I was looking at the port requirements for Harvester, but it's not clear which ports are required for the VIP/Management Address. From the bottom of the description it sounds like only `80`/`443` but I imagine if you're using a proxy to get to kubectl you'd want

6443

and

9345

as well. Are there any other missing ports for that?

There have to be more, than are required for Rancher. I've an external ingress node (nginx and nat) as the defgw for my network configured to load-balance across RKE2 control nodes for rancher, and pointing at the first deployed node in my harvester cluster. When I launch the web or serial console I get nothing thru the ingress while local desktop can launch both just fine. port 663 ? and/or others for this?

web vnc is working fine for me.

Do you have nginx redirecting, or an ssh tunnel to get from external to harvester?

Neither. HAProxy forwards to a private subnet/address.

Can you share your config (obfuscate external IP) ?

Sure.

tyvm.

?

I've read that in docs, but I was just pushing the rke2 self-signed cert to the front in nginx. worked for rancher over rke2. Will read again and attempt.

I'm not sure the kube-api server is the same cert that the web front end uses by default.

given I don't control when harvester and rancher update their internal keys it's probably got more than a few holes in it.

Plus if you're just proxying I'm not sure what that gains you.

thanks again

You don't want to re-encrypt harvester VIP traffic as your rancher instance.

Well, I did have nginx serving two front-ends in what I thought was a clean way. I had one cert/key pair copied from the HA rke2 cluster where rancher was deployed; and, this was accessed by URL using the cname pointing to the nginx instance. Also, I had another cert/key pair copied from the rke2 harvester cluster accessed by the URL using the cname pointing to the harvester VIP. While both these front-ends worked for getting to the Web UI of rancher and harvester internally and externally (local external /etc/hosts entries to match cname to externally visible IP) I couldn't get rancher Harvester UI Extension to get past "pending", and as I began the reply here, the web and serial consoles were not working. So, time for me to invest more energy into your experienced and working path with HAProxy, cert-manager, and Let'sEncrypt. Thanks again.

If you can tell nginx to proxy and not re-encrypt I don't think you'll need to add HAProxy to your stack. (unless you want HA and having it be available via two different boxes) I think you can just add the 80 port and let the clusters handle the certs.

Well, I'll be damned. You massively simplified my nginx config, solved my freaking web-console issue and got my rancher Harvester UI integration working. YOU ROCK.

🎉

In case it is helpful for others nginx config and cnames used: internally rancher.lab is the cname for the nginx box doing load-balancing for the ha-rke2 cluster harvester.lab is the cname for the harvester-vip both cnames had to be used at the time of deployment for the cluster managed self-signed certs to work. externally modified /etc/hosts for both hostnames to point to the external IP address of the nginx box.