
@clemenko
Created April 30, 2024 11:05

Anyone Can install RKE2 and Rancher on a Node

  • RKE2 - Security focused Kubernetes
  • Rancher - Multi-Cluster Kubernetes Management
  • Longhorn - Unified storage layer

We will need a few tools for this guide; we will walk through how to install helm and kubectl along the way.

A longer version of this install: Can a 12 y/o install the Rancher Stack?

Prerequisites

The prerequisites are fairly simple. We need a Linux server with access to the internet and an ssh client to connect to it. The recommended size of the node is 8 cores and 16GB of memory with at least 100GB of storage.

name     ip             memory (MB)  cores  disk (GB)  os
rancher  142.93.189.52  16384        8      160        Rocky 9.3 x64

Rocky:

# Rocky instructions 
# stop the software firewall
systemctl disable --now firewalld

# install nfs, dm-crypt and iscsi tooling needed by Longhorn
yum install -y nfs-utils cryptsetup iscsi-initiator-utils

# enable iscsi for Longhorn
systemctl enable --now iscsid.service 

# update all the things
yum update -y

# clean up
yum clean all

Cool, let's move on to RKE2.

RKE2 Install

Curl all the things.

# On rancher1
curl -sfL https://get.rke2.io | INSTALL_RKE2_CHANNEL=v1.28 INSTALL_RKE2_TYPE=server sh - 

# start and enable for restarts - 
systemctl enable --now rke2-server.service

Perfect! Now we can start talking Kubernetes. We need to symlink the kubectl cli that RKE2 installs on rancher1.

# symlink all the things - kubectl
ln -s $(find /var/lib/rancher/rke2/data/ -name kubectl) /usr/local/bin/kubectl

# add kubectl conf with persistence, as per Duane
# single quotes so $PATH is expanded at login, not frozen into ~/.bashrc now
echo 'export KUBECONFIG=/etc/rancher/rke2/rke2.yaml PATH=$PATH:/usr/local/bin/:/var/lib/rancher/rke2/bin/' >> ~/.bashrc
source ~/.bashrc

# check node status
kubectl get node

Rancher Install

For Rancher we will need Helm. We are going to live on the edge! Here are the install docs for reference.

# on the server rancher1
# add helm
curl -#L https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash

# add needed helm charts
helm repo add rancher-latest https://releases.rancher.com/server-charts/latest
helm repo add jetstack https://charts.jetstack.io

Quick note about Rancher. Rancher needs jetstack/cert-manager to create the self-signed TLS certificates, so we install it together with its Custom Resource Definitions (CRDs). Please pay attention to the helm install for Rancher: the URL rancher.142.93.189.52.nip.io will need to be changed to fit your FQDN. Also notice I am setting the bootstrapPassword and replicas. This allows us to skip a step later. :D

# helm install jetstack
helm upgrade -i cert-manager jetstack/cert-manager -n cert-manager --create-namespace --set installCRDs=true

# helm install rancher
helm upgrade -i rancher rancher-latest/rancher --create-namespace --namespace cattle-system --set hostname=rancher.142.93.189.52.nip.io --set bootstrapPassword=bootStrapAllTheThings --set replicas=1

We can also run kubectl get pod -A to see if everything is running. Keep in mind it may take a minute or so for all the pods to come up. GUI time...
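
As an added example (not part of the gist), here is a small readiness check that wraps the kubectl get pod -A step so a script can wait for cert-manager and Rancher instead of eyeballing the output. It assumes kubectl is on PATH with KUBECONFIG set as in the RKE2 section; the sample pod lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the gist. Assumes kubectl + KUBECONFIG from the RKE2 section.

# Reads `kubectl get pod -A --no-headers` lines on stdin
# (NAMESPACE NAME READY STATUS RESTARTS AGE) and prints every pod that is
# not fully ready: STATUS other than Running/Completed/Succeeded, or a READY
# column a/b with a < b (e.g. 0/1). Exits 0 only when nothing was printed.
not_ready_pods() {
  awk '
    {
      ns = $1; name = $2; ready = $3; status = $4
      split(ready, r, "/")
      if (status == "Completed" || status == "Succeeded") next
      if (status != "Running" || r[1] + 0 < r[2] + 0) {
        printf "%s/%s %s %s\n", ns, name, ready, status
        bad++
      }
    }
    END { exit (bad > 0) }'
}

# Polls the cluster until every pod is ready or the timeout (seconds) elapses.
wait_for_pods() {
  timeout="${1:-600}"; interval=10; waited=0
  while [ "$waited" -lt "$timeout" ]; do
    if pods=$(kubectl get pod -A --no-headers) && [ -n "$pods" ]; then
      if pending=$(printf '%s\n' "$pods" | not_ready_pods); then
        echo "all pods ready after ${waited}s"
        return 0
      fi
      echo "still waiting (${waited}s):"
      echo "$pending"
    else
      echo "kubectl returned nothing or failed; retrying" >&2
    fi
    sleep "$interval"
    waited=$((waited + interval))
  done
  echo "timed out after ${timeout}s" >&2
  return 1
}

# Usage: sh wait-pods.sh wait [timeout-seconds]   (after the two helm installs)
#        sh wait-pods.sh check                     (one-shot listing)
case "${1:-}" in
  wait)  wait_for_pods "${2:-600}" ;;
  check) kubectl get pod -A --no-headers | not_ready_pods ;;
esac
```

Run it right after the Rancher helm install; a pod stuck in ContainerCreating or CrashLoopBackOff shows up by name, which is usually the fastest pointer to a missing CRD or a hostname typo in the helm command.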

Rancher GUI

Navigate to https://rancher.142.93.189.52.nip.io. The password is bootStrapAllTheThings.

Once past that you should see the following screen asking about the password. Remember the helm install? bootStrapAllTheThings is the password.

We need to validate the Server URL and accept the terms and conditions. And we are in!

Rancher Design

Let's take a second and talk about Rancher's multi-cluster design. Bottom line, Rancher can operate in a hub-and-spoke model: one k8s cluster for Rancher and then "downstream" clusters for all the workloads. Personally I prefer the decoupled model where there is only one cluster per Rancher install. This allows for continued manageability during network outages. For the purpose of this guide we concentrate on the single cluster deployment. There is good documentation on "importing" downstream clusters.

Longhorn

Longhorn Install

We are going to use the App Catalog built into Rancher to deploy Longhorn.

tada!

For more fun check out my list of other content and videos at https://rfed.io/links.

@willipl1972

My Rancher repos complain "SSL certificate problem: unable to get local issuer certificate". Installed on RHEL8. Looks like the only thing complaining is the SSL certificate problems for anything outside of the RKE2 cluster.

@clemenko
Author

clemenko commented Jul 3, 2024

Where are you seeing the error? Is it on the helm install of Rancher itself? Are you able to run kubectl get node?

@willipl1972

willipl1972 commented Jul 4, 2024

Within the Rancher GUI. Under Apps -- Repositories:
Update failure: git -C /var/lib/rancher-data/local-catalogs/v2/rancher-partner-charts/8f17acdce9bffd6e05a58a3798840e408c4ea71783381ecd2e9af30baad65974 fetch origin -- main error: exit status 128, detail: fatal: unable to access 'https://git.rancher.io/partner-charts/': SSL certificate problem: unable to get local issuer certificate

When it first loaded, I could see apps. But then it refreshed and they all turned red, with the above error for each repository.

Charts Link:
There are no charts available, have you added any repos?

git clone https://git.rancher.io/charts/. .... works on the rancher/rke2 host

Logs are full of this:
fatal: unable to access 'https://git.rancher.io/helm3-charts/': SSL certificate problem: unable to get local issuer certificate
Seems like a quick fix, but not sure how to fix the local issuer.

@clemenko
Author

clemenko commented Jul 4, 2024

AH. Do you have a proxy on your network? Feels like it. Check out https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/other-installation-methods/rancher-behind-an-http-proxy for setting both rke2 and rancher with proxy settings.

@willipl1972

We do have a transparent proxy. In order to get out to the internet we add our root CA cert to the anchors. Will I need to install this root CA cert into rke2 or rancher? Is there an easy how-to? I skimmed the docs and it looked a bit cumbersome, but if I have to, I have to.

@clemenko
Author

clemenko commented Jul 4, 2024

Yes. You will need to add the root CA to both. You will have to add it. Especially since your proxy is re-certing the connection.

@willipl1972

Here's what I did. Not sure if it was correct, but it worked.
kubectl -n cattle-system create secret generic tls-ca --from-file=ca.crt=./cacerts.pem

cacerts.pem is our RootCA cert used by our transparent proxy

Created a values file, values.yaml:

rancher:
  tls:
    caBundle: |
      -----BEGIN CERTIFICATE-----
      <<<>>>>>>>>>>>
      -----END CERTIFICATE-----

Re-ran helm with added options:
helm upgrade -i rancher rancher-latest/rancher --create-namespace --namespace cattle-system --set hostname=my.fqdn.net --set bootstrapPassword=bootStrapAllTheThings --set replicas=1 --set ingress.tls.source=secret --set privateCA=true -f ./values.yaml

Documentation makes it sound like as long as you have the cert added to the Linux anchors and have run update-ca-trust, rke2 should be fine.

@clemenko
Author

clemenko commented Jul 5, 2024

There is an additional value that needs to be set: --set additionalTrustedCAs=true

https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/helm-chart-options#additional-trusted-cas

This should fix it.
FYI proxies are the devil. ;)
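
Pulling the thread above together (the host-level anchors that willipl1972 used, the tls-ca secret, and the additionalTrustedCAs value from the last reply), here is an added example script that is not part of the gist or of Rancher's own tooling. It assumes a RHEL/Rocky host, kubectl with the KUBECONFIG from this guide, the secret names tls-ca (key ca.crt) and tls-ca-additional (key ca-additional.pem) that the linked helm chart options page documents for privateCA and additionalTrustedCAs, and a CA_FILE path that is a placeholder for your proxy's root CA. The bundle check refuses a file that is not a PEM certificate or that has a private key pasted in alongside it, which is the mistake that matters when the file is about to be trusted by every outbound connection.

```shell
#!/bin/sh
# Added example, not from the gist or from Rancher. Assumptions: RHEL/Rocky trust
# store path, Rancher chart secret names per its helm-chart-options docs, and
# CA_FILE as a placeholder for the transparent proxy's root CA bundle.
CA_FILE="${CA_FILE:-./cacerts.pem}"

# Sanity-check a PEM bundle read on stdin before trusting it:
# at least one CERTIFICATE block, BEGIN/END counts match, and no PRIVATE KEY
# block (a key pasted into a "CA bundle" would be copied into a cluster secret
# and onto the host trust store). Exit 0 when the bundle is acceptable.
pem_bundle_ok() {
  awk '
    /^-----BEGIN CERTIFICATE-----$/ { begins++ }
    /^-----END CERTIFICATE-----$/   { ends++ }
    /PRIVATE KEY-----/              { key = 1 }
    END { exit !(begins > 0 && begins == ends && !key) }'
}

# Host trust: what git, curl and the RKE2 binaries on the node consult.
# This is the "add to anchors + update-ca-trust" step from the thread.
install_host_ca() {
  pem_bundle_ok < "$CA_FILE" || { echo "refusing to install $CA_FILE" >&2; return 1; }
  install -m 0644 "$CA_FILE" /etc/pki/ca-trust/source/anchors/proxy-root-ca.pem
  update-ca-trust
  # services that were already running may only re-read the store after a restart
}

# Rancher trust: tls-ca is read when privateCA=true, tls-ca-additional when
# additionalTrustedCAs=true (used by Rancher's own outbound HTTPS/git calls,
# e.g. the chart repositories that were failing). Idempotent via dry-run + apply.
create_rancher_ca_secrets() {
  pem_bundle_ok < "$CA_FILE" || { echo "refusing to use $CA_FILE" >&2; return 1; }
  kubectl -n cattle-system create secret generic tls-ca \
    --from-file=ca.crt="$CA_FILE" --dry-run=client -o yaml | kubectl apply -f -
  kubectl -n cattle-system create secret generic tls-ca-additional \
    --from-file=ca-additional.pem="$CA_FILE" --dry-run=client -o yaml | kubectl apply -f -
}

# Usage: CA_FILE=./cacerts.pem sh proxy-ca.sh host      (on the node)
#        CA_FILE=./cacerts.pem sh proxy-ca.sh rancher   (before the helm upgrade
#        with --set privateCA=true --set additionalTrustedCAs=true)
case "${1:-}" in
  host)    install_host_ca ;;
  rancher) create_rancher_ca_secrets ;;
esac
```

After the secrets exist, re-run the helm upgrade from the thread with both privateCA=true and additionalTrustedCAs=true; the repository refresh errors in Apps -- Repositories are the quickest signal of whether Rancher itself now trusts the proxy's CA.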
