is there a way to run rancher cluster agents in tls verify disabled mode?
red-waitress-37932
11/23/2022, 12:11 PM
sounds like something you shouldn't do without a really good reason.
What do you want to accomplish with that?
breezy-ram-80329
11/23/2022, 12:46 PM
I have set up Rancher with TLS termination at the load balancer level. The Rancher server is redirecting to https again even though the termination happened at the LB already. I guess the X-Forwarded-Proto header has somehow been overridden by the nginx ingress controller (according to this open issue https://github.com/kubernetes/ingress-nginx/issues/8195).
Due to this my cluster agents could not verify the CA cert of the Rancher server (because I could not configure TLS due to the https redirection happening). Since this is just for a PoC, I need to run the agents in an insecure mode.
red-waitress-37932
11/23/2022, 12:47 PM
so the issue is that your LB presents the wrong cert?
so fix that 🙂
also make sure you have the "server-url" global setting set up properly
it should point to the hostname your LB serves the correct cert for
I have set the server URL to the load balancer DNS name.
The issue is with the nginx ingress controller.
Via the x-forwarded-proto: https header the server understands the TLS termination already happened at the LB,
so it won't ask for https traffic. Somehow the nginx controller is not forwarding this header.
red-waitress-37932
11/23/2022, 12:53 PM
hmmm, ok load balancers are a topic I'm only just now learning about, but from what I read, the theory is to make the LB talk directly to the services via node ports. your LB might have an ingress controller that can help with that.