Ground point:
- I have an nginx host, 10.1.1.1, with public IP 1.1.1.1
- rancher host, 10.2.2.2 with public IP 2.2.2.2
- single node rancher install
- rancher server_url is https://10.2.2.2
- DNS A record control.example.com -> 1.1.1.1
- nginx server rule, with upstream to 2.2.2.2
- Let’s Encrypt cert installed on nginx for control.example.com
- k8s cluster created with rancher
Setup worked fine and was in production for some time.
I’ve decided to move from the nginx proxy directly to Rancher. I changed the DNS record for control.example.com to 2.2.2.2. Obviously, I’ve got an issue with the TLS cert.
I modified the container like this:
sudo docker run --name=new-rancher -d \
  --volumes-from old-rancher --restart=unless-stopped -p 80:80 -p 443:443 \
  rancher/rancher:v2.2.8 \
  --acme-domain control.example.com
The container started successfully, and in the web browser I see that all works with the new certs. But my k8s cluster lost connection to Rancher. In the UI I’ve got this message:
“This cluster is currently Unavailable; areas that interact directly with it will not be available until the API is ready”
And in docker logs new-rancher I’ve got errors:
“TLS handshake error from x.x.x.x:53090: remote error: tls: bad certificate” where x.x.x.x is the IP addresses of the k8s nodes.
To mitigate the issue, I restored from backup, like this:
docker run --volumes-from new-rancher -v $PWD:/backup \
alpine sh -c "rm /var/lib/rancher/* -rf && \
tar zxvf /backup/backup.tar.gz"
sudo docker run --name=restored-rancher -d --volumes-from new-rancher \
--restart=unless-stopped -p 80:80 -p 443:443 \
rancher/rancher:v2.2.8
In this way, I restored the connection to my cluster.
And there is a question after such a cool story.
How should I migrate the Web UI from the nginx proxy to Rancher directly, and how can I migrate to Let’s Encrypt certs in Rancher without affecting the attached k8s cluster?
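The following is an added diagnostic example, not code from the post or from the Rancher project. It does two things a practitioner would want before repeating the switch: it parses the Rancher container log for the “bad certificate” handshake errors quoted above and lists which node IPs are failing, and it compares the SHA-256 checksum of the CA certificate the server now hands out with the checksum the agents were deployed with. The assumption (labelled in the code) is that the agents pin the CA by a SHA-256 of the PEM file, as Rancher agents do via CATTLE_CA_CHECKSUM; the log lines and PEM blobs are constructed sample data, not real certificates or logs.

```python
import hashlib
import re
from collections import Counter

# Log line shape as quoted in the post: one line per rejected agent connection.
HANDSHAKE_RE = re.compile(
    r"TLS handshake error from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+: "
    r"remote error: tls: bad certificate"
)


def affected_nodes(log_lines):
    """Return {node_ip: count} for every 'bad certificate' handshake failure seen."""
    counts = Counter()
    for line in log_lines:
        m = HANDSHAKE_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return dict(counts)


def pem_sha256(pem_text):
    """SHA-256 of the CA PEM taken as a file, i.e. what `sha256sum cacerts` prints.

    Assumption: this mirrors the CA-checksum pinning used by Rancher agents
    (CATTLE_CA_CHECKSUM); it is hashed as text on purpose, not as DER.
    """
    return hashlib.sha256(pem_text.encode("utf-8")).hexdigest()


def ca_matches(pem_text, deployed_checksum):
    """True if the CA the server would serve equals the one the agents were deployed with."""
    return pem_sha256(pem_text) == deployed_checksum.strip().lower()


def diagnose(log_lines, served_ca_pem, deployed_checksum):
    """Summarise which nodes fail and whether the served CA still matches the pinned one."""
    return {
        "nodes": affected_nodes(log_lines),
        "ca_matches_deployed": ca_matches(served_ca_pem, deployed_checksum),
    }


# --- constructed sample input (not taken from the page) ---------------------
SAMPLE_LOG = [
    "2019/10/01 10:00:01 http: TLS handshake error from 10.3.3.1:53090: remote error: tls: bad certificate",
    "2019/10/01 10:00:01 [INFO] Rancher version v2.2.8 is starting",
    "2019/10/01 10:00:02 http: TLS handshake error from 10.3.3.2:40112: remote error: tls: bad certificate",
    "2019/10/01 10:00:03 http: TLS handshake error from 10.3.3.1:53094: remote error: tls: bad certificate",
]

# Fake PEM bodies: valid base64-looking text but not real certificates.
OLD_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBc29tZS1vbGQtc2VsZi1zaWduZWQtcmFuY2hlci1jYS1wbGFjZWhvbGRlcg==\n"
    "-----END CERTIFICATE-----\n"
)
NEW_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBc29tZS1uZXctYWNtZS1pc3N1ZWQtY2hhaW4tcGxhY2Vob2xkZXI=\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Checksum the agents were registered with (old self-signed CA), versus the
    # CA the container serves after switching to --acme-domain.
    deployed = pem_sha256(OLD_CA_PEM)
    report = diagnose(SAMPLE_LOG, NEW_CA_PEM, deployed)
    for ip, n in sorted(report["nodes"].items()):
        print(f"node {ip}: {n} rejected handshake(s)")
    print("served CA matches deployed checksum:", report["ca_matches_deployed"])
```

Run it against `docker logs new-rancher 2>&1` piped into `SAMPLE_LOG` and the PEM you get from the server's `/cacerts` endpoint; a `False` in the last line with non-empty node counts is exactly the symptom in the post, and tells you the agents would need the new CA before the server certificate can change.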