From 4943c99e8a1e4c33bda4fa79a2194cd4fe1537b9 Mon Sep 17 00:00:00 2001 From: John Carew Date: Fri, 13 May 2022 14:32:54 -0500 Subject: [PATCH 1/3] Updated contents related to external TLS termination Removed reference to much older reference to v0.25, as it's now on version v1.2 4 years later. Updated instructions on applying needed change via manifest file. Added clearer title for NGINX config, so installer knows where config should be applied. --- .../chart-options/_index.md | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/content/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/_index.md b/content/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/_index.md index 4436fcfe47..8f0d160c05 100644 --- a/content/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/_index.md +++ b/content/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/_index.md 
@@ -185,15 +185,22 @@ You may terminate the SSL/TLS on a L7 load balancer external to the Rancher clus Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. -### Configuring Ingress for External TLS when Using NGINX v0.25 +### Configuring Ingress for External TLS when Using NGINX -In NGINX v0.25, the behavior of NGINX has [changed](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0220) regarding forwarding headers and external TLS termination. Therefore, in the scenario that you are using external TLS termination configuration with NGINX v0.25, you must edit the `cluster.yml` to enable the `use-forwarded-headers` option for ingress: +In the scenario that you are using external TLS termination configuration with NGINX, you must enable the `use-forwarded-headers` option for ingress: +Create a `/var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml` file with the following contents on one of your rke2 nodes. ```yaml -ingress: - provider: nginx - options: - use-forwarded-headers: 'true' +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: rke2-ingress-nginx + namespace: kube-system +spec: + valuesContent: |- + controller: + config: + use-forwarded-headers: "true" ``` ### Required Headers @@ -213,7 +220,7 @@ ingress: Rancher will respond `200` to health checks on the `/healthz` endpoint. -### Example NGINX config +### Example NGINX config for your load balancer doing the TLS termination This NGINX configuration is tested on NGINX 1.14. From d16593cf84c017f4667a4f4b0518ad49e81a675c Mon Sep 17 00:00:00 2001 From: John Carew Date: Sat, 2 Jul 2022 12:33:44 -0500 Subject: [PATCH 2/3] Update content/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/_index.md Co-authored-by: Jen Travinski --- .../installation/install-rancher-on-k8s/chart-options/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/_index.md b/content/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/_index.md index 8f0d160c05..14122f47c6 100644 --- a/content/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/_index.md +++ b/content/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/_index.md @@ -189,7 +189,7 @@ Your load balancer must support long lived websocket connections and will need t In the scenario that you are using external TLS termination configuration with NGINX, you must enable the `use-forwarded-headers` option for ingress: -Create a `/var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml` file with the following contents on one of your rke2 nodes. +Create a `/var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml` file with the following contents on one of your RKE2 nodes: ```yaml apiVersion: helm.cattle.io/v1 kind: HelmChartConfig From e174032a40854cd5127bf916d89f90354ec2c8f1 Mon Sep 17 00:00:00 2001 From: John Carew Date: Sat, 2 Jul 2022 12:34:16 -0500 Subject: [PATCH 3/3] Update content/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/_index.md Co-authored-by: Jen Travinski --- .../installation/install-rancher-on-k8s/chart-options/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/_index.md b/content/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/_index.md index 14122f47c6..7237305d9a 100644 --- a/content/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/_index.md +++ b/content/rancher/v2.6/en/installation/install-rancher-on-k8s/chart-options/_index.md 
@@ -187,7 +187,7 @@ Your load balancer must support long lived websocket connections and will need t ### Configuring Ingress for External TLS when Using NGINX -In the scenario that you are using external TLS termination configuration with NGINX, you must enable the `use-forwarded-headers` option for ingress: +In a scenario in which you are using external TLS termination configuration with NGINX, you must enable the `use-forwarded-headers` option for ingress: Create a `/var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml` file with the following contents on one of your RKE2 nodes: ```yaml
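Review bot: In PATCH 1/3, first hunk (`@@ -185,15 +185,22 @@`), the new heading `### Configuring Ingress for External TLS when Using NGINX` reads as general, but the replacement steps apply only to RKE2: a `HelmChartConfig` named `rke2-ingress-nginx` placed under `/var/lib/rancher/rke2/server/manifests/`. The removed `cluster.yml` snippet leaves no instructions for clusters that are configured through that file. Either name RKE2 in the heading or keep the `cluster.yml` variant next to the new manifest. Because `use-forwarded-headers: "true"` tells the ingress to accept the forwarded headers it receives, this section should also state that the ingress must only be reachable through the load balancer that inserts those headers.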
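Review bot: In PATCH 1/3, second hunk (`@@ -213,7 +220,7 @@`), the heading `### Example NGINX config for your load balancer doing the TLS termination` is long and changes the heading text that existing links to this section may rely on. A shorter form such as `### Example NGINX Config for the External Load Balancer` makes the same distinction from the ingress controller. The unchanged line below it still says the configuration is tested on NGINX 1.14, so the commit message's point about stale version references is worth checking for this section as well.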
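Review bot: In PATCH 2/3, the changed line still says "on one of your RKE2 nodes", while the path it names is under `server/manifests`, so the instruction should say "one of your RKE2 server nodes". The line also gives no step for confirming that the setting took effect; one sentence on how to verify that `use-forwarded-headers` is active on the ingress controller would complete the procedure.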
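Review bot: In PATCH 3/3, the reworded sentence "In a scenario in which you are using external TLS termination configuration with NGINX" is wordier than the line it replaces and still ends in a colon, although the next line is another lead-in sentence ("Create a ... file with the following contents on one of your RKE2 nodes:") rather than the YAML. Suggest "If you terminate TLS externally and use NGINX as the ingress controller, you must enable the `use-forwarded-headers` option." ending with a period, leaving the colon to the sentence that directly introduces the manifest.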