05_Installing Rancher (Rancher HA cluster deployment, offline installation)

Installing Rancher

1. Add the Helm repository

1.1 Add the Helm repository

On a host with internet access, add the repository with helm repo add. Different URLs serve different Rancher release channels: replace <CHART_REPO> in the command with latest, stable or alpha (the command below uses stable).

[rancher@rancher1 ~]$  helm repo add rancher-stable https://releases.rancher.com/server-charts/stable

"rancher-stable" has been added to your repositories

1.2 Fetch the latest Rancher chart

Fetch the latest Rancher chart; the .tgz file is downloaded into the current directory.

[rancher@rancher1 ~]$ helm fetch rancher-stable/rancher

1.3 Copy the .tgz into the rancher user's home directory on rancher1

Copy the .tgz file (rancher-2.5.2.tgz) into the rancher user's home directory on the intranet host rancher1.

[rancher@rancher1 ~]$ scp root@172.16.7.201:/home/rancher/rancher-2.5.2.tgz .

2. Use Rancher's default self-signed certificate

When using Rancher's default self-signed certificate, fetch the latest cert-manager chart on an internet-connected host.

2.1 Add the cert-manager repository

On a system that can reach the internet, add the cert-manager (jetstack) repository.

helm repo add jetstack https://charts.jetstack.io
helm repo update

2.2 Fetch the cert-manager chart

Fetch the cert-manager chart from the Helm repository. The version is pinned to v0.12.0 so that it matches the certmanager.version value passed when rendering the Rancher chart below.

helm fetch jetstack/cert-manager --version v0.12.0

Copy the resulting cert-manager-v0.12.0.tgz to rancher1.

[rancher@rancher1 ~]$ scp root@172.16.7.200:/home/rancher/cert-manager-v0.12.0.tgz .
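Before anything is rendered on rancher1 it is worth confirming that the files that crossed the air gap (the Rancher chart in 1.3, the cert-manager chart here, and the CRD manifest downloaded in 2.4) arrived intact and unmodified; a truncated or swapped .tgz otherwise only shows up as a confusing failure at apply time. The following is an added example, not from these notes or from the Rancher project. It assumes the artifacts sit in one directory on both sides and that the manifest file (here called SHA256SUMS, an arbitrary name) is copied along with them.

```shell
# Added example (not from the original notes): pin and verify the artifacts that
# cross the air gap. The manifest is written on the internet-connected host next
# to the downloaded files and copied together with them; on rancher1 the copy is
# verified before anything is rendered or applied. File names are the ones used
# in these notes; the manifest name SHA256SUMS is an assumption.
set -eu

# GNU coreutils on Linux; shasum on macOS. Both produce and check the same format.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo 'shasum -a 256'; fi
}

# On the internet-connected host: write one "HASH  FILE" line per artifact.
#   make_manifest SHA256SUMS rancher-2.5.2.tgz cert-manager-v0.12.0.tgz cert-manager-crd.yaml
make_manifest() {
    local manifest=$1; shift
    $(sha256_tool) "$@" > "$manifest"
}

# On rancher1, in the directory the files were scp'd into: every listed file must
# exist and hash to the recorded value, otherwise the command exits non-zero.
#   verify_manifest SHA256SUMS
verify_manifest() {
    $(sha256_tool) -c "$1"
}
```

Run make_manifest once on the outside host after the helm fetch and curl steps, scp the manifest with the artifacts, and make verify_manifest the first command you run on rancher1; a missing file and a modified file both fail the check.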

2.3 Render the chart template

Render the chart template with the parameters you want. Be sure to set the image.repository values so that the controller, webhook and cainjector images are pulled from the private registry rather than from quay.io. This produces a folder named cert-manager containing the rendered YAML.

helm template cert-manager ./cert-manager-v0.12.0.tgz --output-dir . \
    --namespace cert-manager \
    --set image.repository=172.16.7.199:80/quay.io/jetstack/cert-manager-controller \
    --set webhook.image.repository=172.16.7.199:80/quay.io/jetstack/cert-manager-webhook \
    --set cainjector.image.repository=172.16.7.199:80/quay.io/jetstack/cert-manager-cainjector

Output:

WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/rancher/.kube/config
wrote ./cert-manager/templates/cainjector-serviceaccount.yaml
wrote ./cert-manager/templates/serviceaccount.yaml
wrote ./cert-manager/templates/webhook-serviceaccount.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/service.yaml
wrote ./cert-manager/templates/webhook-service.yaml
wrote ./cert-manager/templates/cainjector-deployment.yaml
wrote ./cert-manager/templates/deployment.yaml
wrote ./cert-manager/templates/webhook-deployment.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/webhook-mutating-webhook.yaml
wrote ./cert-manager/templates/webhook-validating-webhook.yaml
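The first line of that output deserves action rather than a scroll past. helm is warning that ~/.kube/config on rancher1 is group-readable; that file carries the administrative credentials for the cluster Rancher is about to be installed into, so every account in the rancher user's group can read them. The snippet below is an added example, not from the original notes: it reports the current mode of the kubeconfig and tightens it to 0600 when it is anything more permissive. The same warning reappears when the Rancher chart is rendered in 2.5, so run this once before continuing.

```shell
# Added example (not from the original notes): act on helm's
# "Kubernetes configuration file is group-readable" warning.
set -eu

# Print the octal permission bits of FILE (GNU stat, falling back to BSD stat).
file_mode() {              # usage: file_mode FILE
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Tighten FILE to 0600 unless it is already owner-only; report what was done.
# Returns 2 when the file does not exist, so a typo in the path is not silent.
harden_kubeconfig() {      # usage: harden_kubeconfig [FILE]   (default: ~/.kube/config)
    local f=${1:-$HOME/.kube/config} mode
    [ -f "$f" ] || { printf 'no such file: %s\n' "$f" >&2; return 2; }
    mode=$(file_mode "$f")
    case $mode in
        600|400) printf '%s already %s\n' "$f" "$mode" ;;
        *)       chmod 600 "$f"; printf '%s was %s, now 600\n' "$f" "$mode" ;;
    esac
}
```

Re-running helm template after this should no longer print the WARNING line.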

When this completes there is a cert-manager directory containing the rendered YAML files:

[rancher@rancher1 ~]$ tree -L 3 cert-manager

Output:

cert-manager
└── templates
    ├── cainjector-deployment.yaml
    ├── cainjector-rbac.yaml
    ├── cainjector-serviceaccount.yaml
    ├── deployment.yaml
    ├── rbac.yaml
    ├── serviceaccount.yaml
    ├── service.yaml
    ├── webhook-deployment.yaml
    ├── webhook-mutating-webhook.yaml
    ├── webhook-rbac.yaml
    ├── webhook-serviceaccount.yaml
    ├── webhook-service.yaml
    └── webhook-validating-webhook.yaml

2.4 Download the CRD manifest that cert-manager requires.

curl -L -o cert-manager/cert-manager-crd.yaml https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml

Note: the CRD file above can only be downloaded through a proxy, and the proxy line has to be chosen carefully; not every one works.

Its contents are kept in the backup file cert-manager-crd.yaml. Copy it into the cert-manager directory on rancher1, since the apply step in 2.6.2 reads it from there.

2.5 Render the Rancher template

Render the Rancher template, declaring the options you have chosen; replace each placeholder using the reference table in the Rancher offline-installation documentation. Rancher must be configured to use the private registry whenever it provisions Kubernetes clusters or launches Rancher tools, which is what the systemDefaultRegistry and useBundledSystemChart values below do.

helm template rancher ./rancher-2.5.2.tgz --output-dir . \
    --namespace cattle-system \
    --set hostname=rancher-slb.techzsun.com \
    --set certmanager.version=v0.12.0 \
    --set rancherImage=172.16.7.199:80/rancher/rancher \
    --set systemDefaultRegistry=172.16.7.199:80 \
    --set useBundledSystemChart=true

Output:

WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/rancher/.kube/config
wrote ./rancher/templates/serviceAccount.yaml
wrote ./rancher/templates/clusterRoleBinding.yaml
wrote ./rancher/templates/service.yaml
wrote ./rancher/templates/deployment.yaml
wrote ./rancher/templates/ingress.yaml
wrote ./rancher/templates/issuer-rancher.yaml
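Both helm template runs above exist mainly to point image references at 172.16.7.199:80, so before applying either tree it pays to confirm that nothing in the rendered YAML still refers to quay.io or Docker Hub; in an air-gapped cluster such a reference becomes an ImagePullBackOff, and in a cluster with accidental egress it becomes an unreviewed pull from the public internet. The check below is an added example, not from the original notes or the Rancher project: it collects every image: key under a rendered directory and fails if any value is outside the given registry prefix. It covers only the manifests on disk; the images Rancher pulls later for system charts and agents are governed by systemDefaultRegistry and by what was actually pushed to the private registry.

```shell
# Added example (not from the original notes): after `helm template`, make sure
# every container image in the rendered YAML comes from the private registry.
set -eu

# Print every image reference found under DIR, one per line, quotes stripped.
# Matches YAML keys only (optionally preceded by a list dash), so argument
# strings such as --foo-image=... are deliberately not picked up here.
list_images() {            # usage: list_images DIR
    grep -rhoE '^[[:space:]]*-?[[:space:]]*image:[[:space:]]*[^[:space:]]+' "$1" \
      | sed -E 's/^[[:space:]-]*image:[[:space:]]*//' \
      | tr -d "\"'" \
      | sort -u
}

# Exit 0 if every image starts with REGISTRY/, otherwise list the offenders
# on stderr and exit 1 so the check can gate the kubectl apply that follows.
#   check_images ./cert-manager 172.16.7.199:80 && kubectl apply -R -f ./cert-manager
check_images() {           # usage: check_images DIR REGISTRY
    local dir=$1 registry=$2 bad=0 img
    for img in $(list_images "$dir"); do
        case $img in
            "$registry"/*) printf 'ok   %s\n' "$img" ;;
            *) printf 'BAD  %s (not under %s)\n' "$img" "$registry" >&2; bad=1 ;;
        esac
    done
    return $bad
}
```

Run it against both ./cert-manager and ./rancher with 172.16.7.199:80 as the registry; a BAD line means one of the --set image values above was missed or misspelled and the render should be repeated before applying.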

2.6 Install cert-manager

(Only when using Rancher's default self-signed certificate.)

2.6.1 Create the namespace for cert-manager

[rancher@rancher1 ~]$ kubectl create namespace cert-manager
namespace/cert-manager created

2.6.2 Create the cert-manager CRDs

kubectl apply -f cert-manager/cert-manager-crd.yaml

Output. The deprecation warning is expected on this Kubernetes version: the v0.12.0 CRD manifest uses apiextensions.k8s.io/v1beta1, which Kubernetes 1.22 removes, so this cert-manager release can no longer be applied once the cluster is upgraded to 1.22 or later.

Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created

2.6.3 Start cert-manager

kubectl apply -R -f ./cert-manager

Output:

Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io unchanged
deployment.apps/cert-manager-cainjector created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created
Warning: rbac.authorization.k8s.io/v1beta1 Role is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 Role
role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
Warning: rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding
rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
serviceaccount/cert-manager-cainjector created
deployment.apps/cert-manager created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrole.rbac.authorization.k8s.io/cert-manager-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
role.rbac.authorization.k8s.io/cert-manager:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created
service/cert-manager created
serviceaccount/cert-manager created
deployment.apps/cert-manager-webhook created
Warning: admissionregistration.k8s.io/v1beta1 MutatingWebhookConfiguration is deprecated in v1.16+, unavailable in v1.22+; use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:webhook-requester created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:auth-delegator created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:webhook-authentication-reader created
service/cert-manager-webhook created
serviceaccount/cert-manager-webhook created
Warning: admissionregistration.k8s.io/v1beta1 ValidatingWebhookConfiguration is deprecated in v1.16+, unavailable in v1.22+; use admissionregistration.k8s.io/v1 ValidatingWebhookConfiguration
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created

2.6.4 Install Rancher

kubectl create namespace cattle-system
kubectl -n cattle-system apply -R -f ./rancher

Output, ending in an error:

clusterrolebinding.rbac.authorization.k8s.io/rancher created
deployment.apps/rancher created
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/rancher created
service/rancher created
serviceaccount/rancher created
Error from server (InternalError): error when creating "rancher/templates/issuer-rancher.yaml": Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s": dial tcp 10.43.17.204:443: connect: connection refused

This error is not a fault in the rendered Rancher manifests. Creating the Issuer in issuer-rancher.yaml goes through cert-manager's mutating admission webhook, and the cert-manager-webhook Pod started a moment earlier was not yet ready, so its Service had no endpoints and the API server's call was refused. Wait until the Pods of all three cert-manager Deployments (cert-manager, cert-manager-cainjector, cert-manager-webhook) are Running and ready, then re-run the same kubectl apply; it is idempotent and only creates the Issuer that is still missing. If the webhook Pod never becomes ready, check first whether its image could be pulled from 172.16.7.199:80.