I am trying to set up Rancher:latest using the documentation provided here - https://rancher.com/docs/rancher/v2.x/en/installation/ha-server-install-external-lb/
Here is how my setup looks:
Here is my rancher-cluster.yml, based on this template - https://raw.githubusercontent.com/rancher/rancher/58e695b51096b1f404188379cea6f6a35aea9e4c/rke-templates/3-node-externalssl-recognizedca.yml

nodes:
  - address: host1.example.com   # hostname or IP to access nodes
    user: rke                    # root user (usually 'root')
    role: [controlplane,etcd,worker]   # K8s roles for node
    ssh_key_path: /Users/rancher/.ssh/id_rsa
  - address: host2.example.com
    user: rke
    role: [controlplane,etcd,worker]
    ssh_key_path: /Users/rancher/.ssh/id_rsa
  - address: host3.example.com
    user: rke
    role: [controlplane,etcd,worker]
    ssh_key_path: /Users/rancher/.ssh/id_rsa

addons: |-
  ---
  kind: Namespace
  apiVersion: v1
  metadata:
    name: cattle-system
  ---
  kind: ServiceAccount
  apiVersion: v1
  metadata:
    name: cattle-admin
    namespace: cattle-system
  ---
  kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: cattle-crb
    namespace: cattle-system
  subjects:
  - kind: ServiceAccount
    name: cattle-admin
    namespace: cattle-system
  roleRef:
    kind: ClusterRole
    name: cluster-admin
    apiGroup: rbac.authorization.k8s.io
  ---
  apiVersion: v1
  kind: Service
  metadata:
    namespace: cattle-system
    name: cattle-service
    labels:
      app: cattle
  spec:
    ports:
    - port: 80
      targetPort: 80
      protocol: TCP
      name: http
    selector:
      app: cattle
  ---
  apiVersion: extensions/v1beta1
  kind: Ingress
  metadata:
    namespace: cattle-system
    name: cattle-ingress-http
    annotations:
      nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"   # Max time in seconds for ws to remain shell window open
      nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"   # Max time in seconds for ws to remain shell window open
      nginx.ingress.kubernetes.io/ssl-redirect: "false"        # Disable redirect to ssl
  spec:
    rules:
    - host: rancher.example.com
      http:
        paths:
        - backend:
            serviceName: cattle-service
            servicePort: 80
  ---
  kind: Deployment
  apiVersion: extensions/v1beta1
  metadata:
    namespace: cattle-system
    name: cattle
  spec:
    replicas: 1
    template:
      metadata:
        labels:
          app: cattle
      spec:
        serviceAccountName: cattle-admin
        containers:
        - image: rancher/rancher:latest
          imagePullPolicy: Always
          name: cattle-server
          ports:
          - containerPort: 80
            protocol: TCP
I have this setup sitting behind an F5 that has a virtual pool set up for rancher.example.com with members host1.example.com:443, host2.example.com:443 and host3.example.com:443. It's also using a cert signed by a recognized CA.
When I try to browse rancher.example.com, I get “default backend - 404” returned.
I also tried to skip the F5 and create a local host entry in /etc/hosts for rancher.example.com, and I still get the same results. It appears that the nginx deployment is not recognizing the FQDN and is going directly to the default backend page.
Note: the same cert works well if I set up a single-node Rancher deployment without the nginx ingress using RKE.
I have also tried to replace the f5 with a nginx server in front of this setup using - https://rancher.com/docs/rancher/v2.x/en/installation/ha-server-install/
In the template I provided the base64 for my cert that had the wildcard cert and the CA cert, and for the key I provided the base64 for my cert.key file. When I tried to browse the URL rancher.example.com after this, I got an HSTS error saying the cert is not valid, and the cert was named “Kubernetes fake ingress controller certificate”.
Can someone guide me in the right direction?
Thanks in advance.
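The two symptoms in the post (a "default backend - 404" page, and a placeholder "Kubernetes Ingress Controller Fake Certificate" being served) each point at a specific gap between what the client sends and what the ingress has configured: the first means no Ingress rule matched the Host header that reached nginx, the second means no TLS secret matched the server name in the TLS handshake. The probe below is an added example, not code from the post, from Rancher, or from RKE. It connects to each node directly (bypassing the load balancer), sends the expected SNI and Host header for rancher.example.com, and classifies the result so the two cases can be told apart from a healthy ingress. The node names and hostname are taken from the post; the port, timeout and the diagnosis strings are this example's own choices.

```python
"""Probe ingress nodes with a chosen SNI / Host name and classify the result.

Added example (not from the original post, Rancher or RKE). Assumes the
three nodes and the ingress hostname used in the post; adjust NODES and
SERVER_NAME for another environment.
"""
import http.client
import socket
import ssl

# Hostname the Ingress rule is expected to match, and the nodes behind the LB
# (values from the post; placeholders for any other setup).
SERVER_NAME = "rancher.example.com"
NODES = ["host1.example.com", "host2.example.com", "host3.example.com"]

# Subject CN of the self-signed placeholder certificate the NGINX ingress
# controller serves when no TLS secret matches the requested server name.
FAKE_INGRESS_CN = "Kubernetes Ingress Controller Fake Certificate"


def classify(status: int, body: str, fake_cert: bool) -> str:
    """Pure interpretation step: map one probe observation to a diagnosis."""
    if fake_cert:
        return "placeholder-cert: ingress has no TLS secret for this server name"
    if status == 404 and "default backend" in body.lower():
        return "default-backend: no Ingress rule matches this Host header"
    if status in (200, 301, 302):
        return "ok: an Ingress rule routed the request"
    return f"unexpected: HTTP {status}"


def probe(node: str, server_name: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to one node, present server_name as SNI and Host, return diagnosis."""
    ctx = ssl.create_default_context()
    # Verification is disabled on purpose: the point is to observe which
    # certificate the ingress presents, not to reject an unexpected one.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    raw = socket.create_connection((node, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=server_name)
    try:
        # With CERT_NONE the parsed cert dict is empty, so inspect the DER bytes;
        # the placeholder CN appears verbatim in the subject.
        der = tls.getpeercert(binary_form=True) or b""
        fake_cert = FAKE_INGRESS_CN.encode() in der

        # Reuse the already-negotiated TLS socket for a plain HTTP/1.1 request
        # whose Host header is the name the Ingress rule should match.
        conn = http.client.HTTPConnection(node, port, timeout=timeout)
        conn.sock = tls
        conn.request("GET", "/", headers={"Host": server_name})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return classify(resp.status, body, fake_cert)
    finally:
        tls.close()


if __name__ == "__main__":
    for node in NODES:
        try:
            print(f"{node}: {probe(node, SERVER_NAME)}")
        except OSError as exc:
            print(f"{node}: connection failed ({exc})")
```

Running this against each node separately, rather than through the load balancer, separates an F5 pool or Host-header rewriting problem from an Ingress object that simply has no matching rule or TLS secret: if every node reports "default-backend", the Ingress is not matching regardless of the LB, and if the placeholder certificate shows up only when the SNI is set to rancher.example.com, the TLS secret referenced by the Ingress does not cover that name.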