How to configure the Fleet Webhook using Rancher's Let's Encrypt Ingress certificate
Article Number: 000022357
Environment
- Rancher v2.6+
- Rancher configured to use a Let's Encrypt certificate, with cert-manager installed.
Procedure
When SUSE Rancher is configured with a Let's Encrypt certificate managed by cert-manager, the resulting TLS secret (tls-rancher-ingress) resides within the cattle-system namespace.
If the Fleet Webhook service is configured to use the same hostname as the Rancher UI, and you wish to use the same certificate as Rancher, it requires access to this specific TLS certificate to validate connections. However, because Kubernetes Secrets are namespaced resources, the Fleet Webhook (located in cattle-fleet-system) cannot natively reference a secret stored in cattle-system.
This article describes how to use kubernetes-reflector to automatically copy (or 'reflect' in kubernetes-reflector terminology) the Let's Encrypt certificate Secret from the Rancher namespace to the Fleet namespace.
Note on Supportability: This article is provided for informational purposes.
kubernetes-reflector is a third-party project and is not directly supported by SUSE. Users should validate this workflow in a staging environment before applying it to production clusters.
Configuration
Reflection of secrets between Namespaces is managed by kubernetes-reflector through the use of annotations. To automatically copy the tls-rancher-ingress Secret from the cattle-system to cattle-fleet-system Namespace, the following annotations need to be applied:
- reflector.v1.k8s.emberstack.com/reflection-allowed: "true" - to permit reflection
- reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: cattle-fleet-system - to permit reflection to the Fleet Namespace
- reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" - to enable automatic reflection
- reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: cattle-fleet-system - to enable automatic reflection to the Fleet Namespace
Since the tls-rancher-ingress Secret is automatically generated by cert-manager these annotations need to be defined via a secretTemplate on the tls-rancher-ingress Certificate. In the Rancher Helm chart, this can be achieved by setting the annotation cert-manager.io/secret-template, with the required secretTemplate, on the Rancher Ingress, via the ingress.extraAnnotations value.
1. Install kubernetes-reflector
Install kubernetes-reflector into the Rancher local cluster, in line with the reflector documentation, selecting a Namespace of your choosing specifically for kubernetes-reflector.
2. Update values for the Rancher Helm chart
Follow the Rancher upgrade process to add the cert-manager.io/secret-template configuration to the ingress.extraAnnotations value.
Use the --version flag to pin the currently installed chart version, so that the upgrade does not change the running Rancher version.
If you use a Helm values file for the helm upgrade command, add the required annotation to this file:
ingress:
  extraAnnotations:
    cert-manager.io/secret-template: |
      {
        "annotations": {
          "reflector.v1.k8s.emberstack.com/reflection-allowed": "true",
          "reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces": "cattle-fleet-system",
          "reflector.v1.k8s.emberstack.com/reflection-auto-enabled": "true",
          "reflector.v1.k8s.emberstack.com/reflection-auto-namespaces": "cattle-fleet-system"
        }
      }
If you pass the Helm values to helm upgrade directly via the CLI, add the annotation with --set-json (requires Helm 3.10+):
--set-json 'ingress.extraAnnotations={"cert-manager.io/secret-template":"{\"annotations\":{\"reflector.v1.k8s.emberstack.com/reflection-allowed\":\"true\",\"reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces\":\"cattle-fleet-system\",\"reflector.v1.k8s.emberstack.com/reflection-auto-enabled\":\"true\",\"reflector.v1.k8s.emberstack.com/reflection-auto-namespaces\":\"cattle-fleet-system\"}}"}'
After upgrading Rancher with the required ingress.extraAnnotations value, delete the existing tls-rancher-ingress Certificate, to trigger re-creation with the secretTemplate:
kubectl -n cattle-system delete certificate tls-rancher-ingress
Verification
Once configuration is complete, check both namespaces to ensure the secret is present:
kubectl get secret tls-rancher-ingress -n cattle-system
kubectl get secret tls-rancher-ingress -n cattle-fleet-system
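As an added check (example code written for this article, not part of Rancher, cert-manager or kubernetes-reflector), the following Python builds the --set-json argument from a single template definition instead of hand-escaping it, validates the secret-template annotation read from the Rancher Ingress, and compares the reflected Secret with the original given the two `kubectl get secret ... -o json` outputs. It assumes, from the reflector documentation, that an absent namespace list means reflection to every namespace, which is why the check insists on an exact namespace value.

```python
import json

TARGET_NS = "cattle-fleet-system"
PREFIX = "reflector.v1.k8s.emberstack.com/"
TEMPLATE_KEY = "cert-manager.io/secret-template"
# The secretTemplate from the article as a dict: one source for both Helm forms.
SECRET_TEMPLATE = {"annotations": {
    PREFIX + "reflection-allowed": "true",
    PREFIX + "reflection-allowed-namespaces": TARGET_NS,
    PREFIX + "reflection-auto-enabled": "true",
    PREFIX + "reflection-auto-namespaces": TARGET_NS,
}}

def render_set_json(template=SECRET_TEMPLATE):
    """Build the --set-json argument; json.dumps handles the nested quoting."""
    return "ingress.extraAnnotations=" + json.dumps({TEMPLATE_KEY: json.dumps(template)})

def secret_template_problems(ingress_annotations, target_ns=TARGET_NS):
    """Findings for the secret-template annotation read from the Rancher Ingress."""
    raw = ingress_annotations.get(TEMPLATE_KEY)
    if raw is None:
        return [f"{TEMPLATE_KEY} missing from the Rancher Ingress"]
    try:
        ann = json.loads(raw).get("annotations", {})
    except ValueError as exc:
        return [f"secret-template is not valid JSON: {exc}"]
    problems = [f"{PREFIX}{k} must be \"true\"" for k in
                ("reflection-allowed", "reflection-auto-enabled") if ann.get(PREFIX + k) != "true"]
    # The Secret carries the private key: the namespace lists must name only the Fleet
    # namespace. An absent list is treated by reflector as "all namespaces" (assumption).
    for k in ("reflection-allowed-namespaces", "reflection-auto-namespaces"):
        if ann.get(PREFIX + k) != target_ns:
            problems.append(f"{PREFIX}{k} must be exactly {target_ns!r}, got {ann.get(PREFIX + k)!r}")
    return problems

def reflection_problems(source, reflected, target_ns=TARGET_NS):
    """Compare `kubectl get secret -o json` output from both namespaces."""
    problems = []
    if reflected.get("metadata", {}).get("namespace") != target_ns:
        problems.append("reflected Secret is not in " + target_ns)
    if reflected.get("type") != source.get("type"):
        problems.append("Secret type differs")
    for field in ("tls.crt", "tls.key"):
        if source.get("data", {}).get(field) != reflected.get("data", {}).get(field):
            problems.append(f"{field} differs (stale or incomplete reflection)")
    return problems

# Constructed sample Secrets: placeholder base64 values, not real certificate material.
SOURCE = {"metadata": {"namespace": "cattle-system"}, "type": "kubernetes.io/tls",
          "data": {"tls.crt": "Q0VSVA==", "tls.key": "S0VZ"}}
REFLECTED = {**SOURCE, "metadata": {"namespace": TARGET_NS}}
```

Run it against live data by loading the Ingress annotations and the two Secrets with `kubectl ... -o json` and passing the parsed dicts to the two check functions.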
You can now create the Fleet Webhook Ingress in cattle-fleet-system referencing the tls-rancher-ingress Secret.