Is mutual SSL / client certificate authentication supported by the Rancher agent?
We already have an Apache reverse proxy in front of the Rancher server to provide SSL, however, we would also like to do an SSLVerifyClient Require to prevent unauthorized (or any really) access to the Rancher API without a valid client certificate.
Thanks!
We do not currently support this or have any immediate plans to.
The UI, CLI, etc are consumers of the same API, so e.g. all user browsers would have to have certs.
Thanks Vincent!
I think we’ll try to implement some kind of split interface design where users of a public vip are required to present a client certificate, however, API users will have their own endpoint that doesn’t require one.