How to update the default ingress-nginx certificate in an RKE2 cluster
Article Number: 000022060
Environment
A standalone or Rancher-provisioned RKE2 cluster, with the RKE2-bundled ingress-nginx ingress controller
Procedure
The default SSL certificate for ingress-nginx can be updated in the rke2-ingress-nginx Helm chart via the value controller.extraArgs.default-ssl-certificate. This value should reference the namespace and name of a TLS secret that you have already created in the cluster. This value can be defined in an RKE2 cluster via a HelmChartConfig, as described in this article.
Configuration for Rancher-provisioned RKE2 clusters
- Log in to the Rancher UI
- Navigate to Cluster Management
- Click Edit Config for the relevant Rancher-provisioned RKE2 cluster
- Click Additional Manifest and provide a HelmChartConfig with the desired default-ssl-certificate, per the example below, setting <namespace> and <secret_name> as required to reference the appropriate TLS secret.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      extraArgs:
        default-ssl-certificate: "<namespace>/<secret_name>"
Configuration for standalone RKE2 clusters
On server nodes in the cluster, create a HelmChartConfig manifest, with the desired default-ssl-certificate, for the rke2-ingress-nginx chart, within the directory /var/lib/rancher/rke2/server/manifests/ (e.g. /var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml). In the example below, set <namespace> and <secret_name> as required to reference the appropriate TLS secret.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      extraArgs:
        default-ssl-certificate: "<namespace>/<secret_name>"
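The procedure above expects the TLS secret to exist already, so it is worth confirming that the certificate and private key belong together and that the certificate is not close to expiry before creating it. The script below is an added example, not part of the original article; the file names tls.crt and tls.key, the 30-day threshold and <ingress_address> are assumptions, while <namespace> and <secret_name> are the article's own placeholders.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for the certificate and key that will back
# the TLS secret named in default-ssl-certificate. File paths are assumptions.

# Print the SHA-256 of the public key held in a certificate or a private key.
pubkey_hash() {  # $1 = cert|key, $2 = PEM file
  local pem
  case "$1" in
    cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    # "-passin pass:" makes an encrypted key fail instead of prompting
    key)  pem=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) ;;
    *)    return 2 ;;
  esac || return 1
  [ -n "$pem" ] || return 1   # never hash empty output: two empties would "match"
  printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Return 0 if the pair is usable, 1 if unreadable, 2 on mismatch, 3 if expiring.
check_tls_pair() {  # $1 = cert PEM, $2 = key PEM, $3 = min days left (default 30)
  local cert_hash key_hash days="${3:-30}"
  cert_hash=$(pubkey_hash cert "$1") \
    || { echo "unreadable certificate: $1" >&2; return 1; }
  key_hash=$(pubkey_hash key "$2") \
    || { echo "unreadable or encrypted key: $2" >&2; return 1; }
  [ "$cert_hash" = "$key_hash" ] \
    || { echo "certificate and key do not match" >&2; return 2; }
  openssl x509 -in "$1" -noout -checkend "$((days * 86400))" >/dev/null \
    || { echo "certificate expires within $days days" >&2; return 3; }
}

# Run directly as: ./check-tls.sh tls.crt tls.key [min_days]
if [ "$#" -ge 2 ]; then check_tls_pair "$@"; fi

# Once the check passes, create the secret the HelmChartConfig will reference:
#   kubectl -n <namespace> create secret tls <secret_name> \
#     --cert=tls.crt --key=tls.key
# After the HelmChartConfig is applied, confirm which certificate the
# controller serves to a client that sends no SNI name:
#   openssl s_client -connect <ingress_address>:443 -noservername </dev/null \
#     2>/dev/null | openssl x509 -noout -subject -enddate
```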