Custom Corporate Root CA

Hi all,

we're using an HA install and were able to inject our corporate root CA into the Rancher server install (additional-ca Secret way). So the Rancher server Helm application is able to communicate with our other corporate applications securely via TLS (GitLab, Artifactory, …).

However, and I think this is actually how it's supposed to be, every started Pod does not get that Secret mounted and is therefore not able to make validated connections to the other applications.
What I'd like to know is: is there a good/best practice for making our Rancher-created custom clusters able to connect to these outside applications via HTTPS?

  • Should we configure the Docker daemons somehow during install on the nodes?
  • Is there a more abstract Kubernetes way to handle this case and serve custom root CAs?
  • Should we fall back to HTTP traffic instead of HTTPS for everything?


There is no mechanism for automatically causing that cert to appear in all pods. You can define all the workloads using a base image that already includes it, define it as a ConfigMap and have every workload use it, or do something more exotic like writing a custom admission controller that causes that to happen.
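The ConfigMap option from the answer above, as an added example that is not from the thread or from Rancher's own documentation. It puts the corporate root CA into a ConfigMap and, per workload, uses an init container to append it to the image's existing CA bundle so that public CAs keep validating too. The image name, namespace and the PEM body are placeholders; the bundle path `/etc/ssl/certs/ca-certificates.crt` is the Debian/Alpine convention and is an assumption about the base image (RHEL-family images use `/etc/pki/tls/certs/ca-bundle.crt` instead).

```yaml
# Added example: distribute a corporate root CA to a workload via a ConfigMap.
# The certificate body is a placeholder; create the ConfigMap from the real file with
#   kubectl create configmap corporate-root-ca --from-file=corporate-root-ca.pem=./corp-root.pem
apiVersion: v1
kind: ConfigMap
metadata:
  name: corporate-root-ca
  namespace: default
data:
  corporate-root-ca.pem: |
    -----BEGIN CERTIFICATE-----
    PLACEHOLDER-REPLACE-WITH-YOUR-CORPORATE-ROOT-CA-PEM
    -----END CERTIFICATE-----
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      initContainers:
        # Build a merged bundle: the image's public CAs plus the corporate root.
        # Uses the same image as the app so the bundle path matches its distro.
        - name: merge-ca-bundle
          image: registry.example.internal/example-app:1.0   # hypothetical image
          command: ["sh", "-c"]
          args:
            - >
              cat /etc/ssl/certs/ca-certificates.crt /corp-ca/corporate-root-ca.pem
              > /merged-ca/ca-certificates.crt
          volumeMounts:
            - name: corp-ca
              mountPath: /corp-ca
              readOnly: true
            - name: merged-ca
              mountPath: /merged-ca
      containers:
        - name: app
          image: registry.example.internal/example-app:1.0   # hypothetical image
          volumeMounts:
            # Overlay only the bundle file, leaving the rest of /etc/ssl/certs intact.
            - name: merged-ca
              mountPath: /etc/ssl/certs/ca-certificates.crt
              subPath: ca-certificates.crt
              readOnly: true
          env:
            # Clients that do not read the system bundle by default (Python requests,
            # Node.js) need an explicit pointer at the merged file.
            - name: REQUESTS_CA_BUNDLE
              value: /etc/ssl/certs/ca-certificates.crt
            - name: NODE_EXTRA_CA_CERTS
              value: /etc/ssl/certs/ca-certificates.crt
      volumes:
        - name: corp-ca
          configMap:
            name: corporate-root-ca
        - name: merged-ca
          emptyDir: {}
```

Appending rather than replacing matters: setting `SSL_CERT_FILE` to a file containing only the corporate root would make OpenSSL-based clients stop trusting public CAs. Java workloads read a keystore rather than the PEM bundle, so they need the CA imported into `cacerts` in the image or a `-Djavax.net.ssl.trustStore` pointed at a mounted keystore. Rotating the root later means updating the ConfigMap and restarting the Pods, since the init container runs only at Pod start.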