Rule ID
SV-257292r961287_rule
Version
V2R2
CCIs
Rancher MCM must verify the certificate used for Rancher's ingress is a valid DOD certificate. This is achieved by verifying the helm installation contains correct parameters.
Verify helm installation contains correct parameters:
Navigate to Triple Bar Symbol(Global) >> <local cluster>.
From the kubectl shell (>_) Execute:
`helm get values rancher -n cattle-system`
The output must contain:
```
privateCA: true
ingress:
tls:
source: secret
```
If the output source is not "secret", this is a finding.
Verify contents of certificates are correct:
From the console, type:
kubectl -n cattle-system get secret tls-rancher-ingress -o 'jsonpath={.data.tls\.crt}' | base64 --decode | openssl x509 -noout -text
kubectl -n cattle-system get secret tls-ca -o 'jsonpath={.data.cacerts\.pem}' | base64 --decode | openssl x509 -noout -textUpdate the secrets to contain valid certificates. Put the correct and valid DOD certificate and key in files called "tls.crt" and "tls.key", respectively, and then run: kubectl -n cattle-system create secret tls tls-rancher-ingress \ --cert=tls.crt \ --key=tls.key Upload the CA required for the certs by creating another file called "cacerts.pem" and running: kubectl -n cattle-system create secret generic tls-ca \ --from-file=cacerts.pem=./cacerts.pem The helm chart values need to be updated to include the check section: privateCA: true ingress: tls: source: secret Rerun helm upgrade with the new values for the certs to take effect.