Rancher 2.5.1 in GKE cluster

Hi All,

I deployed the latest Rancher into the GKE cluster using these instructions:

setting tls=external because I want to use a GKE-managed cert

here is the full command:

helm install rancher rancher-latest/rancher \
  --namespace cattle-system \
  --set hostname=my.host.com \
  --set tls=external \
  --set replicas=1

Everything seems to be OK (no errors or warnings in the cluster), but I can’t access the Rancher UI using a browser (getting the error ‘unexpectedly closed the connection’ in Chrome).
When trying to access it using kubectl port-forward, I see the redirection (302) happening from 80 to 8443.

Rancher pod logs are filled with:

[ERROR] Failed to find system chart fleet will try again in 5 seconds: configmaps "rancher-charts-24bzp" not found

There is probably something I’m missing, but not sure what it is…

TLS is required, you can’t just port forward to 80 and use it.

The balancer/TLS termination device in front of it needs to set x-forwarded-host and -proto headers.

Otherwise the http port is only used for redirecting to https (and it doesn’t know what port tls is actually exposed on, so it redirects to the port the request came in on + 363 (443-80 = 363). So you’re running on :8000?)
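Added example (not part of the original posts and not Rancher code): a small Python check that classifies a response from the HTTP port as the "request port + 363" redirect described in the reply above, which is what you see when nothing in front of Rancher terminates TLS and sets X-Forwarded-Proto / X-Forwarded-Host. The function names and the sample observations are constructed for illustration; the first sample mirrors the 8080:80 port-forward from this thread.

```python
from urllib.parse import urlsplit

# Offset described in the reply above: 443 - 80 = 363.
HTTPS_PORT_OFFSET = 443 - 80
DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url):
    """Port of a URL, falling back to the scheme default when omitted."""
    parts = urlsplit(url)
    return parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]


def diagnose(request_url, status, location=None):
    """Classify one response seen when probing the Rancher HTTP port."""
    if status not in (301, 302, 307, 308) or not location:
        return "no-redirect"
    target = urlsplit(location)
    if target.scheme != "https":
        return "other-redirect"
    if effective_port(location) == effective_port(request_url) + HTTPS_PORT_OFFSET:
        # The request was treated as plain HTTP: no TLS terminator in front
        # of Rancher set X-Forwarded-Proto / X-Forwarded-Host.
        return "http-to-https-offset-redirect"
    return "other-redirect"


# Constructed sample observations (not captured from a real cluster).
SAMPLES = [
    ("http://localhost:8080/", 302, "https://localhost:8443/"),  # port-forward 8080:80
    ("http://my.host.com/", 302, "https://my.host.com/"),        # 80 -> 443, ports implicit
    ("http://localhost:8080/", 302, "https://localhost/login"),  # 443 is not 8080 + 363
    ("https://my.host.com/", 200, None),                         # served over TLS
]


def run_samples():
    """Return the verdict for each constructed sample, in order."""
    return [diagnose(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(sample[0], "->", verdict)
```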

I’m following this doc https://staging.rancher.com/docs/rancher/v2.5/en/installation/resources/chart-options/ so I think I’m running on 80 (got redirected to 8443 because port-forward is 8080:80), see the screenshot


It seems like only port 80 is exposed.

What is the best way to run Rancher in the cluster managed by GKE (or whatever) and make use of a Google-managed SSL cert for Rancher (Using Google-managed SSL certificates)? Or is there another recommended way?

Sorry if this is a retarded question; I just created this GKE cluster for Rancher and want to make sure it follows the best practices. Before, I was running it in a single container and used the LetsEncrypt option to take care of SSL certs out of the box - worked pretty well. Does it make sense to use the same (LetsEncrypt) when running Rancher behind a GKE LB/Ingress?

Abandoned the idea of using GKE certs management, deployed Rancher with LetsEncrypt and it all works :slight_smile: