How to enable legacy TLS versions in Rancher's ingress-nginx
This article details how to enable TLS 1.1 on the ingress-nginx controller in Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x provisioned Kubernetes clusters.
Pre-requisites
- A Kubernetes cluster provisioned by the Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x
- For RKE provisioned clusters, you will require the RKE binary, access to the cluster configuration YAML and rkestate file, and kubectl access with the kubeconfig for the cluster sourced
- For Rancher v2.x provisioned clusters, you will require cluster owner or global admin permissions in Rancher
Resolution
Configuration for RKE provisioned clusters
- Edit the cluster configuration YAML file to include the ssl-protocols option for the ingress, as follows:

      ingress:
        provider: nginx
        options:
          ssl-protocols: "TLSv1.1 TLSv1.2"

- Apply the changes to the cluster by invoking rke up:

      rke up --config <cluster configuration yaml file>

- Verify the new configuration:

      # Prints Good for each ingress-nginx pod whose rendered ssl_protocols line contains 1.1
      for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name | awk -F '/' '{print $2}'); do
        echo -n "Checking $pod .... "
        kubectl -n ingress-nginx exec "$pod" -- bash -c "grep ssl_protocols /etc/nginx/nginx.conf | grep -q '1\.1' && echo 'Good' || echo 'Bad'"
      done

Configuration for Rancher provisioned clusters
- Log in to the Rancher UI.
- Go to Global -> Clusters -> Cluster Name.
- From the Cluster Dashboard, edit the cluster by clicking “⋮” and then selecting Edit.
- Click “Edit as YAML.”
- Include the ssl-protocols option for the ingress, as follows:

      ingress:
        provider: nginx
        options:
          ssl-protocols: "TLSv1.1 TLSv1.2"

- Click “Save” at the bottom of the page.
- Wait for the cluster to finish upgrading.
- Go back to the Cluster Dashboard and click “Launch kubectl.”
- Run the following inside the kubectl CLI to verify the new argument:

      # Prints Good for each ingress-nginx pod whose rendered ssl_protocols line contains 1.1
      for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name | awk -F '/' '{print $2}'); do
        echo -n "Checking $pod .... "
        kubectl -n ingress-nginx exec "$pod" -- bash -c "grep ssl_protocols /etc/nginx/nginx.conf | grep -q '1\.1' && echo 'Good' || echo 'Bad'"
      done
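
The verification loops in both sections report Good as soon as 1.1 appears on the ssl_protocols line. As an added example (not part of the original article or of Rancher's tooling), the shell functions below compare the rendered directive with the exact protocol list set in the cluster YAML, so an extra protocol or a value that was not applied is reported. The function names and the sample nginx.conf are constructed for illustration.

```sh
#!/bin/sh
# Added example: exact-match audit of the rendered ssl_protocols directive.

# Print the unique protocol tokens of every active ssl_protocols directive
# in the nginx.conf read from stdin; commented-out directives are ignored.
rendered_protocols() {
  awk '
    { sub(/#.*/, "") }
    $1 == "ssl_protocols" {
      for (i = 2; i <= NF; i++) { p = $i; sub(/;.*/, "", p); if (p != "") print p }
    }' | sort -u
}

# audit_ssl_protocols "<expected protocols, space separated>" < nginx.conf
# Returns 0 only if the rendered set equals the expected set.
audit_ssl_protocols() {
  expected=$1
  rendered=$(echo $(rendered_protocols))   # join tokens with single spaces
  rc=0
  for p in $rendered; do
    case " $expected " in *" $p "*) ;; *) echo "UNEXPECTED $p"; rc=1 ;; esac
  done
  for p in $expected; do
    case " $rendered " in *" $p "*) ;; *) echo "NOT_APPLIED $p"; rc=1 ;; esac
  done
  if [ "$rc" -eq 0 ]; then echo "OK $rendered"; fi
  return "$rc"
}

# Constructed sample of a rendered nginx.conf (not captured from a cluster).
sample_conf() {
  cat <<'EOF'
http {
    # ssl_protocols TLSv1 TLSv1.1;
    ssl_protocols TLSv1.1 TLSv1.2;
    server { listen 443 ssl; }
}
EOF
}

# Against a live pod, reusing the commands from the article:
#   kubectl -n ingress-nginx exec "$pod" -- cat /etc/nginx/nginx.conf \
#     | audit_ssl_protocols "TLSv1.1 TLSv1.2"
sample_conf | audit_ssl_protocols "TLSv1.1 TLSv1.2"
```

Pass the same string used for ssl-protocols in the cluster YAML as the argument; a non-zero exit status means the pod's configuration differs from it.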