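05_Install Rancher (Rancher high-availability (HA) cluster deployment, offline installation)
<p>Install Rancher</p>
<h1>1. Add the Helm repository</h1>
<h2>1.1 Add the Helm repository</h2>
<p>Use helm repo add to add the repository. Different repository addresses correspond to different Rancher versions; replace &lt;CHART_REPO&gt; in the command with latest, stable or alpha. The command below uses stable.</p>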
<pre><code class="language-bash">[rancher@rancher1 ~]$ helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
"rancher-stable" has been added to your repositories</code></pre>
<h2>1.2 Fetch the latest Rancher chart</h2>
<p>Fetch the latest Rancher chart; the tgz file is downloaded to the local directory.</p>
<pre><code class="language-bash">[rancher@rancher1 ~]$ helm fetch rancher-stable/rancher </code></pre>
<h2>1.3 Copy the tgz file to the rancher user's home directory on rancher1</h2>
<p>Copy the tgz file (rancher-2.5.2.tgz) to the rancher user's home directory on rancher1 in the internal network.</p>
<pre><code class="language-bash">[rancher@rancher1 ~]$ scp root@172.16.7.201:/home/rancher/rancher-2.5.2.tgz .</code></pre>
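<h1>2. Use Rancher's default self-signed certificate</h1>
<p>To use Rancher's default self-signed certificate, fetch the latest cert-manager chart in an environment with public internet access.</p>
<h2>2.1 Add the cert-manager repository</h2>
<p>On a system that can reach the internet, add the cert-manager repository.</p>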
<pre><code class="language-bash">helm repo add jetstack https://charts.jetstack.io
helm repo update</code></pre>
<h2>2.2 Fetch the latest cert-manager chart</h2>
<p>Fetch the latest cert-manager chart from the Helm chart repository.</p>
<pre><code class="language-bash">helm fetch jetstack/cert-manager --version v0.12.0</code></pre>
<p>Copy the resulting cert-manager-v0.12.0.tgz file to rancher1.</p>
<pre><code class="language-bash">[rancher@rancher1 ~]$ scp root@172.16.7.200:/home/rancher/cert-manager-v0.12.0.tgz .</code></pre>
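<h2>2.3 Render the chart template</h2>
<p>Render the chart template with the parameters you want. Remember to set image.repository so that the chart's images are pulled from the private image registry. This generates a folder named cert-manager containing the relevant YAML.</p>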
<pre><code class="language-bash">helm template cert-manager ./cert-manager-v0.12.0.tgz --output-dir . \
--namespace cert-manager \
--set image.repository=172.16.7.199:80/quay.io/jetstack/cert-manager-controller \
--set webhook.image.repository=172.16.7.199:80/quay.io/jetstack/cert-manager-webhook \
--set cainjector.image.repository=172.16.7.199:80/quay.io/jetstack/cert-manager-cainjector</code></pre>
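<p>Output (the WARNING on the first line means /home/rancher/.kube/config is group-readable; restrict that file to its owner):</p>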
<pre><code class="language-bash">WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/rancher/.kube/config
wrote ./cert-manager/templates/cainjector-serviceaccount.yaml
wrote ./cert-manager/templates/serviceaccount.yaml
wrote ./cert-manager/templates/webhook-serviceaccount.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/service.yaml
wrote ./cert-manager/templates/webhook-service.yaml
wrote ./cert-manager/templates/cainjector-deployment.yaml
wrote ./cert-manager/templates/deployment.yaml
wrote ./cert-manager/templates/webhook-deployment.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/webhook-mutating-webhook.yaml
wrote ./cert-manager/templates/webhook-validating-webhook.yaml</code></pre>
<p>When the command finishes, you have a cert-manager directory containing the relevant YAML files.</p>
<pre><code class="language-bash">[rancher@rancher1 ~]$ tree -L 3 cert-manager</code></pre>
<p>Output:</p>
<pre><code class="language-bash">cert-manager
└── templates
    ├── cainjector-deployment.yaml
    ├── cainjector-rbac.yaml
    ├── cainjector-serviceaccount.yaml
    ├── deployment.yaml
    ├── rbac.yaml
    ├── serviceaccount.yaml
    ├── service.yaml
    ├── webhook-deployment.yaml
    ├── webhook-mutating-webhook.yaml
    ├── webhook-rbac.yaml
    ├── webhook-serviceaccount.yaml
    ├── webhook-service.yaml
    └── webhook-validating-webhook.yaml</code></pre>
<h2>2.4 Download the CRD file required by cert-manager</h2>
<pre><code class="language-bash">curl -L -o cert-manager/cert-manager-crd.yaml https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml</code></pre>
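<p>Note: downloading the CRD file above requires a proxy, and the proxy route matters; not every route works.
The content is as follows:</p>
<pre><code class="language-bash">See the backup file: cert-manager-crd.yaml</code></pre>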
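<h2>2.5 Render the Rancher template</h2>
<p>Render the Rancher template, declaring the options you have chosen. Use the reference table below to replace each placeholder. Rancher must be configured to use the private image registry when it provisions Kubernetes clusters or Rancher tools.</p>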
<pre><code class="language-bash">helm template rancher ./rancher-2.5.2.tgz --output-dir . \
--namespace cattle-system \
--set hostname=rancher-slb.techzsun.com \
--set certmanager.version=v0.12.0 \
--set rancherImage=172.16.7.199:80/rancher/rancher \
--set systemDefaultRegistry=172.16.7.199:80 \
--set useBundledSystemChart=true</code></pre>
<p>Output:</p>
<pre><code class="language-bash">WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/rancher/.kube/config
wrote ./rancher/templates/serviceAccount.yaml
wrote ./rancher/templates/clusterRoleBinding.yaml
wrote ./rancher/templates/service.yaml
wrote ./rancher/templates/deployment.yaml
wrote ./rancher/templates/ingress.yaml
wrote ./rancher/templates/issuer-rancher.yaml</code></pre>
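<p>Steps 2.3 and 2.5 both depend on every image reference pointing at the private registry. The following check is an added example, not part of the original page: it lists any <code>image:</code> in the rendered manifests that does not start with the registry address. The function names and the sample manifests are constructed for illustration.</p>

```bash
#!/bin/sh
# Added example (not from the original page): list every image in rendered
# manifests that is NOT served by the private registry.

# find_external_images REGISTRY DIR...
# Prints "file: image" for each offending image; returns 1 if any were found.
find_external_images() {
    registry=$1; shift
    offenders=$(find "$@" -type f -name '*.yaml' -exec awk \
        -v reg="$registry/" -v sq="'" '
        /^[ \t-]*image:[ \t]*/ {
            img = $0
            sub(/^[ \t-]*image:[ \t]*/, "", img)   # drop the key
            gsub("[\"" sq "]", "", img)            # drop YAML quotes
            sub(/[ \t].*$/, "", img)               # drop a trailing comment
            if (index(img, reg) != 1) print FILENAME ": " img
        }' {} +)
    if [ -z "$offenders" ]; then
        return 0
    fi
    printf '%s\n' "$offenders"
    return 1
}

# Constructed sample: one deployment rendered with --set image.repository,
# one rendered without it (falls back to the public quay.io image).
write_sample_manifests() {
    mkdir -p "$1/templates"
    cat > "$1/templates/deployment.yaml" <<'EOF'
      containers:
        - name: cert-manager
          image: "172.16.7.199:80/quay.io/jetstack/cert-manager-controller:v0.12.0"
EOF
    cat > "$1/templates/webhook-deployment.yaml" <<'EOF'
      containers:
        - name: cert-manager
          image: "quay.io/jetstack/cert-manager-webhook:v0.12.0"
EOF
}

# Real use on rancher1, before any kubectl apply:
#   find_external_images 172.16.7.199:80 ./cert-manager ./rancher
```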
<h2>2.6 Install cert-manager</h2>
<p>(Only when using Rancher's default self-signed certificate)</p>
<h3>2.6.1 Create a namespace for cert-manager</h3>
<pre><code class="language-bash">[rancher@rancher1 ~]$ kubectl create namespace cert-manager
namespace/cert-manager created</code></pre>
<h3>2.6.2 Create the cert-manager CRDs</h3>
<pre><code class="language-bash">kubectl apply -f cert-manager/cert-manager-crd.yaml</code></pre>
<p>Output:</p>
<pre><code class="language-bash">Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created</code></pre>
<h3>2.6.3 Start cert-manager</h3>
<pre><code class="language-bash">kubectl apply -R -f ./cert-manager</code></pre>
<p>Output:</p>
<pre><code class="language-bash">Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io unchanged
deployment.apps/cert-manager-cainjector created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created
Warning: rbac.authorization.k8s.io/v1beta1 Role is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 Role
role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
Warning: rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding
rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
serviceaccount/cert-manager-cainjector created
deployment.apps/cert-manager created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrole.rbac.authorization.k8s.io/cert-manager-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
role.rbac.authorization.k8s.io/cert-manager:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created
service/cert-manager created
serviceaccount/cert-manager created
deployment.apps/cert-manager-webhook created
Warning: admissionregistration.k8s.io/v1beta1 MutatingWebhookConfiguration is deprecated in v1.16+, unavailable in v1.22+; use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:webhook-requester created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:auth-delegator created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:webhook-authentication-reader created
service/cert-manager-webhook created
serviceaccount/cert-manager-webhook created
Warning: admissionregistration.k8s.io/v1beta1 ValidatingWebhookConfiguration is deprecated in v1.16+, unavailable in v1.22+; use admissionregistration.k8s.io/v1 ValidatingWebhookConfiguration
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created</code></pre>
<h3>2.6.7 Install Rancher</h3>
<pre><code class="language-bash">kubectl create namespace cattle-system
kubectl -n cattle-system apply -R -f ./rancher</code></pre>
<p>Output, including the error:</p>
<pre><code class="language-bash">clusterrolebinding.rbac.authorization.k8s.io/rancher created
deployment.apps/rancher created
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/rancher created
service/rancher created
serviceaccount/rancher created
Error from server (InternalError): error when creating "rancher/templates/issuer-rancher.yaml": Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s": dial tcp 10.43.17.204:443: connect: connection refused</code></pre>
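<p>The error above shows the API server failing to reach the cert-manager webhook while creating <code>issuer-rancher.yaml</code>. Assuming the cause is that the webhook started in step 2.6.3 was not yet serving (the page does not diagnose it), the following added example, not part of the original page, waits for the three cert-manager deployments and then retries the apply. The timeout, the retry count and the <code>KUBECTL</code> and <code>RETRY_DELAY</code> variables are assumptions.</p>

```bash
#!/bin/sh
# Added example (not from the original page). Deployment names and paths are
# the ones shown on this page; timeouts and retry counts are assumptions.
KUBECTL=${KUBECTL:-kubectl}
RETRY_DELAY=${RETRY_DELAY:-10}    # seconds between apply attempts

# Block until every cert-manager deployment from step 2.6.3 has rolled out.
wait_for_cert_manager() {
    for deploy in cert-manager cert-manager-cainjector cert-manager-webhook; do
        "$KUBECTL" -n cert-manager rollout status "deployment/$deploy" \
            --timeout="${1:-180s}" || {
            echo "deployment/$deploy is not ready; Rancher not applied" >&2
            return 1
        }
    done
}

# Apply the rendered Rancher manifests, retrying while the webhook is still
# refusing connections. kubectl apply is idempotent, so a retry is safe.
apply_rancher() {
    attempts=${1:-5}
    n=1
    while [ "$n" -le "$attempts" ]; do
        "$KUBECTL" -n cattle-system apply -R -f ./rancher && return 0
        echo "apply attempt $n/$attempts failed; retrying in ${RETRY_DELAY}s" >&2
        n=$((n + 1))
        sleep "$RETRY_DELAY"
    done
    return 1
}

# Gate the Rancher apply on cert-manager being ready.
install_rancher() {
    wait_for_cert_manager 180s && apply_rancher 5
}

# On rancher1, after "kubectl create namespace cattle-system":
#   install_rancher
```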