Initial web login fails after installing Rancher Server with Helm on an RKE2 cluster

Rancher Server Setup

  • Rancher version: 2.7.1
  • Installation option:
    • Helm high-availability install
    • Local cluster type: RKE2 version v1.25.9+rke2r2
  • Online or air-gapped deployment: air-gapped

Host operating system:
CentOS 7.9 x64

Background:
1. After installing Rancher 2.7.1 offline via Helm on RKE2, the pods started successfully and the rancher pod in the cattle-system namespace is running normally. TLS is terminated externally and proxied through an Nginx service; the RKE2 cluster's nginx-ingress configuration file is as follows:

/var/lib/rancher/rke2/server/manifests/rke2-ingress-nginx-config.yaml

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        use-forwarded-headers: "true"

The Nginx configuration is as follows:
worker_processes 4;
worker_rlimit_nofile 40000;

events {
worker_connections 8192;
}

http {
    upstream rancher {
        server IP_NODE_1:80;
        server IP_NODE_2:80;
        server IP_NODE_3:80;
    }

map $http_upgrade $connection_upgrade {
    default Upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    server_name FQDN;
    ssl_certificate /certs/fullchain.pem;
    ssl_certificate_key /certs/privkey.pem;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://rancher;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # This lets an open shell window stay up for as long as 15 minutes. Without this parameter it is closed automatically after 1 minute by default.
        proxy_read_timeout 900s;
        proxy_buffering off;
    }
}

server {
    listen 80;
    server_name FQDN;
    return 301 https://$server_name$request_uri;
}

}

2. When I open Rancher in the browser and log in with the random password obtained as instructed on the page, it just keeps spinning. The access log of the external Nginx is as follows:

Log

10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "POST /v3-public/localProviders/local?action=login HTTP/2.0" 200 0 "https://xxhrancher.domain.com/dashboard/auth/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "GET /v3/users?me=true HTTP/2.0" 200 414 "https://xxhrancher.domain.com/dashboard/auth/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "GET /api/v1/namespaces/cattle-ui-plugin-system/services/http:ui-plugin-operator:80/proxy/index.json HTTP/2.0" 403 402 "https://xxhrancher.domain.com/dashboard/auth/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "GET /dashboard/_nuxt/d652e0e7e361584334de.js HTTP/2.0" 200 7289 "https://xxhrancher.domain.com/dashboard/auth/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "GET /v1/management.cattle.io.setting HTTP/2.0" 502 552 "https://xxhrancher.domain.com/dashboard/auth/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "GET /v3/users?me=true HTTP/2.0" 200 414 "https://xxhrancher.domain.com/dashboard/auth/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "GET /v1/management.cattle.io.setting HTTP/2.0" 502 552 "https://xxhrancher.domain.com/dashboard/auth/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "GET /v3/settings/ui-pl HTTP/2.0" 200 255 "https://xxhrancher.domain.com/dashboard/auth/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "GET /v3/principals HTTP/2.0" 200 420 "https://xxhrancher.domain.com/dashboard/auth/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "GET /v1/management.cattle.io.feature/multi-cluster-management HTTP/2.0" 502 552 "https://xxhrancher.domain.com/dashboard/auth/login" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "GET /favicon.png HTTP/2.0" 200 787 "https://xxhrancher.domain.com/dashboard/auth/setup" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "GET /v1/management.cattle.io.setting HTTP/2.0" 502 552 "https://xxhrancher.domain.com/dashboard/auth/setup" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36"
10.3.157.191 - - [13/Jun/2023:10:02:23 +0800] "GET /v3/connect HTTP/1.1" 401 21 "-" "Go-http-client/1.1"
10.3.157.191 - - [13/Jun/2023:10:02:23 +0800] "GET /v3/connect HTTP/1.1" 401 21 "-" "Go-http-client/1.1"
10.3.157.191 - - [13/Jun/2023:10:02:23 +0800] "GET /v3/connect HTTP/1.1" 400 17 "-" "Go-http-client/1.1"
10.3.157.191 - - [13/Jun/2023:10:02:23 +0800] "GET /v3/connect HTTP/1.1" 400 17 "-" "Go-http-client/1.1"
10.3.157.193 - - [13/Jun/2023:10:02:25 +0800] "GET /version HTTP/2.0" 401 129 "-" "fleetagent/v0.0.0 (linux/amd64) kubernetes/$Format"
10.3.157.193 - - [13/Jun/2023:10:02:25 +0800] "GET /version HTTP/2.0" 401 129 "-" "rancher-system-agent/v0.0.0 (linux/amd64) kubernetes/$Format"
10.3.157.191 - - [13/Jun/2023:10:02:28 +0800] "GET /v3/connect HTTP/1.1" 401 21 "-" "Go-http-client/1.1"
10.3.157.191 - - [13/Jun/2023:10:02:28 +0800] "GET /v3/connect HTTP/1.1" 401 21 "-" "Go-http-client/1.1"
10.3.157.194 - - [13/Jun/2023:10:02:32 +0800] "GET /version HTTP/2.0" 401 129 "-" "rancher-system-agent/v0.0.0 (linux/amd64) kubernetes/$Format"
10.3.157.192 - - [13/Jun/2023:10:02:32 +0800] "GET /version HTTP/2.0" 401 129 "-" "rancher-system-agent/v0.0.0 (linux/amd64) kubernetes/$Format"
10.3.157.191 - - [13/Jun/2023:10:02:32 +0800] "GET /version HTTP/2.0" 401 129 "-" "rancher-system-agent/v0.0.0 (linux/amd64) kubernetes/$Format"
10.3.157.191 - - [13/Jun/2023:10:02:33 +0800] "GET /v3/connect HTTP/1.1" 401 21 "-" "Go-http-client/1.1"
10.3.157.191 - - [13/Jun/2023:10:02:33 +0800] "GET /v3/connect HTTP/1.1" 401 21 "-" "Go-http-client/1.1"
10.3.157.191 - - [13/Jun/2023:10:02:33 +0800] "GET /v3/connect HTTP/1.1" 400 17 "-" "Go-http-client/1.1"
10.3.157.191 - - [13/Jun/2023:10:02:33 +0800] "GET /v3/connect HTTP/1.1" 400 17 "-" "Go-http-client/1.1"

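The access log above mixes the browser's dashboard requests with the cluster agents' own calls, and the signal that matters is that the login POST and the /v3 calls succeed while every /v1 (steve API) request comes back 502 from the proxy. The following is an added triage helper, not code from the original post or from Rancher: it parses lines in that log format, splits browser traffic from agent traffic by User-Agent, and reports which API families fail with 5xx behind Nginx. The sample lines are constructed in the same format with the post's own addresses and paths.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the format of the Nginx access log quoted in the post
# (straight quotes; IPs, host and paths are the ones the post shows).
SAMPLE_LOG = """\
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "POST /v3-public/localProviders/local?action=login HTTP/2.0" 200 0 "https://xxhrancher.domain.com/dashboard/auth/login" "Mozilla/5.0"
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "GET /v3/users?me=true HTTP/2.0" 200 414 "https://xxhrancher.domain.com/dashboard/auth/login" "Mozilla/5.0"
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "GET /v1/management.cattle.io.setting HTTP/2.0" 502 552 "https://xxhrancher.domain.com/dashboard/auth/login" "Mozilla/5.0"
10.3.154.251 - - [13/Jun/2023:10:02:21 +0800] "GET /v1/management.cattle.io.feature/multi-cluster-management HTTP/2.0" 502 552 "https://xxhrancher.domain.com/dashboard/auth/login" "Mozilla/5.0"
10.3.157.191 - - [13/Jun/2023:10:02:23 +0800] "GET /v3/connect HTTP/1.1" 401 21 "-" "Go-http-client/1.1"
10.3.157.193 - - [13/Jun/2023:10:02:25 +0800] "GET /version HTTP/2.0" 401 129 "-" "rancher-system-agent/v0.0.0 (linux/amd64) kubernetes/$Format"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["target"]).path
    # API family = first path segment: v1 (steve), v3 (norman), v3-public, ...
    rec["api"] = rec["path"].split("/")[1] if rec["path"].startswith("/") else ""
    return rec

def triage(log_text):
    """Count (api family, status) per traffic kind, keeping the browser's dashboard
    requests apart from the cluster agents' /v3/connect and /version calls."""
    stats = {"browser": Counter(), "agent": Counter()}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = "browser" if rec["ua"].startswith("Mozilla") else "agent"
        stats[kind][(rec["api"], rec["status"])] += 1
    return stats

def upstream_failures(log_text):
    """API families that answer the browser with 5xx: the request reached Nginx,
    so the failure sits behind it (upstream/ingress), not in the login itself."""
    browser = triage(log_text)["browser"]
    return sorted({api for (api, status) in browser if status >= 500})
```

Run against the real log, `upstream_failures` isolating only `v1` tells you the login itself succeeded and the next thing to check is how the ingress handles the steve API requests that the dashboard issues right after login.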
Here is an article on external TLS termination you can refer to: Rancher High-Availability Install -- Terminating SSL/TLS with an External LB