
How to set cipher-suites for etcd in RKE2

This document (000021373) is provided subject to the disclaimer at the end of this document.

Environment

Rancher 2.7.X

Rancher 2.8.X

RKE2 1.26.15, 1.27.X, 1.28.X

Resolution

CUSTOM CLUSTERS

  1. Click .
  2. Select Cluster Management.
  3. Select the cluster.
  4. On the Clusters page, select  at the end of the cluster's row to open its submenu.
  5. Select Edit as YAML.

Append the required etcd-arg entry with the cipher-suites under spec.machineGlobalConfig and save the YAML:

etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"


The cluster status then updates while the change is rolled out to the nodes.


STANDALONE CLUSTER

1. Create or edit the config file at /etc/rancher/rke2/config.yaml.

Add the following line to the end of the file and save it:

etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"

The resulting config.yaml, with the token and server values redacted, looks like this:

token: (redacted)
server: (redacted)
etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"

2. Restart the rke2-server service to apply the change:

systemctl restart rke2-server

3. Verify the change.

The new setting is written by RKE2 into the etcd configuration file, where the cipher-suites appear as a list:

root@susenode01:~# cat /var/lib/rancher/rke2/server/db/etcd/config
advertise-client-urls: (redacted)
cipher-suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
client-transport-security:
  cert-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.crt
  client-cert-auth: true
  key-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.key
  trusted-ca-file: /var/lib/rancher/rke2/server/tls/etcd/server-ca.crt
data-dir: /var/lib/rancher/rke2/server/db/etcd
...(omitted)

Repeat these steps on every etcd node in the cluster.
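To verify the result on each node without reading the file by eye, the following shell script is an added example (not part of the SUSE article or of RKE2) that parses the rendered etcd config from the verification step and flags any suite that is not one of the three ECDHE/AES-GCM suites configured above, or the absence of the key altogether. It assumes the file layout shown above (a top-level cipher-suites: key followed by "- NAME" items); the embedded sample config and its URL are constructed.

```shell
#!/bin/sh
# Added example, not from the SUSE article or RKE2: parse the etcd config that
# RKE2 renders and check which cipher suites etcd actually got.
# Assumption: a top-level "cipher-suites:" key followed by "- NAME" list items.

# Print the cipher-suite names listed under "cipher-suites:", one per line.
etcd_cipher_suites() {
  awk '
    /^cipher-suites:/   { in_list = 1; next }   # start of the list
    in_list && /^ *- /  { sub(/^ *- */, ""); print; next }
    in_list && /^[^ ]/  { in_list = 0 }         # next top-level key ends it
  ' "$1"
}

# Return 0 if every suite is one of the three the article configures, 1 if an
# unexpected suite is present, 2 if no cipher-suites key exists at all
# (etcd then falls back to Go's default suite list).
check_cipher_suites() {
  rc=0; count=0
  for suite in $(etcd_cipher_suites "$1"); do
    count=$((count + 1))
    case "$suite" in
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|\
      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|\
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) ;;
      *) echo "unexpected cipher suite: $suite" >&2; rc=1 ;;
    esac
  done
  if [ "$count" -eq 0 ]; then
    echo "no cipher-suites configured; etcd would use Go defaults" >&2
    return 2
  fi
  return "$rc"
}

# Constructed sample in the layout of the article's verification output
# (the URL is a placeholder, not taken from a real node).
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
advertise-client-urls: https://127.0.0.1:2379
cipher-suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
client-transport-security:
  cert-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.crt
data-dir: /var/lib/rancher/rke2/server/db/etcd
EOF
# On a node, point this at /var/lib/rancher/rke2/server/db/etcd/config instead.
check_cipher_suites "$SAMPLE_CONFIG" && echo "cipher suites OK"
```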

Additional Information

RKE2 Server Configuration Reference

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.