# harvester
a
t
Here is just as good. 😄
1. You can actually avoid cert-manager altogether. Rancher will want to terminate TLS, so that might be the exception where you have to load certs with a secret. All other apps can be http inside. The nginx ingress-controller handles both http and https out of the box.
2. Honestly, you should look at what comes default with rke2, STIG, CIS, and the nginx ingress-controller. If you want, we can jump on a zoom and I can walk you through all the bits? This dovetails into 3.
3. If you are looking for an ATO, I would go with whatever is already approved. Other than that, both Ubuntu and Rocky are great. Also think about what updates are available on your network. Hope this helps.
a
It very much does, thank you! We're meeting with F5 on some things this afternoon, so I was in a panic to understand better before I ask something of them.
1. I think when I was reading External TLS Term. that's where I got confused. (--set tls=external) That's for workload ingress, not for the Rancher UI itself.
2. I think I was being too broad. F5 documentation is kind of OpenShift heavy, and RKE2 has so many options now. It's just analysis paralysis.
3. We've been on the fence for years, but I now have more hardware than I do capacity to manage it, so I need to shore some things up with Ansible to take the workload off. Rocky9, with FIPS + STIG during install, seems like the faster track to getting legal to begin with. Ubuntu was more familiar, but to do STIG truly, I think that's a paid option.
t
Rocky STIG is easy, and identical to RHEL. If you need help with RKE2 STIG’d I have a guide.
Let me know if you need any other help as well.
a
That was one of our big decision points. Today, we need to slap the table and be okay with Rocky9. We've done some STIG with RHEL via OSCAP, but I was super curious (and haven't found a good example online) how people are "kickstarting" Rocky in a way that initiates the FIPS compliance during install.
t
Use Ansible and a reboot?
a
"WhiplashQuestionMoment": CNI. F5 Container Ingress Services seems to prefer Flannel, but that's an RKE2 "not production" kind of thing, yet. Plus, I think STIG is gonna murder me on the k8s side because I can't do Network Policies.
Ansible to set it to FIPS-MODE-Enable? I figured that was possible, but I kept seeing all these scary forum posts about how FIPS not being enabled during the install causes issues with certs not being the correct lengths, etc. I still haven't learned not to trust everything I read on the internet.
t
My 2 cents: ignore F5 and don't use their ingress. Use Canal and the default nginx ingress. 😄 If your certs are external to the node/cluster, then it shouldn't matter for FIPS and a reboot?
a
I think you broke my brain... because now I'm staring at the ceiling, wondering how or why I got to this point. I don't remember why F5 was important, other than we have it, and the wildcard cert is there already.
t
Oh, you can still use F5 as the external LB. I thought they were pushing NGINX Plus on the cluster.
a
Ohhh, no. No NGINX Plus. I think it was just our objective to use the F5 Container Ingress Services pod... so we can use CI/CD to create new services, etc. on the F5. All things TLS would be terminated on the F5 HA pair. (And just to expound, we have two physical sites, each with an F5 HA pair.)
One of the things that was pretty exciting in the past was Antrea's use of NodePortLocal to simplify ingress, as a native thing for F5-CIS. However, I think that only got implemented in Tanzu-type environments. It's not prevalent enough for anyone else to care. Just cool to see. lol
t
Ah.