How to use self-signed certificates with a Helm catalog?

Hi, I installed Rancher (via the Helm chart) on an RKE2 single-node cluster (installed via the quick-start script).

Nexus3 is used to serve the private Docker registries. That part works so far.

Since this host has no direct internet access, I want to host the Helm catalogs in Nexus as well.
Nexus has TLS enabled; its certificate is signed by a self-signed CA.

When I change the catalog URL to my Nexus repo I get "x509: certificate signed by unknown authority".

How can I add my own CA as trusted by Rancher? The underlying CentOS 7 host already trusts the CA, but the Rancher pod does not.

Thanks in advance, Andreas


If the Helm catalog you want to add in Rancher uses a self-signed certificate, or one signed by a CA that Rancher does not know, you have to add that CA certificate to the trusted CA store used by Rancher.
First make sure you run Rancher with the chart option additionalTrustedCAs=true.
Copy your CA certificates in PEM format into a file named ca-additional.pem and use kubectl to create the tls-ca-additional secret in the cattle-system namespace:
kubectl -n cattle-system create secret generic tls-ca-additional --from-file=ca-additional.pem=./ca-additional.pem

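The procedure from the answer above, as an added example script that is not part of the original post and not Rancher's own tooling. It bundles one or more CA files (root plus any intermediates) into ca-additional.pem after checking each one is actually PEM, creates or updates the tls-ca-additional secret idempotently, checks that the bundle really validates the Nexus server's chain before Rancher is pointed at it, and restarts the Rancher pods so the container entrypoint picks up the new bundle at startup. The Helm release name `rancher`, the repo name `rancher-latest` and the Nexus address in `NEXUS_ADDR` are assumptions; the certificate content used in the self-check below is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example: bundle CA certs for Rancher's additionalTrustedCAs and
# load them as the tls-ca-additional secret. Not from the original post.
set -eu

# Assumptions (adjust to your environment): Helm release/repo names and
# the Nexus host:port whose chain the bundle must validate.
RELEASE="${RELEASE:-rancher}"
REPO="${REPO:-rancher-latest/rancher}"
NEXUS_ADDR="${NEXUS_ADDR:-nexus.example.internal:8443}"

# Print the number of PEM certificate blocks in a file. Fails when the file
# has no certificate or the BEGIN/END markers do not pair up (for example a
# DER-encoded .crt copied straight out of /etc/pki).
pem_cert_count() {
    f="$1"
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
    [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ] || return 1
    echo "$begins"
}

# Concatenate CA files into the single bundle Rancher expects and print how
# many certificates it contains. A missing trailing newline in one file would
# otherwise glue its END marker to the next BEGIN marker and corrupt the bundle.
build_bundle() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        pem_cert_count "$f" >/dev/null || { echo "not a PEM certificate: $f" >&2; return 1; }
        cat "$f" >> "$out"
        [ -n "$(tail -c1 "$f")" ] && echo >> "$out"
    done
    pem_cert_count "$out"
}

# Confirm the bundle validates what the Nexus server actually presents.
# This catches the common mistake of bundling only the root while the
# server omits its intermediate: Rancher would still fail with x509 errors.
check_bundle_against_server() {
    openssl s_client -connect "$NEXUS_ADDR" -CAfile "$1" </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Create or update the secret. "create ... --dry-run=client -o yaml | apply"
# works both on first run and when rotating the CA later.
apply_secret() {
    kubectl -n cattle-system create secret generic tls-ca-additional \
        --from-file=ca-additional.pem="$1" \
        --dry-run=client -o yaml | kubectl apply -f -
}

# Show that the secret holds exactly the bundle we built.
verify_secret() {
    kubectl -n cattle-system get secret tls-ca-additional \
        -o jsonpath='{.data.ca-additional\.pem}' | base64 -d | diff - "$1"
}

main() {
    bundle=./ca-additional.pem
    n=$(build_bundle "$bundle" "$@")
    echo "bundled $n certificate(s) into $bundle"
    check_bundle_against_server "$bundle" || { echo "bundle does not validate $NEXUS_ADDR" >&2; exit 1; }
    # Step 1 of the answer: Rancher must run with additionalTrustedCAs=true.
    helm upgrade "$RELEASE" "$REPO" -n cattle-system --reuse-values \
        --set additionalTrustedCAs=true
    # Step 2: the secret, then restart so the entrypoint installs the CA.
    apply_secret "$bundle"
    verify_secret "$bundle"
    kubectl -n cattle-system rollout restart deploy/rancher
    kubectl -n cattle-system rollout status deploy/rancher
}

# Run only when CA files are given, e.g.:
#   NEXUS_ADDR=nexus:8443 sh ca-bundle.sh /etc/pki/ca-trust/source/anchors/*.pem
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Pass the root CA and any intermediate in the order they should appear in the bundle. The `openssl s_client` check fails closed: if the Nexus chain does not verify against the bundle from the host, Rancher will not trust it either, so fix the bundle (or Nexus's served chain) before creating the secret.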