Ingress nginx replacement (#2237)

* Replace/remove ingress-nginx references * Add links to annotations + remove example using unsupported annotation
2026-05-23 21:28:21 +00:00 · 2026-03-19 11:14:14 -07:00
parent 8fbc785b2c
commit b6192dee43
76 changed files with 94 additions and 662 deletions
@@ -13,7 +13,7 @@ This section describes how to troubleshoot an installation of Rancher on a Kuber
 Most of the troubleshooting will be done on objects in these 3 namespaces.

 - `cattle-system` - `rancher` deployment and pods.
- `ingress-nginx` - Ingress controller pods and services.
+- `traefik` - Ingress controller pods and services.
 - `cert-manager` - `cert-manager` pods.

 ### "default backend - 404"
@@ -123,10 +123,10 @@ kubectl -n cattle-system describe ingress

 If its ready and the SSL is still not working you may have a malformed cert or secret.

-Check the nginx-ingress-controller logs. Because the nginx-ingress-controller has multiple containers in its pod you will need to specify the name of the container.
+Check the `traefik` logs.

 ```
-kubectl -n ingress-nginx logs -f nginx-ingress-controller-rfjrq nginx-ingress-controller
+kubectl logs -n traefik traefik-6b94b8b688-bngw2
 ...
 W0705 23:04:58.240571       7 backend_ssl.go:49] error obtaining PEM from secret cattle-system/tls-rancher-ingress: error retrieving secret cattle-system/tls-rancher-ingress: secret cattle-system/tls-rancher-ingress was not found
 ```
@@ -148,11 +148,6 @@ The most common cause of this issue is port 8472/UDP is not open between the nod

 Once the network issue is resolved, the `canal` pods should timeout and restart to establish their connections.

-### nginx-ingress-controller Pods show RESTARTS
-
-The most common cause of this issue is the `canal` pods have failed to establish the overlay network. See [canal Pods show READY `2/3`](#canal-pods-show-ready-23) for troubleshooting.
-
-
 ### Failed to dial to /var/run/docker.sock: ssh: rejected: administratively prohibited (open failed)

 Some causes of this error include:
@@ -132,18 +132,14 @@ This option is only effective on the initial Rancher install. See [Issue 16522](

 To customize or use a different ingress with Rancher server you can set your own Ingress annotations.

+Please refer to the Traefik documentation for the full list of Ingress NGINX annotations that are [supported](https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/ingress-nginx/#annotations-support) and [unsupported](https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/ingress-nginx/#unsupported-annotations) by Traefik's kubernetesIngressNginx provider.
+
 Example on setting a custom certificate issuer:

 ```plain
 --set ingress.extraAnnotations.'cert-manager\.io/cluster-issuer'=issuer-name
 ```

-Example on setting a static proxy header with `ingress.configurationSnippet`. This value is parsed like a template so variables can be used.
-
-```plain
--set ingress.configurationSnippet='more_set_input_headers X-Forwarded-Host {{ .Values.hostname }};'
-```
-
 ### HTTP Proxy

 Rancher requires internet access for some functionality (Helm charts). Use `proxy` to set your proxy server or use `extraEnv` to set the `HTTPS_PROXY` environment variable to point to your proxy server.
@@ -216,26 +212,6 @@ If you are using a Private CA signed certificate (or if `agent-tls-mode` is set

 Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly.

-### Configuring Ingress for External TLS when Using NGINX v0.22
-
-In NGINX v0.22, the behavior of NGINX has [changed](https://github.com/kubernetes/ingress-nginx/blob/06efac9f0b6f8f84b553f58ccecf79dc42c75cc6/Changelog.md) regarding forwarding headers and external TLS termination. Therefore, in the scenario that you are using external TLS termination configuration with NGINX v0.22, you must enable the `use-forwarded-headers` option for ingress:
-
-For RKE2 installations, you can create a custom `rke2-ingress-nginx-config.yaml` file at `/var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml` containing this required setting to enable using forwarded headers with external TLS termination. Without this required setting applied, the external LB will continuously respond with redirect loops it receives from the ingress controller. (This can be created before or after rancher is installed, rke2 server agent will notice this addition and automatically apply it.)
-
-```yaml
---
-apiVersion: helm.cattle.io/v1
-kind: HelmChartConfig
-metadata:
-  name: rke2-ingress-nginx
-  namespace: kube-system
-spec:
-  valuesContent: |-
-    controller:
-      config:
-        use-forwarded-headers: "true"
-```
-
 ### Required Headers

 - `Host`
@@ -252,66 +228,3 @@ spec:
 ### Health Checks

 Rancher will respond `200` to health checks on the `/healthz` endpoint.
-
-### Example NGINX config
-
-This NGINX configuration is tested on NGINX 1.14.
-
-:::caution
-
-This NGINX configuration is only an example and may not suit your environment. For complete documentation, see [NGINX Load Balancing - HTTP Load Balancing](https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/).
-
-:::
-
- Replace `IP_NODE1`, `IP_NODE2` and `IP_NODE3` with the IP addresses of the nodes in your cluster.
- Replace both occurrences of `FQDN` to the DNS name for Rancher.
- Replace `/certs/fullchain.pem` and `/certs/privkey.pem` to the location of the server certificate and the server certificate key respectively.
-
-```
-worker_processes 4;
-worker_rlimit_nofile 40000;
-
-events {
-    worker_connections 8192;
-}
-
-http {
-    upstream rancher {
-        server IP_NODE_1:80;
-        server IP_NODE_2:80;
-        server IP_NODE_3:80;
-    }
-
-    map $http_upgrade $connection_upgrade {
-        default Upgrade;
-        ''      close;
-    }
-
-    server {
-        listen 443 ssl http2;
-        server_name FQDN;
-        ssl_certificate /certs/fullchain.pem;
-        ssl_certificate_key /certs/privkey.pem;
-
-        location / {
-            proxy_set_header Host $host;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header X-Forwarded-Port $server_port;
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_pass http://rancher;
-            proxy_http_version 1.1;
-            proxy_set_header Upgrade $http_upgrade;
-            proxy_set_header Connection $connection_upgrade;
-            # This allows the ability for the execute shell window to remain open for up to 15 minutes. Without this parameter, the default is 1 minute and will automatically close.
-            proxy_read_timeout 900s;
-            proxy_buffering off;
-        }
-    }
-
-    server {
-        listen 80;
-        server_name FQDN;
-        return 301 https://$server_name$request_uri;
-    }
-}
-```
@@ -97,7 +97,7 @@ You can access your cluster after its state is updated to **Active**.
 **Active** clusters are assigned two Projects:

 - `Default`, containing the `default` namespace
- `System`, containing the `cattle-system`, `ingress-nginx`, `kube-public`, and `kube-system` namespaces
+- `System`, containing the `cattle-system`, `traefik`, `kube-public`, and `kube-system` namespaces

 #### Finished