1. Environment introduction

[root@master ingress]# kubectl get node
NAME     STATUS   ROLES                  AGE     VERSION
master   Ready    control-plane,master   4h57m   v1.20.5
Node1    Ready    <none>                 4h56m   v1.20.5
Node2    Ready    <none>                 4h56m   v1.20.5
[root@master ingress]# helm version
version.BuildInfo{Version:"v3.2.0", GitCommit:"e11b7ce3b12db2941e90399e874513fbd24bcb71", GitTreeState:"clean", GoVersion:"go1.13.10"}

2. Add Rancher Helm Chart

helm repo add rancher-stable https://releases.rancher.com/server-charts/stable

View the configured repositories:

[root@master ~]# helm  repo list
NAME          	URL                                              
ingress-nginx 	https://kubernetes.github.io/ingress-nginx       
aliyuncs      	https://apphub.aliyuncs.com                      
rancher-stable	https://releases.rancher.com/server-charts/stable


3. Create a namespace for Rancher

[root@master ~]#  kubectl create namespace  cattle-system
namespace/cattle-system created

4. Create the certificate script

  • cert.sh
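#!/usr/bin/env bash
#
# cert.sh — create a private CA and a CA-signed server certificate for Rancher.
#
# Usage:
#   bash cert.sh --ssl-domain=<host> [--ssl-trusted-domain=a.example,b.example]
#                [--ssl-trusted-ip=1.1.1.1,2.2.2.2] [--ssl-size=2048]
#                [--ssl-date=3650] [--ca-date=3650] [--ssl-cn=CN]
#
# Files written to the current directory (names overridable via CA_KEY,
# CA_CERT, CA_DOMAIN and SSL_CONFIG in the environment):
#   cakey.pem / cacerts.pem   CA private key and certificate
#   <domain>.key/.csr/.crt    server key, CSR and certificate (CA appended)
#   openssl.cnf               extension config used for the CSR/cert
#   tls.key / tls.crt         copies of the server key/cert for kubectl
#
# Every run regenerates the CA (the previous key/cert are kept as *-bak), and
# the YAML summary at the end prints all private keys to stdout: keep that
# output out of logs, tickets and shell history.

# Shell options belong here, not in the shebang: "#!/bin/bash -e" is silently
# dropped when the script is started as "bash cert.sh" (as this guide does).
set -euo pipefail

# openssl writes key files with the process umask; make every file this
# script creates owner-only so private keys are not world-readable.
umask 077

#######################################
# Print the option reference.
#######################################
help() {
  cat <<'EOF'
================================================================
--ssl-domain:         Primary domain name for the certificate. Defaults to
                      localhost; can be left out if the service is reached
                      by IP address only.
--ssl-trusted-ip:     A certificate normally trusts only its domain name; to
                      reach the service by IP, list the IP address(es) here,
                      comma separated.
--ssl-trusted-domain: Additional domain names to trust, comma separated.
--ssl-size:           RSA key size in bits (default 2048).
--ssl-date:           Validity of the server certificate in days
                      (default 3650, i.e. 10 years).
--ca-date:            Validity of the CA certificate in days (default 3650).
--ssl-cn:             Two-letter country code (default CN).

Example:
  ./create_self-signed-cert.sh --ssl-domain=www.test.com \
      --ssl-trusted-domain=www.test2.com \
      --ssl-trusted-ip=1.1.1.1,2.2.2.2,3.3.3.3 --ssl-size=2048 --ssl-date=3650
================================================================
EOF
}

#######################################
# Print an error message to stderr and exit 1.
#######################################
die() {
  printf 'cert.sh: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print a green progress line (same look as the original echo -e output).
#######################################
info() {
  printf '\033[32m %s \033[0m\n' "$*"
}

#######################################
# Print file $2 as a YAML block scalar named $1, followed by a blank line.
#######################################
yaml_block() {
  printf '%s: |\n' "$1"
  sed 's/^/  /' "$2"
  echo
}

case "${1:-}" in
  ''|-h|--help) help; exit 0 ;;
esac

# Values that may be preset in the environment; --options override them.
SSL_DOMAIN=${SSL_DOMAIN:-}
SSL_TRUSTED_IP=${SSL_TRUSTED_IP:-}
SSL_TRUSTED_DOMAIN=${SSL_TRUSTED_DOMAIN:-}
SSL_SIZE=${SSL_SIZE:-}
SSL_DATE=${SSL_DATE:-}
CA_DATE=${CA_DATE:-}
CN=${CN:-}

# Parse --name=value arguments. Splitting on the first '=' only (unlike the
# awk -F= version) keeps values that themselves contain '='; an unknown or
# malformed option is fatal instead of silently producing a localhost cert.
for opt in "$@"; do
  [[ $opt == *=* ]] || die "option '$opt' must be written as --name=value"
  key=${opt%%=*}
  value=${opt#*=}
  case "$key" in
    --ssl-domain)         SSL_DOMAIN=$value ;;
    --ssl-trusted-ip)     SSL_TRUSTED_IP=$value ;;
    --ssl-trusted-domain) SSL_TRUSTED_DOMAIN=$value ;;
    --ssl-size)           SSL_SIZE=$value ;;
    --ssl-date)           SSL_DATE=$value ;;
    --ca-date)            CA_DATE=$value ;;
    --ssl-cn)             CN=$value ;;
    *) die "unknown option '$key' (try --help)" ;;
  esac
done

# CA settings.
CA_DATE=${CA_DATE:-3650}
CA_KEY=${CA_KEY:-cakey.pem}
CA_CERT=${CA_CERT:-cacerts.pem}
# Subject CN of the CA certificate. The posted copy of the script references
# CA_DOMAIN without ever assigning it; default it so the CA gets a real CN.
CA_DOMAIN=${CA_DOMAIN:-cattle-ca}

# Server certificate settings.
SSL_CONFIG=${SSL_CONFIG:-$PWD/openssl.cnf}
SSL_DOMAIN=${SSL_DOMAIN:-localhost}
SSL_DATE=${SSL_DATE:-3650}
SSL_SIZE=${SSL_SIZE:-2048}
CN=${CN:-CN}   # two-letter country code for the subject, not a common name

SSL_KEY=$SSL_DOMAIN.key
SSL_CSR=$SSL_DOMAIN.csr
SSL_CERT=$SSL_DOMAIN.crt

# Sanity checks before anything is written.
[[ $SSL_SIZE =~ ^[0-9]+$ && $SSL_DATE =~ ^[0-9]+$ && $CA_DATE =~ ^[0-9]+$ ]] \
  || die "--ssl-size, --ssl-date and --ca-date must be positive integers"
# The domain is used as a file-name stem; a '/' would write outside $PWD and
# a leading '-' would be parsed as an option by openssl/cp.
[[ $SSL_DOMAIN != */* && $SSL_DOMAIN != -* ]] \
  || die "invalid --ssl-domain '$SSL_DOMAIN'"
command -v openssl >/dev/null || die "openssl not found in PATH"

info '----------------------------'
info '     | Generate SSL Cert |  '
info '----------------------------'

# 1. CA private key (always regenerated; an existing one is backed up).
if [[ -e ./$CA_KEY ]]; then
  info "====> 1. Found existing CA private key; backing up $CA_KEY to $CA_KEY-bak and regenerating"
  mv -- "$CA_KEY" "$CA_KEY-bak"
else
  info "====> 1. Generating new CA private key $CA_KEY"
fi
openssl genrsa -out "$CA_KEY" "$SSL_SIZE"

# 2. CA certificate, self-signed with the key from step 1.
if [[ -e ./$CA_CERT ]]; then
  info "====> 2. Found existing CA certificate; backing up $CA_CERT to $CA_CERT-bak and regenerating"
  mv -- "$CA_CERT" "$CA_CERT-bak"
else
  info "====> 2. Generating new CA certificate $CA_CERT"
fi
openssl req -x509 -sha256 -new -nodes -key "$CA_KEY" -days "$CA_DATE" \
  -out "$CA_CERT" -subj "/C=$CN/CN=$CA_DOMAIN"

# 3. OpenSSL extension config for the server certificate. The primary domain
# always goes into subjectAltName: browsers and Go TLS clients ignore the CN
# and reject a server certificate without a matching SAN, so the SAN-less
# cert the original produced when no --ssl-trusted-* was given is unusable.
info "====> 3. Generating OpenSSL configuration file $SSL_CONFIG"
cat > "$SSL_CONFIG" <<EOM
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
EOM

# IFS is scoped to the read command, so the global IFS is left untouched.
IFS=',' read -r -a dns_names <<<"$SSL_TRUSTED_DOMAIN"
dns_names+=("$SSL_DOMAIN")
n=0
for name in "${dns_names[@]}"; do
  [[ -n $name ]] || continue   # tolerate stray commas
  printf 'DNS.%d = %s\n' "$((++n))" "$name" >> "$SSL_CONFIG"
done

if [[ -n $SSL_TRUSTED_IP ]]; then
  IFS=',' read -r -a ip_addrs <<<"$SSL_TRUSTED_IP"
  n=0
  for ip in "${ip_addrs[@]}"; do
    [[ -n $ip ]] || continue
    printf 'IP.%d = %s\n' "$((++n))" "$ip" >> "$SSL_CONFIG"
  done
fi

# 4. Server private key.
info "====> 4. Generating server SSL key $SSL_KEY"
openssl genrsa -out "$SSL_KEY" "$SSL_SIZE"

# 5. Certificate signing request carrying the v3_req extensions.
info "====> 5. Generating server SSL CSR $SSL_CSR"
openssl req -sha256 -new -key "$SSL_KEY" -out "$SSL_CSR" \
  -subj "/C=$CN/CN=$SSL_DOMAIN" -config "$SSL_CONFIG"

# 6. Server certificate signed by the CA. -extfile/-extensions re-apply the
# SAN and EKU extensions, since "openssl x509 -req" does not copy them
# from the CSR.
info "====> 6. Generating server SSL cert $SSL_CERT"
openssl x509 -sha256 -req -in "$SSL_CSR" -CA "$CA_CERT" \
  -CAkey "$CA_KEY" -CAcreateserial -out "$SSL_CERT" \
  -days "$SSL_DATE" -extensions v3_req \
  -extfile "$SSL_CONFIG"

info "====> 7. Certificate generation complete"
echo

# 8. YAML summary. Note that this prints the CA and server PRIVATE KEYS.
info "====> 8. Output in YAML format"
echo "----------------------------------------------------------"
yaml_block ca_key "$CA_KEY"
yaml_block ca_cert "$CA_CERT"
yaml_block ssl_key "$SSL_KEY"
yaml_block ssl_csr "$SSL_CSR"
yaml_block ssl_cert "$SSL_CERT"

# 9. Append the CA certificate so the .crt carries the full chain, then print
# the combined file.
info "====> 9. Appending the CA certificate to the cert file"
cat "$CA_CERT" >> "$SSL_CERT"
yaml_block ssl_cert "$SSL_CERT"

# 10. Fixed names expected by "kubectl create secret tls".
info "====> 10. Renaming the server certificate"
echo "cp $SSL_DOMAIN.key tls.key"
cp -- "$SSL_KEY" tls.key
echo "cp $SSL_DOMAIN.crt tls.crt"
cp -- "$SSL_CERT" tls.crt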

5. Create a certificate

bash  cert.sh --ssl-domain=rancher.zhang.com --ssl-size=2048 --ssl-date=3650

6. Create the Secret holding the service certificate and private key

kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=./tls.crt --key=./tls.key

7. Create the CA certificate Secret

kubectl -n cattle-system create secret generic tls-ca --from-file=./cacerts.pem

8. Helm install Rancher

helm install rancher rancher-stable/rancher \
--namespace cattle-system \
--set hostname=rancher.zhang.com \
--set ingress.tls.source=secret \
--set privateCA=true

Installation output:

[root@master ~]# helm install rancher rancher-stable/rancher \
> --namespace cattle-system \
> --set hostname=rancher.zhang.com \
> --set ingress.tls.source=secret \
> --set privateCA=true
NAME: rancher
LAST DEPLOYED: Thu Mar 25 14:59:52 2021
NAMESPACE: cattle-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Rancher Server has been installed.

NOTE: Rancher may take several minutes to fully initialize. Please standby while Certificates are being issued and Ingress comes up.

Check out our docs at https://rancher.com/docs/rancher/v2.x/en/

Browse to https://rancher.zhang.com

Happy Containering!


9. Check the running status of the POD

[root@master ~]# kubectl get pod -n cattle-system
NAME                      READY   STATUS    RESTARTS   AGE
rancher-cb4695754-7qw4x   1/1     Running   0          4m
rancher-cb4695754-q58z6   1/1     Running   0          4m
rancher-cb4695754-vs748   1/1     Running   0          4m
[root@master ~]# kubectl get ingress -n cattle-system
NAME      CLASS    HOSTS               ADDRESS   PORTS     AGE
rancher   <none>   rancher.zhang.com             80, 443   4m7s

10. Bind hosts to the browser