Hello Rancher friends,
I am facing an issue where, when deploying Rancher with Helm, it auto-generates certs for it. However, I am trying to use the privateCA workaround to use my own certs, but it still does not pick up my certs, and the logs don't tell me much more than that it just auto-generates its CA.
For a bit of context, we are running our cluster on bare metal, kubeadm v1.29. I already have cert-manager installed to manage our Kubernetes certs as an intermediate CA. We also use the kube-vip load balancer to assign an IP to our Rancher dashboard, and unfortunately we will not use an ingress controller like nginx/traefik for now. The steps that I follow are:
- I create the cattle-system namespace
- create the Rancher certificate using this definition file:

```yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tls-rancher-ingress
  namespace: cattle-system
  labels:
    app: rancher
spec:
  secretName: tls-rancher-ingress
  secretTemplate:
    labels:
      app.kubernetes.io/name: rancher
  duration: 8760h # 1 year
  renewBefore: 360h # 15d
  commonName: [my cn]
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 4096
    rotationPolicy: Always
  dnsNames:
    - [dns names]
  ipAddresses:
  issuerRef:
    name: default-clusterissuer
    kind: ClusterIssuer
```

- then I concatenate the CA of cert-manager followed by my root CA into one cacerts.pem file
- then I run the following to create a secret from the file from the previous step:

```sh
kubectl -n cattle-system create secret generic tls-ca \
  --from-file=cacerts.pem=./cacerts.pem
```
- then finally I run the following command to deploy Rancher:

```sh
helm install rancher rancher-stable/rancher \
  --namespace cattle-system \
  -f values.yaml
```
and the values.yaml file looks like this:

```yaml
hostname: [my hostname]
privateCA: true
ingress:
  tls:
    source: secret
  extraAnnotations:
    cert-manager.io/cluster-issuer: default-clusterissuer
```
I am not sure what is wrong in my steps. Has anyone faced the same problem, or might have an idea? Or could anyone share how they succeeded where I miserably failed?
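An added example, not part of the original post and not code from the Rancher or cert-manager projects: a POSIX shell script that reproduces the certificate layout the steps above describe (a root CA, an intermediate CA standing in for the cert-manager ClusterIssuer, and a leaf like the one cert-manager writes into the tls-rancher-ingress secret), assembles cacerts.pem in the same order as the third step (intermediate followed by root), lists what the bundle contains, and checks with openssl that the leaf actually chains to it. It assumes the openssl CLI (1.1.1 or newer) and mktemp are on the PATH; the names Example Root CA, Example Intermediate CA and rancher.example.internal are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build root -> intermediate -> leaf
# with openssl, assemble cacerts.pem as in the post (intermediate, then root)
# and verify the leaf against it. Assumes openssl >= 1.1.1 and mktemp.
set -eu

# Extensions for a CA certificate (used for both root and intermediate).
ca_ext() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1"
}

# Create root -> intermediate -> leaf in directory $1; $2 is the leaf's DNS SAN.
make_chain() {
  d="$1"; host="$2"
  mkdir -p "$d"
  ca_ext "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" > "$d/leaf.ext"

  # Root CA (stands in for "my root CA"): CSR self-signed with its own key.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 365 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null

  # Intermediate CA (stands in for the cert-manager ClusterIssuer CA), signed by root.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 365 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null

  # Leaf (what cert-manager would store as tls.crt in tls-rancher-ingress), signed by intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 90 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null

  # The bundle the post loads into the tls-ca secret as cacerts.pem: intermediate, then root.
  cat "$d/int.crt" "$d/root.crt" > "$d/cacerts.pem"
}

# Number of PEM certificates in a bundle (2 for the bundle built above).
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Print subject and issuer of every certificate in a bundle, in file order.
list_bundle() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Exit 0 if the leaf ($2) chains to a self-signed root via the bundle ($1), non-zero otherwise.
verify_leaf() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Stand-alone demo: the bundle verifies the leaf, the root alone does not
# (the intermediate is missing from that trust store).
if [ "${DEMO:-1}" = 1 ]; then
  w=$(mktemp -d)
  make_chain "$w" rancher.example.internal
  list_bundle "$w/cacerts.pem"
  verify_leaf "$w/cacerts.pem" "$w/leaf.crt" && echo "leaf verifies against cacerts.pem"
  verify_leaf "$w/root.crt" "$w/leaf.crt" || echo "leaf does NOT verify against the root alone"
  rm -rf "$w"
fi
```

To run the same check against what is actually in the cluster, pull the two secrets and feed them to the same commands: `kubectl -n cattle-system get secret tls-ca -o jsonpath='{.data.cacerts\.pem}' | base64 -d > cacerts.pem`, `kubectl -n cattle-system get secret tls-rancher-ingress -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt`, then `openssl verify -CAfile cacerts.pem tls.crt`. A leaf that fails there, or a bundle whose listed subjects do not include the issuer of the leaf, is worth fixing before looking further at the chart values.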