rancher · anmazzotti · Mar 19, 2026 · Mar 19, 2026
@@ -15,7 +15,6 @@ env:
   MANIFEST_IMG: controller
   CONTROLLER_IMG: controller
   PULL_POLICY: Never
-  CERT_MANAGER_VERSION: v1.16.3
   RANCHER_VERSION: v2.14.0-alpha9
 
 jobs:
@@ -66,17 +65,24 @@ jobs:
       - name: Add local docker image
         run: kind load docker-image ${{ env.MANIFEST_IMG }}:${{ env.TAG }}
 
-      - name: Add cert-manager chart repo
-        run: helm repo add jetstack https://charts.jetstack.io
-
       - name: Add rancher chart repo
         run: helm repo add rancher-alpha https://releases.rancher.com/server-charts/alpha
 
-      - name: Install cert-manager
-        run: helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version ${{ env.CERT_MANAGER_VERSION }} --set crds.enabled=true --set crds.keep=true --wait
+      - name: Setup Rancher Private CA
+        run: |
+          echo "Configuring Private CA Certificate..."
+          ./scripts/create-rancher-certs.sh
+
+          echo "Create secrets"
+          kubectl create namespace cattle-system
+          kubectl -n cattle-system create secret tls tls-rancher-ingress \
+            --cert /tmp/rancher-private-ca/tls.crt \
+            --key /tmp/rancher-private-ca/tls.key
+          kubectl -n cattle-system create secret generic tls-ca \
+            --from-file /tmp/rancher-private-ca/cacerts.pem
 
       - name: Install Rancher
-        run: helm install rancher rancher-alpha/rancher --namespace cattle-system --create-namespace --set bootstrapPassword=rancheradmin --set replicas=1 --set hostname="e2e.dev.rancher" --set 'extraEnv[0].name=CATTLE_FEATURES' --set 'extraEnv[0].value=turtles=false' --version ${{ env.RANCHER_VERSION }} --wait
+        run: helm install rancher rancher-alpha/rancher --namespace cattle-system --create-namespace --set bootstrapPassword=rancheradmin --set replicas=1 --set hostname="e2e.dev.rancher" --set 'extraEnv[0].name=CATTLE_FEATURES' --set 'extraEnv[0].value=turtles=false' --version ${{ env.RANCHER_VERSION }} --set ingress.tls.source=secret --set privateCA=true --wait
 
       - name: Wait for rancher-webhook
         run: |
@@ -164,11 +170,21 @@ jobs:
       - name: Add local docker image
         run: kind load docker-image ${{ env.MANIFEST_IMG }}:${{ env.TAG }}
 
-      - name: Install cert-manager
-        run: helm repo add jetstack https://charts.jetstack.io && helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version ${{ env.CERT_MANAGER_VERSION }} --set crds.enabled=true --set crds.keep=true --wait
+      - name: Setup Rancher Private CA
+        run: |
+          echo "Configuring Private CA Certificate..."
+          ./scripts/create-rancher-certs.sh
+
+          echo "Create secrets"
+          kubectl create namespace cattle-system
+          kubectl -n cattle-system create secret tls tls-rancher-ingress \
+            --cert /tmp/rancher-private-ca/tls.crt \
+            --key /tmp/rancher-private-ca/tls.key
+          kubectl -n cattle-system create secret generic tls-ca \
+            --from-file /tmp/rancher-private-ca/cacerts.pem
 
       - name: Install Rancher
-        run: helm repo add rancher-alpha https://releases.rancher.com/server-charts/alpha && helm install rancher rancher-alpha/rancher --namespace cattle-system --create-namespace --set bootstrapPassword=rancheradmin --set replicas=1 --set hostname="e2e.dev.rancher" --set 'extraEnv[0].name=CATTLE_FEATURES' --set 'extraEnv[0].value=turtles=false' --version ${{ env.RANCHER_VERSION }} --wait
+        run: helm repo add rancher-alpha https://releases.rancher.com/server-charts/alpha && helm install rancher rancher-alpha/rancher --namespace cattle-system --create-namespace --set bootstrapPassword=rancheradmin --set replicas=1 --set hostname="e2e.dev.rancher" --set 'extraEnv[0].name=CATTLE_FEATURES' --set 'extraEnv[0].value=turtles=false' --version ${{ env.RANCHER_VERSION }} --set ingress.tls.source=secret --set privateCA=true --wait
 
       - name: Wait for rancher-webhook
         run: |

@@ -203,6 +203,13 @@ export RANCHER_CHARTS_REPO_DIR ?=  $(abspath $(RELEASE_DIR)/rancher-charts)
 export RANCHER_CHART_DEV_VERSION ?= 108.0.0+up99.99.99
 export RANCHER_CHARTS_BASE_BRANCH ?= dev-v2.14
 
+# Rancher Private CA setup
+CREATE_RANCHER_CERTS_SCRIPT_PATH ?= $(ROOT_DIR)/scripts/create-rancher-certs.sh
+export RANCHER_CERT_DIR ?= /tmp/rancher-private-ca
+export RANCHER_CERT_PATH ?= $(RANCHER_CERT_DIR)/tls.crt
+export RANCHER_CERT_KEY_PATH ?= $(RANCHER_CERT_DIR)/tls.key
+export RANCHER_CACERT_PATH ?= $(RANCHER_CERT_DIR)/cacerts.pem
+
 # Allow overriding the imagePullPolicy
 PULL_POLICY ?= IfNotPresent
 
@@ -637,7 +644,8 @@ CLUSTERCTL_BINARY_PATH=$(CLUSTERCTL) \
 SKIP_RESOURCE_CLEANUP=$(SKIP_RESOURCE_CLEANUP) \
 USE_EXISTING_CLUSTER=$(USE_EXISTING_CLUSTER) \
 TURTLES_PROVIDERS=$(TURTLES_PROVIDERS) \
-TURTLES_PROVIDERS_PATH=$(ROOT_DIR)/$(CHART_PACKAGE_DIR)/rancher-turtles-providers-$(RANCHER_CHART_DEV_VERSION).tgz
+TURTLES_PROVIDERS_PATH=$(ROOT_DIR)/$(CHART_PACKAGE_DIR)/rancher-turtles-providers-$(RANCHER_CHART_DEV_VERSION).tgz \
+CREATE_RANCHER_CERTS_SCRIPT_PATH=$(CREATE_RANCHER_CERTS_SCRIPT_PATH)
 
 E2E_RUN_COMMAND=$(E2ECONFIG_VARS) $(GINKGO) -v --trace -p -procs=10 -poll-progress-after=$(GINKGO_POLL_PROGRESS_AFTER) \
 		-poll-progress-interval=$(GINKGO_POLL_PROGRESS_INTERVAL) --tags=e2e --focus="$(GINKGO_FOCUS)" --label-filter="$(GINKGO_LABEL_FILTER)" \

@@ -214,7 +214,6 @@ It is generally not accepted to submit pull requests directly against release br
 
 - Critical bugs fixes, security issue fixes, or fixes for bugs without easy workarounds.
 - Dependency bumps for CVE (usually limited to CVE resolution; backports of non-CVE related version bumps are considered exceptions to be evaluated case by case)
-- Cert-manager version bumps (to avoid having releases with cert-manager versions that are out of support, when possible)
 - Changes required to support new Kubernetes versions, when possible.
 - Changes to use the latest Go patch version to build controller images.
 - Improvements to existing docs (the latest supported branch hosts the current version of the book)

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# Copyright © 2026 SUSE LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Creates self signed certificates to configure Rancher's ingress.
+# Files can be loaded before installing Rancher with:
+#   kubectl create namespace cattle-system
+#   kubectl -n cattle-system create secret tls tls-rancher-ingress \
+#     --cert=$RANCHER_CERT_PATH \
+#     --key=$RANCHER_KEY_PATH
+#   kubectl -n cattle-system create secret generic tls-ca \
+#     --from-file=$RANCHER_CACERT_PATH
+
+set -xe
+
+RANCHER_HOSTNAME=${RANCHER_HOSTNAME:-localhost}
+RANCHER_CERT_DIR=${RANCHER_CERT_DIR:-/tmp/rancher-private-ca}
+RANCHER_CERT_PATH=${RANCHER_CERT_PATH:-$RANCHER_CERT_DIR/tls.crt}
+RANCHER_CERT_KEY_PATH=${RANCHER_CERT_KEY_PATH:-$RANCHER_CERT_DIR/tls.key}
+RANCHER_CACERT_PATH=${RANCHER_CACERT_PATH:-$RANCHER_CERT_DIR/cacerts.pem}
+
+mkdir -p $RANCHER_CERT_DIR
+
+# Generate CA cert
+openssl genrsa -out "$RANCHER_CERT_DIR/cacerts.key" 4096
+openssl req -x509 -new -nodes \
+  -key "$RANCHER_CERT_DIR/cacerts.key" \
+  -sha256 -days 3650 \
+  -out "$RANCHER_CACERT_PATH" \
+  -subj "/CN=Rancher Test"
+
+# Generate tls cert
+openssl genrsa -out "$RANCHER_CERT_KEY_PATH" 2048
+openssl req -new \
+  -key "$RANCHER_CERT_KEY_PATH" \
+  -out "$RANCHER_CERT_DIR/tls.csr" \
+  -subj "/CN=localhost"
+cat > $RANCHER_CERT_DIR/tls.v3.ext << EOF
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+[alt_names]
+DNS.1 = $RANCHER_HOSTNAME
+DNS.2 = localhost
+IP.1 = 127.0.0.1
+EOF
+openssl x509 -req \
+  -in "$RANCHER_CERT_DIR/tls.csr" \
+  -CA "$RANCHER_CACERT_PATH" \
+  -CAkey "$RANCHER_CERT_DIR/cacerts.key" \
+  -CAcreateserial \
+  -out "$RANCHER_CERT_PATH" \
+  -days 3650 \
+  -sha256 \
+  -extfile "$RANCHER_CERT_DIR/tls.v3.ext"
@@ -12,7 +12,10 @@ nodes:
   - containerPort: 30001
     hostPort: 30001
     protocol: TCP
-  # Rancher test Nodeport
-  - containerPort: 30002
-    hostPort: 30002
+  # Rancher test Nodeports (HTTP and HTTPs)
+  - containerPort: 30080
+    hostPort: 30080
+    protocol: TCP
+  - containerPort: 30443
+    hostPort: 30443
     protocol: TCP
@@ -38,6 +38,11 @@ RANCHER_CHARTS_REPO_DIR=${RANCHER_CHARTS_REPO_DIR}
 RANCHER_CHART_DEV_VERSION=${RANCHER_CHART_DEV_VERSION}
 RANCHER_CHARTS_BASE_BRANCH=${RANCHER_CHARTS_BASE_BRANCH}
 
+RANCHER_CERT_DIR=${RANCHER_CERT_DIR:-/tmp/rancher-private-ca}
+RANCHER_CERT_PATH=${RANCHER_CERT_PATH:-$RANCHER_CERT_DIR/tls.crt}
+RANCHER_KEY_PATH=${RANCHER_KEY_PATH:-$RANCHER_CERT_DIR/tls.key}
+RANCHER_CACERT_PATH=${RANCHER_CACERT_PATH:-$RANCHER_CERT_DIR/cacerts.pem}
+
 BASEDIR=$(dirname "$0")
 
 if pgrep -x ngrok > /dev/null; then
@@ -53,15 +58,21 @@ kind load docker-image $RANCHER_IMAGE --name $CLUSTER_NAME
 kubectl rollout status deployment coredns -n kube-system --timeout=90s
 
 helm repo add rancher-$RANCHER_CHANNEL https://releases.rancher.com/server-charts/$RANCHER_CHANNEL --force-update
-helm repo add jetstack https://charts.jetstack.io --force-update
 helm repo add gitea-charts https://dl.gitea.com/charts/ --force-update
 helm repo update
 
-helm install cert-manager jetstack/cert-manager \
-    --namespace cert-manager \
-    --create-namespace \
-    --set crds.enabled=true
+echo "Configuring Private CA Certificate..."
+./scripts/create-rancher-certs.sh
+
+# Create secrets
+kubectl create namespace cattle-system
+kubectl -n cattle-system create secret tls tls-rancher-ingress \
+  --cert $RANCHER_CERT_PATH \
+  --key $RANCHER_KEY_PATH
+kubectl -n cattle-system create secret generic tls-ca \
+  --from-file $RANCHER_CACERT_PATH
 
+echo "Installing Gitea..."
 helm install gitea gitea-charts/gitea \
     -f test/e2e/data/gitea/values.yaml \
     --set gitea.admin.password=$GITEA_PASSWORD \
@@ -112,15 +123,17 @@ helm install rancher rancher-$RANCHER_CHANNEL/rancher \
     --set image.tag=$RANCHER_IMAGE_TAG \
     --set debug=true \
     --version="$RANCHER_VERSION" \
+    --set ingress.tls.source=secret \
+    --set privateCA=true \
     --wait
 
 # Deploy Rancher test Nodeport
 echo "Deploying Rancher test Nodeport..."
 kubectl apply -f test/e2e/data/rancher/test-nodeport.yaml
 
 # Wait for Rancher to be accessible locally
-echo "Waiting for Rancher to be accessible on localhost:30002..."
-until curl -s -o /dev/null -w "%{http_code}" http://localhost:30002 | grep -q "200\|302\|301"; do 
+echo "Waiting for Rancher to be accessible on localhost:30080..."
+until curl -s -o /dev/null -w "%{http_code}" http://localhost:30080 | grep -q "200\|302\|301"; do 
     echo "Waiting for test Rancher Nodeport..."
     sleep 2
 done
@@ -134,7 +147,7 @@ authtoken: $NGROK_AUTHTOKEN
 tunnels:
   rancher:
     proto: http
-    addr: http://localhost:30002
+    addr: http://localhost:30080
     hostname: $RANCHER_HOSTNAME
   gitea:
     proto: http

@@ -132,11 +132,6 @@ variables:
   TURTLES_PROVIDERS_URL: "https://rancher.github.io/turtles"
   TURTLES_PROVIDERS_PATH: "turtles/rancher-turtles-providers"
 
-  # External Charts and Dependencies
-  CERT_MANAGER_REPO_NAME: "jetstack"
-  CERT_MANAGER_URL: "https://charts.jetstack.io"
-  CERT_MANAGER_PATH: "jetstack/cert-manager"
-
   # Ingress Configuration (Ngrok)
   NGROK_REPO_NAME: "ngrok"
   NGROK_URL: "https://charts.ngrok.com"

@@ -8,7 +8,13 @@ spec:
   selector:
     app: rancher
   ports:
-  - nodePort: 30002
+  - nodePort: 30080
+    name: http
     port: 80
     protocol: TCP
     targetPort: 80
+  - nodePort: 30443
+    name: https
+    port: 443
+    protocol: TCP
+    targetPort: 443
@@ -173,7 +173,7 @@ func CreateUsingGitOpsSpec(ctx context.Context, inputGetter func() CreateUsingGi
 				additionalRepo.TargetNamespace = namespace.Name
 			}
 
-			turtlesframework.FleetCreateGitRepo(ctx, additionalRepo)
+			turtlesframework.FleetCreateAndWaitGitRepo(ctx, additionalRepo)
 		}
 
 		additionalVars := map[string]string{
@@ -468,7 +468,7 @@ func CreateUsingGitOpsV1Beta1Spec(ctx context.Context, inputGetter func() Create
 				additionalRepo.TargetNamespace = namespace.Name
 			}
 
-			turtlesframework.FleetCreateGitRepo(ctx, additionalRepo)
+			turtlesframework.FleetCreateAndWaitGitRepo(ctx, additionalRepo)
 		}
 
 		additionalVars := map[string]string{

@@ -69,10 +69,6 @@ var _ = SynchronizedBeforeSuite(
 			Scheme:    e2e.InitScheme(),
 		})
 
-		testenv.DeployCertManager(ctx, testenv.DeployCertManagerInput{
-			BootstrapClusterProxy: setupClusterResult.BootstrapClusterProxy,
-		})
-
 		testenv.RancherDeployIngress(ctx, testenv.RancherDeployIngressInput{
 			BootstrapClusterProxy:     setupClusterResult.BootstrapClusterProxy,
 			CustomIngress:             e2e.TraefikIngress,

@@ -198,6 +198,7 @@ var _ = Describe("Chart upgrade functionality should work", Ordered, Label(e2e.S
 			TurtlesImageTag:       "v0.0.1",
 			RancherHostname:       hostName,
 			RancherWaitInterval:   e2eConfig.GetIntervals(bootstrapClusterProxy.GetName(), "wait-rancher"),
+			SkipPrivateCASetup:    true,
 		})
 
 		By("Waiting for Rancher to be ready after upgrade")

@@ -86,10 +86,6 @@ var _ = SynchronizedBeforeSuite(
 			KubernetesVersion: e2eConfig.GetVariableOrEmpty(e2e.KubernetesVersionChartUpgradeVar),
 		})
 
-		testenv.DeployCertManager(ctx, testenv.DeployCertManagerInput{
-			BootstrapClusterProxy: setupClusterResult.BootstrapClusterProxy,
-		})
-
 		testenv.RancherDeployIngress(ctx, testenv.RancherDeployIngressInput{
 			BootstrapClusterProxy:    setupClusterResult.BootstrapClusterProxy,
 			CustomIngress:            e2e.TraefikIngress,

@@ -66,10 +66,6 @@ var _ = SynchronizedBeforeSuite(
 			Scheme:    e2e.InitScheme(),
 		})
 
-		testenv.DeployCertManager(ctx, testenv.DeployCertManagerInput{
-			BootstrapClusterProxy: setupClusterResult.BootstrapClusterProxy,
-		})
-
 		testenv.RancherDeployIngress(ctx, testenv.RancherDeployIngressInput{
 			BootstrapClusterProxy:     setupClusterResult.BootstrapClusterProxy,
 			CustomIngress:             e2e.TraefikIngress,

@@ -71,10 +71,6 @@ var _ = SynchronizedBeforeSuite(
 			Scheme:    e2e.InitScheme(),
 		})
 
-		testenv.DeployCertManager(ctx, testenv.DeployCertManagerInput{
-			BootstrapClusterProxy: setupClusterResult.BootstrapClusterProxy,
-		})
-
 		testenv.RancherDeployIngress(ctx, testenv.RancherDeployIngressInput{
 			BootstrapClusterProxy:     setupClusterResult.BootstrapClusterProxy,
 			CustomIngress:             e2e.TraefikIngress,

@@ -150,8 +150,7 @@ var _ = Describe("[v2prov] [Azure] Creating a cluster with v2prov should still w
 			WaitInterval:     e2eConfig.GetIntervals(bootstrapClusterProxy.GetName(), "wait-rancher"),
 		})
 
-		rancherConnectRes := &turtlesframework.RunCommandResult{}
-		turtlesframework.RunCommand(ctx, turtlesframework.RunCommandInput{
+		rancherConnectRes := turtlesframework.RunCommand(ctx, turtlesframework.RunCommandInput{
 			Command: "kubectl",
 			Args: []string{
 				"--kubeconfig",
@@ -160,7 +159,7 @@ var _ = Describe("[v2prov] [Azure] Creating a cluster with v2prov should still w
 				"nodes",
 				"--insecure-skip-tls-verify",
 			},
-		}, rancherConnectRes)
+		})
 		Expect(rancherConnectRes.Error).NotTo(HaveOccurred(), "Failed getting nodes with Rancher Kubeconfig")
 		Expect(rancherConnectRes.ExitCode).To(Equal(0), "Getting nodes return non-zero exit code")
 	})