Rancher Deployment (Helm)
前期准备
创建stl证书
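# Simulated domain; in a company, request an internal domain instead
# VIP bigdata.harbor.com
# 10.83.195.250 bigdata.rancher.com
# Normally a company-issued certificate is used; this simulates one with a private CA
mkdir -p /data/rancher_helm/stl && cd /data/rancher_helm/stl

# Generate the CA private key (-nodes below leaves it unencrypted, so keep the file
# to the host that issues certificates and do not copy it into the cluster)
openssl genrsa -out ca.key 4096

# Generate the CA certificate. 36500 days (100 years) is only acceptable for a lab CA.
# NOTE: the CA and the server certificate share the same CN; giving the CA a distinct
# CN (e.g. "rancher-ca", constructed) avoids clients confusing issuer and subject.
openssl req -x509 -new -nodes -sha512 -days 36500 \
  -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=rancher/OU=rancher/CN=bigdata.rancher.com" \
  -key ca.key \
  -out ca.crt

# Server certificate: generate its private key
openssl genrsa -out rancher.key 4096

# Generate the certificate signing request (CSR)
openssl req -sha512 -new \
  -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=rancher/OU=rancher/CN=bigdata.rancher.com" \
  -key rancher.key \
  -out rancher.csr

# Write the x509 v3 extensions. Browsers validate the SAN list, not the CN, so every
# name clients will use must appear here. The [alt_names] section must start on its
# own line, and the wildcard has a single dot ("*.bigdata.rancher.com").
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=bigdata.rancher.com
DNS.2=*.bigdata.rancher.com
# DNS.3: replace the literal "hostname" with the node's real name, or remove the entry
DNS.3=hostname
EOF

# Issue the Rancher server certificate, signed by the CA above.
# Apple clients reject TLS server certificates valid for more than 825 days;
# shorten -days if Safari/iOS browsers must connect.
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in rancher.csr \
  -out rancher.crt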
基于证书创建 secret
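kubectl create namespace cattle-system

# Self-signed variant (certificates generated in the previous section):
# kubectl -n cattle-system create secret generic tls-ca --from-file=cacerts.pem=./ca.crt
# kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=rancher.crt --key=rancher.key

# Company-issued certificate variant.
# tls-ca (cacerts.pem) is only required when the chain is signed by a private CA and is
# expected to hold the CA certificate(s); if the bundle file also contains the server
# certificate, extract only the CA part. For a publicly trusted chain, create
# tls-rancher-ingress alone. The key file is a credential: keep it out of version control.
kubectl -n cattle-system create secret generic tls-ca --from-file=cacerts.pem=./ky-tech.com.cn_bundle.crt
kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=ky-tech.com.cn_bundle.crt --key=ky-tech.com.cn.key
kubectl get secret -n cattle-system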
Rancher 部署
下载
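helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
# k8s 1.23 only supports Rancher 2.7; see the support matrix:
# https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/
helm pull rancher-stable/rancher --version 2.7.10
# Extracts the chart into ./rancher. The commands below, and the helm install in the
# next section (./rancher), run from this parent directory, so no cd is needed; a
# "cd rancher" here would make the rancher/values.yaml path below point nowhere.
tar -zxvf rancher-2.7.10.tgz

# Collect the images and publish them to the private registry (air-gapped install):
# https://ranchermanager.docs.rancher.com/zh/v2.7/getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/publish-images

# Adjust the chart values (ingressClassName, bootstrapPassword) before installing
vim rancher/values.yaml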
# Ingress class to use; must match the ingress controller installed in the cluster
ingressClassName: "nginx"
# Initial admin password, intended to be replaced at the first login.
# Treat it as a credential: keep this file out of version control and rotate it after setup.
bootstrapPassword: "admin@123"
安装
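# Run from the parent directory of Chart.yaml (the chart was extracted to ./rancher).
# ingress.tls.source selects where the certificate comes from; the documented values
# are "rancher", "letsEncrypt" and "secret". To use the tls-rancher-ingress secret
# created above the value must be "secret" -- the secret name itself is not a valid value.
# If that certificate is signed by a private CA (the self-signed path above), also pass
# --set privateCA=true so Rancher distributes the tls-ca bundle to its agents.
helm install rancher -n cattle-system ./rancher \
  --set hostname=bigdata.rancher.com \
  --set ingress.tls.source=secret \
  --set useBundledSystemChart=true

# Air-gapped alternative: render the manifests instead of installing.
# A comment cannot follow the trailing backslash of a continued line (the backslash
# would escape the space and the continuation breaks), so the option notes sit here:
#   --no-hooks              prevent files for Helm hooks from being generated
#   --set systemDefaultRegistry=...  default private registry used by Rancher
#   --set useBundledSystemChart=true use the packaged Rancher system charts
helm template rancher ./rancher-<VERSION>.tgz --output-dir . \
  --no-hooks \
  --namespace cattle-system \
  --set hostname=<RANCHER.YOURDOMAIN.COM> \
  --set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher \
  --set ingress.tls.source=secret \
  --set systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \
  --set useBundledSystemChart=true

# Check the rollout
kubectl get ingress,svc,pods -owide -n cattle-system

# Uninstall
helm uninstall rancher -n cattle-system

# Force-delete a namespace stuck in Terminating by clearing its finalizers.
# Whatever those finalizers were protecting is left behind (orphaned resources);
# only use this after helm uninstall has completed. The sed pattern uses GNU "\+".
kubectl get namespace cattle-system -o json \
  | tr -d "\n" | sed "s/\"finalizers\": \[[^]]\+\]/\"finalizers\": []/" \
  | kubectl replace --raw /api/v1/namespaces/cattle-system/finalize -f -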
登录
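# Login keeps failing -> reset the admin password from inside a ready Rancher pod
# https://github.com/rancher/rancher/issues/34920
# Pick the first pod whose READY column is 1/1 (matching the column rather than the
# whole line) and quote the result so an empty match cannot split into stray arguments.
rancher_pod=$(kubectl -n cattle-system get pods -l app=rancher --no-headers | awk '$2 == "1/1" { print $1; exit }')
# reset-password prints the new password to stdout; clear it from terminal scrollback
# once it has been changed in the UI (left sidebar -> Users & Authentication).
kubectl -n cattle-system exec "$rancher_pod" -- reset-password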
admin@123456