Install helm
curl http://rancher-mirror.cnrancher.com/helm/v3.5.4/helm-v3.5.4-linux-amd64.tar.gz | tar zx;
\cp -f linux-amd64/helm /usr/local/bin;
chmod u+x /usr/local/bin/helm;
Add the Rancher helm chart repository
helm repo add rancher-latest http://rancher-mirror.oss-cn-beijing.aliyuncs.com/server-charts/latest;
Download the Rancher chart
At the time of writing, the latest Rancher version is 2.5.8.
helm pull rancher-latest/rancher;
tar zxvf rancher-2.5.8.tgz;
cd rancher/templates;
Change the Rancher service to externalIPs mode
Change the service ports.
On a single node you can add externalIPs; otherwise use NodePort.
apiVersion: v1
kind: Service
metadata:
  name: {{ template "rancher.fullname" . }}
  labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
  ports:
  - port: 82
    targetPort: 80
    protocol: TCP
    name: http
  - port: 444
    targetPort: 444
    protocol: TCP
    name: https-internal
  selector:
    app: {{ template "rancher.fullname" . }}
  externalIPs:
  - xxx.xxx.xxx.xxx
Change the Rancher service to NodePort mode
Change the service ports.
For NodePort you only need to set a nodePort on the port-80 entry.
Pick the values of the port and nodePort fields yourself; they just must not conflict with anything else.
apiVersion: v1
kind: Service
metadata:
  name: {{ template "rancher.fullname" . }}
  labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
  ports:
  - port: 82
    targetPort: 80
    protocol: TCP
    name: http
    nodePort: 30100
  - port: 444
    targetPort: 444
    protocol: TCP
    name: https-internal
  selector:
    app: {{ template "rancher.fullname" . }}
Install Rancher
Go back to the rancher chart folder and install Rancher.
hostname is the domain name used to reach Rancher, rancherImage is the image mirror, tls=external enables external SSL termination (the proxy in front terminates TLS), and the chart's ingress is disabled.
helm install rancher rancher --namespace cattle-system --create-namespace \
  --set hostname=xxx.cn \
  --set rancherImage=registry.cn-hangzhou.aliyuncs.com/rancher/rancher \
  --set tls=external \
  --set ingress.enabled=false
Configure nginx
CentOS 8 can use TLS 1.3; it has to be enabled when nginx is compiled.
Rancher needs websocket support, HTTP/2 and a few HTTP headers.
I keep the keys in the conf folder, named like xxx.cn.pem, so I simply use $server_name.pem as the parameter.
map $http_upgrade $connection_upgrade {
    default Upgrade;
    ''      close;
}
server {
    listen 443 ssl http2 reuseport;
    server_name xxx.cn;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_certificate $server_name.pem;
    ssl_certificate_key $server_name.key;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://10.10.10.62:82;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # This allows the execute-shell window to remain open for up to 15 minutes. Without this parameter the default is 1 minute, after which it closes automatically.
        proxy_read_timeout 900s;
        proxy_buffering off;
    }
}
server {
    listen 80;
    server_name xxx.cn;
    return 301 https://$server_name$request_uri;
}
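The requirements above (HTTP/1.1 with the Upgrade/Connection pair for websockets, the X-Forwarded-* headers Rancher reads when tls=external, only TLS 1.2/1.3, and a long read timeout) can be checked mechanically before reloading nginx. The script below is an added example, not code from this post or from Rancher: it contains a small nginx config parser I wrote for this purpose and a lint function, run against a condensed copy of the vhost above; xxx.cn and 10.10.10.62 are the page's own placeholders.

```python
import re  # added example: lint an nginx vhost against Rancher's reverse-proxy requirements
# Tokens: comments, quoted strings, the { } ; delimiters, and bare words.
TOKEN = re.compile(r"""\s*(#[^\n]*|"[^"]*"|'[^']*'|[{};]|[^\s{};#]+)""")

def parse(text):
    # Minimal nginx config parser: nested (directive, args, children-or-None) triples.
    stack, cur = [[]], []  # stack[0] is the top level, stack[-1] the innermost open block
    for tok in (t for t in TOKEN.findall(text) if t[0] != "#"):
        if tok in ";{":  # a simple directive ends, or a block directive opens
            child = [] if tok == "{" else None
            stack[-1].append((cur[0], cur[1:], child)); cur = []
            if child is not None:
                stack.append(child)
        elif tok == "}":
            stack.pop()
        else:
            cur.append(tok.strip("'\""))
    return stack[0]

# Headers Rancher relies on behind an external TLS terminator (tls=external), plus the websocket pair.
REQUIRED = {"Host", "X-Forwarded-Proto", "X-Forwarded-Port", "X-Forwarded-For", "Upgrade", "Connection"}

def lint(text):
    # Return the problems found in every server block that terminates TLS.
    problems = []
    for name, _, body in parse(text):
        if name != "server" or not any(d[0] == "listen" and "ssl" in d[1] for d in body):
            continue
        legacy = {p for d in body if d[0] == "ssl_protocols" for p in d[1]} & {"SSLv3", "TLSv1", "TLSv1.1"}
        if legacy:
            problems.append("legacy TLS enabled: " + " ".join(sorted(legacy)))
        for lname, largs, lbody in body:
            if lname != "location" or largs != ["/"]:
                continue
            got = {d[1][0] for d in lbody if d[0] == "proxy_set_header"}
            problems += [f"missing proxy_set_header {h}" for h in sorted(REQUIRED - got)]
            if ("proxy_http_version", ["1.1"], None) not in lbody:
                problems.append("proxy_http_version 1.1 required for the websocket upgrade")
            if not any(d[0] == "proxy_read_timeout" for d in lbody):
                problems.append("proxy_read_timeout missing: exec shells drop after nginx's 60s default")
    return problems

# Constructed sample: this page's vhost condensed onto fewer lines (xxx.cn and 10.10.10.62 are its placeholders).
SAMPLE = """map $http_upgrade $connection_upgrade { default Upgrade; '' close; }
server {
  listen 443 ssl http2; server_name xxx.cn; ssl_protocols TLSv1.2 TLSv1.3;
  location / {
    proxy_pass http://10.10.10.62:82; proxy_http_version 1.1; proxy_read_timeout 900s; proxy_buffering off;
    proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade;
  }
}
server { listen 80; server_name xxx.cn; return 301 https://$server_name$request_uri; }"""
```

Because tls=external makes Rancher trust X-Forwarded-Proto from whatever reaches the backend, the plain-HTTP Service port (82, or NodePort 30100) should be reachable only from the nginx host; that network restriction is something the linter cannot verify.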