
SNIPPETS

DOWNLOAD KUBECONFIG FROM HA-SERVER BY CLUSTER NAME
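# GET CLUSTER ID
RANCHER_HOST=ui.rancher-mgmt.sthings-pve.labul.sva.de
CLUSTER_NAME=andre-dev
# Rancher API key (UI: Account & API Keys). Read it from the environment instead of pasting
# it into the script so it does not end up in shell history or in git.
BEARER_TOKEN="${BEARER_TOKEN:?export BEARER_TOKEN=token-xxxxx:... first}"
# `-k` was dropped: with TLS verification off the API key is sent to whoever answers for
# RANCHER_HOST. If the management server uses a private CA, pass `--cacert <ca.pem>` instead.
# `--fail` turns HTTP errors into a non-zero exit instead of piping an error page into jq.
CLUSTERID=$(curl -sS --fail "https://${RANCHER_HOST}/v3/clusters/?name=${CLUSTER_NAME}" \
  -H 'content-type: application/json' -H "Authorization: Bearer ${BEARER_TOKEN}" | jq -r '.data[0].id')
# jq prints the literal string "null" when no cluster matches; don't POST to /v3/clusters/null.
if [ -z "${CLUSTERID}" ] || [ "${CLUSTERID}" = "null" ]; then
  echo "no cluster named ${CLUSTER_NAME} found on ${RANCHER_HOST}" >&2
  exit 1
fi
echo "Cluster ID: ${CLUSTERID}"

# GET KUBECONFIG
# The returned kubeconfig carries the calling user's credentials for the downstream cluster —
# treat the output like a password (redirect to a 0600 file, do not paste into tickets).
curl -sS --fail -X POST -H "Authorization: Bearer ${BEARER_TOKEN}" \
  "https://${RANCHER_HOST}/v3/clusters/${CLUSTERID}?action=generateKubeconfig" | jq -r '.config'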
GITOPS: CREATORID ANNOTATION DOES NOT MATCH USER
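# WARNING: this removes Rancher's admission webhooks for the whole management cluster.
# The validating webhook is what enforces Rancher's own checks on the objects it manages,
# so treat this as a short-lived workaround only and confirm afterwards that the
# configurations are back (Rancher is expected to re-create them — verify with
# `kubectl get validatingwebhookconfigurations rancher.cattle.io`).
# Keep a copy so the objects can be restored by hand if they do not come back.
kubectl get mutatingwebhookconfigurations rancher.cattle.io -o yaml > rancher-mutating-webhook.bak.yaml
kubectl get validatingwebhookconfigurations rancher.cattle.io -o yaml > rancher-validating-webhook.bak.yaml
kubectl -n cattle-system get service webhook-service -o yaml > rancher-webhook-service.bak.yaml
kubectl delete mutatingwebhookconfigurations rancher.cattle.io
kubectl delete validatingwebhookconfigurations rancher.cattle.io
kubectl -n cattle-system delete service webhook-service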
LONGHORN S3 BACKUPS MINIO
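---
# Longhorn backup-target credentials for the MinIO (S3-compatible) endpoint.
# Values under `data:` are base64; only the endpoint is not sensitive.
# Never commit a filled-in copy of this manifest — keep it in a secret store / sealed secret.
apiVersion: v1
kind: Secret
metadata:
  name: s3-backup
  namespace: longhorn-system
type: Opaque
data:
  AWS_ACCESS_KEY_ID: <BASE64-SECRET>
  AWS_SECRET_ACCESS_KEY: <BASE64-SECRET>
  # presumably the PEM of the CA that signed the MinIO server certificate, so Longhorn can
  # verify TLS to a privately signed endpoint — confirm against the Longhorn backup docs
  AWS_CERT: <BASE64-SECRET>
  # base64("https://artifacts.gude.sthings-pve.labul.sva.de") — an https endpoint, no secret
  AWS_ENDPOINTS: aHR0cHM6Ly9hcnRpZmFjdHMuZ3VkZS5zdGhpbmdzLXB2ZS5sYWJ1bC5zdmEuZGU=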
LONGHORN INSTALL UPGRADE DELETE

Add repo to helm (if not already present)

# Register the upstream Longhorn chart repository (idempotent) and refresh the local index.
helm repo add longhorn https://charts.longhorn.io
helm repo update

Check longhorn versions

helm search repo --versions longhorn

Check values used for installation

# Show the installed release and the user-supplied values it was deployed with.
# Keep that output: an upgrade without -f/--reuse-values falls back to chart defaults.
helm ls -n longhorn-system
helm get values longhorn -n longhorn-system

Start longhorn upgrade

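# Export the currently applied values first: `helm upgrade` without -f/--reuse-values
# re-renders the chart with its defaults and silently drops every customisation.
# On a fresh install there is no release yet, so fall back to an empty values file.
helm get values longhorn -n longhorn-system -o yaml > longhorn-values.yaml 2>/dev/null \
  || echo '{}' > longhorn-values.yaml
# Pin the chart version (1.5.3 here) so the upgrade is reproducible.
helm upgrade --install longhorn longhorn/longhorn -n longhorn-system --create-namespace \
  --version 1.5.3 -f longhorn-values.yaml
# Follow the rollout; the longhorn-manager / instance-manager pods should return to Running.
kubectl get po -n longhorn-system --watch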

Portforward ui

kubectl port-forward services/longhorn-frontend 8080:http -n longhorn-system

Delete longhorn from cluster

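# DESTRUCTIVE: uninstalling Longhorn removes the storage layer; any Longhorn volumes still
# present (and their data) go with it. List them first and back up / migrate what matters.
kubectl get volumes.longhorn.io -n longhorn-system
# Longhorn requires this confirmation flag before it lets the uninstall proceed —
# it is the explicit "I understand the data is gone" acknowledgement.
kubectl -n longhorn-system patch -p '{"value": "true"}' --type=merge lhs deleting-confirmation-flag
helm uninstall longhorn -n longhorn-system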

CREATE VSPHERE CLUSTER W/ CLUSTER API

VSPHERE-CREDENTIALS
# Rancher cloud credential for the vSphere node driver. It lives in cattle-global-data so a
# provisioning Cluster can reference it as cattle-global-data:labda-vsphere.
apiVersion: v1
kind: Secret
metadata:
  name: labda-vsphere
  namespace: cattle-global-data
  annotations:
    field.cattle.io/description: "labda-vsphere"
    field.cattle.io/name: "labda-vsphere"
    # binds the credential to the vmwarevsphere node driver
    provisioning.cattle.io/driver: "vmwarevsphere"
  labels:
    cattle.io/creator: norman
type: Opaque
# stringData is clear text: never commit a filled-in copy of this file — apply it from a
# secret store / sealed secret. Use a dedicated vSphere service account with only the
# privileges the driver needs, not a personal or administrator login.
stringData:
  vmwarevspherecredentialConfig-password: "<passwort for vshere>"
  vmwarevspherecredentialConfig-username: "<user>"
  vmwarevspherecredentialConfig-vcenter: "<vshere ip>"
  vmwarevspherecredentialConfig-vcenterPort: "<vshere port>"
VMWAREVSPHERECONFIG
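---
# Machine template for the vSphere node driver. One object per machine pool AND per cluster —
# these cannot be shared between clusters (see the note below the Cluster manifest).
apiVersion: rke-machine-config.cattle.io/v1
kind: VmwarevsphereConfig
metadata:
  name: <your-maschine-pool-name>-<cluster-name>
  namespace: fleet-default
common:
  # the labda-vsphere credential Secret from cattle-global-data
  cloudCredentialSecretName: cattle-global-data:labda-vsphere
cloneFrom: /NetApp-HCI-Datacenter/vm/stuttgart-things/vm-templates/u22-rke2-ipi
cfgparam:
  - disk.enableUUID=TRUE
datacenter: /NetApp-HCI-Datacenter
datastoreCluster: /NetApp-HCI-Datacenter/datastore/DatastoreCluster
hostsystem: null
folder: /NetApp-HCI-Datacenter/vm/stuttgart-things/rancher-things
network:
  - /NetApp-HCI-Datacenter/host/NetApp-HCI-Cluster-01/10.100.135.44/tiab-prod
# sizing values are strings in this API — keep the quotes
cpuCount: "6"
diskSize: "20480"
memorySize: "6144"
creationType: template
sshPort: "22"
sshUser: docker
sshUserGroup: staff
tag: []
vappProperty: []
customAttribute: []
boot2dockerUrl: ""
contentLibrary: ""
vcenter: "10.100.135.50"
vcenterPort: "443"
vappTransport: null
vappIpallocationpolicy: null
vappIpprotocol: null
# user-data for the cloned VM: installs the lab CA into the system trust store.
# The CA is fetched from Vault over TLS that cannot be verified yet (chicken-and-egg), so the
# download is checked against a known sha256 before it is trusted — otherwise anyone on the
# network path could plant their own CA on every node. Fill in the digest of the expected PEM
# (`sha256sum` of a copy obtained once over a trusted channel).
cloudinit: |
  runcmd:
    - wget -O /tmp/labda-vsphere-ca.crt https://vault-vsphere.tiab.labda.sva.de:8200/v1/pki/ca/pem --no-check-certificate
    - echo "<EXPECTED-SHA256>  /tmp/labda-vsphere-ca.crt" | sha256sum -c - && install -m 0644 /tmp/labda-vsphere-ca.crt /usr/local/share/ca-certificates/labda-vsphere-ca.crt
    - update-ca-certificates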
CLUSTER
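---
# Rancher provisioning Cluster: one control-plane/etcd pool and one worker pool on vSphere,
# both backed by a VmwarevsphereConfig created for this cluster.
apiVersion: provisioning.cattle.io/v1
kind: Cluster
metadata:
  name: <clustername>
  namespace: fleet-default
  finalizers:
    - wrangler.cattle.io/provisioning-cluster-remove
spec:
  # pinned here; check it is still a supported (non-EOL) RKE2 release before creating a cluster
  kubernetesVersion: v1.25.9+rke2r1
  cloudCredentialSecretName: cattle-global-data:labda-vsphere
  localClusterAuthEndpoint: {}
  rkeConfig:
    chartValues:
      rke2-calico: {}
    etcd:
      snapshotRetention: 5
      # quoted: a cron spec is a string, do not let YAML guess
      snapshotScheduleCron: "0 */5 * * *"
    machineGlobalConfig:
      cni: calico
      disable:
        - rke2-ingress-nginx
        - rke2-metrics-server
      disable-kube-proxy: false
      etcd-expose-metrics: false
      # no CIS profile selected — the cluster is NOT hardened; set a cis profile for anything beyond a lab
      profile: null
    machineSelectorConfig:
      - config:
          # hardening opt-out: the kubelet will not enforce its sysctl defaults — review before production use
          protect-kernel-defaults: false
          cloud-provider-name: vsphere
    machinePools:
      - name: <your-master-machine-pool-name>-<cluster-name>
        quantity: 1
        displayName: <your-master-machine-pool-name>-<cluster-name>
        controlPlaneRole: true
        etcdRole: true
        workerRole: false
        machineConfigRef:
          kind: VmwarevsphereConfig
          name: <your-vmwarevsphereconfig-name>
        paused: false
      - name: <your-worker-machine-pool-name>-<cluster-name>
        quantity: 1
        displayName: <your-worker-machine-pool-name>-<cluster-name>
        controlPlaneRole: false
        etcdRole: false
        workerRole: true
        machineConfigRef:
          kind: VmwarevsphereConfig
          name: <your-vmwarevsphereconfig-name>
        paused: false
    registries: {}
    upgradeStrategy:
      controlPlaneConcurrency: 10%
      # timeout 0 presumably means "no drain timeout" — confirm against the Rancher docs
      controlPlaneDrainOptions:
        timeout: 0
      workerConcurrency: 10%
      workerDrainOptions:
        timeout: 0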

For programmatically creating clusters via REST API calls, every cluster you want to create needs its own, cluster-specific MachinePoolConfig and VmwarevsphereConfig in order to work properly. MachinePoolConfigs and VmwarevsphereConfigs cannot be shared cluster-wide as a global resource.

GENERAL

CLOUD-INIT

PACKAGES/CMD/ANSIBLE EXAMPLE

EXAMPLE CLOUD-INIT CONFIG
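#cloud-config
package_update: true
package_upgrade: true
packages:
  - git
  - curl
  - wget
resize_rootfs: true
growpart:
  mode: auto
  devices: ['/']
  ignore_growroot_disabled: false
# ansible-pull of the base-os playbook at first boot (runs as root via cloud-init).
# NOTE: the git roles below are installed unpinned from their default branch, so whatever is at
# HEAD of those repositories is executed on the node. Pin a tag/commit for anything beyond a lab.
ansible:
  package_name: ansible-core
  install_method: distro
  pull:
    url: "https://github.com/stuttgart-things/stuttgart-things.git"
    playbook_name: ansible/playbooks/base-os-cloudinit.yaml
  run_ansible:
    timeout: 5
  galaxy:
    actions:
      - ["ansible-galaxy", "collection", "install", "community.crypto"]
      - ["ansible-galaxy", "collection", "install", "community.general"]
      - ["ansible-galaxy", "collection", "install", "ansible.posix"]
      - ["ansible-galaxy", "install", "git+https://github.com/stuttgart-things/manage-filesystem.git"]
      - ["ansible-galaxy", "install", "git+https://github.com/stuttgart-things/install-configure-vault.git"]
      - ["ansible-galaxy", "install", "git+https://github.com/stuttgart-things/install-requirements.git"]
      - ["ansible-galaxy", "install", "git+https://github.com/stuttgart-things/download-install-binary.git"]
      # the two entries below had a leading space inside the URL argument, which breaks the install
      - ["ansible-galaxy", "install", "git+https://github.com/stuttgart-things/create-os-user.git"]
      - ["ansible-galaxy", "install", "git+https://github.com/stuttgart-things/create-send-webhook.git"]
# Lab CAs are fetched from Vault over TLS that cannot be verified yet, so each download is
# checked against a known sha256 before it goes into the trust store — otherwise anyone on
# the path could add a rogue CA to every node. Fill in the digests of the expected PEMs.
runcmd:
  - wget -O /tmp/labda-vsphere-ca.crt https://vault-vsphere.tiab.labda.sva.de:8200/v1/pki/ca/pem --no-check-certificate
  - echo "<SHA256-LABDA-VSPHERE-CA>  /tmp/labda-vsphere-ca.crt" | sha256sum -c - && install -m 0644 /tmp/labda-vsphere-ca.crt /usr/local/share/ca-certificates/labda-vsphere-ca.crt
  - wget -O /tmp/labul-vsphere-ca.crt https://vault-vsphere.labul.sva.de:8200/v1/pki/ca/pem --no-check-certificate
  - echo "<SHA256-LABUL-VSPHERE-CA>  /tmp/labul-vsphere-ca.crt" | sha256sum -c - && install -m 0644 /tmp/labul-vsphere-ca.crt /usr/local/share/ca-certificates/labul-vsphere-ca.crt
  - wget -O /tmp/labul-ca.crt https://vault.labul.sva.de:8200/v1/pki/ca/pem --no-check-certificate
  - echo "<SHA256-LABUL-CA>  /tmp/labul-ca.crt" | sha256sum -c - && install -m 0644 /tmp/labul-ca.crt /usr/local/share/ca-certificates/labul-ca.crt
  - wget -O /tmp/labda-ca.crt https://vault.tiab.labda.sva.de:8200/v1/pki/ca/pem --no-check-certificate
  - echo "<SHA256-LABDA-CA>  /tmp/labda-ca.crt" | sha256sum -c - && install -m 0644 /tmp/labda-ca.crt /usr/local/share/ca-certificates/labda-ca.crt
  - update-ca-certificates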

DEBUG CLOUD-INIT

DEBUG W/ SYSTEMD
# Exit status and log tail of the final cloud-init stage; status.json holds the per-stage result.
sudo systemctl status cloud-final.service
sudo cat /var/lib/cloud/data/status.json
KUBECONFIG
# Kubeconfig written by the rke2 server — full admin credentials for the cluster, normally
# root-only; do not copy it off the node for day-to-day use.
export KUBECONFIG=/etc/rancher/rke2/rke2.yaml
/var/lib/rancher/rke2/bin/kubectl get nodes
LIST CONTAINERS USING CTR
/var/lib/rancher/rke2/bin/ctr --address /run/k3s/containerd/containerd.sock --namespace k8s.io container ls
CRICTL
# crictl with the config rke2 ships (points at its containerd socket) …
export CRI_CONFIG_FILE=/var/lib/rancher/rke2/agent/etc/crictl.yaml
/var/lib/rancher/rke2/bin/crictl ps

# … or with the endpoint given explicitly; -a includes exited containers.
/var/lib/rancher/rke2/bin/crictl --runtime-endpoint unix:///run/k3s/containerd/containerd.sock ps -a
LOGGING
# Follow the rke2 server unit (use rke2-agent on worker nodes).
journalctl -f -u rke2-server
# Component logs on disk:
/var/lib/rancher/rke2/agent/containerd/containerd.log
/var/lib/rancher/rke2/agent/logs/kubelet.log

DEPLOY HA-SERVER (UPSTREAM)

INVENTORY FILE
# Ansible inventory: one initial control-plane node, optional additional masters.
# ansible_user needs passwordless sudo on the hosts (the playbook uses become).
cat << EOF > inventory
[initial_master_node]
hostname.<domain>
[additional_master_nodes]
# leave emptyfor singlenode cluster

[all:vars]
ansible_user=<USERNAME>
EOF
INSTALL REQUIREMENTS
# Galaxy requirements. The roles are fetched from git WITHOUT a `version:` pin, so every run
# installs whatever is on the default branch of those repositories and later executes it with
# become on the cluster nodes — pin a tag or commit for reproducible, reviewable installs.
# The collections below are pinned.
cat << EOF > requirements.yaml
roles:
- src: https://github.com/stuttgart-things/deploy-configure-rke.git
  scm: git
- src: https://github.com/stuttgart-things/configure-rke-node.git
  scm: git
- src: https://github.com/stuttgart-things/install-requirements.git
  scm: git
- src: https://github.com/stuttgart-things/install-configure-docker.git
  scm: git
- src: https://github.com/stuttgart-things/create-os-user.git
  scm: git
- src: https://github.com/stuttgart-things/download-install-binary.git
  scm: git

collections:
- name: community.crypto
  version: 2.15.1
- name: community.general
  version: 7.3.0
- name: ansible.posix
  version: 1.5.2
- name: kubernetes.core
  version: 2.4.0
EOF

ansible-galaxy install -r requirements.yaml -vv

DEPLOY RKE2 W/ PLAYBOOK

DEPLOY RKE2 /W PLAYBOOK
# Playbook wrapping the deploy-configure-rke role; runs with root privileges on every inventory host.
cat << EOF > deployRKE2.yaml
- hosts: all
  become: true

  pre_tasks:
    - name: Include vars
      ansible.builtin.include_vars: "{{ path_to_vars_file }}.yaml"
      when: path_to_vars_file is defined

  vars:
    rke_version: 2
    rke2_k8s_version: 1.26.9 # or less
    rke2_release_kind: rke2r1
    rke2_airgapped_installation: true
    disable_rke2_components:
      - rke2-ingress-nginx
      - rke-snapshot-controller
    cluster_setup: multinode #singlenode
    deploy_helm_charts: false

  roles:
    - role: deploy-configure-rke
EOF

ansible-playbook -i inventory deployRKE2.yaml

INSTALL METALLB /W HELM

INSTALL METALLB /W HELM
# MetalLB from the Bitnami chart. No --version is given, so each run installs whatever the
# repo currently serves — pin one for reproducible deployments.
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
helm upgrade --install metallb -n metallb-system --create-namespace bitnami/metallb

CREATE IPADDRESSPOOL

CREATE IPADDRESSPOOL
# MetalLB address pool: the IP range the load balancer may assign to Services.
kubectl apply -f - << EOF
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: ip-pool
  namespace: metallb-system
spec:
  addresses:
    - <ip-range-begin>-<ip-range-end>
EOF

CREATE L2ADVERTISEMENT

CREATE L2ADVERTISEMENT
# Announce the pool above via L2 (ARP/NDP) on the node network.
kubectl apply -f - << EOF
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: pool-advertisement
  namespace: metallb-system
spec:
  ipAddressPools:
    - ip-pool
EOF

DEPLOY INGRESSNGINX /W HELM

DEPLOY INGRESSNGINX
# ingress-nginx from the upstream chart; unpinned (no --version) — pin one for reproducible installs.
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm upgrade --install ingress-nginx -n ingress-nginx --create-namespace ingress-nginx/ingress-nginx

CREATE DNS ENTRY FOR IP ADDRESS

Depending on the infrastructure, create a DNS A-record for the ingress IP address; the Rancher hostname used in values.yaml (and in the certificate subject) must resolve to it.

CREATE SELFSIGNED-CERTS

INSTALL REQUIREMENTS
# Roles for certificate generation; same caveat as above — no `version:` pin, so the default
# branch of each repository is installed.
cat << EOF > requirements.yaml
roles:
- src: https://github.com/stuttgart-things/install-requirements.git
  scm: git
- src: https://github.com/stuttgart-things/generate-selfsigned-certs.git
  scm: git
EOF

ansible-galaxy install -r requirements.yaml
GENERATE SELFSIGNED-CERTS
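# INGRESS_HOSTNAME / INGRESS_DOMAIN must be exported: the heredoc is unquoted, so they are
# expanded when the playbook file is written. Fail early instead of producing an empty subject.
: "${INGRESS_HOSTNAME:?export INGRESS_HOSTNAME first}" "${INGRESS_DOMAIN:?export INGRESS_DOMAIN first}"
# The subject must match the `hostname` in the Rancher values file and the URL used to log in.
cat << EOF > selfsignedcerts.yaml
---
- hosts: localhost
  become: true

  vars:
    ssl_subject: rancher-things.${INGRESS_HOSTNAME}.${INGRESS_DOMAIN}
    ssl_ip: <ingress-ip>
    ca_subject: stuttgart-things
    # private key material lands here in clear text — remove /tmp/certs once the secrets exist
    certs_copy_target: "/tmp/certs/"
    trustbundle_name: cacerts.pem
    key_name: tls.key
    crt_name: tls.crt
    remote_src: true
    generate_certs: true
    install_public_certs: false

  roles:
    - generate-selfsigned-certs
EOF

# was `ansible-playbooks` (typo) — the binary is ansible-playbook
ansible-playbook -i inventory selfsignedcerts.yaml -vv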

OFFICIAL DOCUMENTATION

https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/resources/update-rancher-certificate

ADD NAMESPACE
kubectl create namespace cattle-system
DEPLOY CERTS IN CLUSTER
# Serving certificate + key for the Rancher ingress (tls.key is the private key: keep the file
# 0600 and delete /tmp/certs afterwards) and the CA bundle Rancher hands to agents.
kubectl -n cattle-system create secret tls tls-rancher-ingress \
  --cert=/tmp/certs/tls.crt \
  --key=/tmp/certs/tls.key
kubectl -n cattle-system create secret generic tls-ca \
  --from-file=/tmp/certs/cacerts.pem
APPLY CRDS
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.crds.yaml
ADD HELM REPOS FOR RANCHER INSTALLATION
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
CREATE VALUES FILE FOR RANCHER BOOTSTRAP INSTALLATION
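# Values for the Rancher bootstrap install. The heredoc is unquoted on purpose: BOOTSTRAP_PASSWORD,
# INGRESS_HOSTNAME and INGRESS_DOMAIN are expanded into the file.
cat << EOF > values.yaml
global:
  cattle:
    psp:
      enabled: false
# quoted so a password containing ':' or '#' cannot break the YAML. This file now holds the
# bootstrap password in clear text — chmod 600 it and delete it after the first login.
bootstrapPassword: "${BOOTSTRAP_PASSWORD}"
# must match the certificate subject and the login URL; the cert generated earlier in this
# document uses the subject rancher-things.<hostname>.<domain> — make sure both agree
hostname: ${INGRESS_HOSTNAME}.${INGRESS_DOMAIN}
# serve the tls-rancher-ingress / tls-ca secrets created above instead of letting the chart
# request its own certificate (the chart default) — the same settings the
# "RANCHER ADD CERTS w/ PRIVATE CA" section uses
ingress:
  enabled: true
  ingressClassName: nginx
  servicePort: 80
  tls:
    source: secret
privateCA: true
EOF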
INSTALL RANCHER /W HELM
# Install/upgrade Rancher, pinned to chart v2.7.9, with the values file written above.
helm upgrade --install rancher rancher-stable/rancher --version v2.7.9 \
  --values values.yaml -n cattle-system

TEST LOGIN /W BOOTSTRAP PASSWORD FROM VALUES.YAML

connect to rancher-things.${INGRESS_HOSTNAME}.${INGRESS_DOMAIN} in a browser and log in with the bootstrap password from values.yaml; set a new admin password immediately, since the initial one is stored in clear text in that file

RANCHER CREATE NEW DOWNSTREAM CLUSTER

COPY/INSTALL CA-CERTS ON DOWNSTREAM CLUSTER

copy the CA certificate (cacerts.pem from the certs generated above — tls.crt on its own is only the leaf certificate and generally not a usable trust anchor) to /usr/local/share/ca-certificates on the new host

update-ca-certificates
CREATE NEW DOWNSTREAM CLUSTER /W RANCHER

e.g. in Rancher Cluster Manager create a new cluster > copy the registration command from the web UI > execute it on the new host's CLI. The command embeds a registration token, so do not paste it into tickets or chats.

ADD ADDITIONAL CLUSTER NODE (TO HA SERVER)

GET TOKEN + CONFIG FROM MASTER NODE
# The token is the cluster join secret — anyone holding it can add nodes. Transfer it over a
# secure channel only and never paste it into tickets or chats.
cat /var/lib/rancher/rke2/token
cat /etc/rancher/rke2/config.yaml
CREATE DIRECTORY ON ADDITIONAL NODE
mkdir -p /etc/rancher/rke2
CREATE CONFIG YAML FOR CLUSTER
Add token to (copied) config
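cat << EOF > /etc/rancher/rke2/config.yaml
---
# quoted: a bare 644 is a YAML integer. 0644 makes the admin kubeconfig
# (/etc/rancher/rke2/rke2.yaml) readable by every local user — use "0600" unless
# non-root users on this node really need it.
write-kubeconfig-mode: "0644"
server: https://<master-ip-address>:9345
token: <token_from_master>
cni: <CNI> # e.g. canal
disable: # example
  - rke2-ingress-nginx
  - rke-snapshot-controller
EOF
# The file holds the cluster join token; keep it readable by root only.
chmod 0600 /etc/rancher/rke2/config.yaml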
SET ENV VARS
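# The version must match what the existing server(s) run. An explicit INSTALL_RKE2_VERSION is
# expected to take precedence over the channel — confirm in the install script.
export INSTALL_RKE2_VERSION=v1.28.2+rke2r1 #example - check version/github
export INSTALL_RKE2_CHANNEL_URL=https://update.rke2.io/v1-release/channels #example
export INSTALL_RKE2_CHANNEL=stable #example
export INSTALL_RKE2_METHOD=tar #example

# Do not pipe a remote script straight into sh on a cluster node: fetch it to disk, read it,
# then run it. -f keeps an HTTP error page from being executed as shell.
curl -sfL https://get.rke2.io -o /tmp/install-rke2.sh
less /tmp/install-rke2.sh
sh /tmp/install-rke2.sh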
ENABLE SERVICE
systemctl enable --now rke2-server.service
RANCHER ADD CERTS w/ PRIVATE CA

rancher-certificate

CREATE
# Serving cert/key for the Rancher ingress and the private CA bundle; run from the directory
# holding the files. tls.key is the private key — keep it 0600 and off shared storage.
kubectl -n cattle-system create secret tls tls-rancher-ingress \
--cert=tls.crt \
--key=tls.key

kubectl -n cattle-system create secret generic tls-ca \
--from-file=cacerts.pem
HELM VALUES
#..
# serve the tls-rancher-ingress secret instead of a chart-issued certificate
ingress:
  tls:
    source: secret
# the cert is signed by a private CA: Rancher distributes tls-ca to agents
privateCA: true
UPDATE/UPGRADE CERTS
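# Rotate the certificates in place. A plain `kubectl create` fails with AlreadyExists on an
# existing secret, so render the manifest client-side and apply it instead.
# --dry-run=client replaces the deprecated bare --dry-run.
kubectl -n cattle-system create secret tls tls-rancher-ingress \
--cert=tls.crt \
--key=tls.key \
--dry-run=client --save-config -o yaml | kubectl apply -f -

kubectl -n cattle-system create secret generic tls-ca \
--from-file=cacerts.pem \
--dry-run=client --save-config -o yaml | kubectl apply -f -

# Running pods do not pick up the changed secrets on their own; restart Rancher.
kubectl rollout restart deploy/rancher -n cattle-system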