Rancher add internal CA to connect to other systems

Time:07-06

TL;DR: How can I make an internal root CA known to Rancher when the Rancher SSL cert is not signed by it, but other external systems (like the OIDC provider) are?

I have a running Rancher in version v2.6.3 on one of my VMs as a Docker container. It uses an SSL certificate signed by DigiCert, as I'm using it to manage clusters outside of my own network. The Web UI login is only used from within my network. I use an OIDC client in Keycloak for it. Since this Keycloak is (and should stay) only accessible from my internal network, it has a certificate signed by my internal CA.

To get this working I needed to make the root CA known to Rancher. So I mounted it to the container at /etc/rancher/ssl/cacerts.pem alongside my DigiCert-signed certificate and key (SSL_CERT_DIR is set to /etc/rancher/ssl).

After doing that I could successfully configure OIDC auth with my internal Keycloak. Before adding the root CA, I got a certificate error when Rancher tried to read https://<KEYCLOAK REALM AUTH URL>/.well-known/openid-configuration.

Now Rancher is adding this root CA certificate to the kubeconfig files the users can download from the UI to access their clusters, which then results in a certificate error when they want to access the cluster with kubectl. I could now tell everyone to just remove the certificate-authority-data when they download their config. But even though it is working, it feels like this is not the correct way to make the certificate known to Rancher. If I understand the documentation and the result described here correctly, the file /etc/rancher/ssl/cacerts.pem should only be used in case your Rancher uses a certificate signed by a non-public CA.

Is there another way to make my internal CA known to Rancher? Unfortunately I could only find this article in the documentation which I followed to the result above.

Thanks in advance!

CodePudding user response:

I figured it out!

I found something in the Rancher Helm Chart Options about Additional Trusted CAs, which led me to the Helm chart where I found this block in the Deployment:

{{- if .Values.additionalTrustedCAs }}
- mountPath: /etc/pki/trust/anchors/ca-additional.pem
  name: tls-ca-additional-volume
  subPath: ca-additional.pem
  readOnly: true
- mountPath: /etc/rancher/ssl/ca-additional.pem
  name: tls-ca-additional-volume
  subPath: ca-additional.pem
  readOnly: true
{{- end }}
{{- if .Values.privateCA }}
# Pass CA cert into rancher for private CA
- mountPath: /etc/rancher/ssl/cacerts.pem
  name: tls-ca-volume
  subPath: cacerts.pem
  readOnly: true
{{- end }}

Apparently adding additional CA certs to the trust store is as easy as mounting the CAs to /etc/rancher/ssl/ca-additional.pem and /etc/pki/trust/anchors/ca-additional.pem.

Tried it already and it is working like a charm! OIDC login works and when I download a kubeconfig the certificate-authority-data is not set.
