一、背景
Rancher HA有多种部署方式:
- Helm HA安装,将Rancher部署在已有的Kubernetes集群中,Rancher将使用集群的etcd存储数据,并利用Kubernetes调度实现高可用性。
- RKE HA安装,使用RKE工具安装独立的Kubernetes集群,专门用于Rancher HA部署运行,RKE HA安装仅支持Rancher v2.0.8以及之前的版本,Rancher v2.0.8之后的版本使用helm安装Rancher。
本方案将基于已有的Kubernetes集群,利用Helm安装Rancher HA,并采用四层负载均衡方式。
![利用Helm部署高可用rancher集群]()
二、添加Chart仓库地址
使用helm repo add命令添加Rancher chart仓库地址
Rancher tag和Chart版本选择参考:https://www.cnrancher.com/docs/rancher/v2.x/cn/installation/server-tags/
#替换<CHART_REPO>为您要使用的Helm仓库分支(即latest或stable)。
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
三、使用自签名证书安装Rancher server
Rancher server设计默认需要开启SSL/TLS配置来保证安全,将ssl证书以Kubernetes Secret卷的形式传递给rancher server或Ingress Controller。首先创建证书密文,以便Rancher和Ingress Controller可以使用。
1、 生成自签名证书
#脚本
一键生成自签名证书脚本
#执行脚本生成证书
sh create_self-signed-cert.sh --ssl-domain=rancher.sumapay.com --ssl-trusted-ip=172.16.1.21,172.16.1.22 --ssl-size=2048 --ssl-date=3650
2、使用kubectl创建tls类型的secrets
#创建命名空间
[root@k8s-master03 ~]# kubectl create namespace cattle-system
namespace/rancher-system created
#服务证书和私钥密文
[root@k8s-master03 self_CA]# kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=./tls.crt --key=./tls.key
secret/tls-rancher-ingress created
#ca证书密文
[root@k8s-master03 self_CA]# kubectl -n cattle-system create secret generic tls-ca --from-file=cacerts.pem
secret/tls-ca created
3、安装rancher server
#使用helm安装rancher HA
[root@k8s-master03 ~]# helm install rancher-stable/rancher --name rancher2 --namespace cattle-system --set hostname=rancher.sumapay.com --set ingress.tls.source=secret --set privateCA=true
NAME: rancher2
LAST DEPLOYED: Fri Apr 26 14:03:51 2019
NAMESPACE: cattle-system
STATUS: DEPLOYED
RESOURCES:
==> v1/ClusterRoleBinding
NAME AGE
rancher2 0s
==> v1/Deployment
NAME READY UP-TO-DATE AVAILABLE AGE
rancher2 0/3 3 0 0s
==> v1/Pod(related)
NAME READY STATUS RESTARTS AGE
rancher-55c884bbf7-2xqpl 0/1 ContainerCreating 0 0s
rancher-55c884bbf7-bqvjh 0/1 ContainerCreating 0 0s
rancher-55c884bbf7-hhlvh 0/1 ContainerCreating 0 0s
==> v1/Service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
rancher2 ClusterIP 10.110.148.105 <none> 80/TCP 0s
==> v1/ServiceAccount
NAME SECRETS AGE
rancher2 1 0s
==> v1beta1/Ingress
NAME HOSTS ADDRESS PORTS AGE
rancher2 rancher.sumapay.com 80, 443 0s
NOTES:
Rancher Server has been installed.
NOTE: Rancher may take several minutes to fully initialize. Please standby while Certificates are being issued and Ingress comes up.
Check out our docs at https://rancher.com/docs/rancher/v2.x/en/
Browse to https://rancher.sumapay.com
Happy Containering!
#查看创建
[root@k8s-master03 ~]# kubectl get ns
NAME STATUS AGE
cattle-global-data Active 2d5h
cattle-system Active 2d5h
[root@k8s-master03 ~]# kubectl get ingress -n cattle-system
NAME HOSTS ADDRESS PORTS AGE
rancher2 rancher.sumapay.com 80, 443 57m
[root@k8s-master03 ~]# kubectl get service -n cattle-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
rancher2 ClusterIP 10.111.16.80 <none> 80/TCP 54m
[root@k8s-master03 ~]# kubectl get serviceaccount -n cattle-system
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
rancher2 ClusterIP 10.111.16.80 <none> 80/TCP 51m
[root@k8s-master03 ~]# kubectl get ClusterRoleBinding -n cattle-system -l app=rancher2 -o wide
NAME AGE ROLE USERS GROUPS SERVICEACCOUNTS
rancher2 58m ClusterRole/cluster-admin cattle-system/rancher2
[root@k8s-master03 ~]# kubectl get pods -n cattle-system
NAME READY STATUS RESTARTS AGE
cattle-cluster-agent-594b8f79bb-pgmdt 1/1 Running 5 2d2h
cattle-node-agent-lg44f 1/1 Running 0 2d2h
cattle-node-agent-zgdms 1/1 Running 5 2d2h
rancher2-9774897c-622sc 1/1 Running 0 50m
rancher2-9774897c-czxxx 1/1 Running 0 50m
rancher2-9774897c-sm2n5 1/1 Running 0 50m
[root@k8s-master03 ~]# kubectl get deployment -n cattle-system
NAME READY UP-TO-DATE AVAILABLE AGE
cattle-cluster-agent 1/1 1 1 2d4h
rancher2 3/3 3 3 55m
4、为Agent Pod添加主机别名(/etc/hosts)
如果你没有内部DNS服务器而是通过添加/etc/hosts主机别名的方式指定的Rancher server域名,那么不管通过哪种方式(自定义、导入、Host驱动等)创建K8S集群,K8S集群运行起来之后,因为cattle-cluster-agent Pod和cattle-node-agent无法通过DNS记录找到Rancher server,最终导致无法通信。
解决方法
可以通过给cattle-cluster-agent Pod和cattle-node-agent添加主机别名(/etc/hosts),让其可以正常通信(前提是IP地址可以互通)。
#cattle-cluster-agent pod
kubectl -n cattle-system \
patch deployments cattle-cluster-agent --patch '{
"spec": {
"template": {
"spec": {
"hostAliases": [
{
"hostnames":
[
"rancher.sumapay.com"
],
"ip": "四层负载均衡地址"
}
]
}
}
}
}'
#cattle-node-agent pod
kubectl -n cattle-system \
patch daemonsets cattle-node-agent --patch '{
"spec": {
"template": {
"spec": {
"hostAliases": [
{
"hostnames":
[
"rancher.sumapay.com"
],
"ip": "四层负载均衡地址"
}
]
}
}
}
}'
至此,rancher HA已部署完毕,由于不是NodePort形式,在没有部署ingress-controller情况下,我们还不能直接去访问rancher服务。
ingress-controller部署请参考traefik部署与使用。
参考:
https://www.cnrancher.com/docs/rancher/v2.x/cn/installation/ha-install/helm-rancher/tcp-l4/rancher-install/
