Moment For Technology

K8s cluster HELM installed rancher

Posted on June 26, 2022, 2:14 a.m. by Yashvi Jaggi
Category: The back-end Tag: kubernetes

1. Environment introduction

[root@master ingress]# kubectl get node NAME STATUS ROLES AGE VERSION master Ready control-plane,master 4h57m v1.20.5 Node1 Ready  None  4h56m v1.20.5 Node2 Ready  None  4h56m v1.20.5 [root@master ingress]# helm version Version. BuildInfo {version: "v3.2.0 GitCommit:" e11b7ce3b12db2941e90399e874513fbd24bcb71 GitTreeState: "clean", GoVersion: "go1.13.10}"Copy the code

2. Add Rancher Helm Chart

helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
Copy the code

To view

[root@master ~]# helm  repo list
NAME          	URL                                              
ingress-nginx 	https://kubernetes.github.io/ingress-nginx       
aliyuncs      	https://apphub.aliyuncs.com                      
rancher-stable	https://releases.rancher.com/server-charts/stable

Copy the code

Create a namespace for Rancher

[root@master ~]#  kubectl create namespace  cattle-system
namespace/cattle-system created
Copy the code

4. Create the certificate script

  • cert.sh
#! /bin/bash -e help () { echo ' ================================================================ ' echo ' --ssl-domain: If the primary domain name is not specified, the default domain name is localhost. If IP access services are used, the primary domain name can be ignored. 'echo' -- SSL-trusted - IP: generally, an SSL certificate trusts only the access requests of the domain name. Sometimes, you need to use the IP address to access the server. In this case, you need to add extended IP addresses to the SSL certificate. 'echo' -- SSL-trusted -domain: If you want to access multiple domains, add the extended domain name (SSL_TRUSTED_DOMAIN), separated by commas. 'echo' --ssl-size: SSL encryption bits (default: 2048); 'echo' --ssl-date: indicates the SSL validity period. The default value is 10 years. 'echo' --ca-date: indicates the ca validity period. The default value is 10 years. 'echo' --ssl-cn: country code (2-letter code), default cn; /create_self-signed-cert.sh --ssl-domain=www.test.com --ssl-trusted-domain=www.test2.com \ ' Echo '-- SSL - trusted - IP = 1.1.1.1 2.2.2.2, 3.3.3.3 - SSL - size = 2048 - SSL - date = 3650' echo ' ================================================================' } case "$1" in -h|--help) help; exit;; esac if [[ $1 == '' ]]; then help; exit; fi CMDOPTS="$*" for OPTS in $CMDOPTS; do key=$(echo ${OPTS} | awk -F"=" '{print $1}' ) value=$(echo ${OPTS} | awk -F"=" '{print $2}' ) case "$key" in --ssl-domain) SSL_DOMAIN=$value ;; --ssl-trusted-ip) SSL_TRUSTED_IP=$value ;; --ssl-trusted-domain) SSL_TRUSTED_DOMAIN=$value ;; --ssl-size) SSL_SIZE=$value ;; --ssl-date) SSL_DATE=$value ;; --ca-date) CA_DATE=$value ;; --ssl-cn) CN=$value ;; CA_DATE=${CA_DATE:-3650} CA_KEY=${CA_KEY:-cakey.pem} CA_CERT=${CA_CERT:-cacerts.pem} CA_CERT=${CA_CERT:-cacerts.pem} SSL_CONFIG=${SSL_CONFIG:-$PWD/openssl.cnf} SSL_DOMAIN=${SSL_DOMAIN:-localhost} SSL_DATE=${SSL_DATE:-3650} SSL_SIZE=${SSL_SIZE:-2048} CN=${CN:-CN} SSL_KEY=$SSL_DOMAIN.key SSL_CSR=$SSL_DOMAIN.csr SSL_CERT=$SSL_DOMAIN.crt echo -e "\033[32m -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- \ [0 m "echo - e" 033\033 [32 m | generated SSL Cert | \ [0 m "echo - e" 033\033 [32 m -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- \ [0 033 m "if [[- e. / ${CA_KEY}]]; then the echo - e" 033 \ [32 m = = = =  1. Found existing CA private key, ${CA_KEY} = ${CA_KEY} \033[0m" mv ${CA_KEY}" ${CA_KEY}"-bak openssl genrsa -out ${CA_KEY} ${SSL_SIZE} else echo -e "\033[32m ==== 1 ${CA_KEY} \033[0m" openssl genrsa -out ${CA_KEY} ${SSL_SIZE} fi if [[-e./${CA_CERT}]]; then echo -e "\ [033 32 m = = = =  2. Found existing CA certificate, first backup" ${CA_CERT} "to" ${CA_CERT} "- bak, \033[0m" mv ${CA_CERT}" ${CA_CERT}"-bak openssl req-x509-sha256-new-nodes -key ${CA_KEY} -days ${CA_DATE} - out ${CA_CERT} - subj "/ C = ${CN} / CN = ${CA_DOMAIN}" the else echo - e \ 033 "[32 m = = = =  2. Generate new CA certificate ${CA_CERT} \ 033 [0 m" openssl req -x509 -sha256 -new -nodes -key ${CA_KEY} -days ${CA_DATE} -out ${CA_CERT} -subj "/C=${CN}/CN=${CA_DOMAIN}" fi echo -e "\033[32m ==== 3. Generate the Openssl configuration file ${SSL_CONFIG} \033[0m" cat  ${SSL_CONFIG} EOM [req] req_extensions = v3_req distinguished_name = req_distinguished_name [req_distinguished_name] [ v3_req ] basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = clientAuth, serverAuth EOM if [[ -n ${SSL_TRUSTED_IP} || -n ${SSL_TRUSTED_DOMAIN} ]]; then cat  ${SSL_CONFIG} EOM subjectAltName  = @alt_names [alt_names] EOM IFS="," dns=(${SSL_TRUSTED_DOMAIN}) dns+=(${SSL_DOMAIN}) for i in "${!dns[@]}"; do echo DNS.$((i+1)) = ${dns[$i]}  ${SSL_CONFIG} done if [[ -n ${SSL_TRUSTED_IP} ]]; then ip=(${SSL_TRUSTED_IP}) for i in "${! IP / @}"; do echo IP $(+ 1) (I) = ${IP [$I]}   ${SSL_CONFIG} done fi fi echo - e \ 033 "[32 m = = = =  4. SSL KEY generation service ${SSL_KEY} \033[0m" openssl genrsa -out ${SSL_KEY} ${SSL_SIZE} echo -e "\033[32m ==== 5. \033[0m" openssl req -sha256 -new -key ${SSL_KEY} -out ${SSL_CSR} -subj "/C=${CN}/CN=${SSL_DOMAIN}" -config ${SSL_CONFIG} echo -e "\033[32m ==== 6. Generate service SSL CERT ${SSL_CERT} \033[0m" openssl x509-sha256-req -in ${SSL_CSR} -ca ${CA_CERT} \ -CAkey ${CA_KEY} -CAcreateserial -out ${SSL_CERT} \ -days ${SSL_DATE} -extensions v3_req \ -extfile ${SSL_CONFIG} echo -e "\033[32m ==== 7. Certificate making is complete \033[0m" echo echo -e "\033[32m ==== 8. Output result \033[0m" echo in YAML format "----------------------------------------------------------" echo "ca_key: |" cat $CA_KEY | sed 's/^/ /' echo echo "ca_cert: |" cat $CA_CERT | sed 's/^/ /' echo echo "ssl_key: |" cat $SSL_KEY | sed 's/^/ /' echo echo "ssl_csr: |" cat $SSL_CSR | sed 's/^/ /' echo echo "ssl_cert: | "cat $SSL_CERT | sed 's ^ / / /' echo echo - e" 033 \ [32 m = = = =  9. Additional CA certificate to the Cert file \ [0 033 m "cat ${CA_CERT}   ${SSL_CERT} echo "ssl_cert: | "cat $SSL_CERT | sed 's ^ / / /' echo echo - e" 033 \ [32 m = = = =  10. Rename the service certificate \ 033 [0 m "echo" cp ${SSL_DOMAIN} key TLS. Key "cp  ${SSL_DOMAIN}.key tls.key echo "cp ${SSL_DOMAIN}.crt tls.crt" cp ${SSL_DOMAIN}.crt tls.crtCopy the code

5. Create a certificate

bash  cert.sh --ssl-domain=rancher.zhang.com --ssl-size=2048 --ssl-date=3650
Copy the code

6. Service certificate and private key ciphertext

kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=./tls.crt --key=./tls.key
Copy the code

7. Ca certificate ciphertext

kubectl -n cattle-system create secret generic tls-ca --from-file=./cacerts.pem
Copy the code

8. Helm install Rancher

helm install rancher rancher-stable/rancher \
--namespace cattle-system \
--set hostname=rancher.zhang.com \
--set ingress.tls.source=secret \
--set privateCA=true
Copy the code

process

[root@master ~]# helm install rancher rancher-stable/rancher \
 --namespace cattle-system \
 --set hostname=rancher.zhang.com \
 --set ingress.tls.source=secret \
 --set privateCA=true
NAME: rancher
LAST DEPLOYED: Thu Mar 25 14:59:52 2021
NAMESPACE: cattle-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Rancher Server has been installed.

NOTE: Rancher may take several minutes to fully initialize. Please standby while Certificates are being issued and Ingress comes up.

Check out our docs at https://rancher.com/docs/rancher/v2.x/en/

Browse to https://rancher.zhang.com

Happy Containering!

Copy the code

9. Check the running status of the POD

[root@master ~]# kubectl get pod -n cattle-system
NAME                      READY   STATUS    RESTARTS   AGE
rancher-cb4695754-7qw4x   1/1     Running   0          4m
rancher-cb4695754-q58z6   1/1     Running   0          4m
rancher-cb4695754-vs748   1/1     Running   0          4m
[root@master ~]# kubectl get ingress -n cattle-system
NAME      CLASS    HOSTS               ADDRESS   PORTS     AGE
rancher   none   rancher.zhang.com             80, 443   4m7s
Copy the code

10. Bind hosts to the browser

Search
About
mo4tech.com (Moment For Technology) is a global community with thousands techies from across the global hang out!Passionate technologists, be it gadget freaks, tech enthusiasts, coders, technopreneurs, or CIOs, you would find them all here.