I apologize in advance if this is effectively “ELI5” anywhere, but for now I am having a hard time making Rancher (2.5) work with EKS ingress.
I first attempted the new type of install, where I build an EKS cluster, then install Rancher on top. This mostly worked but… I elected to use Rancher’s own certificate. I could verify that the certificate was created. I even found a new ELB instance. Cool. Except that ELB instance only seems to be able to map to the NodePort selected for port 80, which forces a redirect to 443 (as expected) and the corresponding NodePort does not seem to exist. Help?
I also tested running a bootstrap Rancher instance and using its interface to create an EKS cluster. This worked well and this time it is, obviously, easy to access Rancher’s Web UI.
However, when I rolled out a “hello world” payload and attempted creating an ingress using the neighboring UI… well, the Ingress has been initializing for hours.
Was I supposed to create a load balancer (ELB) first? What am I missing?
Note: I realize that the ingress being created in my second scenario is L7, therefore it should be an ALB. I cannot figure out how to create an L4 LB in 2.5 anymore.
Another update, regarding the first scenario: since it does create an ELB (a classic one) I went ahead and added an ACM certificate and HTTPS support. This appears to work.
(Note that I was only able to get the original load balancer created by patching my Rancher service to be a “Load Balancer” rather than “ClusterIP” and I suspect this is NOT how the Rancher team intended this.)
However, classic ELB does not support web sockets… and there is no one on the Rancher side listening on port 443 so I cannot simply forward SSL/443.
So, I decided to give Rancher a hand and migrated the CLB to an ALB (L7) – I can now access Rancher’s web UI including websockets, etc.
Anyway, moving past this one… I just rolled out a workload. I also attempted creating a load balancer, but now Rancher seems unable to create an ELB and my LB is stuck “Initializing…”
And yes, the service I am trying to access is my nodeport service. I suspect that if I patched it as well, again I would end up with a CLB. But then, certificate support is out the window. Basically I am back in pure K8S land.
Have I completely lost the plot?