
Rancher Kubernetes Management Platform: Cert Manager Helm Deployment, Rancher Helm Deployment with Rancher CA certificate, Export Root CA Certificate, Ingress Resource, Access Rancher with TLS Encryption


Overview

In this tutorial, I’m using a K3s Kubernetes cluster based on Debian 12 servers:

192.168.30.20 debian-01 # Master / Worker
192.168.30.21 debian-02 # Worker 2
192.168.30.22 debian-03 # Worker 3

Specific K3s Version

Note: It was necessary to use an older Kubernetes version; with the latest version I got the following error from the Rancher Helm deployment:

Error: INSTALLATION FAILED: chart requires kubeVersion: < 1.29.0-0 which is incompatible with Kubernetes v1.29.5

Available K3s versions: https://github.com/k3s-io/k3s/tags

# Install K3s with specific version
curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.28.10+k3s1 sh -

# Add Nodes with specific version
curl -sfL https://get.k3s.io | INSTALL_K3S_VERSION=v1.28.10+k3s1 K3S_URL=https://192.168.30.20:6443 K3S_TOKEN=K1009dd351e6950251edc2cd6e1296a9a9a3465f8bccd371cbe0c6bb170e9edb79e::server:7cf7d21edc104d9eced1be5744a40081 sh -

Cert Manager

Helm Repository

# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io --force-update

# Update package index
helm repo update

Install Cert Manager

Install Cert Manager with CustomResourceDefinitions (CRDs):

helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.14.5 \
  --set installCRDs=true
# Shell output:
NAME: cert-manager
LAST DEPLOYED: Sat Jun  1 15:21:17 2024
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.14.5 has been deployed successfully!

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in our documentation:

https://cert-manager.io/docs/configuration/

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:

https://cert-manager.io/docs/usage/ingress/

Verify the Installation

# List pods
kubectl get pods --namespace cert-manager

# Shell output:
NAME                                      READY   STATUS    RESTARTS   AGE
cert-manager-796cbd6574-6xlg6             1/1     Running   0          31s
cert-manager-cainjector-9b74bc658-7skw7   1/1     Running   0          31s
cert-manager-webhook-7ddfd7c4bd-jg8nw     1/1     Running   0          31s

Kubernetes Rancher

Helm Repository

# Add the Rancher Helm repository
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable

# Update package index
helm repo update

Optional: List available versions in the repository

# List Rancher versions available in the Helm repository
helm search repo rancher-stable/rancher --versions

# Shell output:
NAME                    CHART VERSION   APP VERSION     DESCRIPTION
rancher-stable/rancher  2.8.4           v2.8.4          Install Rancher Server to manage Kubernetes clu...
rancher-stable/rancher  2.8.3           v2.8.3          Install Rancher Server to manage Kubernetes clu...
rancher-stable/rancher  2.8.2           v2.8.2          Install Rancher Server to manage Kubernetes clu...
...

Rancher Namespace

# Create the namespace for Rancher
kubectl create namespace cattle-system

Install Rancher

With the option ingress.tls.source=rancher, Rancher generates its own CA certificate and uses that CA to sign the certificate served by the ingress.

# Install Rancher
helm install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname=rancher.k8s-jkw.local \
  --set bootstrapPassword=admin \
  --set ingress.tls.source=rancher
# Shell output:
NAME: rancher
LAST DEPLOYED: Sat Jun  1 15:22:59 2024
NAMESPACE: cattle-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Rancher Server has been installed.

NOTE: Rancher may take several minutes to fully initialize. Please standby while Certificates are being issued, Containers are started and the Ingress rule comes up.

Check out our docs at https://rancher.com/docs/

If you provided your own bootstrap password during installation, browse to https://rancher.k8s-jkw.local to get started.

If this is the first time you installed Rancher, get started by running this command and clicking the URL it generates:

echo https://rancher.k8s-jkw.local/dashboard/?setup=$(kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{.data.bootstrapPassword|base64decode}}')

To get just the bootstrap password on its own, run:

kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{.data.bootstrapPassword|base64decode}}{{ "\n" }}'

Happy Containering!

Watch the Rollout Status

# Check the rollout status
kubectl -n cattle-system rollout status deploy/rancher

# Shell output:
Waiting for deployment "rancher" rollout to finish: 2 of 3 updated replicas are available...
deployment "rancher" successfully rolled out

Verify the Rancher Resources

# List Rancher resources
kubectl get all -n cattle-system

# Shell output:
NAME                                   READY   STATUS      RESTARTS   AGE
pod/rancher-95d5f798-7n5dk             1/1     Running     0          4m35s
pod/rancher-95d5f798-kxj9l             1/1     Running     0          4m35s
pod/rancher-95d5f798-hm6bq             1/1     Running     0          4m35s
pod/helm-operation-rpphf               0/2     Completed   0          2m9s
pod/helm-operation-vj8th               0/2     Completed   0          91s
pod/rancher-webhook-54fdc5bf58-kqvc9   1/1     Running     0          82s
pod/helm-operation-w5bqh               0/2     Completed   0          84s
pod/helm-operation-bt48b               0/2     Completed   0          53s

NAME                      TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)          AGE
service/rancher           ClusterIP   10.43.45.204   <none>        80/TCP,443/TCP   4m35s
service/rancher-webhook   ClusterIP   10.43.58.158   <none>        443/TCP          82s

NAME                              READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/rancher           3/3     3            3           4m35s
deployment.apps/rancher-webhook   1/1     1            1           82s

NAME                                         DESIRED   CURRENT   READY   AGE
replicaset.apps/rancher-95d5f798             3         3         3       4m35s
replicaset.apps/rancher-webhook-54fdc5bf58   1         1         1       82s

Check Logs

# List logs
kubectl logs -n cattle-system -l app=rancher --tail=50

Expose Rancher

Port Forwarding: For Testing

# Port Forwarding
kubectl -n cattle-system port-forward --address 0.0.0.0 service/rancher 8443:443

# Access Rancher
https://192.168.30.20:8443/

Ingress Resource

An Ingress resource manages external access to the services in a cluster. An Ingress controller can route traffic to multiple services under different hostnames and paths from a single IP address. Unlike LoadBalancer services, an Ingress allows you to define routing rules based on the request host or path.

# Create Ingress resource configuration
vi rancher-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rancher-ingress
  namespace: cattle-system
spec:
  rules:
  - host: rancher.k8s-jkw.local
    http:
      paths:
      - pathType: ImplementationSpecific
        path: "/"
        backend:
          service:
            name: rancher
            port:
              number: 80
# Deploy the Ingress resource for Rancher
kubectl apply -f rancher-ingress.yaml

Verify the Ingress Resource

# Verify the ingress deployment
kubectl get ingress rancher-ingress -n cattle-system

# Shell output
NAME              CLASS     HOSTS                   ADDRESS                                     PORTS   AGE
rancher-ingress   traefik   rancher.k8s-jkw.local   192.168.30.20,192.168.30.21,192.168.30.22   80      2m39s

TLS Encryption / Root Certificate

Export the Root CA Certificate

# List the secrets in the cattle-system namespace
kubectl get secrets -n cattle-system

# Shell output:
NAME                                    TYPE                                  DATA   AGE
bootstrap-secret                        Opaque                                1      15m
sh.helm.release.v1.rancher.v1           helm.sh/release.v1                    1      15m
rancher-token-cqtqr                     kubernetes.io/service-account-token   3      14m
tls-rancher                             kubernetes.io/tls                     2      13m
tls-rancher-internal-ca                 kubernetes.io/tls                     2      13m
git-webhook-api-service-token-8mcnh     kubernetes.io/service-account-token   3      13m
serving-cert                            kubernetes.io/tls                     2      13m
tls-rancher-ingress                     kubernetes.io/tls                     3      13m
helm-operation-2fqd8                    Opaque                                3      13m
pod-impersonation-helm-op-jbn7w-token   kubernetes.io/service-account-token   3      13m
helm-operation-9xvtn                    Opaque                                3      12m
pod-impersonation-helm-op-4x9z9-token   kubernetes.io/service-account-token   3      12m
helm-operation-6dhlt                    Opaque                                3      12m
pod-impersonation-helm-op-96qhn-token   kubernetes.io/service-account-token   3      12m
cattle-webhook-ca                       kubernetes.io/tls                     2      12m
cattle-webhook-tls                      kubernetes.io/tls                     2      12m
tls-rancher-internal                    kubernetes.io/tls                     2      13m
helm-operation-2nrjl                    Opaque                                3      11m
pod-impersonation-helm-op-vpwjf-token   kubernetes.io/service-account-token   3      11m
helm-operation-l6jfw                    Opaque                                3      8m1s
pod-impersonation-helm-op-8spbb-token   kubernetes.io/service-account-token   3      8m3s
sh.helm.release.v1.rancher-webhook.v1   helm.sh/release.v1                    1      12m
sh.helm.release.v1.rancher-webhook.v2   helm.sh/release.v1                    1      7m59s

# Extract the CA certificate from the tls-rancher-ingress secret into the file "rancher-ca.crt"
kubectl get secret tls-rancher-ingress -n cattle-system -o jsonpath='{.data.ca\.crt}' | base64 --decode > rancher-ca.crt

Copy the rancher-ca.crt file to the Windows client and import it into the MMC Certificate Manager for the local computer.
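Before importing rancher-ca.crt into a trust store it is worth confirming that the exported certificate really is the CA that signed the certificate the ingress serves, and noting its fingerprint so it can be compared after the import. The following Go program is an added example, not part of the original tutorial and not Rancher's own code: it reads the JSON form of the secret (the output of `kubectl get secret tls-rancher-ingress -n cattle-system -o json`), decodes `ca.crt` and `tls.crt`, checks that `ca.crt` is a CA, that `tls.crt` chains to it and that it is valid for rancher.k8s-jkw.local, and returns the CA's SHA-256 fingerprint. So that it runs offline, `MakeTestSecret` builds a constructed stand-in secret with a freshly generated CA and leaf; the certificate names, the `wrongCA` switch and the `REDACTED` key placeholder are assumptions of this example, not values from the cluster.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Secret mirrors the fields of `kubectl get secret -o json` used here; the
// values under "data" are base64 encoded, exactly as kubectl prints them.
type Secret struct {
	Type string            `json:"type"`
	Data map[string]string `json:"data"`
}

// certFromSecret base64-decodes one data field and parses the PEM certificate in it.
func certFromSecret(s Secret, field string) (*x509.Certificate, error) {
	raw, err := base64.StdEncoding.DecodeString(s.Data[field])
	if err != nil {
		return nil, fmt.Errorf("%s: %w", field, err)
	}
	block, _ := pem.Decode(raw)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("%s: field missing or not a PEM certificate", field)
	}
	return x509.ParseCertificate(block.Bytes)
}

// VerifyRancherSecret checks that ca.crt is a CA, that tls.crt chains to it and
// that tls.crt is valid for hostname. On success it returns the SHA-256
// fingerprint of ca.crt (upper-case hex) for comparison with the imported CA.
func VerifyRancherSecret(secretJSON []byte, hostname string) (string, error) {
	var s Secret
	if err := json.Unmarshal(secretJSON, &s); err != nil {
		return "", err
	}
	if s.Type != "kubernetes.io/tls" {
		return "", fmt.Errorf("unexpected secret type %q", s.Type)
	}
	ca, err := certFromSecret(s, "ca.crt")
	if err != nil {
		return "", err
	}
	if !ca.IsCA {
		return "", fmt.Errorf("ca.crt is not a CA certificate")
	}
	leaf, err := certFromSecret(s, "tls.crt")
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname}); err != nil {
		return "", fmt.Errorf("tls.crt does not verify for %s: %w", hostname, err)
	}
	sum := sha256.Sum256(ca.Raw)
	return fmt.Sprintf("%X", sum[:]), nil
}

// makeCert issues a certificate from tmpl with a fresh P-256 key, signed by
// parent (self-signed when parent is nil). Used only for the constructed test data.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// MakeTestSecret builds a constructed stand-in for the tls-rancher-ingress secret:
// a self-signed CA plus a leaf for host signed by it. With wrongCA set, ca.crt is
// swapped for an unrelated CA, the "exported the wrong root" failure case.
func MakeTestSecret(host string, wrongCA bool) []byte {
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-rancher-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey := makeCert(caTmpl, nil, nil)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf, _ := makeCert(leafTmpl, ca, caKey)
	if wrongCA {
		ca, _ = makeCert(caTmpl, nil, nil)
	}
	b64PEM := func(c *x509.Certificate) string {
		return base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw}))
	}
	// tls.key holds the placeholder "REDACTED": the private key is not needed for this check.
	out, _ := json.Marshal(Secret{Type: "kubernetes.io/tls",
		Data: map[string]string{"ca.crt": b64PEM(ca), "tls.crt": b64PEM(leaf), "tls.key": "UkVEQUNURUQ="}})
	return out
}

func main() {
	host := "rancher.k8s-jkw.local" // on a live cluster the JSON comes from kubectl instead of MakeTestSecret
	fp, err := VerifyRancherSecret(MakeTestSecret(host, false), host)
	fmt.Println("CA SHA-256:", fp, "verify error:", err)
}
```

On the real cluster, pass the bytes of the kubectl JSON output to VerifyRancherSecret instead of the constructed secret. A failure means either the wrong secret was exported or the ingress is serving a certificate from a different issuer; in both cases importing the exported CA would not make a browser trust https://rancher.k8s-jkw.local, and the fingerprint check after the import is what tells you the trusted root is the one you intended.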

Windows Certificate Manager

Open the MMC Certificate Manager for local computer:

# Run
certlm.msc

Access Rancher

# Access Rancher
https://rancher.k8s-jkw.local/

# Enter the Bootstrap Password
admin

# Set a new password

# Set the server URL
https://rancher.k8s-jkw.local

Links

# Rancher Documentation
https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster

# Cert Manager Installation
https://cert-manager.io/docs/installation/helm/