diff --git a/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index 3ee46920bbd..a8fe1edae07 100644 --- a/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md +++ b/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md @@ -213,7 +213,7 @@ If you are using a Private CA signed certificate (or if `agent-tls-mode` is set ::: -Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. +Your load balancer must support long-lived WebSocket connections and will need to insert proxy headers so Rancher can route links correctly. Additionally, your ingress must be configured to use those proxy headers. ### Configuring Ingress for External TLS when Using NGINX v0.22 @@ -235,6 +235,29 @@ spec: use-forwarded-headers: "true" ``` +### Configuring Ingress for External TLS when using Traefik + +For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this setting applied, the external load balancer will continuously respond with redirect loops it receives from the ingress controller. You can create a custom `traefik-config.yaml` file before or after you install Rancher as the K3s server agent will notice this addition and automatically apply it. + +```yaml +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: traefik + namespace: kube-system +spec: + valuesContent: |- + image: + repository: docker.io/library/traefik + ports: + web: + forwardedHeaders: + trustedIPs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 +``` + ### Required Headers - `Host` 
diff --git a/versioned_docs/version-2.10/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/versioned_docs/version-2.10/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index f5ea1e636a1..1eba3d82d55 100644 --- a/versioned_docs/version-2.10/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md +++ b/versioned_docs/version-2.10/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md @@ -209,7 +209,7 @@ If you are using a Private CA signed certificate (or if `agent-tls-mode` is set ::: -Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. +Your load balancer must support long-lived WebSocket connections and will need to insert proxy headers so Rancher can route links correctly. Additionally, your ingress must be configured to use those proxy headers. ### Configuring Ingress for External TLS when Using NGINX v0.22 
@@ -239,6 +239,29 @@ spec: use-forwarded-headers: "true" ``` +### Configuring Ingress for External TLS when using Traefik + +For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this setting applied, the external load balancer will continuously respond with redirect loops it receives from the ingress controller. You can create a custom `traefik-config.yaml` file before or after you install Rancher as the K3s server agent will notice this addition and automatically apply it. + +```yaml +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: traefik + namespace: kube-system +spec: + valuesContent: |- + image: + repository: docker.io/library/traefik + ports: + web: + forwardedHeaders: + trustedIPs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 +``` + ### Required Headers - `Host` diff --git a/versioned_docs/version-2.11/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/versioned_docs/version-2.11/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index aa8da6f793f..7378e106674 100644 --- a/versioned_docs/version-2.11/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md +++ b/versioned_docs/version-2.11/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md 
@@ -208,7 +208,7 @@ If you are using a Private CA signed certificate (or if `agent-tls-mode` is set ::: -Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. +Your load balancer must support long-lived WebSocket connections and will need to insert proxy headers so Rancher can route links correctly. Additionally, your ingress must be configured to use those proxy headers. ### Configuring Ingress for External TLS when Using NGINX v0.22 @@ -238,6 +238,29 @@ spec: use-forwarded-headers: "true" ``` +### Configuring Ingress for External TLS when using Traefik + +For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this setting applied, the external load balancer will continuously respond with redirect loops it receives from the ingress controller. You can create a custom `traefik-config.yaml` file before or after you install Rancher as the K3s server agent will notice this addition and automatically apply it. + +```yaml +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: traefik + namespace: kube-system +spec: + valuesContent: |- + image: + repository: docker.io/library/traefik + ports: + web: + forwardedHeaders: + trustedIPs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 +``` + ### Required Headers - `Host` diff --git a/versioned_docs/version-2.12/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/versioned_docs/version-2.12/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index 3ee46920bbd..a8fe1edae07 100644 --- a/versioned_docs/version-2.12/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md 
+++ b/versioned_docs/version-2.12/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md @@ -213,7 +213,7 @@ If you are using a Private CA signed certificate (or if `agent-tls-mode` is set ::: -Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. +Your load balancer must support long-lived WebSocket connections and will need to insert proxy headers so Rancher can route links correctly. Additionally, your ingress must be configured to use those proxy headers. ### Configuring Ingress for External TLS when Using NGINX v0.22 @@ -235,6 +235,29 @@ spec: use-forwarded-headers: "true" ``` +### Configuring Ingress for External TLS when using Traefik + +For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this setting applied, the external load balancer will continuously respond with redirect loops it receives from the ingress controller. You can create a custom `traefik-config.yaml` file before or after you install Rancher as the K3s server agent will notice this addition and automatically apply it. + +```yaml +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: traefik + namespace: kube-system +spec: + valuesContent: |- + image: + repository: docker.io/library/traefik + ports: + web: + forwardedHeaders: + trustedIPs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 +``` + ### Required Headers - `Host` diff --git a/versioned_docs/version-2.9/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/versioned_docs/version-2.9/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index f5ea1e636a1..1eba3d82d55 100644 
--- a/versioned_docs/version-2.9/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md +++ b/versioned_docs/version-2.9/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md @@ -209,7 +209,7 @@ If you are using a Private CA signed certificate (or if `agent-tls-mode` is set ::: -Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. +Your load balancer must support long-lived WebSocket connections and will need to insert proxy headers so Rancher can route links correctly. Additionally, your ingress must be configured to use those proxy headers. ### Configuring Ingress for External TLS when Using NGINX v0.22 @@ -239,6 +239,29 @@ spec: use-forwarded-headers: "true" ``` +### Configuring Ingress for External TLS when using Traefik + +For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this setting applied, the external load balancer will continuously respond with redirect loops it receives from the ingress controller. You can create a custom `traefik-config.yaml` file before or after you install Rancher as the K3s server agent will notice this addition and automatically apply it. + +```yaml +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: traefik + namespace: kube-system +spec: + valuesContent: |- + image: + repository: docker.io/library/traefik + ports: + web: + forwardedHeaders: + trustedIPs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 +``` + ### Required Headers - `Host`
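Review bot: The added sentence "Additionally, your ingress must be configured to use those proxy headers." in the load balancer paragraph (the `@@ -213,7`, `@@ -209,7` and `@@ -208,7` hunks) states a requirement without saying where it is met. Suggest pointing it at the "Configuring Ingress for External TLS" subsections and at "Required Headers" below, so a reader who stops at this paragraph knows which headers are meant and where the ingress-side setting is documented. The same wording is repeated in all five copies of `helm-chart-options.md`, so the change needs to be made in each.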
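Review bot: The `trustedIPs` list in the new Traefik section (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`) tells the `web` entrypoint to honour forwarded headers from every RFC 1918 address, not only from the external load balancer, so any client in private address space that can reach the entrypoint can supply its own `X-Forwarded-*` values and have them trusted. Suggest the text say these ranges are an example and that the list should be narrowed to the load balancer's source addresses or subnet. Three smaller points in the same hunk: the paragraph calls this "this required setting", but the YAML also sets `image.repository: docker.io/library/traefik`, which has nothing to do with forwarded headers and should be dropped or explained; only `ports.web` is configured, so the section should state that the load balancer must forward to that entrypoint; and the sentence "You can create a custom `traefik-config.yaml` file" appears twice in the paragraph, while the heading uses "when using" where the neighbouring NGINX heading uses "when Using". All of this applies to each of the five copies of the hunk.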