Adding https to rancher server in existing 1.6 environment


#1

I’ve been googling the following but haven’t had any luck so far… maybe I’m blind but.

What is the correct way to reconfigure both rancher server and connected hosts, so that they essentially talk to the server on a new url? (https instead of http being the only change)

For example:
Say our rancher server currently listens on http://our-rancher
and we want it to be on https://our-rancher.
We plan on using an nginx reverse proxy to encapsulate it in https.

  1. How do we tell the server that the url is changed?
  2. How do we tell worker hosts that the url has changed?

Alternative solution: Can we just add a http->https redirect (for example with code 308) - will rancher’s client software on worker hosts handle non-GET request redirects?


#2

Change the host registration URL and then (re)run the custom add host command (docker run … rancher/agent) on each host.


#3

  1. How do you change the host registration url? I cannot find it in the 1.6 rancher web gui. Or do you just mean I should edit the docker run command and replace the url there?

  2. Also - do we need to stop any services on the worker hosts and/or disconnect them from the master host before we run the command?


#4

  1. No, it will just re-register.

#5

Thanks. Tried it but it seems like we also need to recreate all system services + load balancers, because they have CATTLE_CONFIG_URL and CATTLE_URL still set to the old url, even after the agent itself is replaced and host re-registered.

So we need to replace those containers… is my conclusion correct?
Tried it with some non-critical containers and the new instances got the updated env variables.

Looking at the access logs on the rancher server/master it also seems to be the case…


#6

For anyone interested, we ended up doing the following:

  1. Change the registration url
  2. Re-register the rancher agent by simply running the docker run command on the slave hosts
  3. Re-create system services to automatically update environmental variables from old -> new url
  4. Re-create all load balancers to automatically update environmental variables from old -> new url

After this we have no more http requests logged to the old url.
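
A per-host check for the outcome described in this thread, as an added example that is not part of the original posts: it reads `docker inspect` output and lists running containers whose `CATTLE_URL` or `CATTLE_CONFIG_URL` still lacks the new URL prefix. The function name, the sample data and the default `https://our-rancher` value are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""List containers whose Rancher URL variables still point at the old URL."""
import json
import subprocess
import sys

URL_VARS = ("CATTLE_URL", "CATTLE_CONFIG_URL")  # the variables named in the thread


def find_stale(inspect_json, new_url):
    """Return (container, variable, value) for each URL variable in
    `docker inspect` JSON output whose value does not start with new_url."""
    stale = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        env = (container.get("Config") or {}).get("Env") or []  # Env may be null
        for entry in env:
            var, _, value = entry.partition("=")
            if var in URL_VARS and not value.startswith(new_url):
                stale.append((name, var, value))
    return stale


# Constructed sample in the shape `docker inspect` prints (not real output).
SAMPLE = json.dumps([
    {"Name": "/old-lb", "Config": {"Env": [
        "PATH=/usr/bin", "CATTLE_URL=http://our-rancher/v1",
        "CATTLE_CONFIG_URL=http://our-rancher/v1"]}},
    {"Name": "/new-lb", "Config": {"Env": [
        "CATTLE_URL=https://our-rancher/v1",
        "CATTLE_CONFIG_URL=https://our-rancher/v1"]}},
    {"Name": "/app", "Config": {"Env": None}},
])

if __name__ == "__main__":
    # Assumed default; pass the real new URL as the first argument.
    new_url = sys.argv[1] if len(sys.argv) > 1 else "https://our-rancher"
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True,
                         text=True, check=True).stdout.split()
    rows = []
    if ids:
        out = subprocess.run(["docker", "inspect", *ids], capture_output=True,
                             text=True, check=True).stdout
        rows = find_stale(out, new_url)
    for name, var, value in rows:
        print(f"{name}\t{var}={value}")
    sys.exit(1 if rows else 0)
```

Run on each host after re-registering, it exits non-zero while any container still carries the old URL, so it can gate the clean-up of the plain-http listener.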