Overview #
In this tutorial, I’m using a K3s Kubernetes cluster based on Debian 12 servers:
192.168.30.20 debian-01 # Master / Worker
192.168.30.21 debian-02 # Worker 2
192.168.30.22 debian-03 # Worker 3
Specific K3s Version #
Note: It was necessary to use an older Kubernetes version. With the latest version, the Rancher Helm deployment failed with the following error:
Error: INSTALLATION FAILED: chart requires kubeVersion: < 1.29.0-0 which is incompatible with Kubernetes v1.29.5
Available K3s versions: https://github.com/k3s-io/k3s/tags
# Install K3s with specific version
curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.28.10+k3s1 sh -
# Add Nodes with specific version
curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.28.10+k3s1 K3S_URL=https://192.168.30.20:6443 K3S_TOKEN=K1009dd351e6950251edc2cd6e1296a9a9a3465f8bccd371cbe0c6bb170e9edb79e::server:7cf7d21edc104d9eced1be5744a40081 sh -
Cert Manager #
Helm Repository #
# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io --force-update
# Update package index
helm repo update
Install Cert Manager #
Install Cert Manager with CustomResourceDefinitions (CRDs):
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.14.5 \
--set installCRDs=true
# Shell output:
NAME: cert-manager
LAST DEPLOYED: Sat Jun 1 15:21:17 2024
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.14.5 has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://cert-manager.io/docs/configuration/
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://cert-manager.io/docs/usage/ingress/
Verify the Installation #
# List pods
kubectl get pods --namespace cert-manager
# Shell output:
NAME READY STATUS RESTARTS AGE
cert-manager-796cbd6574-6xlg6 1/1 Running 0 31s
cert-manager-cainjector-9b74bc658-7skw7 1/1 Running 0 31s
cert-manager-webhook-7ddfd7c4bd-jg8nw 1/1 Running 0 31s
Kubernetes Rancher #
Helm Repository #
# Add the Rancher Helm repository
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
# Update package index
helm repo update
Optional: List available versions in the repository
# List Rancher versions available in the Helm repository
helm search repo rancher-stable/rancher --versions
# Shell output:
NAME CHART VERSION APP VERSION DESCRIPTION
rancher-stable/rancher 2.8.4 v2.8.4 Install Rancher Server to manage Kubernetes clu...
rancher-stable/rancher 2.8.3 v2.8.3 Install Rancher Server to manage Kubernetes clu...
rancher-stable/rancher 2.8.2 v2.8.2 Install Rancher Server to manage Kubernetes clu...
...
Rancher Namespace #
# Create the namespace for Rancher
kubectl create namespace cattle-system
Install Rancher #
With the option ingress.tls.source=rancher, Rancher generates its own CA certificate and uses that CA to sign the serving certificate.
# Install Rancher
helm install rancher rancher-stable/rancher \
--namespace cattle-system \
--set hostname=rancher.k8s-jkw.local \
--set bootstrapPassword=admin \
--set ingress.tls.source=rancher
# Shell output:
NAME: rancher
LAST DEPLOYED: Sat Jun 1 15:22:59 2024
NAMESPACE: cattle-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Rancher Server has been installed.
NOTE: Rancher may take several minutes to fully initialize. Please standby while Certificates are being issued, Containers are started and the Ingress rule comes up.
Check out our docs at https://rancher.com/docs/
If you provided your own bootstrap password during installation, browse to https://rancher.k8s-jkw.local to get started.
If this is the first time you installed Rancher, get started by running this command and clicking the URL it generates:
echo https://rancher.k8s-jkw.local/dashboard/?setup=$(kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{.data.bootstrapPassword|base64decode}}')
To get just the bootstrap password on its own, run:
kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{.data.bootstrapPassword|base64decode}}{{ "\n" }}'
Happy Containering!
Watch the Rollout Status #
# Check the rollout status
kubectl -n cattle-system rollout status deploy/rancher
# Shell output:
Waiting for deployment "rancher" rollout to finish: 2 of 3 updated replicas are available...
deployment "rancher" successfully rolled out
Verify the Rancher Resources #
# List Rancher resources
kubectl get all -n cattle-system
# Shell output:
NAME READY STATUS RESTARTS AGE
pod/rancher-95d5f798-7n5dk 1/1 Running 0 4m35s
pod/rancher-95d5f798-kxj9l 1/1 Running 0 4m35s
pod/rancher-95d5f798-hm6bq 1/1 Running 0 4m35s
pod/helm-operation-rpphf 0/2 Completed 0 2m9s
pod/helm-operation-vj8th 0/2 Completed 0 91s
pod/rancher-webhook-54fdc5bf58-kqvc9 1/1 Running 0 82s
pod/helm-operation-w5bqh 0/2 Completed 0 84s
pod/helm-operation-bt48b 0/2 Completed 0 53s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/rancher ClusterIP 10.43.45.204 <none> 80/TCP,443/TCP 4m35s
service/rancher-webhook ClusterIP 10.43.58.158 <none> 443/TCP 82s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/rancher 3/3 3 3 4m35s
deployment.apps/rancher-webhook 1/1 1 1 82s
NAME DESIRED CURRENT READY AGE
replicaset.apps/rancher-95d5f798 3 3 3 4m35s
replicaset.apps/rancher-webhook-54fdc5bf58 1 1 1 82s
Check Logs #
# List logs
kubectl logs -n cattle-system -l app=rancher --tail=50
Expose Rancher #
Port Forwarding: For Testing #
# Port Forwarding
kubectl -n cattle-system port-forward --address 0.0.0.0 service/rancher 8443:443
# Access Rancher
https://192.168.30.20:8443/
Ingress Resource #
An Ingress resource manages external access to the services in a cluster. An Ingress controller can route traffic to multiple services under different hostnames and paths from a single IP address. Unlike LoadBalancer services, an Ingress lets you define routing rules based on the request host or path.
# Create Ingress resource configuration
vi rancher-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rancher-ingress
  namespace: cattle-system
spec:
  rules:
  - host: rancher.k8s-jkw.local
    http:
      paths:
      - pathType: ImplementationSpecific
        path: "/"
        backend:
          service:
            name: rancher
            port:
              number: 80
# Deploy the Ingress resource for Rancher
kubectl apply -f rancher-ingress.yaml
Verify the Ingress Resource #
# Verify the ingress deployment
kubectl get ingress rancher-ingress -n cattle-system
# Shell output
NAME CLASS HOSTS ADDRESS PORTS AGE
rancher-ingress traefik rancher.k8s-jkw.local 192.168.30.20,192.168.30.21,192.168.30.22 80 2m39s
TLS Encryption / Root Certificate #
Export the Root CA Certificate #
kubectl get secrets -n cattle-system
# Shell output:
NAME TYPE DATA AGE
bootstrap-secret Opaque 1 15m
sh.helm.release.v1.rancher.v1 helm.sh/release.v1 1 15m
rancher-token-cqtqr kubernetes.io/service-account-token 3 14m
tls-rancher kubernetes.io/tls 2 13m
tls-rancher-internal-ca kubernetes.io/tls 2 13m
git-webhook-api-service-token-8mcnh kubernetes.io/service-account-token 3 13m
serving-cert kubernetes.io/tls 2 13m
tls-rancher-ingress kubernetes.io/tls 3 13m
helm-operation-2fqd8 Opaque 3 13m
pod-impersonation-helm-op-jbn7w-token kubernetes.io/service-account-token 3 13m
helm-operation-9xvtn Opaque 3 12m
pod-impersonation-helm-op-4x9z9-token kubernetes.io/service-account-token 3 12m
helm-operation-6dhlt Opaque 3 12m
pod-impersonation-helm-op-96qhn-token kubernetes.io/service-account-token 3 12m
cattle-webhook-ca kubernetes.io/tls 2 12m
cattle-webhook-tls kubernetes.io/tls 2 12m
tls-rancher-internal kubernetes.io/tls 2 13m
helm-operation-2nrjl Opaque 3 11m
pod-impersonation-helm-op-vpwjf-token kubernetes.io/service-account-token 3 11m
helm-operation-l6jfw Opaque 3 8m1s
pod-impersonation-helm-op-8spbb-token kubernetes.io/service-account-token 3 8m3s
sh.helm.release.v1.rancher-webhook.v1 helm.sh/release.v1 1 12m
sh.helm.release.v1.rancher-webhook.v2 helm.sh/release.v1 1 7m59s
# Extract the certificate into the file "rancher-ca.crt"
kubectl get secret tls-rancher-ingress -n cattle-system -o jsonpath='{.data.ca\.crt}' | base64 --decode > rancher-ca.crt
Copy the rancher-ca.crt certificate and import it into the Windows MMC Certificate Manager for the local computer.
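The same extraction done from the secret's JSON, plus the check a practitioner wants after the import: the thumbprint of the exported CA must match the one certlm.msc shows for the imported certificate. This is an added example, not part of the original tutorial; the secret JSON below is a constructed sample in the shape of `kubectl get secret tls-rancher-ingress -n cattle-system -o json`, with placeholder certificate bytes instead of a real Rancher certificate.

```python
import base64
import hashlib
import json
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

# Constructed sample of `kubectl get secret tls-rancher-ingress -n cattle-system -o json`;
# the certificate bodies are placeholder bytes ("abc"), not a real Rancher certificate.
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
    "metadata": {"name": "tls-rancher-ingress", "namespace": "cattle-system"},
    "data": {
        "ca.crt": base64.b64encode(f"{PEM_HEADER}\nYWJj\n-----END CERTIFICATE-----\n".encode()).decode(),
        "tls.crt": base64.b64encode(f"{PEM_HEADER}\nYWJj\n-----END CERTIFICATE-----\n".encode()).decode(),
        "tls.key": base64.b64encode(b"placeholder-key").decode(),
    },
})

def extract_pem(secret_json: str, key: str = "ca.crt") -> str:
    """Return the PEM certificate stored under `key` of a kubernetes.io/tls secret.

    Raises KeyError when the key is absent: only tls-rancher-ingress carries ca.crt
    (DATA 3 in the listing above); the other tls secrets hold just tls.crt and tls.key.
    """
    secret = json.loads(secret_json)
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError(f"unexpected secret type: {secret.get('type')!r}")
    data = secret.get("data") or {}
    if key not in data:
        raise KeyError(f"{secret['metadata']['name']} has no {key}; keys: {sorted(data)}")
    pem = base64.b64decode(data[key]).decode("ascii")
    if not pem.startswith(PEM_HEADER):
        raise ValueError(f"{key} does not contain a PEM certificate")
    return pem

def thumbprints(pem: str) -> dict:
    """Hex digests of the DER encoding; certlm.msc shows the SHA-1 one as 'Thumbprint'."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return {"sha1": hashlib.sha1(der).hexdigest(), "sha256": hashlib.sha256(der).hexdigest()}

if __name__ == "__main__":
    ca_pem = extract_pem(sys.stdin.read())
    with open("rancher-ca.crt", "w") as fh:  # same file name as the kubectl one-liner above
        fh.write(ca_pem)
    for algo, digest in thumbprints(ca_pem).items():
        print(f"{algo}: {digest}")
```

Run it as `kubectl get secret tls-rancher-ingress -n cattle-system -o json | python3 rancher_ca.py`; compare the printed sha1 value (case-insensitively, ignoring separators) with the Thumbprint field of the imported certificate in certlm.msc.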
Windows Certificate Manager #
Open the MMC Certificate Manager for local computer:
# Run
certlm.msc
Access Rancher #
# Access Rancher
https://rancher.k8s-jkw.local/
# Enter the Bootstrap Password
admin
# Set a new password
# Set the server URL
https://rancher.k8s-jkw.local
Links #
# Rancher Documentation
https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster
# Cert Manager Installation
https://cert-manager.io/docs/installation/helm/