From 768e4d0d4b6a73c294caf4464f552bfb153a2d75 Mon Sep 17 00:00:00 2001 From: linkandzelda91 <1525431+linkandzelda91@users.noreply.github.com> Date: Fri, 19 Sep 2025 00:35:58 -0500 Subject: [PATCH 01/10] Add required External TLS Traefik configuration. After longer than I would like to admit not understanding why I was getting redirect loops, I stumbled upon this: https://github.com/rancher/rancher/issues/31071 and a second issue requesting the documentation be updated with the discovered solution: https://github.com/rancher/rancher/issues/43875. Looks like someone added something for using nginx as an ingress to enable the header pass-through, so I pretty much just copied the phrasing. The config I am using is from https://docs.k3s.io/helm#customizing-packaged-components-with-helmchartconfig. I added the other two RFC1918 subnets before realizing there's an allow-all option, but I kinda like this a little better because it doesn't trust them from WAN addresses. --- .../helm-chart-options.md | 24 ++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index 3ee46920bbd..2f588f9c2d5 100644 --- a/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md +++ b/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md 
@@ -213,7 +213,7 @@ If you are using a Private CA signed certificate (or if `agent-tls-mode` is set ::: -Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. +Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. Additionally, your ingress must support passing through the required headers listed below. ### Configuring Ingress for External TLS when Using NGINX v0.22 @@ -235,6 +235,28 @@ spec: use-forwarded-headers: "true" ``` +### Configuring Ingress for External TLS when using Traefik +For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this required setting applied, the external LB will continuously respond with redirect loops it receives from the ingress controller. (This can be created before or after rancher is installed, rke2 server agent will notice this addition and automatically apply it.) + +``` +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: traefik + namespace: kube-system +spec: + valuesContent: |- + image: + repository: docker.io/library/traefik + ports: + web: + forwardedHeaders: + trustedIPs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 +``` + ### Required Headers - `Host` From 213d8de9166a4ef1c143c82f6492f40f9f6f2674 Mon Sep 17 00:00:00 2001 From: linkandzelda91 <1525431+linkandzelda91@users.noreply.github.com> Date: Tue, 23 Sep 2025 18:53:08 -0500 Subject: [PATCH 02/10] Apply suggestion from @LucasSaintarbor Co-authored-by: Lucas Saintarbor --- .../installation-references/helm-chart-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index 2f588f9c2d5..64dc0068d2b 100644 --- a/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md +++ b/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md @@ -213,7 +213,7 @@ If you are using a Private CA signed certificate (or if `agent-tls-mode` is set ::: -Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. Additionally, your ingress must support passing through the required headers listed below. +Your load balancer must support long-lived WebSocket connections and will need to insert proxy headers so Rancher can route links correctly. Additionally, your ingress must support passing through the required headers listed below. ### Configuring Ingress for External TLS when Using NGINX v0.22 From ad1b9e0a24840e59ec8aaa7adec48630b4281809 Mon Sep 17 00:00:00 2001 From: linkandzelda91 <1525431+linkandzelda91@users.noreply.github.com> Date: Tue, 23 Sep 2025 18:54:42 -0500 Subject: [PATCH 03/10] Apply suggestion from @LucasSaintarbor Co-authored-by: Lucas Saintarbor --- .../installation-references/helm-chart-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index 64dc0068d2b..c1e68303952 100644 --- a/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md +++ b/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md 
@@ -238,7 +238,7 @@ spec: ### Configuring Ingress for External TLS when using Traefik For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this required setting applied, the external LB will continuously respond with redirect loops it receives from the ingress controller. (This can be created before or after rancher is installed, rke2 server agent will notice this addition and automatically apply it.) -``` +```yaml apiVersion: helm.cattle.io/v1 kind: HelmChartConfig metadata: From 164d73daa795c8c8a09518bb404b1f0eed1679dd Mon Sep 17 00:00:00 2001 From: linkandzelda91 <1525431+linkandzelda91@users.noreply.github.com> Date: Tue, 23 Sep 2025 18:55:05 -0500 Subject: [PATCH 04/10] Apply suggestion from @LucasSaintarbor Co-authored-by: Lucas Saintarbor --- .../installation-references/helm-chart-options.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index c1e68303952..d425f5a513f 100644 --- a/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md +++ b/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md 
@@ -236,7 +236,8 @@ spec: ``` ### Configuring Ingress for External TLS when using Traefik -For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this required setting applied, the external LB will continuously respond with redirect loops it receives from the ingress controller. (This can be created before or after rancher is installed, rke2 server agent will notice this addition and automatically apply it.) + +For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this setting applied, the external load balancer will continuously respond with redirect loops it receives from the ingress controller. You can create a custom `traefik-config.yaml` file before or after you install Rancher as the RKE2 server agent will notice this addition and automatically apply it. ```yaml apiVersion: helm.cattle.io/v1 From f0348e1a11c808128f60644869efcadb4c3e7277 Mon Sep 17 00:00:00 2001 From: linkandzelda91 <1525431+linkandzelda91@users.noreply.github.com> Date: Tue, 23 Sep 2025 18:56:36 -0500 Subject: [PATCH 05/10] Update K3s server agent reference in Helm chart options --- .../installation-references/helm-chart-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index d425f5a513f..d5b4d4a7cbe 100644 --- a/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md +++ b/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md 
@@ -237,7 +237,7 @@ spec: ### Configuring Ingress for External TLS when using Traefik -For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this setting applied, the external load balancer will continuously respond with redirect loops it receives from the ingress controller. You can create a custom `traefik-config.yaml` file before or after you install Rancher as the RKE2 server agent will notice this addition and automatically apply it. +For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this setting applied, the external load balancer will continuously respond with redirect loops it receives from the ingress controller. You can create a custom `traefik-config.yaml` file before or after you install Rancher as the K3s server agent will notice this addition and automatically apply it. ```yaml apiVersion: helm.cattle.io/v1 From d08feb0ec35b50b71944e782d7ed9ae0bcf390f1 Mon Sep 17 00:00:00 2001 From: linkandzelda91 <1525431+linkandzelda91@users.noreply.github.com> Date: Tue, 23 Sep 2025 19:09:27 -0500 Subject: [PATCH 06/10] Update ingress configuration instructions for clarity Clarify ingress configuration requirements for load balancers and NGINX. --- .../installation-references/helm-chart-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index d5b4d4a7cbe..a8fe1edae07 100644 --- a/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md 
+++ b/docs/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md @@ -213,7 +213,7 @@ If you are using a Private CA signed certificate (or if `agent-tls-mode` is set ::: -Your load balancer must support long-lived WebSocket connections and will need to insert proxy headers so Rancher can route links correctly. Additionally, your ingress must support passing through the required headers listed below. +Your load balancer must support long-lived WebSocket connections and will need to insert proxy headers so Rancher can route links correctly. Additionally, your ingress must be configured to use those proxy headers. ### Configuring Ingress for External TLS when Using NGINX v0.22 From cf878b7aa10f004adfcd4d0adc7142fc4de48950 Mon Sep 17 00:00:00 2001 From: linkandzelda91 <1525431+linkandzelda91@users.noreply.github.com> Date: Tue, 23 Sep 2025 19:09:31 -0500 Subject: [PATCH 07/10] Update Helm chart options for Ingress configuration Added instructions for configuring Ingress with Traefik for external TLS termination and clarified WebSocket connection requirements. --- .../helm-chart-options.md | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/versioned_docs/version-2.9/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/versioned_docs/version-2.9/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index f5ea1e636a1..1eba3d82d55 100644 --- a/versioned_docs/version-2.9/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md +++ b/versioned_docs/version-2.9/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md 
@@ -209,7 +209,7 @@ If you are using a Private CA signed certificate (or if `agent-tls-mode` is set ::: -Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. +Your load balancer must support long-lived WebSocket connections and will need to insert proxy headers so Rancher can route links correctly. Additionally, your ingress must be configured to use those proxy headers. ### Configuring Ingress for External TLS when Using NGINX v0.22 @@ -239,6 +239,29 @@ spec: use-forwarded-headers: "true" ``` +### Configuring Ingress for External TLS when using Traefik + +For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this setting applied, the external load balancer will continuously respond with redirect loops it receives from the ingress controller. You can create a custom `traefik-config.yaml` file before or after you install Rancher as the K3s server agent will notice this addition and automatically apply it. + +```yaml +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: traefik + namespace: kube-system +spec: + valuesContent: |- + image: + repository: docker.io/library/traefik + ports: + web: + forwardedHeaders: + trustedIPs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 +``` + ### Required Headers - `Host` From 3420a70b4996a525f5f6b96742eae817912de045 Mon Sep 17 00:00:00 2001 From: linkandzelda91 <1525431+linkandzelda91@users.noreply.github.com> Date: Tue, 23 Sep 2025 19:09:36 -0500 Subject: [PATCH 08/10] Clarify WebSocket support and add Traefik config Updated wording for clarity and added instructions for Traefik configuration. --- .../helm-chart-options.md | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) 
diff --git a/versioned_docs/version-2.10/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/versioned_docs/version-2.10/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index f5ea1e636a1..1eba3d82d55 100644 --- a/versioned_docs/version-2.10/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md +++ b/versioned_docs/version-2.10/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md @@ -209,7 +209,7 @@ If you are using a Private CA signed certificate (or if `agent-tls-mode` is set ::: -Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. +Your load balancer must support long-lived WebSocket connections and will need to insert proxy headers so Rancher can route links correctly. Additionally, your ingress must be configured to use those proxy headers. ### Configuring Ingress for External TLS when Using NGINX v0.22 
@@ -239,6 +239,29 @@ spec: use-forwarded-headers: "true" ``` +### Configuring Ingress for External TLS when using Traefik + +For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this setting applied, the external load balancer will continuously respond with redirect loops it receives from the ingress controller. You can create a custom `traefik-config.yaml` file before or after you install Rancher as the K3s server agent will notice this addition and automatically apply it. + +```yaml +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: traefik + namespace: kube-system +spec: + valuesContent: |- + image: + repository: docker.io/library/traefik + ports: + web: + forwardedHeaders: + trustedIPs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 +``` + ### Required Headers - `Host` From e97eaa573fa4533fa5a54ba5cf30fb91ca5b9e2d Mon Sep 17 00:00:00 2001 From: linkandzelda91 <1525431+linkandzelda91@users.noreply.github.com> Date: Tue, 23 Sep 2025 19:09:39 -0500 Subject: [PATCH 09/10] Update Helm chart options for Ingress configuration Added instructions for configuring Ingress with Traefik and clarified WebSocket connection requirements. --- .../helm-chart-options.md | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/versioned_docs/version-2.11/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/versioned_docs/version-2.11/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index aa8da6f793f..7378e106674 100644 --- a/versioned_docs/version-2.11/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md +++ b/versioned_docs/version-2.11/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md 
@@ -208,7 +208,7 @@ If you are using a Private CA signed certificate (or if `agent-tls-mode` is set ::: -Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. +Your load balancer must support long-lived WebSocket connections and will need to insert proxy headers so Rancher can route links correctly. Additionally, your ingress must be configured to use those proxy headers. ### Configuring Ingress for External TLS when Using NGINX v0.22 @@ -238,6 +238,29 @@ spec: use-forwarded-headers: "true" ``` +### Configuring Ingress for External TLS when using Traefik + +For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this setting applied, the external load balancer will continuously respond with redirect loops it receives from the ingress controller. You can create a custom `traefik-config.yaml` file before or after you install Rancher as the K3s server agent will notice this addition and automatically apply it. + +```yaml +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: traefik + namespace: kube-system +spec: + valuesContent: |- + image: + repository: docker.io/library/traefik + ports: + web: + forwardedHeaders: + trustedIPs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 +``` + ### Required Headers - `Host` From cd12bbbe42d65ead28768b2379701b4e0302f836 Mon Sep 17 00:00:00 2001 From: linkandzelda91 <1525431+linkandzelda91@users.noreply.github.com> Date: Tue, 23 Sep 2025 19:09:41 -0500 Subject: [PATCH 10/10] Update Helm chart options for TLS and Traefik Clarified requirements for load balancer and added instructions for Traefik configuration. --- .../helm-chart-options.md | 25 ++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) 
diff --git a/versioned_docs/version-2.12/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md b/versioned_docs/version-2.12/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md index 3ee46920bbd..a8fe1edae07 100644 --- a/versioned_docs/version-2.12/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md +++ b/versioned_docs/version-2.12/getting-started/installation-and-upgrade/installation-references/helm-chart-options.md @@ -213,7 +213,7 @@ If you are using a Private CA signed certificate (or if `agent-tls-mode` is set ::: -Your load balancer must support long lived websocket connections and will need to insert proxy headers so Rancher can route links correctly. +Your load balancer must support long-lived WebSocket connections and will need to insert proxy headers so Rancher can route links correctly. Additionally, your ingress must be configured to use those proxy headers. ### Configuring Ingress for External TLS when Using NGINX v0.22 
@@ -235,6 +235,29 @@ spec: use-forwarded-headers: "true" ``` +### Configuring Ingress for External TLS when using Traefik + +For K3s installations, you can create a custom `traefik-config.yaml` file at `/var/lib/rancher/k3s/server/manifests` containing this required setting to enable using forwarded headers with external TLS termination. Without this setting applied, the external load balancer will continuously respond with redirect loops it receives from the ingress controller. You can create a custom `traefik-config.yaml` file before or after you install Rancher as the K3s server agent will notice this addition and automatically apply it. + +```yaml +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: traefik + namespace: kube-system +spec: + valuesContent: |- + image: + repository: docker.io/library/traefik + ports: + web: + forwardedHeaders: + trustedIPs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 +``` + ### Required Headers - `Host`
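Review bot: in the Traefik snippet added by patch 01 (hunk `@@ -235,6 +235,28 @@`, repeated in the versioned copies of patches 07 to 10) the `trustedIPs` list covers all three RFC1918 ranges, so Traefik will honour `X-Forwarded-*` headers from any private address, which on a cluster means every node, pod and internal host, not only the external load balancer; any of those can then hand Rancher a forged client address or scheme. Suggest the prose state that the three ranges are placeholders to be replaced with the load balancer's own address or subnet, kept as narrow as the deployment allows, and that the allow-all option the commit message mentions should stay out of the docs.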
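Review bot: the sentence rewritten in patch 04 (hunk `@@ -236,7 +236,8 @@`, `Without this setting applied, the external load balancer will continuously respond with redirect loops it receives from the ingress controller`) places the redirect on the load balancer, but the load balancer only relays it; the loop exists because Traefik does not pass on the proxy headers the load balancer inserted when the peer is not trusted, so Rancher never learns that TLS was terminated upstream and answers each plain-HTTP request with a redirect to HTTPS, which the load balancer forwards again. Suggest spelling out that chain, since it tells a reader which component to inspect when the loop persists after the change.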
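Review bot: the wording change in patch 05 (hunk `@@ -237,7 +237,7 @@`) replaces `RKE2 server agent` with `K3s server agent`, but `server agent` is still not a K3s role; the manifests under `/var/lib/rancher/k3s/server/manifests` are picked up by the K3s server process. Suggest `as the K3s server will notice this addition and automatically apply it`.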
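Review bot: style point in the heading added by patch 07 (hunk `@@ -239,6 +239,29 @@`, and the same heading in patches 01 and 08 to 10): `### Configuring Ingress for External TLS when using Traefik` has lower-case `using` where the neighbouring heading reads `### Configuring Ingress for External TLS when Using NGINX v0.22`. Suggest `when Using Traefik` so the two section titles match.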
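Review bot: missing documentation in the Traefik section as added by patch 09 (hunk `@@ -238,6 +238,29 @@`, same for the other copies): the reader is given no way to confirm the override reached Traefik, and a rejected `valuesContent` leaves the previous entrypoint arguments in place. Suggest a closing sentence with a check such as `kubectl -n kube-system get deployment traefik -o yaml | grep -i forwardedheaders`, which should show the configured `trustedIPs` in the container arguments once the HelmChartConfig has been applied.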
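Review bot: the `image: repository: docker.io/library/traefik` lines in the snippet added by patch 10 (hunk `@@ -235,6 +235,29 @@`, and in every other copy of the section) are unrelated to forwarded headers; they were carried over from the upstream K3s HelmChartConfig example cited in the commit message and they change which registry and image the Traefik chart pulls, which a reader following a header-configuration section will not expect. Suggest dropping the `image:` block, or, if it is kept deliberately, saying why it is needed.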