Custom Corporate Root CA

chrish · March 4, 2019, 9:24am

Hi all,

we’re using an HA install and we were able to inject our corporate root CA to the rancher server install (additional-ca Secret way) . So the rancher Server Helm-Application is able to communicate with our other corporate applications via TLS securely (Gitlab, Artifactory,…).

However, and I think this is actually how it’s supposed to be, every started Pod got that secret not mounted and is therefore not able to connect validated to the other applications.
What I hope to know, is there a good/best practice to make our Rancher created custom clusters able to connect to these outside applications through https?

Should we configure the docker daemons somehow during install on the nodes?
Is there a more abstract K8s way to handle this case and serving custom root CAs?
Should we fall back all to http traffic instead of https?

Regards

vincent · March 5, 2019, 8:25am

There is no mechanism for automatically causing that cert to appear in all pods. You can define all the workloads using a base image that already includes it, define it as a configmap and have every workload use it, or something more exotic like write a custom admission controller that causes that to happen.

Topic		Replies	Views
Git Helm Catalog untrusted certificate Rancher 2.x	2	508	December 10, 2019
Catalog Not Loading - Behind Corporate Proxy with SSL-Inspection Rancher 2.x	2	1219	May 20, 2019
Rancher PrivateCA Rancher 2.x	8	4988	February 11, 2020
Using a custom cert for Rancher HA (corporate CA) - best practice? Rancher 2.x	0	484	March 11, 2019
Self signed Certificates/cacerts being generated on helm chart deploy of rancher 2.x even though --private-ca isn't being set Rancher 2.x	1	970	August 19, 2019

Custom Corporate Root CA

Related Topics