miaoyun+Rancher+K8S Learning and Practice


05_Installing Rancher (Rancher High-Availability (HA) Cluster Deployment, Offline Installation)

<p>Installing Rancher</p>
<h1>1. Add the Helm repository</h1>
<h2>1.1 Add the Helm repository</h2>
<p>Use helm repo add to add the repository. Different URLs correspond to different Rancher versions; replace &lt;CHART_REPO&gt; in the command with latest, stable or alpha.</p>
<pre><code class="language-bash">[rancher@rancher1 ~]$ helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
"rancher-stable" has been added to your repositories</code></pre>
<h2>1.2 Fetch the latest Rancher chart</h2>
<p>Fetch the latest Rancher chart; the tgz file is downloaded to the local directory.</p>
<pre><code class="language-bash">[rancher@rancher1 ~]$ helm fetch rancher-stable/rancher</code></pre>
<h2>1.3 Copy the tgz file to the rancher user's home directory on rancher1</h2>
<p>Copy the tgz file (rancher-2.5.2.tgz) to the rancher user's home directory on rancher1 inside the internal network.</p>
<pre><code class="language-bash">[rancher@rancher1 ~]$ scp root@172.16.7.201:/home/rancher/rancher-2.5.2.tgz .</code></pre>
<h1>2. Use Rancher's default self-signed certificate</h1>
<p>To use Rancher's default self-signed certificate, fetch the latest cert-manager chart on a host with Internet access.</p>
<h2>2.1 Add the cert-manager repository</h2>
<p>On a system that can reach the Internet, add the cert-manager repository.</p>
<pre><code class="language-bash">helm repo add jetstack https://charts.jetstack.io
helm repo update</code></pre>
<h2>2.2 Fetch the latest cert-manager chart</h2>
<p>Fetch the latest cert-manager chart from the Helm chart repository.</p>
<pre><code class="language-bash">helm fetch jetstack/cert-manager --version v0.12.0</code></pre>
<p>Copy the resulting cert-manager-v0.12.0.tgz file to rancher1.</p>
<pre><code class="language-bash">[rancher@rancher1 ~]$ scp root@172.16.7.200:/home/rancher/cert-manager-v0.12.0.tgz .</code></pre>
<h2>2.3 Render the chart template</h2>
<p>Render the chart template with the options you want. Remember to set image.repository so that the chart's images are pulled from the private image registry. This produces a directory named cert-manager containing the relevant YAML.</p>
<pre><code class="language-bash">helm template cert-manager ./cert-manager-v0.12.0.tgz --output-dir . \
    --namespace cert-manager \
    --set image.repository=172.16.7.199:80/quay.io/jetstack/cert-manager-controller \
    --set webhook.image.repository=172.16.7.199:80/quay.io/jetstack/cert-manager-webhook \
    --set cainjector.image.repository=172.16.7.199:80/quay.io/jetstack/cert-manager-cainjector</code></pre>
<p>The output is as follows:</p>
<pre><code class="language-bash">WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/rancher/.kube/config
wrote ./cert-manager/templates/cainjector-serviceaccount.yaml
wrote ./cert-manager/templates/serviceaccount.yaml
wrote ./cert-manager/templates/webhook-serviceaccount.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/cainjector-rbac.yaml
wrote ./cert-manager/templates/rbac.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/service.yaml
wrote ./cert-manager/templates/webhook-service.yaml
wrote ./cert-manager/templates/cainjector-deployment.yaml
wrote ./cert-manager/templates/deployment.yaml
wrote ./cert-manager/templates/webhook-deployment.yaml
wrote ./cert-manager/templates/webhook-rbac.yaml
wrote ./cert-manager/templates/webhook-mutating-webhook.yaml
wrote ./cert-manager/templates/webhook-validating-webhook.yaml</code></pre>
<p>When it finishes, you have a cert-manager directory containing the relevant YAML files.</p>
<pre><code class="language-bash">[rancher@rancher1 ~]$ tree -L 3 cert-manager</code></pre>
<p>The output is as follows:</p>
<pre><code class="language-bash">cert-manager
└── templates
    ├── cainjector-deployment.yaml
    ├── cainjector-rbac.yaml
    ├── cainjector-serviceaccount.yaml
    ├── deployment.yaml
    ├── rbac.yaml
    ├── serviceaccount.yaml
    ├── service.yaml
    ├── webhook-deployment.yaml
    ├── webhook-mutating-webhook.yaml
    ├── webhook-rbac.yaml
    ├── webhook-serviceaccount.yaml
    ├── webhook-service.yaml
    └── webhook-validating-webhook.yaml</code></pre>
<h2>2.4 Download the CRD file required by cert-manager</h2>
<pre><code class="language-bash">curl -L -o cert-manager/cert-manager-crd.yaml https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml</code></pre>
<p>Note: the CRD file above can only be downloaded through a proxy, and the proxy route matters; not every route works. The content is as follows:</p>
<pre><code class="language-bash">See the backup file: cert-manager-crd.yaml</code></pre>
<h2>2.5 Render the Rancher template</h2>
<p>Render the Rancher template, declaring the options you have chosen. Use the reference table below to replace each placeholder. Rancher must be configured to use the private image registry whenever it provisions Kubernetes clusters or launches Rancher tools.</p>
<pre><code class="language-bash">helm template rancher ./rancher-2.5.2.tgz --output-dir . \
    --namespace cattle-system \
    --set hostname=rancher-slb.techzsun.com \
    --set certmanager.version=v0.12.0 \
    --set rancherImage=172.16.7.199:80/rancher/rancher \
    --set systemDefaultRegistry=172.16.7.199:80 \
    --set useBundledSystemChart=true</code></pre>
<p>The output is as follows:</p>
<pre><code class="language-bash">WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/rancher/.kube/config
wrote ./rancher/templates/serviceAccount.yaml
wrote ./rancher/templates/clusterRoleBinding.yaml
wrote ./rancher/templates/service.yaml
wrote ./rancher/templates/deployment.yaml
wrote ./rancher/templates/ingress.yaml
wrote ./rancher/templates/issuer-rancher.yaml</code></pre>
<h2>2.6 Install cert-manager</h2>
<p>(Only when using Rancher's default self-signed certificate)</p>
<h3>2.6.1 Create the namespace for cert-manager</h3>
<pre><code class="language-bash">[rancher@rancher1 ~]$ kubectl create namespace cert-manager
namespace/cert-manager created</code></pre>
<h3>2.6.2 Create the cert-manager CRDs</h3>
<pre><code class="language-bash">kubectl apply -f cert-manager/cert-manager-crd.yaml</code></pre>
<p>The output is as follows:</p>
<pre><code class="language-bash">Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io created
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io created</code></pre>
<h3>2.6.3 Start cert-manager</h3>
<pre><code class="language-bash">kubectl apply -R -f ./cert-manager</code></pre>
<p>The output is as follows:</p>
<pre><code class="language-bash">Warning: apiextensions.k8s.io/v1beta1 CustomResourceDefinition is deprecated in v1.16+, unavailable in v1.22+; use apiextensions.k8s.io/v1 CustomResourceDefinition
customresourcedefinition.apiextensions.k8s.io/certificaterequests.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/certificates.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/challenges.acme.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/clusterissuers.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/issuers.cert-manager.io unchanged
customresourcedefinition.apiextensions.k8s.io/orders.acme.cert-manager.io unchanged
deployment.apps/cert-manager-cainjector created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRole is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRole
clusterrole.rbac.authorization.k8s.io/cert-manager-cainjector created
Warning: rbac.authorization.k8s.io/v1beta1 ClusterRoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 ClusterRoleBinding
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-cainjector created
Warning: rbac.authorization.k8s.io/v1beta1 Role is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 Role
role.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
Warning: rbac.authorization.k8s.io/v1beta1 RoleBinding is deprecated in v1.17+, unavailable in v1.22+; use rbac.authorization.k8s.io/v1 RoleBinding
rolebinding.rbac.authorization.k8s.io/cert-manager-cainjector:leaderelection created
serviceaccount/cert-manager-cainjector created
deployment.apps/cert-manager created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrole.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
clusterrole.rbac.authorization.k8s.io/cert-manager-view created
clusterrole.rbac.authorization.k8s.io/cert-manager-edit created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-issuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-clusterissuers created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-certificates created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-orders created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-challenges created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-controller-ingress-shim created
role.rbac.authorization.k8s.io/cert-manager:leaderelection created
rolebinding.rbac.authorization.k8s.io/cert-manager:leaderelection created
service/cert-manager created
serviceaccount/cert-manager created
deployment.apps/cert-manager-webhook created
Warning: admissionregistration.k8s.io/v1beta1 MutatingWebhookConfiguration is deprecated in v1.16+, unavailable in v1.22+; use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
clusterrole.rbac.authorization.k8s.io/cert-manager-webhook:webhook-requester created
clusterrolebinding.rbac.authorization.k8s.io/cert-manager-webhook:auth-delegator created
rolebinding.rbac.authorization.k8s.io/cert-manager-webhook:webhook-authentication-reader created
service/cert-manager-webhook created
serviceaccount/cert-manager-webhook created
Warning: admissionregistration.k8s.io/v1beta1 ValidatingWebhookConfiguration is deprecated in v1.16+, unavailable in v1.22+; use admissionregistration.k8s.io/v1 ValidatingWebhookConfiguration
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created</code></pre>
<h3>2.6.7 Install Rancher</h3>
<pre><code class="language-bash">kubectl create namespace cattle-system
kubectl -n cattle-system apply -R -f ./rancher</code></pre>
<p>The output, including the error:</p>
<pre><code class="language-bash">clusterrolebinding.rbac.authorization.k8s.io/rancher created
deployment.apps/rancher created
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
ingress.extensions/rancher created
service/rancher created
serviceaccount/rancher created
Error from server (InternalError): error when creating "rancher/templates/issuer-rancher.yaml": Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post "https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s": dial tcp 10.43.17.204:443: connect: connection refused</code></pre>
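<p>Added example, not part of the original page or of the Rancher or cert-manager projects: a pre-apply gate for rancher1 covering three things visible above, namely the group-readable kubeconfig warning, the requirement in 2.3 and 2.5 that rendered images come from the private registry, and the webhook "connection refused" error in 2.6.7. It assumes that error arises because the Issuer was applied before the cert-manager-webhook Deployment was serving; the function names and the --apply flag are hypothetical.</p>

```bash
#!/usr/bin/env bash
# Added example: checks to run on rancher1 before `kubectl apply`.
# REGISTRY and the directory names are the values used on this page.
REGISTRY="${REGISTRY:-172.16.7.199:80}"

# Helm warned that the kubeconfig is group-readable; succeed only when the
# file grants no permissions to group or others.
kubeconfig_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print each image reference under directory $1 that does not start with
# "$2/" (the private registry). Exit status 1 if any is found.
foreign_images() {
  grep -rhE '^[[:space:]-]*image:' "$1" \
    | sed -E -e 's/^[[:space:]-]*image:[[:space:]]*//' \
             -e 's/[[:space:]]+#.*$//' -e "s/[\"']//g" -e 's/[[:space:]]*$//' \
    | sort -u \
    | awk -v p="$2/" 'index($0, p) != 1 { print; bad = 1 } END { exit bad + 0 }'
}

# Wait until the three cert-manager Deployments listed in the apply output
# have rolled out, so the admission webhook is serving before any Issuer
# is created (assumed cause of the error above). $1 = per-Deployment timeout.
wait_for_cert_manager() {
  for d in cert-manager cert-manager-cainjector cert-manager-webhook; do
    kubectl -n cert-manager rollout status "deployment/$d" \
      --timeout="${1:-180s}" || return 1
  done
}

# Gate the Rancher apply from step 2.6.7 on all three checks.
apply_rancher_gated() {
  kubeconfig_is_private "${KUBECONFIG:-$HOME/.kube/config}" || {
    echo "kubeconfig is group/world accessible; chmod 600 it" >&2; return 1; }
  for dir in ./cert-manager ./rancher; do
    foreign_images "$dir" "$REGISTRY" >&2 || {
      echo "images above in $dir are not served by $REGISTRY" >&2; return 1; }
  done
  wait_for_cert_manager 180s || return 1
  kubectl -n cattle-system apply -R -f ./rancher
}

# Runs only when invoked with the (hypothetical) --apply flag.
if [ "${1:-}" = "--apply" ]; then apply_rancher_gated; fi
```

<p>If the rollout wait times out, inspect the cert-manager-webhook pod before re-applying ./rancher; a pull failure against the private registry shows up there as well.</p>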
