I have an issue with the Rancher TLS connection.
Here is my situation:
I have a new Kubernetes installation with 3 x Master Node and 3 x Worker Node hosted on a Proxmox VE cluster.
Rancher 2.8.3 to manage all this. I have an HAProxy on an OPNsense to access all internal Kubernetes services. There is a reverse proxy to access the Rancher web UI. I created a root CA on OPNsense and a certificate from it to allow TLS connections.
OpenSSL tells me that it is OK. I can go to the Rancher web UI without issue.
But when I try kubectl get … pods, I get the following issue:
E0628 13:03:34.849568 422 memcache.go:265] couldn't get current server API group list: Get "https://rancher.xxxxxxxx.local/k8s/clusters/local/api?timeout=32s": tls: failed to verify certificate: x509: certificate signed by unknown authority
What I tried to fix that:
I supposed that as my certificate is self-signed, Rancher does not trust it. I followed the following link to fix it: Rancher Helm Chart Options | Rancher. No result.
Then I supposed that even if I add my own certificate, Rancher does not trust the root CA that signed my certificate. So I followed this tutorial to add my root CA to Rancher: Updating the Rancher Certificate | Rancher. Now the Rancher web interface at /v3/settings/cacerts shows that my certificate was uploaded. But I have the same issue.
I am currently wondering if it is not HAProxy's fault, as it initiates the SSL connection instead of Rancher?
Can we have a Kubernetes cluster without a CA / SSL internally and let HAProxy encrypt all connections from outside?
There is something I am doing wrong or didn't understand.
Can I have your opinion about my issue?
Regards, Foreman21.