How to enable legacy TLS versions in Rancher's ingress-nginx
This article details how to enable TLS 1.1 on the ingress-nginx controller in Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x provisioned Kubernetes clusters.
Pre-requisites
- A Kubernetes cluster provisioned by the Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x
- For RKE provisioned clusters, you will require the RKE binary and access to the cluster configuration YAML, rkestate file and kubectl access with the kubeconfig for the cluster sourced
- For Rancher v2.x provisioned clusters, you will require cluster owner or global admin permissions in Rancher
Resolution
Configuration for RKE provisioned clusters
Edit the cluster configuration YAML file to include the
ssl-protocols
option for the ingress, as follows:ingress: provider: nginx options: ssl-protocols: "TLSv1.1 TLSv1.2"
Apply the changes to the cluster by invoking
rke up
:rke up --config <cluster configuration yaml file>
Verify the new configuration:
for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name | awk -F '/' '{print $2}'); do echo -n "Checking $pod .... "; kubectl -n ingress-nginx exec "$pod" -- bash -c "cat /etc/nginx/nginx.conf | grep ssl_protocols | grep '1.1' > /dev/null 2>&1 && echo 'Good' || echo 'Bad'"; done
Configuration for Rancher provisioned clusters
Login into the Rancher UI.
Go to Global -> Clusters -> Cluster Name
From the Cluster Dashboard, edit the cluster by Clicking on “⋮” then select Edit.
Click “Edit as YAML.”
Include the
ssl-protocols
option for the ingress, as follows:ingress: provider: nginx options: ssl-protocols: "TLSv1.1 TLSv1.2"
Click “Save” at the bottom of the page.
Wait for the cluster to finish upgrading.
Go back to the Cluster Dashboard and click “Launch kubectl.”
Run the following inside the kubectl CLI to verify the new argument:
for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name | awk -F '/' '{print $2}'); do echo -n "Checking $pod .... "; kubectl -n ingress-nginx exec "$pod" -- bash -c "cat /etc/nginx/nginx.conf | grep ssl_protocols | grep '1.1' > /dev/null 2>&1 && echo 'Good' || echo 'Bad'"; done