
How to set cipher-suites for etcd in RKE2

This document (000021373) is provided subject to the disclaimer at the end of this document.

Environment

Rancher 2.7.X
Rancher 2.8.X
RKE2 1.26.15, 1.27.X, 1.28.X

Resolution

CUSTOM CLUSTERS
  1. Click .
  2. Select Cluster Management.
  3. Select the cluster.
  4. On the Clusters page, select  at the end of each row to view a submenu with the following options:
    • Edit as YAML
  Append the cipher-suites needed under spec:machineGlobalConfig and save it.

etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"

The cluster status will update while the change is applied.

STANDALONE CLUSTER

     1. Create or edit the config file at /etc/rancher/rke2/config.yaml. Add the following line to the end of the file and save it.

etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"

The resulting config.yaml looks like this:

token: (redacted)
server: (redacted)
etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"

     2. Restart the rke2-server service to apply the change.

systemctl restart rke2-server

     3. Verify the change.

The new configuration will be populated in the etcd configuration file.
root@susenode01:~# cat /var/lib/rancher/rke2/server/db/etcd/config
advertise-client-urls: (redacted)
cipher-suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
client-transport-security:
  cert-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.crt
  client-cert-auth: true
  key-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.key
  trusted-ca-file: /var/lib/rancher/rke2/server/tls/etcd/server-ca.crt
data-dir: /var/lib/rancher/rke2/server/db/etcd
...(omitted)

Repeat these steps on every etcd node in the cluster.
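The verification step above relies on reading the generated etcd config by eye. The following script, added here as an example and not part of the SUSE article or of RKE2 itself, automates that check: it extracts the suite list from the etcd-arg value in config.yaml, extracts the cipher-suites list that RKE2 wrote into the etcd config, confirms the two match, and flags suites without forward secrecy or with CBC/RC4/3DES/NULL ciphers. The two sample files embedded below are constructed to mirror the excerpts in this article; the server URL and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the SUSE article): confirm that the cipher-suites
# etcd actually loaded match the list configured in /etc/rancher/rke2/config.yaml.

# Constructed sample of /etc/rancher/rke2/config.yaml (server URL is made up).
SAMPLE_RKE2_CONFIG='token: (redacted)
server: https://rke2-server.example:9345
etcd-arg: "cipher-suites=[TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]"'

# Constructed sample of the etcd config RKE2 generates under
# /var/lib/rancher/rke2/server/db/etcd/config (only the keys relevant here).
SAMPLE_ETCD_CONFIG='advertise-client-urls: https://127.0.0.1:2379
cipher-suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
client-transport-security:
  cert-file: /var/lib/rancher/rke2/server/tls/etcd/server-client.crt
data-dir: /var/lib/rancher/rke2/server/db/etcd'

# Read an RKE2 config.yaml on stdin and print the suites named in
#   etcd-arg: "cipher-suites=[A,B,C]"
# one per line, in order.
rke2_config_ciphers() {
  sed -n 's/^etcd-arg: *"cipher-suites=\[\(.*\)]".*/\1/p' | tr ',' '\n'
}

# Read the generated etcd config on stdin and print the items of the
# top-level "cipher-suites:" YAML list, one per line, in order.
etcd_config_ciphers() {
  awk '
    /^cipher-suites:/ { inlist = 1; next }
    inlist && /^- /   { sub(/^- /, ""); print; next }
    inlist            { inlist = 0 }
  '
}

# verify_ciphers RKE2_CONFIG_TEXT ETCD_CONFIG_TEXT
# Exit 0 only when the etcd config lists exactly the suites configured in
# config.yaml (same names, same order) and at least one suite was configured.
verify_ciphers() {
  want=$(printf '%s\n' "$1" | rke2_config_ciphers)
  got=$(printf '%s\n' "$2" | etcd_config_ciphers)
  [ -n "$want" ] && [ "$want" = "$got" ]
}

# no_weak_ciphers SUITE_LIST_TEXT
# Exit 0 when no suite in the list uses static RSA key exchange (no forward
# secrecy), CBC mode, RC4, 3DES or a NULL cipher; offenders are printed.
no_weak_ciphers() {
  ! printf '%s\n' "$1" | grep -E '^TLS_RSA_|_CBC_|_RC4_|_3DES_|_NULL_'
}

# Typical use on an etcd node (paths from the article):
#   verify_ciphers "$(cat /etc/rancher/rke2/config.yaml)" \
#                  "$(cat /var/lib/rancher/rke2/server/db/etcd/config)" && echo "ciphers applied"
#   no_weak_ciphers "$(etcd_config_ciphers < /var/lib/rancher/rke2/server/db/etcd/config)"
```

Run it after the rke2-server restart on each etcd node; a non-zero exit from verify_ciphers means the restart did not pick up the change (or the etcd-arg line was mis-typed), and no_weak_ciphers gives a quick review of whatever list was chosen before it is rolled out cluster-wide.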

Additional Information

RKE2 Server Configuration Reference

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000021373
  • Creation Date: 27-Feb-2024
  • Modified Date:23-Apr-2024
    • SUSE Rancher
