Open SnakebiteEF2000 opened 4 months ago
I found out that when I set a default registry, i.e., https://someregistry.internal-domain.com/rancher (/rancher is the endpoint which shall proxy to Docker Hub on our Harbor registry), the Rancher agent on the downstream cluster receives the path https:/someregistry.internal-domain.com/rancher, so the second slash of the protocol descriptor is missing, which makes it unusable. I guess this slash gets escaped somewhere in the chain. When I set the registry using 3 slashes, e.g., https:///, on the agent https:// will be used, but the local cluster and the rke2 service will use https:///, so they will fail. I am trying to come up with a fix for this, but I don't currently have a deep enough understanding of Rancher or Kubernetes to commit, so some help would be nice.
Rancher Server Setup
Information about the Cluster
Manually Provisioned nodes using ubuntu autoinstall on a vsphere cluster. Both for the local cluster nodes and for the downstream
User Information
Describe the bug
Rancher was installed with the Helm option --privateCA and a valid certificate was provisioned via secrets. The ingresses use the cert, and it is valid and works. When I now run the registration command on a downstream cluster node, the installer seems to run, but it fails to download or create the /tls folder needed for all the kubelets. /v3/settings/cacerts shows the correct cert, and the checksum on the clients matches this certificate. I am unsure of this, but it seems like the client has the wrong certificate-authority-data. When checking /var/lib/rancher/agent/rancher2_connection_info.json, a very different certificate is shown than what our CA has.
To Reproduce
1. Create a secret tls-ca and tls-ingress-cert.
2. Set up Rancher using Helm with --privateCA=true.
3. Create a downstream cluster using external as the provider.
Result
Expected Result a working cluster
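The lost scheme slash described in the first paragraph is the classic symptom of a URL being run through a filesystem-style path join, which collapses "//" to "/". The Go program below is an added illustration and not Rancher's code; it is an assumption that this is the mechanism at work, and the registry value and image name are constructed from the report. It shows the naive join losing the slash, a URL-aware join that keeps it, and a cheap sanity check an agent could apply before trusting a registry string (it also rejects the "https:///" three-slash variant from the report).

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Constructed from the issue: a registry with a path component that
// fronts Docker Hub through a proxy project on an internal Harbor.
const defaultRegistry = "https://someregistry.internal-domain.com/rancher"

// naiveJoin treats the registry URL as if it were a filesystem path.
// path.Join cleans the result, so "https://" collapses to "https:/".
func naiveJoin(registry, image string) string {
	return path.Join(registry, image)
}

// urlJoin parses the registry as a URL first, so the "://" separator is
// never exposed to path cleaning; only the path component is joined.
func urlJoin(registry, image string) (string, error) {
	u, err := url.Parse(registry)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", fmt.Errorf("registry %q lacks a scheme or host", registry)
	}
	u.Path = path.Join(u.Path, image) // cleaning is safe on the path alone
	return u.String(), nil
}

// hasIntactScheme reports whether ref starts with "<scheme>://" with
// exactly two slashes: rejects both "https:/host" and "https:///host".
func hasIntactScheme(ref string) bool {
	i := strings.Index(ref, ":")
	if i < 0 {
		return false
	}
	rest := ref[i+1:]
	return strings.HasPrefix(rest, "//") && !strings.HasPrefix(rest, "///")
}

func main() {
	img := "rancher/rancher-agent:v2" // constructed image reference
	fmt.Println("naive:", naiveJoin(defaultRegistry, img))
	fixed, _ := urlJoin(defaultRegistry, img)
	fmt.Println("url:  ", fixed)
	fmt.Println("scheme ok?", hasIntactScheme(fixed))
}
```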