TL;DR: How can I make an internal root CA known to Rancher when the Rancher SSL cert is not signed by it, but other external systems (like the OIDC provider) are?
I have a running Rancher in version v2.6.3 on one of my VMs as a Docker container. It uses an SSL certificate signed by DigiCert, as I'm using it to manage clusters outside of my own network. The Web UI login is only used from within my network. I use an OIDC client in Keycloak for it. Since this Keycloak is (and should stay) only accessible from my internal network, it has a certificate signed by my internal CA.
To get this working I needed to make the root CA known to Rancher. So I mounted it into the container at /etc/rancher/ssl/cacerts.pem alongside my DigiCert-signed certificate and key (SSL_CERT_DIR is set to /etc/rancher/ssl).
After doing that I could successfully configure OIDC auth with my internal Keycloak. Before adding the root CA, I got a certificate error when Rancher tried to read https://<KEYCLOAK REALM AUTH URL>/.well-known/openid-configuration.
Now Rancher is adding this root CA certificate to the kubeconfig files the users can download from the UI to access their clusters. This then results in a certificate error when they want to access the cluster with kubectl. I could now tell everyone to just remove the certificate-authority-data when they download their config. But even though it is working, it feels like this is not the correct way to make the certificate known to Rancher. If I understand the documentation and the result described here correctly, the file /etc/rancher/ssl/cacerts.pem should only be used in case your Rancher uses a certificate signed by a non-public CA.
Is there another way to make my internal CA known to Rancher? Unfortunately I could only find this article in the documentation which I followed to the result above.
Thanks in advance!
CodePudding user response:
I figured it out!
I found something in the Rancher Helm Chart Options about Additional Trusted CAs. That led me to the Helm chart, where I found this block in the Deployment:

    {{- if .Values.additionalTrustedCAs }}
    - mountPath: /etc/pki/trust/anchors/ca-additional.pem
      name: tls-ca-additional-volume
      subPath: ca-additional.pem
      readOnly: true
    - mountPath: /etc/rancher/ssl/ca-additional.pem
      name: tls-ca-additional-volume
      subPath: ca-additional.pem
      readOnly: true
    {{- end }}
    {{- if .Values.privateCA }}
    # Pass CA cert into rancher for private CA
    - mountPath: /etc/rancher/ssl/cacerts.pem
      name: tls-ca-volume
      subPath: cacerts.pem
      readOnly: true
    {{- end }}

Apparently adding additional CA certs to the trust store is as easy as mounting the CAs to /etc/rancher/ssl/ca-additional.pem and /etc/pki/trust/anchors/ca-additional.pem.
I tried it already and it is working like a charm! OIDC login works, and when I download a kubeconfig the certificate-authority-data is not set.
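As an added check that is not part of the original question or answer: a small script that audits a downloaded kubeconfig for an embedded certificate-authority-data and tells you whether the embedded CA is one of the certificates from your internal CA bundle (the symptom of mounting it at cacerts.pem) or something else. The PEM bodies and the kubeconfig below are constructed sample data, not real certificates; the fingerprint comparison works on any CERTIFICATE blocks, including a bundle with several roots.

```python
from __future__ import annotations
import base64
import hashlib
import re

# Rancher embeds the CA, when it sets one, as base64-encoded PEM text.
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CA_DATA_RE = re.compile(
    r'^\s*certificate-authority-data:\s*"?([A-Za-z0-9+/=]+)"?\s*$', re.M)


def cert_fingerprints(pem_text: str) -> set[str]:
    """SHA-256 hex fingerprints of the DER bytes of every CERTIFICATE block."""
    fps = set()
    for body in PEM_CERT_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.add(hashlib.sha256(der).hexdigest())
    return fps


def kubeconfig_ca_status(kubeconfig_text: str, internal_ca_pem: str) -> list[str]:
    """One entry per certificate-authority-data found in the kubeconfig:
    'internal' if every embedded cert is in our internal CA bundle,
    'other' otherwise. An empty list means no CA data is embedded at all,
    which is the expected result once the CA is mounted as ca-additional.pem."""
    internal = cert_fingerprints(internal_ca_pem)
    statuses = []
    for b64 in CA_DATA_RE.findall(kubeconfig_text):
        fps = cert_fingerprints(base64.b64decode(b64).decode())
        statuses.append("internal" if fps and fps <= internal else "other")
    return statuses


# Constructed sample data: the "certificate" body is arbitrary bytes, not a real cert.
_FAKE_BODY = base64.b64encode(b"constructed-internal-root-ca-not-a-real-der").decode()
INTERNAL_CA_PEM = f"-----BEGIN CERTIFICATE-----\n{_FAKE_BODY}\n-----END CERTIFICATE-----\n"

KUBECONFIG_WITH_CA = (
    "apiVersion: v1\nkind: Config\nclusters:\n- name: \"demo\"\n  cluster:\n"
    "    server: \"https://rancher.example.invalid/k8s/clusters/c-placeholder\"\n"
    f"    certificate-authority-data: \"{base64.b64encode(INTERNAL_CA_PEM.encode()).decode()}\"\n")
KUBECONFIG_FIXED = KUBECONFIG_WITH_CA.split("    certificate-authority-data")[0]

if __name__ == "__main__":
    print(kubeconfig_ca_status(KUBECONFIG_WITH_CA, INTERNAL_CA_PEM))  # ['internal']
    print(kubeconfig_ca_status(KUBECONFIG_FIXED, INTERNAL_CA_PEM))    # []
```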