Hi,
I’m using cert-manager to manage my Let’s Encrypt certificates on my single-node Rancher installation and would also like to use those certificates for rancher-server (and the Rancher UI) itself. However, I’m having trouble grasping how I can get the certificates out of the k8s secret storage into the rancher-server container. Is there any way to provide the certificates after the rancher-server container has been started? E.g. by mounting them to the host and then restarting the rancher-server container and mounting those paths as well?
That’s definitely not a good idea. The k8s cluster is managed by Rancher, so the nodes (even a single node) have to contact the Rancher server. So we have a chicken-and-egg problem: you need the Rancher server up and running before you can deploy your k8s cluster, so you still need a cert beforehand. Rancher Server itself has Let’s Encrypt support, so maybe this could also be a solution for you: https://rancher.com/docs/rancher/v2.x/en/installation/single-node/
Thanks for the tip. The problem is that the node has no public IP address as this is a development environment. Therefore I would have to use DNS validation for Let’s Encrypt and, as I read the documentation, only HTTP is currently available.
I’m currently trying the following: set up Rancher with a custom port as described under “Running rancher/rancher and rancher/rancher-agent on the Same Node” and then add a proxy with the cert-manager certificate in front of it. The k8s cluster would use that internal port and the self-signed cert, and the users would use the standard ports and the cert-manager cert.
I will report if this works.
I tried this and it almost worked. I now have the Let’s Encrypt certificate in front of port 8080, and the web UI is on port 443 with the correct certificate. I only have one problem left:
When I show the kubeconfig file in the cluster overview, it shows the server https://docker.example.com but with the self-signed certificate in certificate-authority-data. If I configure kubectl this way it of course cannot validate the certificate. Now I have two options: one is to change the server URL and open the internal port to every developer (not that optimal). The other is to add the Let’s Encrypt intermediate to cacerts (not intended). I tried the second route and it worked. To do that I had to `docker exec -it rancher_container bash` into the Rancher container and create a file named /etc/rancher/ssl/cacerts.pem with both the self-signed cert and the Let’s Encrypt intermediate. After restarting the container everything worked. I will test if registration of a new node also works with this setup, and if it does I will write a little tutorial.
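The validation failure described in that last post, and the cacerts.pem fix for it, reproduced locally as an added example (not code from the thread or from Rancher): throwaway CAs stand in for the rancher-server self-signed CA and for the Let’s Encrypt intermediate, and the hostname docker.example.com is taken from the post. It assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example: reproduces the kubectl validation failure from the thread with
# throwaway, locally generated certificates (no real Let's Encrypt material).
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# Minimal openssl config so the run does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# new_ca NAME CN: self-signed CA certificate plus key under $WORK/NAME.{pem,key}.
new_ca() {
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# Stand-in for the self-signed CA that rancher-server generates (constructed).
new_ca rancher-ca rancher-selfsigned-ca
# Stand-in for the Let's Encrypt intermediate (constructed; self-signed here so
# openssl treats it as a trust anchor, which is how kubectl treats every
# certificate listed in certificate-authority-data).
new_ca le-int fake-le-intermediate
# Leaf for the public Rancher hostname, issued by the fake intermediate: what the
# proxy in front of port 8080 presents to kubectl.
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
  -subj "/CN=docker.example.com" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/le-int.pem" -CAkey "$WORK/le-int.key" \
  -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null

# cacerts.pem as the post describes it: self-signed CA plus the intermediate.
cat "$WORK/rancher-ca.pem" "$WORK/le-int.pem" > "$WORK/cacerts.pem"

# verify_leaf BUNDLE: "ok" if the proxy's leaf chains to BUNDLE, else "fail".
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

echo "self-signed CA only (what the generated kubeconfig ships): $(verify_leaf "$WORK/rancher-ca.pem")"
echo "cacerts.pem with the intermediate added: $(verify_leaf "$WORK/cacerts.pem")"
```

The first check fails exactly as kubectl does with the generated kubeconfig; the second succeeds because the bundle now contains the issuer of the proxy's leaf, while the self-signed CA stays in place for the agents that talk to the internal port.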