@janeczku
Last active March 18, 2024 17:37
Change the hostname/URL and certificate of an existing Rancher installation

Steps to change the URL of a Rancher installation and switch from a self-signed certificate to a certificate signed by a recognized CA.

  1. Change the Rancher server-url setting to the new URL:

    • Navigate to https://<old_rancher_hostname>/g/settings/advanced
    • Edit server-url to https://<new_rancher_hostname>
  2. Clear the private CA certificate for the old certificate

    • Navigate to https://<old_rancher_hostname>/g/settings/advanced
    • Next to cacerts click context menu -> View in API
    • Click Edit
    • Clear the content of the value field
    • Click Show Request then Send Request
  3. Trigger a re-deployment of the cluster-agent and node-agent for each cluster:

    • Configure kubectl to point at the RKE cluster where Rancher server is running
    • Note down the IDs of the managed clusters: $ kubectl get clusters
    • For each cluster (including local) run:
    $ kubectl patch cluster <CLUSTER_ID> -p '{"status":{"agentImage":"dummy"}}' --type merge
    
  4. Note that this will disconnect all clusters from Rancher until the installation is upgraded with the new hostname / ingress configuration.

  5. Update the certificate for Rancher from a private one to a publicly signed one:

  6. Upgrade Rancher installation using the helm upgrade command following the steps here: https://rancher.com/docs/rancher/v2.x/en/upgrades/upgrades/ha-server-upgrade-helm/#upgrade-rancher

    • Specify the currently installed Rancher version to prevent software upgrade
    • Pass all the values (--set) that were originally specified during installation
    • Pass the new Rancher hostname in the hostname variable
    • Ensure you specify --set privateCA=false to clear out the old private CA certificate

    Example:

    helm upgrade rancher rancher-stable/rancher --version v2.1.6 \
    --set hostname=rancher-new.example.com \
    --set ingress.tls.source=secret \
    --set privateCA=false \
    --set ...other...options
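
Step 3 applied to every managed cluster in one pass, as an added example that is not part of the original gist. It assumes kubectl already points at the cluster where Rancher server runs; `list_cluster_ids`, `redeploy_agents` and `DRY_RUN` are names made up for this sketch.

```bash
#!/bin/sh
# Added example (not from the gist author): run the step 3 patch for every
# managed cluster and report which ones failed.
# DRY_RUN is a variable of this sketch, not a kubectl or Rancher option.

# Patch body taken verbatim from step 3.
AGENT_PATCH='{"status":{"agentImage":"dummy"}}'

# Print the IDs of all managed clusters (including local), one per line.
list_cluster_ids() {
  kubectl get clusters -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
}

# Patch every cluster, keep going on errors, return the number of failures.
redeploy_agents() {
  failed=0
  ids="$(list_cluster_ids)" || { echo "cannot list clusters" >&2; return 1; }
  if [ -z "$ids" ]; then echo "no clusters found" >&2; return 1; fi
  for id in $ids; do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "would patch $id"
    elif kubectl patch cluster "$id" -p "$AGENT_PATCH" --type merge >/dev/null; then
      echo "patched $id"
    else
      echo "FAILED $id" >&2
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Only act when explicitly asked to: ./script.sh --run
if [ "${1:-}" = "--run" ]; then
  redeploy_agents
fi
```

Run it with `DRY_RUN=1` first to confirm the cluster list; as step 4 notes, every patched cluster stays disconnected until the helm upgrade is done.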
    
@fr34kyn01535

Editing cacerts is no longer possible.

@janeczku
Author

Thanks for the info, @fr34kyn01535. Looks like changing the CA certificate now rather needs to be done via a helm upgrade.

@fr34kyn01535

Yes, works quite well; Rancher's self-healing capabilities are awesome. To change the URL on agents simply edit their address in the API and redeploy them in place (for custom agents on dedicated machines). Then roll all certificates and redeploy all services.

@resamaraschi

Thanks for this useful gist. 👍

@Nilegfx

Nilegfx commented Apr 24, 2021

I am kinda lost here. Could you please explain how I can do it with helm upgrade? I tried to do so in a separate installation (dev env) but I always end up with this scenario

@Nilegfx

Nilegfx commented Apr 25, 2021

Finally, I was able to do it.
The Rancher docs don't mention anything about this, and even this gist wasn't helpful in my case because I installed Rancher with Let's Encrypt certificates.
So what I did:

  1. upgrade rancher via helm (don't forget to copy cluster config from rancher UI before you do the following as you won't have access to the cluster config once you changed the URL)

    helm upgrade --install \
      --namespace cattle-system \
      --set hostname=new-domain.com \
      --set ingress.tls.source=letsEncrypt \
      --set letsEncrypt.email=user@new-domain.com \
      rancher \
      rancher-stable/rancher

  2. created a new DNS record (I use cloudflare to manage my DNS) it took around an hour for the DNS to be propagated (not sure why, but eventually it worked)
  3. the cluster got detached from rancher and showed health check failure
  4. ssh into the cluster
  5. install kubectl
  6. copied the old kubeconfig to the machine/node and configured `export KUBECONFIG=<OLD_CONFIG_DIR_IN_VM>`
  7. get secrets: `kubectl -n cattle-system get secret`
  8. modify the secret cattle-credentials-<RANDOM_HASH>. change data.url (encode it with base64 beforehand)
  9. modify both node and cluster agent in the same VM
    1. modify cluster agent deployment
      1. `kubectl -n cattle-system edit deployment cattle-cluster-agent`
      2. change CATTLE_SERVER env to your new domain/url
    2. modify node agent
      1. `kubectl -n cattle-system edit daemonsets cattle-node-agent`
      2. change CATTLE_SERVER env to your new domain/url

I think in my case there was no need to modify any certificates because cert-manager was already installed the first time I set up Rancher.

I hope this helps someone.
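
A non-interactive form of the secret edit and the CATTLE_SERVER change described in the comment above, as an added example that is not from the commenter or the Rancher project. It encodes with printf rather than echo so that no trailing newline ends up inside data.url; the function names and the https:// check are assumptions of this sketch.

```bash
#!/bin/sh
# Added example: scripted version of the data.url and CATTLE_SERVER edits.
# Assumes kubectl points at the detached downstream cluster and that the
# secret name was looked up with `kubectl -n cattle-system get secret`.

# Base64-encode the URL for data.url. echo would append a newline that then
# becomes part of the stored URL, so printf '%s' is used instead.
encode_url() {
  case "$1" in
    https://*) ;;
    *) echo "URL must start with https://" >&2; return 1 ;;
  esac
  printf '%s' "$1" | base64 | tr -d '\n'
}

# usage: repoint_agents <NEW_URL> <cattle-credentials-SECRET_NAME>
repoint_agents() {
  new_url="$1"; secret="$2"
  encoded="$(encode_url "$new_url")" || return 1

  # Write the encoded URL into the credentials secret.
  kubectl -n cattle-system patch secret "$secret" --type merge \
    -p "{\"data\":{\"url\":\"$encoded\"}}" || return 1

  # Read the field back and require a byte-for-byte match before going on.
  stored="$(kubectl -n cattle-system get secret "$secret" \
    -o jsonpath='{.data.url}')"
  [ "$stored" = "$encoded" ] || { echo "data.url mismatch" >&2; return 1; }

  # Set CATTLE_SERVER on both agents instead of using kubectl edit.
  kubectl -n cattle-system set env deployment/cattle-cluster-agent \
    "CATTLE_SERVER=$new_url" || return 1
  kubectl -n cattle-system set env daemonset/cattle-node-agent \
    "CATTLE_SERVER=$new_url"
}

# Only act when explicitly asked to: ./script.sh --run <URL> <SECRET_NAME>
if [ "${1:-}" = "--run" ]; then
  repoint_agents "$2" "$3"
fi
```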

@sebastien-helbert

Thanks for sharing this @Nilegfx it works as expected

@maxgio92

JFI the comment from @Nilegfx is correct, but right now it misses the update of the node's system agent.
The system agents need to be updated with the registration command. That command can be taken from Rancher UI: Cluster Management > > Registration and re-run on each node, modifying the correct role based on the node it is run on.
