
How to set cipher-suites for etcd in RKE2

This document (000021373) is provided subject to the disclaimer at the end of this document.

Environment

  • Rancher v2.7+
  • A standalone or Rancher-provisioned RKE2 cluster

Situation

This article details how to customise the TLS cipher suites used by etcd in an RKE2 cluster.

Resolution

Rancher-provisioned RKE2 clusters:

  1. Navigate to Cluster Management within the Rancher UI
  2. Click Edit Config for the relevant RKE2 cluster
  3. Click Edit as YAML at the bottom of the page
  4. Add a machineSelectorConfig block that sets the desired cipher-suites via the etcd-arg field on etcd nodes (selected by the rke.cattle.io/etcd-role label), per the following example:

```yaml
spec:
  [...]
  rkeConfig:
    [...]
    machineSelectorConfig:
      - config:
          etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"
        machineLabelSelector:
          matchLabels:
            rke.cattle.io/etcd-role: 'true'
[...]
```

  5. Click Save to apply the change

Standalone RKE2 clusters:

Repeat the following process on each server node in the RKE2 cluster:

  1. Add the etcd-arg with the desired cipher-suites to the RKE2 configuration file at /etc/rancher/rke2/config.yaml and save it, per the following example:

```yaml
etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"
```

  2. Restart the rke2-server service to apply the change:

```
systemctl restart rke2-server
```

  3. Verify the change. The new cipher-suites list will be populated in the rendered etcd configuration file:

```
root@susenode01:~# cat /var/lib/rancher/rke2/server/db/etcd/config
advertise-client-urls: (redacted)
cipher-suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
client-transport-security:
  cert-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.crt
  client-cert-auth: true
  key-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.key
  trusted-ca-file: /var/lib/rancher/rke2/server/tls/etcd/server-ca.crt
data-dir: /var/lib/rancher/rke2/server/db/etcd
...(omitted)
```
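The verification step above is a manual read of the rendered file. The following script is an added example (not Rancher or RKE2 code) that automates it for both procedures: it parses the etcd-arg value used in the Rancher-provisioned and standalone steps, parses the cipher-suites list out of the rendered /var/lib/rancher/rke2/server/db/etcd/config, and reports any requested suite that is missing, any suite that was not requested, and any suite whose name carries a legacy-algorithm marker. The allow list is the three suites from this article, the weak-name markers are a simple heuristic assumed here rather than an authoritative list, and the rendered config sample is constructed from the output shown above.

```python
"""Offline check for the etcd cipher-suite change described in this article.

Added example, not Rancher/RKE2 code. Run with no arguments to check the
constructed sample, or pass the path of a rendered etcd config on a server
node to check a real file.
"""
import re
import sys

# The suites this article configures, used here as the intended allow list.
EXPECTED_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]

# Name fragments that flag legacy algorithms. Assumption: a naming heuristic
# for a quick review, not an authoritative list of weak suites.
WEAK_MARKERS = ("_RC4_", "_3DES_", "_CBC_", "_NULL_", "_EXPORT_", "_MD5")

# Constructed sample of the etcd-arg value from the article.
SAMPLE_ETCD_ARG = (
    "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"
)

# Constructed sample of the rendered file at
# /var/lib/rancher/rke2/server/db/etcd/config after the restart.
SAMPLE_RENDERED_CONFIG = """\
advertise-client-urls: (redacted)
cipher-suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
client-transport-security:
  cert-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.crt
  client-cert-auth: true
data-dir: /var/lib/rancher/rke2/server/db/etcd
"""


def parse_etcd_arg(value: str) -> list:
    """Turn 'cipher-suites=[A,B,C]' into ['A', 'B', 'C']."""
    match = re.fullmatch(r"\s*cipher-suites=\[(.*)\]\s*", value)
    if not match:
        raise ValueError("expected the form cipher-suites=[SUITE,SUITE,...]")
    return [s.strip() for s in match.group(1).split(",") if s.strip()]


def parse_rendered_config(text: str) -> list:
    """Extract the top-level cipher-suites list from the rendered etcd config.

    A small line scanner is used instead of PyYAML so the check runs anywhere:
    the key 'cipher-suites:' is followed by '- NAME' items until the next key.
    """
    suites, in_list = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if in_list:
            if stripped.startswith("- "):
                suites.append(stripped[2:].strip())
                continue
            break  # first line that is not a list item ends the sequence
        if stripped == "cipher-suites:":
            in_list = True
    return suites


def check_suites(configured: list, expected: list = EXPECTED_SUITES) -> dict:
    """Compare the rendered suites with the requested ones."""
    report = {
        "missing": [s for s in expected if s not in configured],
        "unexpected": [s for s in configured if s not in expected],
        "weak": [s for s in configured if any(m in s for m in WEAK_MARKERS)],
    }
    report["ok"] = not (report["missing"] or report["unexpected"] or report["weak"])
    return report


def check_file(path: str) -> dict:
    """Run the check against a real rendered config on an RKE2 server node."""
    with open(path, encoding="utf-8") as fh:
        return check_suites(parse_rendered_config(fh.read()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = check_file(sys.argv[1])
    else:
        requested = parse_etcd_arg(SAMPLE_ETCD_ARG)
        result = check_suites(parse_rendered_config(SAMPLE_RENDERED_CONFIG), requested)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

The script exits non-zero when the rendered list does not match the request, so it can run on each server node after the rke2-server restart as a quick confirmation that the change was applied everywhere.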

Additional Information

RKE2 Server Configuration Reference

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.