JG-mirror/Kubernetes/Rancher-Deployment
readme.md, last commit "Adding Ingress TLS notes to README", 2024-01-25 21:59:02 -07:00

Install Helm

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

This fetches an installer script from the internet and runs it with sudo (it installs into /usr/local/bin), so read it before running it. The script downloads the Helm release tarball and verifies its SHA-256 checksum against the published sum; it can also verify the release's GPG signature if you export VERIFY_SIGNATURES=true and have gpg installed. By default it installs the newest release; pass --version v3.x.y to pin a specific one so that re-running this step later does not silently move you to a different Helm.

Add Rancher Helm Repository

helm repo add rancher-latest https://releases.rancher.com/server-charts/latest
kubectl create namespace cattle-system

Install Cert-Manager

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.crds.yaml
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.13.2
kubectl get pods --namespace cert-manager

All three cert-manager pods (cert-manager, cainjector and webhook) should be Running before you install Rancher: the Rancher chart creates cert-manager resources, and those are rejected if the webhook is not answering yet.

Install Rancher

helm install rancher rancher-latest/rancher \
 --namespace cattle-system \
 --set hostname=rancher.my.org \
 --set bootstrapPassword=admin
kubectl -n cattle-system rollout status deploy/rancher
kubectl -n cattle-system get deploy rancher

bootstrapPassword is only used for the first login (the UI forces you to set the real admin password then), but it is stored unencrypted in the Helm release Secret in cattle-system and is visible to anyone who can run helm get values there, so use a throwaway random value rather than admin and never reuse a real credential. With the default ingress.tls.source=rancher the chart also creates an Ingress for the hostname and a self-signed CA and certificate through cert-manager, which is why cert-manager must be up first.

Expose Rancher via LoadBalancer

kubectl get svc -n cattle-system
kubectl expose deployment rancher --name=rancher-lb --port=443 --type=LoadBalancer -n cattle-system
kubectl get svc -n cattle-system

The second get svc should now show rancher-lb with an external IP next to the chart's own ClusterIP Service (rancher). This bypasses the Ingress entirely and talks to the Rancher pods on port 443 directly, so your browser will see the certificate the Rancher pods serve themselves and will warn about it; the Ingress route in the bonus section below is how to get a trusted certificate.

Go to Rancher GUI

Browse to https://rancher.my.org (or the LoadBalancer IP), log in with the bootstrap password and set a new admin password. Be patient: Rancher downloads and configures a number of pods in the background to support the UI, which can take 5-10 minutes, and the UI may be sluggish or partially broken until they are all running.

Bonus: Accessing Rancher through Ingress (Traefik)

Do you want that precious green lock in your URL bar? If you have Traefik (or another Kubernetes Ingress controller) deployed and a Let's Encrypt issuer configured in cert-manager, the Rancher Helm chart can configure an Ingress with TLS for you, routing to the rancher Kubernetes Service created by the Helm install (kubectl -n cattle-system get service). This can be configured retroactively after your initial helm install, but is a bit simpler to set up as part of the initial Rancher installation if you have the prerequisites in place. Note that this section assumes a certificate from a publicly trusted CA such as Let's Encrypt; a certificate signed by your own private CA additionally needs the chart's privateCA=true setting and the CA certificate in a tls-ca Secret, which is not covered here.

You first need to save the TLS certificate and key that you want Traefik to use for Rancher as a Kubernetes Secret called tls-rancher-ingress in the cattle-system namespace (a standard kubernetes.io/tls Secret with tls.crt and tls.key). You can create it manually, or let cert-manager issue the certificate and populate the Secret for you by applying (kubectl apply -f) a Certificate resource like the following:

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: rancher-my-org
  namespace: cattle-system
spec:
  commonName: rancher.my.org
  dnsNames:
    - rancher.my.org
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  secretName: tls-rancher-ingress

Issuance can take anywhere from a few minutes to 15-20 minutes (Let's Encrypt has to complete its HTTP-01 or DNS-01 challenge first), so sit tight. You'll know it is ready when the certificate's READY column shows True in the output of:

kubectl -n cattle-system get certificate rancher-my-org

You can also block on it with kubectl -n cattle-system wait --for=condition=Ready certificate/rancher-my-org --timeout=20m. If it stays False, kubectl describe the Certificate and then look at the CertificateRequest, Order and Challenge resources in the same namespace; the Challenge is where a failed DNS or HTTP validation is reported.

While you're waiting, make sure that your DNS record for rancher.my.org points to your Traefik deployment instead of the LoadBalancer IP from kube-vip. This can be a CNAME record using your Traefik FQDN, or an A record using the same IP address as Traefik. For an HTTP-01 challenge this has to be in place before the certificate can be issued at all, since Let's Encrypt validates by connecting to that name.

Once the certificate and DNS record are ready, you can run your Rancher installation with one extra value set to configure your Ingress provider to use your custom certificate:

helm install rancher rancher-latest/rancher \
  --namespace cattle-system \
  --set hostname=rancher.my.org \
  --set bootstrapPassword=admin \
  --set ingress.tls.source=secret

If you are doing this after already installing Rancher (with the default setting of ingress.tls.source=rancher), you can replace the self-generated tls-rancher-ingress Secret with your own certificate and then update your release. Two caveats. First, with ingress.tls.source=rancher the chart itself owns a cert-manager Certificate named tls-rancher-ingress, and cert-manager keeps reconciling the Secret from that Certificate until the upgrade removes it, so a manual overwrite done before the upgrade can be reverted; run the upgrade first and then apply your own Certificate (or Secret). Second, get your currently deployed chart version with helm ls -n cattle-system and pass it with --version so the upgrade does not unexpectedly move you to a newer Rancher, and carry over your other install-time values with --reuse-values or -f, since an upgrade that only sets the values shown here resets everything else to chart defaults. Use the same repository you installed from (rancher-latest above):

helm upgrade rancher rancher-latest/rancher \
  --namespace cattle-system \
  --reuse-values \
  --set hostname=rancher.my.org \
  --set ingress.tls.source=secret \
  --version <DEPLOYED_RANCHER_VERSION>
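The retroactive switch described above, scripted as an added example (this is not part of the repo's README or of Rancher's own tooling). It reads the deployed chart version from helm ls instead of having you type it, dumps the release's user-supplied values to a file and feeds them back in so nothing set at install time is lost, and only then flips ingress.tls.source. It assumes helm is on PATH, the release is named rancher in cattle-system and the chart came from the rancher-latest repository, as in the install commands earlier on this page; the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not the repo's own code: move an installed Rancher release to
# ingress.tls.source=secret while pinning the chart version and keeping values.
# Assumes: helm on PATH, release "rancher" in cattle-system, repo "rancher-latest".
set -eu

# chart_version_from_helm_ls JSON
# Extracts the chart version (e.g. "2.8.1" from chart "rancher-2.8.1") from the
# compact JSON that `helm ls -o json` prints. Prints nothing and returns 1 if
# no release named "rancher" is listed, so callers can bail out.
chart_version_from_helm_ls() {
  printf '%s' "$1" \
    | tr -d '\n' \
    | sed -n 's/.*"name":"rancher"[^}]*"chart":"rancher-\([0-9][^"]*\)".*/\1/p' \
    | grep .
}

# upgrade_in_place_to_secret_tls HOSTNAME
# Pins --version to what is already deployed and replays the release's own
# user-supplied values (-f) so the upgrade changes only the TLS source.
upgrade_in_place_to_secret_tls() {
  host="$1"
  ns=cattle-system
  json=$(helm ls -n "$ns" --filter '^rancher$' -o json)
  version=$(chart_version_from_helm_ls "$json") || {
    echo "no release named rancher in namespace $ns" >&2
    return 1
  }
  values=$(mktemp)
  # Without -f or --reuse-values, helm upgrade resets every value you do not
  # pass on the command line back to the chart default.
  helm get values rancher -n "$ns" -o yaml > "$values"
  echo "upgrading rancher in place at chart version $version" >&2
  helm upgrade rancher rancher-latest/rancher \
    --namespace "$ns" \
    --version "$version" \
    -f "$values" \
    --set hostname="$host" \
    --set ingress.tls.source=secret
  rm -f "$values"
  echo "done; now create your own tls-rancher-ingress Certificate/Secret" >&2
}
```

Run it as upgrade_in_place_to_secret_tls rancher.my.org after sourcing the file. It deliberately does not touch the tls-rancher-ingress Secret itself: once the upgrade has removed the chart-managed Certificate, apply your own Certificate resource (as shown earlier in this section) and the Ingress picks up the new Secret contents.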

Ingress TLS Troubleshooting

You can inspect the certificate stored in your tls-rancher-ingress Secret with:

kubectl -n cattle-system get secret tls-rancher-ingress -o jsonpath='{.data.tls\.crt}' | base64 --decode | openssl x509 -noout -text

Check that the Subject Alternative Name contains rancher.my.org, that the Issuer is Let's Encrypt rather than the chart's self-signed rancher CA, and that Not After is in the future. If those are right but the browser still shows a different certificate, Traefik is usually not the thing answering on that IP or name.
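The same checks as a script, added here as an example (it is not from the repo or from Rancher): it verifies that a certificate/key pair is valid for the Rancher hostname, is not expired or about to expire, and that the key actually belongs to the certificate, which is the usual mistake when a Secret is replaced by hand. It needs only openssl; the kubectl wrapper at the end pulls the pair out of the Secret the way the one-liner above does. The function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not the repo's own code: sanity-check the TLS material that
# lives (or will live) in the tls-rancher-ingress Secret.
# Assumes openssl is installed; kubectl is only needed for check_rancher_secret.
set -eu

# check_tls_material CERT_PEM KEY_PEM HOSTNAME
# Returns 0 only if HOSTNAME is in the certificate's subjectAltName, the
# certificate is valid for at least another 7 days, and KEY_PEM is the private
# key for CERT_PEM. Each failure is reported on stderr.
check_tls_material() {
  cert="$1"; key="$2"; host="$3"

  # 1. Browsers match on subjectAltName, not on CN: split the SAN list into
  #    one entry per line and require an exact "DNS:<host>" entry.
  san=$(openssl x509 -in "$cert" -noout -ext subjectAltName \
          | tail -n +2 | tr ',' '\n' | sed 's/^[[:space:]]*//')
  if ! printf '%s\n' "$san" | grep -qxF "DNS:${host}"; then
    echo "FAIL: ${host} not in subjectAltName (${san})" >&2
    return 1
  fi

  # 2. Not expired and not expiring within 7 days (604800 seconds).
  if ! openssl x509 -in "$cert" -noout -checkend 604800 >/dev/null; then
    echo "FAIL: certificate is expired or expires within 7 days" >&2
    return 1
  fi

  # 3. Key/cert mismatch: compare the public key embedded in the cert with
  #    the public key derived from the private key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: tls.key does not match tls.crt" >&2
    return 1
  fi

  echo "OK: certificate/key pair is valid for ${host}" >&2
  return 0
}

# check_rancher_secret HOSTNAME [NAMESPACE] [SECRET]
# Dumps tls.crt/tls.key from the Secret and runs the checks above.
check_rancher_secret() {
  host="$1"; ns="${2:-cattle-system}"; secret="${3:-tls-rancher-ingress}"
  tmp=$(mktemp -d)
  kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.tls\.crt}' \
    | base64 --decode > "$tmp/tls.crt"
  kubectl -n "$ns" get secret "$secret" -o jsonpath='{.data.tls\.key}' \
    | base64 --decode > "$tmp/tls.key"
  rc=0
  check_tls_material "$tmp/tls.crt" "$tmp/tls.key" "$host" || rc=$?
  rm -rf "$tmp"
  return $rc
}
```

Usage: source the file and run check_rancher_secret rancher.my.org; a non-zero exit plus the FAIL line tells you which of the three problems to fix before (or after) flipping ingress.tls.source=secret.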

If you previously had your rancher.my.org DNS record associated with your LoadBalancer IP, your browser may be caching that old record. You may need to clear your browser's DNS cache, use an Incognito/Private window, etc.

There are also helpful instructions covering a handful of situations in Rancher's documentation: