
How to do TLS termination in Rancher 2.x

2025-01-19 update. From: SLTechnology News & Howtos (Servers)

Shulou (Shulou.com) 05/31 report

This article shows how to do TLS termination in Rancher 2.x. The content is concise and easy to follow, and I hope the detailed introduction gives you something useful to take away.

Introduction

We will explore the different ways Rancher uses TLS certificates. TLS, Transport Layer Security, is a cryptographic protocol used to protect network communications. It is the successor to the now-deprecated Secure Sockets Layer (SSL).

We will look at how TLS is integrated into the various Rancher components and how to prepare the environment so that Rancher makes proper use of TLS.

Why is Transport Layer Security (TLS) important?

Rancher uses TLS throughout, so it is important to decide on a TLS termination option before installing Rancher.

1. Confirm the type of TLS termination you want to perform. The options are:

   - Self-signed, terminated by Rancher (the default)
   - Let's Encrypt, terminated by Rancher
   - Bring your own certificate, terminated by Rancher
   - External TLS termination

2. If you choose to bring your own certificate or external TLS termination, make sure you have a copy of the CA certificate that was used to sign the certificate (only the certificate is needed, not the key). Rancher needs this file when performing the installation.


3. Make sure you know the hostname that Rancher will use. This cannot be changed after installation.

Which components require TLS

For any enterprise software, you need to determine the specific requirements before installing and using it: storage, networking, cloud versus on-premises, and so on. You must answer these questions clearly before you install.

For Rancher, one of those considerations is TLS. You must understand and plan how Rancher will use TLS so that you end up with a fully supported and well-functioning solution.

Besides securing HTTPS access in general, there are two other places where TLS is essential:

1. kubectl

2. Node and cluster agent communication

Note that TLS is used in more places than these two, but these are the most common.

Understand kubectl TLS

First, let's take a look at the sample kubeconfig file:

    apiVersion: v1
    kind: Config
    clusters:
    - name: "sample"
      cluster:
        server: "https://rancher.example.org/k8s/clusters/c-1234"
        certificate-authority-data: "LS0t..."

Pay special attention to certificate-authority-data. This field is the base64-encoded CA certificate that signed the TLS certificate presented by the Kubernetes API server, or the TLS certificate presented by Rancher when requests reach kube-apiserver through the agent.

Why is this so important? Because kubectl uses certificate-authority-data to make sure you are connecting to the correct cluster and not to an impostor. If the certificate presented by the server was not signed by the certificate in certificate-authority-data, kubectl warns you and exits. In short, you are protected against a MITM (man-in-the-middle) attack.

The value in certificate-authority-data comes from the kube-ca CA certificate (for non-Rancher clusters, or Rancher clusters using the authorized cluster endpoint) or from the Rancher CA certificate (for any Rancher cluster).

Be sure this field carries the correct value, otherwise kubectl cannot verify the connection to your Kubernetes cluster. This is why TLS must be configured correctly when setting up Rancher.

Understanding communication between nodes and cluster agents

In any cluster connected to Rancher, imported or otherwise, two workloads are deployed:

1. the cattle-cluster-agent Deployment

2. the cattle-node-agent Deployment

Each workload performs a specific function. In short, both agents connect to Rancher's API and establish a secure websocket connection on tcp/443. That websocket is then used for two-way communication between Rancher and the managed node or cluster.

The cluster agent connects to the Kubernetes API of the cluster it runs in, which lets Rancher perform API operations through the websocket tunnel. The node agent interacts with the nodes of an RKE cluster when performing cluster operations (such as upgrades and etcd snapshots).

Both agents use a configuration value called the "CA checksum", passed to the Pod as the environment variable CATTLE_CA_CHECKSUM. It serves the same purpose as certificate-authority-data does for kubectl: making sure the agent connects to the correct endpoint and that no MITM is taking place. However, the checksum works slightly differently.

The CA checksum lets the cattle agents verify whether they are connected to the correct instance of the Rancher API. Because Rancher protects its HTTPS API endpoints with TLS, the agent container can use this checksum to verify that the TLS certificate presented by the API endpoint is the expected one.

Unlike certificate-authority-data, CATTLE_CA_CHECKSUM is not a base64-encoded copy of the CA certificate. Instead, Rancher computes a sha256 checksum of the CA certificate that signed the Rancher TLS certificate and places that value in the CATTLE_CA_CHECKSUM field. The result looks like this:

    CATTLE_CA_CHECKSUM=b0af09b35ef086fcfc21e990fbd750720abe5c811dbea3ae40fe050a67f0bdb0e

When a Rancher cluster or node agent calls the Rancher API, it compares the checksum of the CA certificate it is presented with against the one configured in the Deployment and DaemonSet. If they match, communication is established.
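As an added example (not from the original article and not Rancher's own code), the following Python ties together the two CA representations discussed in the kubectl and agent sections above: the base64 certificate-authority-data that kubectl trusts, and the sha256 CATTLE_CA_CHECKSUM that the agents compare. The CA PEM is a constructed placeholder, and hashing the PEM text exactly as served is an assumption about how Rancher derives the checksum.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder in PEM framing, NOT a real certificate: stands in
# for the cattle-ca certificate Rancher presents at its HTTPS endpoint.
CATTLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "EXAMPLE-ONLY-cattle-ca-body-not-a-real-certificate\n"
    "-----END CERTIFICATE-----\n"
)
# A different CA, standing in for an interposed (MITM) endpoint.
IMPOSTOR_CA_PEM = CATTLE_CA_PEM.replace("cattle-ca", "impostor-ca")

def certificate_authority_data(ca_pem: str) -> str:
    """kubeconfig form: the CA PEM base64-encoded (hence the 'LS0t...' prefix)."""
    return base64.b64encode(ca_pem.encode()).decode()

def cattle_ca_checksum(ca_pem: str) -> str:
    """Agent form: sha256 hex digest of the CA certificate. Assumption: the
    digest is taken over the PEM text exactly as the server presents it."""
    return hashlib.sha256(ca_pem.encode()).hexdigest()

def build_kubeconfig(server: str, ca_pem: str) -> str:
    """A minimal kubeconfig like the sample above (JSON is valid kubeconfig)."""
    cluster = {"server": server,
               "certificate-authority-data": certificate_authority_data(ca_pem)}
    return json.dumps({"apiVersion": "v1", "kind": "Config",
                       "clusters": [{"name": "sample", "cluster": cluster}]})

def ca_from_kubeconfig(kubeconfig: str, name: str = "sample") -> str:
    """What kubectl will trust for this cluster: decode certificate-authority-data."""
    cfg = json.loads(kubeconfig)
    cluster = next(c for c in cfg["clusters"] if c["name"] == name)["cluster"]
    return base64.b64decode(cluster["certificate-authority-data"]).decode()

def agent_accepts(served_ca_pem: str, configured_checksum: str) -> bool:
    """Agent-side check: the CA presented by the API endpoint must hash to the
    configured CATTLE_CA_CHECKSUM; anything else is rejected before use."""
    return hmac.compare_digest(cattle_ca_checksum(served_ca_pem), configured_checksum)

if __name__ == "__main__":
    kc = build_kubeconfig("https://rancher.example.org/k8s/clusters/c-1234", CATTLE_CA_PEM)
    checksum = cattle_ca_checksum(ca_from_kubeconfig(kc))  # same CA, two forms
    print("CATTLE_CA_CHECKSUM=" + checksum)
    print("genuine endpoint accepted:", agent_accepts(CATTLE_CA_PEM, checksum))
    print("impostor endpoint accepted:", agent_accepts(IMPOSTOR_CA_PEM, checksum))
```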

TLS termination

There are four main ways to terminate TLS when installing Rancher:

1. Use Rancher's self-signed certificate

2. Use Let's Encrypt

3. Bring your own certificate

4. External TLS termination

Each method has specific requirements and trade-offs that need to be weighed for your particular deployment.

Use Rancher's self-signed certificate

Of the four options for terminating TLS, this is probably the simplest. It is also Rancher's default in both HA and single-node installations: it is what you get when you pass no TLS-specific parameters to helm install or docker run.

After installation, Rancher generates a CA certificate (CN=cattle-ca) and uses it to sign its own certificate. Self-signed certificates behave differently depending on the type of installation you perform.

Single node installation

After the container starts and before setup is completed, Rancher responds to any HTTPS request on port 443, regardless of the host it is addressed to. How is this possible?

In this state, Rancher automatically generates a certificate for whatever hostname you use to reach it. If it is an IP (such as 10.11.12.13), Rancher generates a self-signed (cattle-ca-signed) certificate for that IP. If you reach the new Rancher installation by a hostname (such as my-rancher.example.org), a certificate is generated for that hostname in the same way.

For Rancher to settle on a single certificate, you need to complete the setup steps (set the administrator password and confirm the Rancher hostname). The resulting certificate is valid for the hostname configured during Rancher's initial setup.

HA installation

In an HA installation, using the self-signed certificate requires you to install an application called cert-manager. Unlike a single-node installation, where Rancher manages the CA certificate itself, HA Rancher uses cert-manager to handle the lifecycle of its certificates. You can install cert-manager into your prepared Kubernetes cluster by following this guide:

https://rancher.com/docs/rancher/v2.x/en/installation/k8s-install/helm-rancher/

Once cert-manager is installed, the next step is to install Rancher. Since the self-signed certificate is Rancher's default, only one parameter is actually mandatory when running helm install:

    --set hostname=

This parameter is mandatory because an HA installation does not have the on-the-fly certificate generation of a single-node installation. Once you set the hostname, it is used for the entire life cycle of the Rancher installation, so make sure you set it correctly.

cert-manager then generates a certificate, stored as a secret named tls-rancher-ingress in the cattle-system namespace.

The above is how to do TLS termination in Rancher 2.x.
