From 551d60f1937130adcb1ee4b1027e88fa94de89b8 Mon Sep 17 00:00:00 2001 From: John Carew Date: Thu, 5 Jun 2025 13:37:59 -0500 Subject: [PATCH] Update TLS termination documentation for NGINX v0.22 Clarify the configuration for external TLS termination with NGINX v0.22, including: - Instructions to enable the `use-forwarded-headers` option for ingress in both RKE and RKE2 installations. - A new section for RKE2 detailing how to create a custom configuration file for this setting. - Updates to the required headers section to include `X-Forwarded-Proto` and `X-Forwarded-Port`. --- .../helm2/helm-rancher/chart-options.md | 23 ++++++++++++++++--- .../helm-chart-options.md | 21 +++++++++++++++-- 2 files changed, 39 insertions(+), 5 deletions(-) diff --git a/archived_docs/en/version-2.0-2.4/getting-started/installation-and-upgrade/advanced-options/advanced-use-cases/helm2/helm-rancher/chart-options.md b/archived_docs/en/version-2.0-2.4/getting-started/installation-and-upgrade/advanced-options/advanced-use-cases/helm2/helm-rancher/chart-options.md index d231b49854f..883f194c364 100644 --- a/archived_docs/en/version-2.0-2.4/getting-started/installation-and-upgrade/advanced-options/advanced-use-cases/helm2/helm-rancher/chart-options.md +++ b/archived_docs/en/version-2.0-2.4/getting-started/installation-and-upgrade/advanced-options/advanced-use-cases/helm2/helm-rancher/chart-options.md 
@@ -155,15 +155,32 @@ You may terminate the SSL/TLS on a L7 load balancer external to the Rancher clus Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. -#### Configuring Ingress for External TLS when Using NGINX v0.25 +### Configuring Ingress for External TLS when Using NGINX v0.22 -In NGINX v0.25, the behavior of NGINX has [changed](https://github.com/kubernetes/ingress-nginx/blob/main/Changelog.md#0220) regarding forwarding headers and external TLS termination. Therefore, in the scenario that you are using external TLS termination configuration with NGINX v0.25, you must edit the `cluster.yml` to enable the `use-forwarded-headers` option for ingress: +In NGINX v0.22, the behavior of NGINX has [changed](https://github.com/kubernetes/ingress-nginx/blob/06efac9f0b6f8f84b553f58ccecf79dc42c75cc6/Changelog.md) regarding forwarding headers and external TLS termination. Therefore, in the scenario that you are using external TLS termination configuration with NGINX v0.22, you must enable the `use-forwarded-headers` option for ingress: +For RKE installations, edit the `cluster.yml` to add the following settings. ```yaml ingress: provider: nginx options: - use-forwarded-headers: "true" + use-forwarded-headers: 'true' +``` + +For RKE2 installations, you can create a custom `rke2-ingress-nginx-config.yaml` file at `/var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml` containing this required setting to enable using forwarded headers with external TLS termination. Without this required setting applied, the external LB will continuously respond with redirect loops it receives from the ingress controller. (This can be created before or after rancher is installed, rke2 server agent will notice this addition and automatically apply it.) 
+ +```yaml +--- +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: rke2-ingress-nginx + namespace: kube-system +spec: + valuesContent: |- + controller: + config: + use-forwarded-headers: "true" ``` #### Required Headers diff --git a/archived_docs/en/version-2.5/reference-guides/installation-references/helm-chart-options.md b/archived_docs/en/version-2.5/reference-guides/installation-references/helm-chart-options.md index 2a6bf024c59..1dbec3b6740 100644 --- a/archived_docs/en/version-2.5/reference-guides/installation-references/helm-chart-options.md +++ b/archived_docs/en/version-2.5/reference-guides/installation-references/helm-chart-options.md @@ -160,10 +160,11 @@ You may terminate the SSL/TLS on a L7 load balancer external to the Rancher clus Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. -### Configuring Ingress for External TLS when Using NGINX v0.25 +### Configuring Ingress for External TLS when Using NGINX v0.22 -In NGINX v0.25, the behavior of NGINX has [changed](https://github.com/kubernetes/ingress-nginx/blob/master/Changelog.md#0220) regarding forwarding headers and external TLS termination. Therefore, in the scenario that you are using external TLS termination configuration with NGINX v0.25, you must edit the `cluster.yml` to enable the `use-forwarded-headers` option for ingress: +In NGINX v0.22, the behavior of NGINX has [changed](https://github.com/kubernetes/ingress-nginx/blob/06efac9f0b6f8f84b553f58ccecf79dc42c75cc6/Changelog.md) regarding forwarding headers and external TLS termination. Therefore, in the scenario that you are using external TLS termination configuration with NGINX v0.22, you must enable the `use-forwarded-headers` option for ingress: +For RKE installations, edit the `cluster.yml` to add the following settings. ```yaml ingress: provider: nginx 
@@ -171,6 +172,22 @@ ingress: use-forwarded-headers: 'true' ``` +For RKE2 installations, you can create a custom `rke2-ingress-nginx-config.yaml` file at `/var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml` containing this required setting to enable using forwarded headers with external TLS termination. Without this required setting applied, the external LB will continuously respond with redirect loops it receives from the ingress controller. (This can be created before or after rancher is installed, rke2 server agent will notice this addition and automatically apply it.) + +```yaml +--- +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: rke2-ingress-nginx + namespace: kube-system +spec: + valuesContent: |- + controller: + config: + use-forwarded-headers: "true" +``` + ### Required Headers - `Host`
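Review bot: in the first hunk (`@@ -155,15 +155,32 @@`, the version-2.0-2.4 `chart-options.md`), the section heading moves from `####` to `###` while the `#### Required Headers` heading that follows stays at four hashes, so Required Headers now renders as a subsection of the NGINX section. Either keep `####` here or raise Required Headers to match; the version-2.5 file has both at `###`. The same hunk also changes the RKE value to `'true'` while the new RKE2 block uses `"true"`; pick one quoting style for both examples.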
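Review bot: in the `@@ -160,10 +160,11 @@` hunk of the version-2.5 file, the added sentence "For RKE installations, edit the `cluster.yml` to add the following settings." is the only line added beyond the two replacements, so it has no blank line of its own and will either merge into the intro paragraph or sit directly against the code fence. Add a blank line before and after it. The replacement changelog link in this hunk (and in the matching hunk of the other file) also drops the `#0220` anchor, so readers land at the top of the pinned `Changelog.md` instead of the 0.22 entry; keep an anchor on the pinned URL if one exists.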
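Review bot: the RKE2 paragraph added in the `@@ -171,6 +172,22 @@` hunk (and its copy in the first file) tells readers to set `use-forwarded-headers: "true"` without noting that this makes the ingress controller trust `X-Forwarded-*` headers on incoming requests, which is only appropriate when the controller is reachable solely through the external load balancer. Suggest one sentence saying so next to the setting. The wording also needs a pass: "the external LB will continuously respond with redirect loops it receives from the ingress controller" is hard to parse, and "rancher" and "rke2 server agent" should be capitalized as they are elsewhere in the file. Separately, the commit message says the Required Headers section gains `X-Forwarded-Proto` and `X-Forwarded-Port`, but this hunk leaves `### Required Headers` as unchanged context and no visible hunk edits that list.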