How to set cipher-suites for etcd in RKE2
This document (000021373) is provided subject to the disclaimer at the end of this document.
Environment
- Rancher v2.7+
- A standalone or Rancher-provisioned RKE2 cluster
Situation
This article details how to customise the TLS cipher suites used by etcd in an RKE2 cluster.
Resolution
Rancher-provisioned RKE2 clusters:
- Navigate to Cluster Management within the Rancher UI
- Click Edit Config for the relevant RKE2 cluster
- Click Edit as YAML at the bottom of the page
- Add a machineSelectorConfig block that targets the etcd nodes and sets the desired cipher suites through the etcd-arg field, per the following example. The change is rolled out to every node matching the selector and etcd is restarted there. Note that etcd's cipher-suites option only constrains TLS 1.2 handshakes; TLS 1.3 cipher suites are fixed by the Go TLS stack and are not affected by this setting.
spec:
  [...]
  rkeConfig:
    [...]
    machineSelectorConfig:
      - config:
          etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"
        matchLabels:
          rke.cattle.io/etcd-role: 'true'
    [...]
Standalone RKE2 clusters:
Repeat the following process on each server node in the RKE2 cluster:
- Add the etcd-arg with the desired cipher-suites to the RKE2 configuration file at /etc/rancher/rke2/config.yaml and save it, per the following example:
  etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"
- Restart the rke2-server service so that etcd picks up the new arguments. Restart one server node at a time and wait for it to rejoin before moving to the next, so the etcd cluster keeps quorum:
  systemctl restart rke2-server
- Confirm that the cipher suites appear in the etcd configuration that RKE2 generates for the local member:
  root@susenode01:~# cat /var/lib/rancher/rke2/server/db/etcd/config
  advertise-client-urls: (redacted)
  cipher-suites:
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  client-transport-security:
    cert-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.crt
    client-cert-auth: true
    key-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.key
    trusted-ca-file: /var/lib/rancher/rke2/server/tls/etcd/server-ca.crt
  data-dir: /var/lib/rancher/rke2/server/db/etcd
  ...(omitted)
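Reading the generated config only proves that RKE2 passed the argument through; it does not prove that etcd actually refuses the suites you left out. The script below is an added verification helper for both the Rancher-provisioned and the standalone procedure above, not part of this article or of RKE2. It reads the suites from the generated etcd config, then (when run with RUN_LIVE=1 on a server node) performs one TLS 1.2 handshake per configured suite with openssl s_client over mutual TLS and a final handshake with a suite that is not configured, which must be refused. The client port 127.0.0.1:2379, the client.crt/client.key pair in the tls/etcd directory, and the RUN_LIVE variable are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added verification helper; not part of the SUSE article or of RKE2.
# Assumptions (not stated by the article): etcd serves clients on 127.0.0.1:2379,
# the etcd client certificate pair is client.crt/client.key under the tls/etcd
# directory, and the generated etcd config lists its suites under "cipher-suites:".
set -eu

ETCD_CONFIG=${ETCD_CONFIG:-/var/lib/rancher/rke2/server/db/etcd/config}
ETCD_TLS_DIR=${ETCD_TLS_DIR:-/var/lib/rancher/rke2/server/tls/etcd}
ETCD_ENDPOINT=${ETCD_ENDPOINT:-127.0.0.1:2379}

# Print the suites listed under "cipher-suites:" in the generated etcd config,
# one per line, stopping at the next top-level key. Accepts "- X" or "  - X".
configured_suites() {
  awk '
    /^cipher-suites:/    { in_list = 1; next }
    in_list && /^ *- /   { sub(/^ *- */, ""); print; next }
    in_list && /^[^ ]/   { in_list = 0 }
  ' "$1"
}

# Succeed only if suite $2 is listed in config file $1.
suite_is_configured() {
  for s in $(configured_suites "$1"); do
    [ "$s" = "$2" ] && return 0
  done
  return 1
}

# Translate the IANA names etcd (Go) uses into the names openssl s_client expects.
openssl_name() {
  case "$1" in
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256)       echo ECDHE-ECDSA-AES128-GCM-SHA256 ;;
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384)       echo ECDHE-ECDSA-AES256-GCM-SHA384 ;;
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)         echo ECDHE-RSA-AES128-GCM-SHA256 ;;
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)         echo ECDHE-RSA-AES256-GCM-SHA384 ;;
    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256) echo ECDHE-ECDSA-CHACHA20-POLY1305 ;;
    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256)   echo ECDHE-RSA-CHACHA20-POLY1305 ;;
    *) return 1 ;;
  esac
}

# Offer etcd exactly one TLS 1.2 suite over mutual TLS; succeed if it is negotiated.
# TLS 1.2 is forced because cipher-suites does not govern TLS 1.3 in Go.
handshake_with_suite() {
  name=$(openssl_name "$1") || return 1
  openssl s_client -connect "$ETCD_ENDPOINT" -tls1_2 -cipher "$name" \
      -cert "$ETCD_TLS_DIR/client.crt" -key "$ETCD_TLS_DIR/client.key" \
      -CAfile "$ETCD_TLS_DIR/server-ca.crt" </dev/null 2>/dev/null \
    | grep -q "Cipher is $name"
}

# Live check on a server node: every configured suite must be accepted, and a
# probe suite that is not configured must be refused.
main() {
  for s in $(configured_suites "$ETCD_CONFIG"); do
    handshake_with_suite "$s" && echo "accepted: $s" || { echo "REJECTED: $s"; exit 1; }
  done
  probe=TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  if ! suite_is_configured "$ETCD_CONFIG" "$probe"; then
    handshake_with_suite "$probe" && { echo "UNEXPECTEDLY accepted: $probe"; exit 1; }
    echo "refused as expected: $probe"
  fi
}

if [ "${RUN_LIVE:-0}" = 1 ]; then main; fi
```

If every configured suite is rejected, check that at least one suite's authentication type (ECDHE_ECDSA versus ECDHE_RSA) matches the key type of the etcd server certificate (openssl x509 -in /var/lib/rancher/rke2/server/tls/etcd/server-client.crt -noout -text); a list containing only suites for the wrong key type leaves etcd unable to complete any TLS 1.2 handshake.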
Additional Information
RKE2 Server Configuration Reference
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.