How do you deal with a setup where Rancher HA and the user cluster are both behind a firewall?
The HA installation documentation recommends a streaming load balancer in front of Rancher.


If I use the same load balancer for the user cluster, TLS termination has to be configured on the
Rancher cluster. Rancher is then the bottleneck, in my understanding…

Do you set up another load balancer (HA) in front of the user cluster and expose this to the public,
or is there any other solution?
I would like to avoid user-cluster unavailability when Rancher crashes for some reason (self-contained cluster).

Any thoughts on this?

This option is described here: https://rancher.com/docs/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#authorized-cluster-endpoint

Cool, thanks… I missed this. :slightly_smiling_face:
The 'authorized endpoint' (singular) makes me wonder a bit because there are many. Let's say 3 control planes. The load balancer (same as for Rancher) is then the authorized endpoint?

If you are using an authorized cluster endpoint, we recommend creating an FQDN pointing to a load balancer which balances traffic across your nodes with the controlplane role.

This means another load balancer in front of the user cluster but only for control planes? :anguished:

  1. External load balancer (NGINX) routing traffic to my 3 rancher nodes
  2. Internal load balancer for control planes (for authorized cluster endpoint)
  3. External load balancer (NGINX) for the user cluster

Things become complicated. An alternative is TLS termination at the load balancer (the one where Rancher is exposed to the public now), I think.
I don't want to use HA load balancers for every single thing in the cluster.

@seimic how did you solve this issue? If you did, how was the config of your LB? The same as in front of your Rancher HA servers?


Yes, I'm using a second floating IP for the control-plane load balancing at the edge nodes (edge nodes = two nodes in a failover setup exposed to the internet).
I use nginx at the edge nodes to stream the traffic to the control planes.

Something like this…

stream {
  # TCP passthrough (no TLS termination here): the control planes keep their own certificates
  upstream cluster_api_upstream {
    server ${cluster_ctrl0_ip}:6443 max_fails=3 fail_timeout=10s;
    server ${cluster_ctrl1_ip}:6443 max_fails=3 fail_timeout=10s;
    server ${cluster_ctrl2_ip}:6443 max_fails=3 fail_timeout=10s;
  }

  server {
    # second floating IP, dedicated to the authorized cluster endpoint
    listen ${vpc_fip_cluster}:6443;
    proxy_pass cluster_api_upstream;
  }
}


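A fuller version of that edge-node layout, as an added example that is not the config from the post above nor Rancher's own documentation: a single nginx stream block on each edge node that carries all three roles listed earlier in the thread (Rancher HA, the authorized cluster endpoint, and the user-cluster ingress), using one floating IP for Rancher and a second one for the user cluster, so no additional HA load balancer pair is needed. The placeholder names (`${vpc_fip_rancher}`, `${vpc_fip_cluster}`, `${rancher0_ip}` …, `${cluster_ctrl0_ip}` …, `${cluster_worker0_ip}` …) are assumed, and the `proxy_timeout` value is a choice for long-lived kubectl sessions, not something the thread states.

```nginx
# /etc/nginx/nginx.conf on each edge node (added example; placeholder names are assumed)
worker_processes auto;
worker_rlimit_nofile 40000;

events {
    worker_connections 8192;
}

# Everything below is plain TCP passthrough: TLS terminates on the Rancher
# ingress, on the kube-apiservers and on the user-cluster ingress, so the
# edge nodes never hold those private keys.
stream {
    # --- 1. Rancher HA: first floating IP, ports 80/443 -> the three Rancher nodes ---
    upstream rancher_http {
        least_conn;
        server ${rancher0_ip}:80 max_fails=3 fail_timeout=5s;
        server ${rancher1_ip}:80 max_fails=3 fail_timeout=5s;
        server ${rancher2_ip}:80 max_fails=3 fail_timeout=5s;
    }
    upstream rancher_https {
        least_conn;
        server ${rancher0_ip}:443 max_fails=3 fail_timeout=5s;
        server ${rancher1_ip}:443 max_fails=3 fail_timeout=5s;
        server ${rancher2_ip}:443 max_fails=3 fail_timeout=5s;
    }
    server {
        listen ${vpc_fip_rancher}:80;
        proxy_pass rancher_http;
    }
    server {
        listen ${vpc_fip_rancher}:443;
        proxy_pass rancher_https;
    }

    # --- 2. Authorized cluster endpoint: second floating IP, port 6443 ->
    #        only the nodes with the controlplane role ---
    upstream cluster_api {
        least_conn;
        server ${cluster_ctrl0_ip}:6443 max_fails=3 fail_timeout=10s;
        server ${cluster_ctrl1_ip}:6443 max_fails=3 fail_timeout=10s;
        server ${cluster_ctrl2_ip}:6443 max_fails=3 fail_timeout=10s;
    }
    server {
        listen ${vpc_fip_cluster}:6443;
        proxy_pass cluster_api;
        # kubectl watch / exec / logs -f keep one TCP connection open for a long
        # time; the stream module's default proxy_timeout of 10m would cut them off
        proxy_timeout 1h;
    }

    # --- 3. User-cluster ingress: same second floating IP, ports 80/443 ->
    #        the worker nodes running the ingress controller ---
    upstream cluster_ingress_http {
        least_conn;
        server ${cluster_worker0_ip}:80 max_fails=3 fail_timeout=5s;
        server ${cluster_worker1_ip}:80 max_fails=3 fail_timeout=5s;
    }
    upstream cluster_ingress_https {
        least_conn;
        server ${cluster_worker0_ip}:443 max_fails=3 fail_timeout=5s;
        server ${cluster_worker1_ip}:443 max_fails=3 fail_timeout=5s;
    }
    server {
        listen ${vpc_fip_cluster}:80;
        proxy_pass cluster_ingress_http;
    }
    server {
        listen ${vpc_fip_cluster}:443;
        proxy_pass cluster_ingress_https;
    }
}
```

Check the file with `nginx -t` before reloading. Two things to watch with the 6443 listener: because it is TCP passthrough, the FQDN that resolves to `${vpc_fip_cluster}` must be present in the kube-apiserver certificate's SANs (for RKE-provisioned clusters that is the `authentication.sans` list in the cluster config), otherwise kubectl will reject the certificate; and the listener exposes the API server to anyone who can reach that floating IP, so restrict it at the firewall to the networks that actually need the authorized cluster endpoint. With that in place, the authorized-endpoint context in the generated kubeconfig keeps working when Rancher itself is down, which is the self-contained-cluster behaviour asked about at the start of the thread.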