Installing Rancher
1. Add the Helm repository
1.1 Add the Helm repository
Use helm repo add to add the repository. Different URLs correspond to different Rancher release channels; replace <CHART_REPO> in the command with latest, stable or alpha.
[rancher@rancher1 ~]$ helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
"rancher-stable" has been added to your repositories
1.2 Fetch the latest Rancher chart
Fetch the latest Rancher chart; the tgz file is downloaded to the local machine.
[rancher@rancher1 ~]$ helm fetch rancher-stable/rancher
1.3 Copy the tgz file to the rancher user's home directory on rancher1
Copy the tgz file (rancher-2.5.2.tgz) to the home directory of the rancher user on the intranet host rancher1.
[rancher@rancher1 ~]$ scp root@172.16.7.201:/home/rancher/rancher-2.5.2.tgz .
2. Use Rancher's default self-signed certificate
When using Rancher's default self-signed certificate, fetch the latest cert-manager chart on a host with public internet access.
2.1 Add the cert-manager repository
On a system that can reach the internet, add the cert-manager repository.
helm repo add jetstack https://charts.jetstack.io
helm repo update
2.2 Fetch the latest cert-manager chart
Fetch the latest cert-manager chart from the Helm chart repository.
helm fetch jetstack/cert-manager --version v0.12.0
Copy the resulting cert-manager-v0.12.0.tgz file to rancher1.
[rancher@rancher1 ~]$ scp root@172.16.7.200:/home/rancher/cert-manager-v0.12.0.tgz .
2.3 Render the chart templates
Render the chart templates with the values you want; be sure to set image.repository so that the images are pulled from the private registry. This produces a folder named cert-manager containing the related YAML.
helm template cert-manager ./cert-manager-v0.12.0.tgz --output-dir . \
--namespace cert-manager \
--set image.repository=172.16.7.199:80/quay.io/jetstack/cert-manager-controller \
--set webhook.image.repository=172.16.7.199:80/quay.io/jetstack/cert-manager-webhook \
--set cainjector.image.repository=172.16.7.199:80/quay.io/jetstack/cert-manager-cainjector
The output is as follows (note the first line: helm warns that ~/.kube/config is group-readable; restrict it with chmod 600 ~/.kube/config before continuing):
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/rancher/.kube/config
wrote ./cert-manager/templates/cainjector-serviceaccount.yaml
wrote ./cert-manager/templates/serviceaccount.yaml
wrote ./cert-manager/templates/webhook-serviceaccount.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/service.yaml
wrote ./cert-manager/templates/webhook-service.yaml
wrote ./cert-manager/templates/cainjector-deployment.yaml
wrote ./cert-manager/templates/deployment.yaml
wrote ./cert-manager/templates/webhook-deployment.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/webhook-mutating-webhook.yaml
wrote ./cert-manager/templates/webhook-validating-webhook.yaml
When the command finishes you get a cert-manager directory containing the YAML files.
[rancher@rancher1 ~]$ tree -L 3 cert-manager
Output:
cert-manager
└── templates
    ├── cainjector-deployment.yaml
    ├── cainjector-rbac.yaml
    ├── cainjector-serviceaccount.yaml
    ├── deployment.yaml
    ├── rbac.yaml
    ├── serviceaccount.yaml
    ├── service.yaml
    ├── webhook-deployment.yaml
    ├── webhook-mutating-webhook.yaml
    ├── webhook-rbac.yaml
    ├── webhook-serviceaccount.yaml
    ├── webhook-service.yaml
    └── webhook-validating-webhook.yaml
2.4 Download the CRD file that cert-manager needs
curl -L -o cert-manager/cert-manager-crd.yaml https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
Note: the CRD file above can only be downloaded through a proxy, and not every proxy route works; you have to pick the right one.
Contents:
See the backup file: cert-manager-crd.yaml
2.5 Render the Rancher templates
Render the Rancher templates, declaring the options you have chosen. Replace each placeholder using the reference table below. Rancher needs to be configured to use the private registry for the Kubernetes clusters and Rancher tools it launches.
helm template rancher ./rancher-2.5.2.tgz --output-dir . \
--namespace cattle-system \
--set hostname=rancher-slb.techzsun.com \
--set certmanager.version=v0.12.0 \
--set rancherImage=172.16.7.199:80/rancher/rancher \
--set systemDefaultRegistry=172.16.7.199:80 \
--set useBundledSystemChart=true
The output is as follows:
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/rancher/.kube/config
wrote ./rancher/templates/serviceAccount.yaml
wrote ./rancher/templates/clusterRoleBinding.yaml
wrote ./rancher/templates/service.yaml
wrote ./rancher/templates/deployment.yaml
wrote ./rancher/templates/ingress.yaml
wrote ./rancher/templates/issuer-rancher.yaml
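As an added check that is not part of the original tutorial or of the Rancher and cert-manager charts: after rendering the cert-manager (2.3) and Rancher (2.5) templates, confirm that every container image in the output points at the private registry (172.16.7.199:80, the prefix used in the commands above). An image left at its public default would make the air-gapped cluster try to reach quay.io or docker.io and sit in ImagePullBackOff, which is easier to catch in the rendered YAML than in a half-started cluster. The script below and the two sample manifests it scans are constructed for this example; it needs only grep, sed and awk.

```shell
#!/bin/sh
# Added example: verify that every image reference in rendered manifests is served
# from the private registry. Not from the tutorial or the charts it installs.
# Assumption: the private registry prefix used throughout the tutorial is 172.16.7.199:80.
REGISTRY="${REGISTRY:-172.16.7.199:80}"

# Print (de-duplicated, one per line) every "image:" value under DIR whose name does
# not start with "$REGISTRY/". Handles "image: x", "- image: x" and quoted values.
# Always exits 0; callers inspect the output.
find_foreign_images() {
  grep -rhoE "^[[:space:]]*-?[[:space:]]*image:[[:space:]]*[\"']?[^\"' ]+" "$1" \
    | sed -E "s/^[[:space:]]*-?[[:space:]]*image:[[:space:]]*[\"']?//" \
    | sort -u \
    | awk -v prefix="$REGISTRY/" 'index($0, prefix) != 1'
}

# Exit 0 when all images under DIR are private, 1 (listing the offenders on stderr) otherwise.
check_images() {
  foreign=$(find_foreign_images "$1")
  if [ -n "$foreign" ]; then
    printf 'Images not served from %s:\n%s\n' "$REGISTRY" "$foreign" >&2
    return 1
  fi
  return 0
}

# Constructed sample manifests so the check runs stand-alone (not real chart output).
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir -p "$DEMO_DIR/ok" "$DEMO_DIR/bad"
cat > "$DEMO_DIR/ok/deployment.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
spec:
  template:
    spec:
      containers:
        - name: cert-manager
          image: "172.16.7.199:80/quay.io/jetstack/cert-manager-controller:v0.12.0"
          imagePullPolicy: IfNotPresent
EOF
# The webhook image here was left at its public default, which is what you get when
# --set webhook.image.repository=... is forgotten in step 2.3.
cat > "$DEMO_DIR/bad/webhook-deployment.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook
spec:
  template:
    spec:
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-webhook:v0.12.0"
EOF

# Against the real output of 2.3 and 2.5:  check_images ./cert-manager && check_images ./rancher
check_images "$DEMO_DIR/ok"  && echo "ok sample: all images come from $REGISTRY"
check_images "$DEMO_DIR/bad" || echo "bad sample: a public image slipped through (exit 1)"
```

Run it once for ./cert-manager and once for ./rancher before moving on to 2.6; a non-zero exit means one of the --set image.repository / rancherImage / systemDefaultRegistry values did not reach the template it was meant for.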
2.6 Install cert-manager
(Only when using Rancher's default self-signed certificate)
2.6.1 Create the namespace for cert-manager
[rancher@rancher1 ~]$ kubectl create namespace cert-manager
namespace/cert-manager created
2.6.2 Create the cert-manager CRDs
kubectl apply -f cert-manager/cert-manager-crd.yaml
The output is as follows:
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created
2.6.3 Start cert-manager
kubectl apply -R -f ./cert-manager
The output is as follows:
Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io unchanged
deployment.apps/cert-manager-cainjector created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created
Warning: rbac.authorization.k8s.io/v1beta1 Role is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 Role
role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
Warning: rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding
rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
serviceaccount/cert-manager-cainjector created
deployment.apps/cert-manager created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrole.rbac.authorization.k8s.io/cert-manager-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
role.rbac.authorization.k8s.io/cert-manager:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created
service/cert-manager created
serviceaccount/cert-manager created
deployment.apps/cert-manager-webhook created
Warning: admissionregistration.k8s.io/v1beta1 MutatingWebhookConfiguration is deprecated in v1.16+, unavailable in v1.22+; use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:webhook-requester created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:auth-delegator created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:webhook-authentication-reader created
service/cert-manager-webhook created
serviceaccount/cert-manager-webhook created
Warning: admissionregistration.k8s.io/v1beta1 ValidatingWebhookConfiguration is deprecated in v1.16+, unavailable in v1.22+; use admissionregistration.k8s.io/v1 ValidatingWebhookConfiguration
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
2.6.7 Install Rancher
kubectl create namespace cattle-system
kubectl -n cattle-system apply -R -f ./rancher
The output, which ends in an error:
clusterrolebinding.rbac.authorization.k8s.io/rancher created
deployment.apps/rancher created
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/rancher created
service/rancher created
serviceaccount/rancher created
Error from server (InternalError): error when creating "rancher/templates/issuer-rancher.yaml": Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s": dial tcp 10.43.17.204:443: connect: connection refused
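The "connection refused" from webhook.cert-manager.io above is a race: rancher/templates/issuer-rancher.yaml creates an Issuer, which is a cert-manager custom resource, so the API server has to call cert-manager's mutating webhook to admit it, and that webhook pod was still starting when the Rancher manifests were applied (all the other Rancher objects were created fine). The script below, an added example that is not part of the original tutorial, gates the 2.6.7 apply on every cert-manager deployment being available and can simply be re-run to re-apply the rejected Issuer. The namespace and deployment names are the ones that appear in the output of 2.6.3 (cert-manager, cert-manager-cainjector, cert-manager-webhook); the kubectl output used for the stand-alone demonstration is constructed, not captured from a cluster.

```shell
#!/bin/sh
# Added example, not from the tutorial: wait for cert-manager (including its webhook)
# to be available before applying the Rancher manifests, so the Issuer is admitted.
# Assumed names, taken from the tutorial's own output: namespace cert-manager with
# deployments cert-manager, cert-manager-cainjector and cert-manager-webhook.
CM_NAMESPACE="cert-manager"
CM_DEPLOYMENTS="cert-manager cert-manager-cainjector cert-manager-webhook"

# One line per deployment: NAME DESIRED AVAILABLE (AVAILABLE prints <none> until ready).
cert_manager_status() {
  kubectl -n "$CM_NAMESPACE" get deploy --no-headers \
    -o custom-columns=NAME:.metadata.name,DESIRED:.spec.replicas,AVAILABLE:.status.availableReplicas
}

# Read that status on stdin; exit 0 only if every deployment named in the arguments
# is present, has desired > 0 and available >= desired.
all_available() {
  awk -v want="$*" '
    BEGIN { n = split(want, names, " "); for (i = 1; i <= n; i++) missing[names[i]] = 1 }
    $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ && $2 > 0 && $3 >= $2 { delete missing[$1] }
    END { left = 0; for (k in missing) left++; exit left ? 1 : 0 }
  '
}

# Poll every 5 s until cert-manager is available or TIMEOUT seconds (default 180) elapse.
wait_for_cert_manager() {
  timeout="${1:-180}"; waited=0
  until cert_manager_status 2>/dev/null | all_available $CM_DEPLOYMENTS; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "cert-manager not available after ${timeout}s" >&2
      return 1
    fi
    sleep 5; waited=$((waited + 5))
  done
  echo "cert-manager is available"
}

# Section 2.6.7 with the readiness gate in front of it; safe to re-run, since
# kubectl apply leaves already-created objects unchanged and only creates the Issuer.
install_rancher() {
  wait_for_cert_manager 180 || return 1
  kubectl create namespace cattle-system 2>/dev/null || true   # already exists on a re-run
  kubectl -n cattle-system apply -R -f ./rancher
}

# Constructed kubectl output for a stand-alone run (not captured from a real cluster).
SAMPLE_NOT_READY='cert-manager            1   1
cert-manager-cainjector 1   1
cert-manager-webhook    1   <none>'
SAMPLE_READY='cert-manager            1   1
cert-manager-cainjector 1   1
cert-manager-webhook    1   1'

printf '%s\n' "$SAMPLE_NOT_READY" | all_available $CM_DEPLOYMENTS \
  && echo "not-ready sample: reported available (unexpected)" \
  || echo "not-ready sample: webhook still starting, Rancher apply would be held back"
printf '%s\n' "$SAMPLE_READY" | all_available $CM_DEPLOYMENTS \
  && echo "ready sample: all three deployments available"

# Against a real cluster:  sh this_script.sh --run
if [ "${1:-}" = "--run" ]; then install_rancher; fi
```

The equivalent one-liner for the gate alone is kubectl -n cert-manager wait --for=condition=Available --timeout=180s deployment/cert-manager-webhook; the script above additionally checks the controller and cainjector, which the Issuer also depends on once it is admitted.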