I am working on getting my Rancher-HA cluster to connect to Catalog. My nodes are behind a Corporate Proxy that also does SSL-Inspection, i.e. certificates presented by ALL external endpoints are unpacked at the corporate boundary and re-signed by the Corporate CA before being sent back to my Rancher-HA cluster.
I have successfully added outbound proxy rules to my rancher-config.yml file, but am now seeing Unknown Certificate Authority errors when attempting to connect to the Rancher Catalog at git.rancher.io.
Basic question: how do I append a new CA to my cluster's CA-trusts?
After working at this for a while, I found a solution.
If you deployed Rancher using Helm, there is this option:
# Additional Trusted CAs.
# Enable this flag and add your CA certs as a secret named tls-ca-additional in the namespace.
# See README.md for details.
additionalTrustedCAs: false
In the cluster where Rancher is installed, create a secret in the cattle-system namespace as follows:
name: tls-ca-additional
key: ca-additional.pem
value: [concatenated pem of root and intermediate CAs]
Then set the additionalTrustedCAs to true, and upgrade your Rancher helm chart.
What it does is mount the secret at /etc/ssl/certs/ca-additional.pem, and now Rancher is able to fetch catalogs through SSL interception.
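As an added example (not code from the reply above): a small shell script that assembles ca-additional.pem from separate root and intermediate PEM files, checks that the concatenation is still well-formed PEM (a CRLF file or one without a final newline fuses the END/BEGIN markers when simply cat'ed together), and then creates the tls-ca-additional secret and flips additionalTrustedCAs. The release name `rancher`, the repo `rancher-latest`, and the certificate bodies are placeholders I assumed, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the ca-additional.pem bundle
# the reply describes, normalising CRLF and missing final newlines so the
# concatenation stays valid PEM, then loads it as the tls-ca-additional secret
# and enables additionalTrustedCAs. Release/chart names and cert bodies are
# placeholders.
set -eu

# build_bundle OUT IN...: append each PEM file to OUT, one line per record with
# CR stripped, so END/BEGIN markers never fuse when an input lacks a newline.
build_bundle() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    awk '{ sub(/\r$/, ""); print }' "$f" >> "$out"
  done
}

# check_bundle FILE: succeed only if every BEGIN marker has its own END line.
check_bundle() {
  begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
  ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# make_samples DIR: write two constructed PEM files (fake bodies) into DIR;
# root.pem uses CRLF and has no trailing newline, the cases that bite.
make_samples() {
  { printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'Q09SUC1ST09ULUNBLWNvbnN0cnVjdGVk'
    printf '%s' '-----END CERTIFICATE-----'; } > "$1/root.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09SUC1JTlRFUk1FRElBVEUtY29uc3RydWN0ZWQ=' \
    '-----END CERTIFICATE-----' > "$1/intermediate.pem"
}

# apply_bundle FILE: create/update the secret and upgrade Rancher (needs a
# kubeconfig; release "rancher" and repo "rancher-latest" are assumptions).
apply_bundle() {
  kubectl -n cattle-system create secret generic tls-ca-additional \
    --from-file=ca-additional.pem="$1" --dry-run=client -o yaml | kubectl apply -f -
  helm upgrade rancher rancher-latest/rancher -n cattle-system \
    --reuse-values --set additionalTrustedCAs=true
}

# usage: ./script.sh apply root.pem intermediate.pem
if [ "${1:-}" = "apply" ]; then
  build_bundle ca-additional.pem "$2" "$3"
  check_bundle ca-additional.pem
  apply_bundle ca-additional.pem
fi
```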