Rancher Deployment (Helm)

Rancher Deployment (Helm)

前期准备

创建 TLS 证书
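# Simulated hostname for this walkthrough; a company can request an internal domain instead.
# VIP bigdata.harbor.com
# 10.83.195.250 bigdata.rancher.com
# Normally a company-issued certificate is used; the self-signed CA below is for simulation only.

mkdir -p /data/rancher_helm/stl && cd /data/rancher_helm/stl
# Generate the CA private key.
openssl genrsa -out ca.key 4096
# Generate the self-signed CA certificate.
# NOTE(review): 36500 days (about 100 years) suits a lab only; whoever holds ca.key can
# issue certificates that every client trusting ca.crt will accept.
openssl req -x509 -new -nodes -sha512 -days 36500 \
  -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=rancher/OU=rancher/CN=bigdata.rancher.com" \
  -key ca.key \
  -out ca.crt
# Generate the private key for the Rancher server certificate.
openssl genrsa -out rancher.key 4096
# Both key files are written unencrypted; restrict them to the current user explicitly
# rather than relying on the umask or on the OpenSSL version's default file mode.
chmod 600 ca.key rancher.key
# Generate the certificate signing request (CSR).
openssl req -sha512 -new \
  -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=rancher/OU=rancher/CN=bigdata.rancher.com" \
  -key rancher.key \
  -out rancher.csr
# Write the x509 v3 extensions for the server certificate.
# DNS.2 is the wildcard entry: the original text had "*..bigdata.rancher.com" (two dots),
# which is not a valid wildcard name and would never match a client's hostname check.
# DNS.3 ("hostname") is a placeholder; replace it with the real host name or drop the line.
cat > v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=bigdata.rancher.com
DNS.2=*.bigdata.rancher.com
DNS.3=hostname
EOF

# Sign the CSR with the CA to produce the certificate Rancher is served with.
openssl x509 -req -sha512 -days 3650 \
  -extfile v3.ext \
  -CA ca.crt -CAkey ca.key -CAcreateserial \
  -in rancher.csr \
  -out rancher.crt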

基于证书创建 secret

# Namespace that holds Rancher and the two certificate secrets below.
kubectl create namespace cattle-system

# Variant for the self-signed files generated earlier (left disabled by the author):
# kubectl -n cattle-system create secret generic tls-ca --from-file=cacerts.pem=./ca.crt
# kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=rancher.crt --key=rancher.key

# CA certificate(s), stored under the key cacerts.pem in the secret tls-ca.
# NOTE(review): the file used here is a bundle, not ca.crt from the previous step;
# confirm it contains the issuing CA chain that clients should trust.
kubectl create secret generic tls-ca \
  --namespace cattle-system \
  --from-file=cacerts.pem=./ky-tech.com.cn_bundle.crt

# Certificate and private key served by the ingress.
# NOTE(review): the key ends up in a Kubernetes Secret, so access to secrets in
# cattle-system should be limited by RBAC; keep the local .key file private as well.
kubectl create secret tls tls-rancher-ingress \
  --namespace cattle-system \
  --cert=ky-tech.com.cn_bundle.crt \
  --key=ky-tech.com.cn.key

# List the secrets to confirm both were created.
kubectl get secret --namespace cattle-system

Rancher 部署

下载

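# Register the Rancher stable chart repository.
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
# Kubernetes 1.23 can only run Rancher 2.7; support matrix:
# https://www.suse.com/suse-rancher/support-matrix/all-supported-versions/
# The chart version is pinned so the same release is fetched on every run.
helm pull rancher-stable/rancher --version 2.7.10
tar -zxvf rancher-2.7.10.tgz
# Stay in this directory (the parent of the unpacked chart): the following steps
# refer to rancher/values.yaml and ./rancher, which do not resolve from inside rancher/.

# Collect the images and publish them to a private registry:
# https://ranchermanager.docs.rancher.com/zh/v2.7/getting-started/installation-and-upgrade/other-installation-methods/air-gapped-helm-cli-install/publish-images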

vim rancher/values.yaml
# Set the ingress class.
ingressClassName: "nginx"
# Set the bootstrap password.
# NOTE(review): "admin@123" is a short, guessable sample value and sits in plaintext in
# values.yaml; use a long random value of your own and keep the edited file out of
# version control. Presumably this is the password for the first admin login; confirm
# against the chart documentation.
bootstrapPassword: "admin@123"

安装

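# Run from the parent directory of Chart.yaml (the directory that contains ./rancher).
# ingress.tls.source takes one of: rancher, letsEncrypt, secret. "secret" tells the chart
# to use the existing tls-rancher-ingress secret; the secret's name is not a valid value.
# NOTE(review): the hostname must be covered by a subjectAltName of the certificate stored
# in tls-rancher-ingress, otherwise clients will reject the connection.
# NOTE(review): if that certificate chains to a private CA, the chart's privateCA=true
# option is what makes Rancher read the tls-ca secret; confirm for this chart version.
helm install rancher -n cattle-system ./rancher \
  --set hostname=bigdata.rancher.com \
  --set ingress.tls.source=secret \
  --set useBundledSystemChart=true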


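   # Render the chart to plain manifests instead of installing it directly.
   # Replace every <...> placeholder before running; they are quoted so that an
   # unreplaced placeholder fails visibly instead of being parsed as a shell redirection.
   # The explanations live up here because a comment after a trailing backslash ends the
   # command at that line and the remaining options would run as separate commands.
   #   --no-hooks                 prevent files for Helm hooks from being generated
   #   systemDefaultRegistry      default private registry to be used in Rancher
   #   useBundledSystemChart      use the packaged Rancher system charts
   helm template rancher "./rancher-<VERSION>.tgz" --output-dir . \
    --no-hooks \
    --namespace cattle-system \
    --set hostname="<RANCHER.YOURDOMAIN.COM>" \
    --set rancherImage="<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher" \
    --set ingress.tls.source=secret \
    --set systemDefaultRegistry="<REGISTRY.YOURDOMAIN.COM:PORT>" \
    --set useBundledSystemChart=true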

# Inspect the ingress, services and pods created by the release.
kubectl get ingress,svc,pods -owide -n cattle-system 

# Uninstall the release.
helm uninstall rancher -n  cattle-system 

# Force-delete the namespace completely.
# The pipeline dumps the namespace as JSON, joins it onto one line, rewrites a
# "finalizers": [...] list to an empty list and submits the result to the
# namespace's /finalize endpoint.
# NOTE(review): sed has no "g" flag here, so only the first finalizers list on the
# joined line is emptied; "\+" is a GNU sed extension and may not work with other seds.
# NOTE(review): clearing finalizers skips the cleanup they were waiting for, so
# resources that belonged to the namespace can be left behind; use it only when a
# normal delete stays stuck, and check for leftovers afterwards.
kubectl get namespace cattle-system -o json \
| tr -d "\n" | sed "s/\"finalizers\": \[[^]]\+\]/\"finalizers\": []/" \
| kubectl replace --raw /api/v1/namespaces/cattle-system/finalize -f -
登录
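# Login keeps failing, so the admin password has to be reset.
# https://github.com/rancher/rancher/issues/34920
# Pick the first Rancher pod whose READY column is exactly 1/1. The name is captured and
# quoted so that an empty result is reported instead of running "kubectl exec" without a pod.
# NOTE(review): reset-password prints the new admin password to the terminal; treat the
# output (and any shell log or screen recording of it) as a secret and change it after login.
rancher_pod=$(kubectl -n cattle-system get pods -l app=rancher --no-headers \
  | awk '$2 == "1/1" { print $1; exit }')
if [ -n "$rancher_pod" ]; then
  kubectl -n cattle-system exec "$rancher_pod" -- reset-password
else
  printf '%s\n' "no ready rancher pod found in namespace cattle-system" >&2
fi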


# 登录页面修改密码:左侧边栏 Users & Authentication
# 以下为示例密码,实际环境请换成自己的强密码
admin@123456
