName
Using your existing issuer config was what you were asking about, right?
that’s from the issue I linked

little-ambulance-5584

08/22/2022, 11:07 PM
ah so I guess I can use the secret source since that stops the issuer from being propagated entirely and then add my own.
Didn't get to that last comment there
I know with the other modes it propagates an issuer by default which is why I was curious
I can make this work as a workaround
@creamy-pencil-82913 Are you worried about risks relying on CRDs from other charts (cert-manager) when it's baked like this

creamy-pencil-82913

08/22/2022, 11:21 PM
not really… that's why we list the versions of cert-manager that rancher is compatible with in the docs
this is Kubernetes, everything relies on something else.

little-ambulance-5584

08/22/2022, 11:30 PM
Certainly not wrong there, just makes it interesting when upgrading resources. Thanks for the info