I am trying to set up Rancher:latest using the documentation provided here: https://rancher.com/docs/rancher/v2.x/en/installation/ha-server-install-external-lb/
Here is how my setup looks:
Hosts: 3 CentOS 7.5 hosts with Docker version 17.03.2 installed. Firewall disabled.
host1.example.com
host2.example.com
host3.example.com
Here is my rancher-cluster.yml, based on this template: https://raw.githubusercontent.com/rancher/rancher/58e695b51096b1f404188379cea6f6a35aea9e4c/rke-templates/3-node-externalssl-recognizedca.yml
```yaml
nodes:
  - address: host1.example.com # hostname or IP to access nodes
    user: rke # root user (usually 'root')
    role: [controlplane,etcd,worker] # K8s roles for node
    ssh_key_path: /Users/rancher/.ssh/id_rsa
  - address: host2.example.com
    user: rke
    role: [controlplane,etcd,worker]
    ssh_key_path: /Users/rancher/.ssh/id_rsa
  - address: host3.example.com
    user: rke
    role: [controlplane,etcd,worker]
    ssh_key_path: /Users/rancher/.ssh/id_rsa

addons: |-
  ---
  kind: Namespace
  apiVersion: v1
  metadata:
    name: cattle-system
  ---
  kind: ServiceAccount
  apiVersion: v1
  metadata:
    name: cattle-admin
    namespace: cattle-system
  ---
  kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: cattle-crb
    namespace: cattle-system
  subjects:
  - kind: ServiceAccount
    name: cattle-admin
    namespace: cattle-system
  roleRef:
    kind: ClusterRole
    name: cluster-admin
    apiGroup: rbac.authorization.k8s.io
  ---
  apiVersion: v1
  kind: Service
  metadata:
    namespace: cattle-system
    name: cattle-service
    labels:
      app: cattle
  spec:
    ports:
    - port: 80
      targetPort: 80
      protocol: TCP
      name: http
    selector:
      app: cattle
  ---
  apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    namespace: cattle-system
    name: cattle-ingress-http
    annotations:
      nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "1800" # Max time in seconds for ws to remain shell window open
      nginx.ingress.kubernetes.io/proxy-send-timeout: "1800" # Max time in seconds for ws to remain shell window open
      nginx.ingress.kubernetes.io/ssl-redirect: "false" # Disable redirect to ssl
  spec:
    rules:
    - host: rancher.example.com
      http:
        paths:
        - backend:
            serviceName: cattle-service
            servicePort: 80
  ---
  kind: Deployment
  apiVersion: extensions/v1beta1
  metadata:
    namespace: cattle-system
    name: cattle
  spec:
    replicas: 1
    template:
      metadata:
        labels:
          app: cattle
      spec:
        serviceAccountName: cattle-admin
        containers:
        - image: rancher/rancher:latest
          imagePullPolicy: Always
          name: cattle-server
          ports:
          - containerPort: 80
            protocol: TCP
```
I have this setup sitting behind an F5 that has a virtual pool set up for rancher.example.com with members host1.example.com:443, host2.example.com:443 and host3.example.com:443. It's also using a cert signed by a recognized CA.
When I try to browse rancher.example.com, I get a response of "default backend - 404".
I also tried to skip the F5 and create a local host entry in /etc/hosts for rancher.example.com, and I still get the same results. It appears that the nginx deployment is not recognizing the FQDN and is going directly to the default backend page.
Note: the same cert works well if I set up a single-node Rancher deployment without the nginx ingress using RKE.
I have also tried to replace the F5 with an nginx server in front of this setup using https://rancher.com/docs/rancher/v2.x/en/installation/ha-server-install/
For nginx, I used this template: https://raw.githubusercontent.com/rancher/rancher/e9d29b3f3b9673421961c68adf0516807d1317eb/rke-templates/3-node-certificate-recognizedca.yml
In the template I provided the base64 of my cert (which contained the wildcard cert and the CA cert), and for the key I provided the base64 of my cert.key file. When I tried to browse the URL rancher.example.com after this, I got an HSTS error saying the cert is not valid, and the cert I got was named "Kubernetes fake ingress controller certificate".
Can someone guide me in the right direction?
Thanks in advance.
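The two symptoms in this post point at different layers of the ingress: a "default backend - 404" body means no Ingress rule matched the Host header the controller received, while the "fake ingress controller certificate" means the controller had no TLS secret to serve for the SNI name it received (the Ingress in the rancher-cluster.yml above declares a rule for rancher.example.com but no tls: block). The script below is an added diagnostic, not part of the original post and not Rancher's or RKE's own tooling: it talks directly to one ingress node with both SNI and Host set to the Ingress host, so the load balancer is taken out of the picture, and classifies what comes back. Assumptions: openssl and curl 7.49+ (for --connect-to) are on the PATH, the controller's placeholder certificate carries "Fake Certificate" in its subject CN (the ingress-nginx naming, matched case-insensitively so the wording in the post also hits), and the function names and the SAMPLE_* outputs are constructed here for illustration.

```shell
#!/bin/sh
# Added diagnostic for "default backend - 404" vs. "fake ingress certificate".
# Usage: sh ingress-probe.sh <ingress-node> <ingress-host>
#   e.g. sh ingress-probe.sh host1.example.com rancher.example.com
# Function and sample names below are this example's own, not Rancher's.

# Does a certificate CN cover the requested host? Exact match, or a
# single-label wildcard (*.example.com covers rancher.example.com).
cn_matches_host() {
  cn="$1"; host="$2"
  if [ "$cn" = "$host" ]; then return 0; fi
  case "$cn" in
    \*.*)
      if [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "${cn#\*.}" ]; then
        return 0
      fi ;;
  esac
  return 1
}

# Classify the "subject=..." / "issuer=..." text printed by
# `openssl x509 -noout -subject -issuer` for the certificate a node served.
# Handles both the OpenSSL 1.0 (/C=..,/CN=..) and 1.1 (C = .., CN = ..) layouts.
# Prints: no-cert | fake-ingress-cert | cert-for-host | cert-for-other-host
classify_served_cert() {
  out="$1"; host="$2"
  subject=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)
  if [ -z "$subject" ]; then echo no-cert; return 0; fi
  cn=$(printf '%s\n' "$subject" | sed -n 's/.*CN *= *//p' | sed 's/[,/].*$//; s/[[:space:]]*$//')
  if printf '%s' "$cn" | grep -qi 'fake certificate'; then
    echo fake-ingress-cert          # controller had no TLS secret for this SNI name
  elif cn_matches_host "$cn" "$host"; then
    echo cert-for-host              # the expected (wildcard or exact) certificate
  else
    echo cert-for-other-host        # a real cert, but not one covering $host
  fi
}

# Classify the HTTP body: the controller's default backend answers with a
# fixed "default backend - 404" page when no Ingress rule matched the Host.
classify_http_body() {
  case "$1" in
    *"default backend - 404"*) echo no-rule-for-host ;;
    *) echo routed ;;
  esac
}

# Live probe of one node. --connect-to keeps SNI and Host as $host while the
# TCP connection goes to $node, which is what the F5 pool member would see.
probe_node() {
  node="$1"; host="$2"
  cert_out=$(printf '' | openssl s_client -connect "$node:443" -servername "$host" 2>/dev/null \
             | openssl x509 -noout -subject -issuer 2>/dev/null || true)
  echo "tls  ($host via $node): $(classify_served_cert "$cert_out" "$host")"
  body=$(curl -sk --connect-to "$host:443:$node:443" "https://$host/" || true)
  echo "http ($host via $node): $(classify_http_body "$body")"
}

# Constructed sample outputs (not captured from a real cluster), so the
# classifiers can be exercised offline.
SAMPLE_FAKE='subject=O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate
issuer=O = Acme Co, CN = Kubernetes Ingress Controller Fake Certificate'
SAMPLE_WILDCARD='subject= /C=US/O=Example Inc/CN=*.example.com
issuer= /C=US/O=Recognized CA/CN=Recognized CA Intermediate'
SAMPLE_404='<html><body>default backend - 404</body></html>'

if [ $# -ge 2 ]; then
  probe_node "$1" "$2"
fi
```

Run it once per node: if every node reports `fake-ingress-cert`, the TLS problem is inside the cluster (the controller never received a secret for that host) and the F5 cannot fix it; if the nodes report `cert-for-host` but the browser still sees the fake certificate, the load balancer is not forwarding the original SNI name. Likewise `no-rule-for-host` from the node itself, with Host set correctly, means the Ingress object is not what the controller is serving, which is worth confirming with `kubectl -n cattle-system get ingress` before touching anything in front of it.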