Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
b
breezy-ram-80329
11/23/2022, 12:02 PMis there a way to run rancher cluster agents in tls verify disabled mode?
r
red-waitress-37932
11/23/2022, 12:11 PMsounds like something you shouldn't do without a really good reason.
What do you want to accomplish with that?
b
breezy-ram-80329
11/23/2022, 12:46 PMi have setup rancher with tls termination at load balancer level. The rancher server is redirecting to https again even though the termination happened at lb already. I guess the x-forwarded proto header has been somehow overrided by the nginx ingress controller ( according to this open issue https://github.com/kubernetes/ingress-nginx/issues/8195).
due to this my cluster agents could not verify the ca cert of the rancher server (cauz i could not configure tls due to the https redirection happening) . Since this is just for poc , i need to run the agents in an insecure mode)
r
red-waitress-37932
11/23/2022, 12:47 PMso the issue is that your LB presents the wrong cert?
so fix that 🙂
also make sure you have the "server-url" global setting set up properly
it should point to the hostname your LB serves the correct cert for
like this:
https://rancher.example.com
b
breezy-ram-80329
11/23/2022, 12:50 PMI have the set the server url to the loadbalancer dns name.
the issue is with the nginx ingress controller
via x-forwarded-proto:https header the server understands the tls termination already happend at the lb
so it won't ask for https traffic. somehow the nginx controller is not forwarding this header
r
red-waitress-37932
11/23/2022, 12:53 PMhmmm, ok load balancers are a topic I'm only just now learning about, but from what I read, the theory is to make the LB talk directly to the services via node ports. your LB might have an ingress controller that can help with that.
what is your LB?
https://github.com/kubernetes/ingress-nginx/issues/8195#issuecomment-1324579000 someone says the issue no longer exists in ingress-nginx-4.3.0 + aws-load-balancer-controller-1.4.5.
That's from the issue you posted, but it's very recent (7h ago), so I thought maybe you didn't see it yet