rancher部署

Rancher 是为使用容器的公司打造的容器管理平台。
Rancher 简化了使用 Kubernetes 的流程，开发者可以随处运行 Kubernetes（Run Kubernetes Everywhere），满足 IT 需求规范，赋能 DevOps 团队。

• docker运行rancher

hubDocker (opens new window)

docker run -d --restart=unless-stopped --privileged --name rancher -p 2443:443 -v /opt/rancher:/var/lib/rancher rancher/rancher:v2.6.12

cd /opt
echo 'Asia/Shanghai' >> /etc/timezone

cat >docker-compose-rancher.yml<<EOF
version: '3'

services:
  rancher:
    restart: always
    container_name: rancher
    image: rancher/rancher:v2.6.12
    working_dir: /var/lib/rancher
    environment:
    - CATTLE_SYSTEM_DEFAULT_REGISTRY=docker.1ms.run
    volumes:
      - /etc/localtime:/etc/localtime
      - /etc/timezone:/etc/timezone
      - ./rancher:/var/lib/rancher
    ports:
      - "80:80"
      - "443:443"
    privileged: true
    #entrypoint: ["entrypoint.sh","--acme-domain","rancher.yfklife.cn"]

EOF

docker-compose -f docker-compose-rancher.yml up -d

• 使用nginx代理

upstream rancher{
	server 127.0.0.1:2443;
}
server
{
    server_name rancher.yfklife.cn;
    listen 80;
    listen 443 ssl;
	
    #client_max_body_size 0;
    #proxy_max_temp_file_size 0;
    ssl_certificate ssl/yfklife.crt;
    ssl_certificate_key ssl/yfklife.key;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_ciphers '!aNULL:!MD5:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-WITH-AES128-GCM-SHA256';

    location / {
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Accept-Encoding 'gzip';
        
        ##配置使wss协议生效
        proxy_http_version 1.1;    
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        
        client_max_body_size 2G;
        proxy_pass       https://rancher;
    }
}

rancher tls证书更新

• 证书过期，日志

证书存放路径：${path}/rancher/k3s/server/tls/

2023-01-09 03:26:36.268080 I | http: TLS handshake error from 127.0.0.1:43456: remote error: tls: bad certificate
2023/01/09 03:26:36 [INFO] Waiting for server to become available: Get https://127.0.0.1:6443/version?timeout=30s: x509: certificate h not yet valid

• 修复命令，

docker exec -it rancher bash #进入容器
kubectl --insecure-skip-tls-verify -n kube-system delete secrets k3s-serving
kubectl --insecure-skip-tls-verify delete secret serving-cert -n cattle-system
rm -f /var/lib/rancher/k3s/server/tls/dynamic-cert.json
curl --insecure -sfL https://127.0.0.1:6443/v3
exit #退出容器

#重启容器
docker restart rancher

使用自有证书

• rancher-docker-compose.yml

提前创建目录：./etc/ssl ,放置证书 pem/cert 和key

echo 'Asia/Shanghai' > /etc/timezone

version: '3'
services:
  rancher:
    restart: always
    container_name: rancher
    image: rancher/rancher:v2.6.12
    working_dir: /var/lib/rancher
    environment:
    - CATTLE_SYSTEM_DEFAULT_REGISTRY=docker.1ms.run
    volumes:
      - /etc/localtime:/etc/localtime
      - /etc/timezone:/etc/timezone
      - ./lib:/var/lib/rancher
      - ./etc/ssl/cert.pem:/etc/rancher/ssl/cert.pem
      - ./etc/ssl/cert.key:/etc/rancher/ssl/key.pem
    extra_hosts:
    - "rancher.yfklife.cn:127.0.0.1"
    ports:
      - "38082:80"
      - "8443:443"
    privileged: true
    entrypoint: ["entrypoint.sh","--no-cacerts"]
    #entrypoint: ["entrypoint.sh","--acme-domain","rancher.yfklife.cn"]

• 配置nginx

vi /etc/nginx/conf.d/rancher.conf

server
{
    listen 80;
    listen 443 ssl;
    server_name rancher.yfklife.cn;

    ssl_certificate         ssl/yfklife.cn.pem;
    ssl_certificate_key     ssl/yfklife.cn.key;
    ssl_session_timeout     10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!EXPORT56:!EXP;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    location ^~ /
    {
        proxy_pass https://127.0.0.1:8443/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}