RKE安装k8s及部署高可用rancher之证书通过cert-manager

?1.安装rke和local集群

[root@nginx 2.5.8]# rke -v
rke version v1.5.1

?[root@nginx cert-manager]# rke up --config locale-cluster.ym
[root@nginx 2.5.8]# cat locale-cluster.yml 
nodes:
  - address: 192.168.1.65
    internal_address: 192.168.1.65
    hostname_override: 192.168.1.65
    labels: 
      app: rke-local-master
    user: wubo
    role: [controlplane, worker, etcd]
    ssh_key_path: /home/wubo/.ssh/id_rsa
    port: 22

services:
  etcd:
    extra_args:
      auto-compaction-retention: 240 #(单位小时)
      quota-backend-bytes: '6442450944'
    backup_config:
      enabled: true         # 设置true启用ETCD自动备份，设置false禁用；
      interval_hours: 12    # 快照创建间隔时间，不加此参数，默认5分钟；
      retention: 6          # etcd备份保留份数；
    snapshot: true
    creation: 6h
    retention: 24h

ingress:
  provider: nginx
#  extra_args:
#    default-ssl-certificate: "ingress-nginx/ingress-default-cert"
#  options:
#    use-forwarded-headers: "true"
#  #hostnetwork: true

cluster_name: local
ignore_docker_version: true
prefix_path: /opt/rke
#kubernetes_version: v1.13.5-rancher1-2 #rke 0.2.2 https://github.com/rancher/rke/releases/tag/v1.1.0
#kubernetes_version: v1.17.4-rancher1-3 #rke 1.1.0
#kubernetes_version: v1.17.4-rancher1-2 #rke 1.1.0
kubernetes_version: v1.20.10-rancher1-1 #rke 1.2.12
dns:
  provider: coredns
  upstreamnameservers:
    - 192.168.99.42
    - 114.114.114.114
network:
  plugin: calico
  mtu: 0
  options:
    flannel_backend_type: vxlan

private_registries:
  - url: harbor.jettech.com
    user: admin
    password: Harbor12345
    is_default: true
services:
  kube-api:
    service_node_port_range: 30000-32767
    always_pull_images: true
  kubelet:
    cluster_domain: jettech.com
    fail_swap_on: false

2.安装cert-manager证书管理

Install/Upgrade Rancher on a Kubernetes Cluster | Rancher

Release v1.13.3 · cert-manager/cert-manager · GitHub?

Rancher默认生成一个自签名CA，并用于cert-manager颁发访问Rancher服务器接口的证书。

因为rancher是 的默认选项，所以我们在运行命令时ingress.tls.source没有指定。ingress.tls.sourcehelm install

• 设置hostname为解析到您的负载均衡器的 DNS 记录。
• 设置replicas用于 Rancher 部署的副本数量。默认为 3；如果集群中的节点少于 3 个，则应相应减少。
• 要安装特定的 Rancher 版本，请使用该--version标志，例如：--version 2.3.6。
• 如果您要安装 alpha 版本，Helm 需要将该--devel选项添加到命令中。

wget https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.crds.yaml

[root@nginx cert-manager]# kubectl create -f cert-manager.yaml

[root@nginx cert]# watch kubectl get all -A

Every 2.0s: kubectl get all -A                                                                                                       Mon Jan 15 16:38:56 2024

NAMESPACE                 NAME                                           READY   STATUS      RESTARTS   AGE

cert-manager              pod/cert-manager-cainjector-55f4d8d98c-zjzb6   1/1     Running     0          42m
cert-manager              pod/cert-manager-df54459bf-bzs28               1/1     Running     0          42m
cert-manager              pod/cert-manager-webhook-789576979c-jv2sv	 1/1     Running     0          42m

?3.安装rancher集群

[root@nginx cert-manager]# helm install  rancher rancher-stable/rancher --namespace cattle-system --set hostname=jetto.jettech.com --set rancherImage=harbor.jettech.com/rancher/rancher --set rancherImageTag=v2.5.8 --set replicas=1 --set systemDefaultRegistry=harbor.jettech.com

4.nginx?

[root@nginx cert-manager]# cat ../../nginx/conf/nginx.conf
worker_processes 4;
worker_rlimit_nofile 40000;
events {
    worker_connections 8192;
}
 
stream {
    upstream rancher_servers_https {
        least_conn;
        server 192.168.1.65:443 max_fails=3 fail_timeout=5s;
    }
    server {
        listen     443;
        proxy_pass rancher_servers_https;
    }
}