breezy-ram-80329

11/23/2022, 12:02 PM
is there a way to run rancher cluster agents in tls verify disabled mode?

red-waitress-37932

11/23/2022, 12:11 PM
sounds like something you shouldn't do without a really good reason. What do you want to accomplish with that?

breezy-ram-80329

11/23/2022, 12:46 PM
I have set up rancher with tls termination at load balancer level. The rancher server is redirecting to https again even though the termination happened at lb already. I guess the x-forwarded-proto header has been somehow overridden by the nginx ingress controller (according to this open issue https://github.com/kubernetes/ingress-nginx/issues/8195). Due to this my cluster agents could not verify the ca cert of the rancher server (because I could not configure tls due to the https redirection happening). Since this is just for poc, I need to run the agents in an insecure mode.

red-waitress-37932

11/23/2022, 12:47 PM
so the issue is that your LB presents the wrong cert?
so fix that 🙂
also make sure you have the "server-url" global setting set up properly
it should point to the hostname your LB serves the correct cert for

breezy-ram-80329

11/23/2022, 12:50 PM
I have set the server url to the loadbalancer dns name.
the issue is with the nginx ingress controller
via x-forwarded-proto:https header the server understands the tls termination already happened at the lb
so it won't ask for https traffic. somehow the nginx controller is not forwarding this header

red-waitress-37932

11/23/2022, 12:53 PM
hmmm, ok load balancers are a topic I'm only just now learning about, but from what I read, the theory is to make the LB talk directly to the services via node ports. your LB might have an ingress controller that can help with that.
what is your LB?
https://github.com/kubernetes/ingress-nginx/issues/8195#issuecomment-1324579000 someone says the issue no longer exists in ingress-nginx-4.3.0 + aws-load-balancer-controller-1.4.5. That's from the issue you posted, but it's very recent (7h ago), so I thought maybe you didn't see it yet