文章目录
Rancher Deployment (Helm)
前期准备
创建stl证书
shell
# 模拟域名,公司可以申请内部域名
# VIP bigdata.harbor.com
# 10.83.195.250 bigdata.rancher.com
shell
# 一般使用公司证书,模拟使用
mkdir -p /data/rancher_helm/stl && cd /data/rancher_helm/stl
# 生成 CA 证书私钥
openssl genrsa -out ca.key 4096
# 生成 CA 证书
openssl req -x509 -new -nodes -sha512 -days 36500 \
-subj "/C=CN/ST=Guangdong/L=Shenzhen/O=rancher/OU=rancher/CN=bigdata.rancher.com" \
-key ca.key \
-out ca.crt
# 创建域名证书,生成私钥
openssl genrsa -out rancher.key 4096
# 生成证书签名请求 CSR
openssl req -sha512 -new \
-subj "/C=CN/ST=Guangdong/L=Shenzhen/O=rancher/OU=rancher/CN=bigdata.rancher.com" \
-key rancher.key \
-out rancher.csr
# 生成 x509 v3 扩展
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=bigdata.rancher.com
DNS.2=*..bigdata.rancher.com
DNS.3=hostname
EOF
#创建 rancher 访问证书
openssl x509 -req -sha512 -days 3650 \
-extfile v3.ext \
-CA ca.crt -CAkey ca.key -CAcreateserial \
-in rancher.csr \
-out rancher.crt
基于证书创建 secret
shell
kubectl create namespace cattle-system
# kubectl -n cattle-system create secret generic tls-ca --from-file=cacerts.pem=./ca.crt
# kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=rancher.crt --key=rancher.key
kubectl -n cattle-system create secret generic tls-ca --from-file=cacerts.pem=./ky-tech.com.cn_bundle.crt
kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=ky-tech.com.cn_bundle.crt --key=ky-tech.com.cn.key
kubectl get secret -n cattle-system
Rancher 部署
下载
shell
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
# k8s 1.23只能使用 rancher 2.7版本,支持矩阵见:https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/
helm pull rancher-stable/rancher --version 2.7.10
tar -zxvf rancher-2.7.10.tgz
cd rancher
# 收集镜像发布到私有仓库
# https://ranchermanager.docs.rancher.com/zh/v2.7/getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/publish-images
vim rancher/values.yaml
# 修改 ingressClass
ingressClassName: "nginx"
# 修改密码
bootstrapPassword: "admin@123"
安装
shell
# Chart.yaml 上级目录下执行
helm install rancher -n cattle-system ./rancher \
--set hostname=bigdata.rancher.com \
--set ingress.tls.source=tls-rancher-ingress \
--set useBundledSystemChart=true
helm template rancher ./rancher-<VERSION>.tgz --output-dir . \
--no-hooks \ # prevent files for Helm hooks from being generated
--namespace cattle-system \
--set hostname=<RANCHER.YOURDOMAIN.COM> \
--set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher \
--set ingress.tls.source=secret \
--set systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \ # Set a default private registry to be used in Rancher
--set useBundledSystemChart=true # Use the packaged Rancher system charts
# 查看
kubectl get ingress,svc,pods -owide -n cattle-system
# 卸载
helm uninstall rancher -n cattle-system
# 彻底删除namespace
kubectl get namespace cattle-system -o json \
| tr -d "\n" | sed "s/\"finalizers\": \[[^]]\+\]/\"finalizers\": []/" \
| kubectl replace --raw /api/v1/namespaces/cattle-system/finalize -f -
登录
shell
# 登录一直报错,需要重置密码
# https://github.com/rancher/rancher/issues/34920
kubectl -n cattle-system exec $(kubectl -n cattle-system get pods -l app=rancher | grep '1/1' | head -1 | awk '{ print $1 }') -- reset-password
# 登录页面修改密码 左侧边栏 Users & Authentication
admin@123456