MKE always runs with HTTPS enabled. When you connect to MKE, you need to make sure that the hostname that you use to connect is recognized by MKE’s certificates. If, for instance, you put MKE behind a load balancer that forwards its traffic to your MKE instance, your requests will be for the load balancer’s hostname or IP address, not MKE’s. MKE will reject these requests unless you include the load balancer’s address as a Subject Alternative Name (or SAN) in MKE’s certificates.
If you use your own TLS certificates, make sure that they have the correct SAN values.
If you want to use the self-signed certificate that MKE has out of the box, you can set up the SANs when you install MKE with the --san argument. You can also add them after installation.
You will have to do this on every existing manager node in the cluster, but once you have done so, the SANs are applied automatically to any new manager nodes that join the cluster.
You can also do this from the CLI by first running:
docker node inspect --format '{{ index .Spec.Labels "com.docker.ucp.SANs" }}' <node-id>
default-cs,127.0.0.1,172.17.0.1
This will get the current set of SANs for the given manager node. Append your desired SAN to this list, for example default-cs,127.0.0.1,172.17.0.1,example.com, and then run:
docker node update --label-add com.docker.ucp.SANs=<SANs-list> <node-id>
<SANs-list> is the list of SANs with your new SAN appended at the end. As in the web UI, you must do this for every manager node.
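The CLI steps above, applied to every manager node in one pass, as an added example (not part of the MKE documentation or tooling). It assumes it runs on a manager node with the docker CLI available; the function names merge_san and update_managers are hypothetical.

```shell
#!/bin/sh
# Added example: append one SAN to the com.docker.ucp.SANs label on all managers.
LABEL="com.docker.ucp.SANs"

# merge_san CURRENT NEW
# Prints CURRENT with NEW appended, or CURRENT unchanged if NEW is already listed.
# Rejects an empty SAN or one containing a comma or whitespace, since the label
# is a single comma-separated list and such a value would corrupt it.
merge_san() {
  current="$1"
  new="$2"
  case "$new" in
    ''|*[[:space:],]*) echo "invalid SAN: '$new'" >&2; return 1 ;;
  esac
  case ",$current," in
    *",$new,"*) printf '%s\n' "$current" ;;       # exact entry already present
    ",,")       printf '%s\n' "$new" ;;           # label was empty or unset
    *)          printf '%s\n' "$current,$new" ;;  # append at the end
  esac
}

# update_managers NEW_SAN
# Reads each manager's current list, merges, and updates only when it changed.
update_managers() {
  new_san="$1"
  for node in $(docker node ls --filter role=manager -q); do
    current=$(docker node inspect \
      --format "{{ index .Spec.Labels \"$LABEL\" }}" "$node") || return 1
    merged=$(merge_san "$current" "$new_san") || return 1
    if [ "$merged" = "$current" ]; then
      echo "$node: $new_san already present, skipping"
    else
      docker node update --label-add "$LABEL=$merged" "$node"
    fi
  done
}

# Usage: sh add-san.sh --san example.com
if [ "${1:-}" = "--san" ] && [ -n "${2:-}" ]; then
  update_managers "$2"
fi
```

Comparing whole comma-delimited entries keeps the update idempotent, so rerunning it never duplicates a SAN or treats 27.0.0.1 as already covered by 127.0.0.1.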