I installed it via helm without IAM Roles for Service Accounts (IRSA) configured for the EKS cluster, so the controller pods used the policies attached to the instance profile of the underlying worker nodes.
To deploy Rancher, I used the following helm install command. Note that a values file can make this syntax clearer and easier to maintain than a long list of `--set` flags.
```shell
helm install rancher rancher-stable/rancher \
  --namespace cattle-system --create-namespace=true \
  --set hostname=<rancher hostname> \
  --set replicas=2 \
  --version 2.6.2 \
  --set tls=external \
  --set ingress.extraAnnotations.'alb\.ingress\.kubernetes\.io/target-type'='ip' \
  --set ingress.extraAnnotations.'alb\.ingress\.kubernetes\.io/scheme'='internet-facing' \
  --set ingress.extraAnnotations.'kubernetes\.io/ingress\.class'='alb' \
  --set ingress.extraAnnotations.'alb\.ingress\.kubernetes\.io/certificate-arn'='arn:aws:acm:region:account:certificate/id'
```
As you can see, I used ACM and terminated SSL only on the ALB (`--set tls=external`), with an internet-facing ALB. Be sure to replace the Rancher hostname, version, replica count and ACM certificate ARN with your own values.
Note that a target-type of `ip` is needed when the service is not exposed outside the cluster. The controller auto-discovers subnets by default, so every subnet you want it to use must carry the discovery tags:
- https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.3/how-it-works/#ingress-traffic
- https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.3/deploy/subnet_discovery/
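Two things above are easy to get wrong silently: the subnet tags the controller relies on for auto-discovery, and whether the controller pods run with IRSA or fall back to the node instance profile. The following preflight check is an added example (not part of the original post or of the controller project); the tag names and the `eks.amazonaws.com/role-arn` annotation are the real ones, the discovery logic is a simplified model of the documented rules, and all sample data is constructed.

```python
# Subnet role tag the AWS Load Balancer Controller looks for during auto-discovery,
# keyed by the value of the alb.ingress.kubernetes.io/scheme annotation.
ROLE_TAG_FOR_SCHEME = {"internet-facing": "kubernetes.io/role/elb",
                       "internal": "kubernetes.io/role/internal-elb"}
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"  # binds a ServiceAccount to an IAM role


def discoverable_subnets(subnets: list, scheme: str, cluster: str) -> list:
    """Simplified model of the documented discovery rules (not the controller's code):
    the subnet needs the scheme's role tag ("1" or empty) and, if it carries this
    cluster's tag, that tag must be owned or shared. Input mirrors describe-subnets."""
    role_tag = ROLE_TAG_FOR_SCHEME[scheme]
    cluster_tag = f"kubernetes.io/cluster/{cluster}"
    chosen = []
    for s in subnets:
        tags = {t["Key"]: t["Value"] for t in s.get("Tags", [])}
        if tags.get(role_tag) not in ("1", ""):
            continue
        if tags.get(cluster_tag, "owned") not in ("owned", "shared"):
            continue
        chosen.append(s["SubnetId"])
    return chosen

def alb_can_provision(subnets: list, scheme: str, cluster: str) -> bool:
    """An ALB needs at least two discoverable subnets in distinct availability zones."""
    ids = set(discoverable_subnets(subnets, scheme, cluster))
    return len({s["AvailabilityZone"] for s in subnets if s["SubnetId"] in ids}) >= 2

def uses_irsa(service_account: dict) -> bool:
    """True when the controller's ServiceAccount has the IRSA role annotation; without
    it the pods inherit the worker node instance profile's policies, as above."""
    annotations = service_account.get("metadata", {}).get("annotations") or {}
    return bool(annotations.get(IRSA_ANNOTATION))


# Constructed sample data, not from a real account. In practice feed it from
# `aws ec2 describe-subnets` and `kubectl -n kube-system get sa <name> -o json`.
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a", "Tags": [
        {"Key": "kubernetes.io/role/elb", "Value": "1"},
        {"Key": "kubernetes.io/cluster/demo", "Value": "shared"}]},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b", "Tags": [
        {"Key": "kubernetes.io/role/elb", "Value": "1"}]},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a", "Tags": [
        {"Key": "kubernetes.io/role/internal-elb", "Value": "1"}]},
]
SA_NODE_PROFILE = {"metadata": {"name": "aws-load-balancer-controller"}}
SA_IRSA = {"metadata": {"name": "aws-load-balancer-controller", "annotations": {
    IRSA_ANNOTATION: "arn:aws:iam::123456789012:role/PLACEHOLDER-alb-controller"}}}
```

With the sample data an internet-facing ALB can be provisioned (two public subnets in two AZs) but an internal one cannot, and the un-annotated ServiceAccount shows the node-profile fallback described at the top of this section.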
Once the ALB has been provisioned, point the DNS record for your Rancher hostname at the ALB; in Route 53 an alias record is the best choice.