Rancher starts by default with its own self-signed certificate. That certificate is valid for only one year; once it expires it can no longer be used and you have to supply your own certificate. Many people overlook this small detail while running Rancher.
The certificate details after the Rancher deployment are shown below:

1 The Rancher environment currently running:
rancher-master: 192.168.104.111
node-1: 192.168.104.117
node-2: 192.168.104.124
centos7:
4 CPU, 8 GB RAM, 100 GB disk
[root@master ssl]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
Rancher cluster installed with Docker:
Note:
A Enable IP forwarding on CentOS 7;
B Set the hostname on CentOS 7 and disable the firewall and SELinux (a lab shortcut; on a production host open only the ports Rancher documents instead of disabling the firewall);
C Install the latest Docker and configure a registry mirror (Huawei Cloud or Alibaba Cloud), otherwise the nodes cannot register with the master;
2 Preparation before the switch: this is the method the official docs provide. On my side I did not follow this procedure and could not get it to run; if anyone has done the test below, feel free to get in touch with me.
Because the new certificate is issued for the domain name rather than the IP address, after it is replaced the Rancher Agent has to reconnect to Rancher Server through that domain name, and the downstream (business) cluster will be unable to connect in the meantime. So download the downstream cluster's kubeconfig from the Rancher UI in advance and switch the context to demo-rancher-demo2. After the switch you can reach the k8s api-server directly, without going through the Rancher API.
# kubectl config get-contexts
CURRENT   NAME                 CLUSTER              AUTHINFO   NAMESPACE
*         demo                 demo                 demo
          demo-rancher-demo2   demo-rancher-demo2   demo
# kubectl config use-context demo-rancher-demo2
Switched to context "demo-rancher-demo2".
# kubectl config current-context
demo-rancher-demo2
# kubectl get nodes
NAME            STATUS   ROLES                      AGE   VERSION
rancher-demo2   Ready    controlplane,etcd,worker   58m   v1.19.6
3 Replacing the Rancher Server certificate. The official recommendation is a Let's Encrypt certificate; the official docs describe how to request one in detail, so that is not repeated here.
Let's Encrypt is a certificate authority launched in the third quarter of 2015. It aims to remove the complexity of manually creating and installing certificates through an automated process, and to make encrypted connections to web servers ubiquitous by providing free TLS certificates for secure websites.
- Back up the Docker-installed Rancher Server
# docker ps
CONTAINER ID   IMAGE             COMMAND           CREATED       STATUS       PORTS                                         NAMES
b0e3062667a2   rancher/rancher   "entrypoint.sh"   2 hours ago   Up 2 hours   0.0.0.0:8081->80/tcp, 0.0.0.0:4443->443/tcp   rancher-master
# docker stop rancher-master
rancher-master
# docker create --volumes-from rancher-master --name rancher-data rancher/rancher
e265b3939d8c46e090f527bce7c82561a2982a64754aa307c05e47ab4f989d7c
- Start Rancher Server from the backup with the custom certificate
docker run -d --privileged --volumes-from rancher-data \
--name rancher-master --restart=unless-stopped \
-p 80:80 -p 443:443 \
-v /opt/rancher/ssl/cert.pem:/etc/rancher/ssl/cert.pem \
-v /opt/rancher/ssl/key.pem:/etc/rancher/ssl/key.pem \
-v /opt/rancher/ssl/ca.pem:/etc/rancher/ssl/cacerts.pem \
rancher/rancher:v2.5.9
Note:
- If all you need is to replace the certificate, do not change the version tag of the Rancher Server image; keep it identical to the previous one, in this example:
rancher/rancher:v2.5.9, otherwise an upgrade will be performed.
- The command above is the variant for a certificate signed by a private CA, which is why ca.pem is mounted as cacerts.pem. For a certificate from a publicly trusted CA such as Let's Encrypt, the Rancher docs drop the cacerts.pem mount and add --no-cacerts after the image name instead; cert.pem must then contain the full chain (server certificate followed by the intermediates).
Operation record
[root@master ~]# cd testrancher.yssdata.net
[root@master testrancher.yssdata.net]# ls
cert1.pem chain1.pem fullchain1.pem privkey1.pem
[root@master testrancher.yssdata.net]# mv * /opt/rancher/ssl/
[root@master testrancher.yssdata.net]# cd ../
[root@master ~]# ls
anaconda-ks.cfg testrancher.yssdata.net testrancher.yssdata.net.tar.gz
[root@master ~]# rm -rf testrancher.yssdata.net
[root@master ~]# cd /opt/rancher/ssl/
[root@master ssl]# ls
cert1.pem chain1.pem fullchain1.pem privkey1.pem
[root@master ssl]# cp cert1.pem cert.pem
[root@master ssl]# cp privkey1.pem key.pem
[root@master ssl]# cp fullchain1.pem cacerts.pem
Note on the file mapping: cert1.pem is the leaf certificate only, while Rancher expects cert.pem to carry the full chain (leaf followed by the intermediates), so fullchain1.pem is the correct source for cert.pem; cacerts.pem is meant for a private CA and is not needed with a Let's Encrypt certificate. Also keep key.pem readable by root only (cp does not preserve certbot's 0600 mode), since anyone who can read it can impersonate the Rancher server.
[root@master ssl]# docker stop rancher-master
rancher-master
[root@master ssl]# docker create --volumes-from rancher-master --name rancher-data rancher/rancher
e265b3939d8c46e090f527bce7c82561a2982a64754aa307c05e47ab4f989d7c
Restart rancher-master:
docker run -d --privileged --volumes-from rancher-data \
--name rancher-master \
--restart=unless-stopped \
-p 8081:80 -p 4443:443 \
-v /opt/rancher/ssl/cert.pem:/etc/rancher/ssl/cert.pem \
-v /opt/rancher/ssl/key.pem:/etc/rancher/ssl/key.pem \
-v /opt/rancher/ssl/cacerts.pem:/etc/rancher/ssl/cacerts.pem \
--privileged \
rancher/rancher:v2.5.9
After the certificate update, browser access looks like this:

The suny cluster is in the unavailable state;
A Fix the problem inside the cluster:
1 Go to Settings -> Advanced Settings and change server-url to the domain name you defined, in this example testrancher.yssdata.net. Because Rancher is published on port 4443 here, the value must include the port (https://testrancher.yssdata.net:4443); the agents take the address they connect to from this setting.
Confirm that the Rancher access address is correct;

2 Create a new user in Rancher, then create an API token in the Rancher UI (User -> API & Keys) and save the Bearer Token. The token is a full-strength credential for that user: do not share it, and delete it under API & Keys once the repair is finished.

3 Enter the rancher-master container to perform the repair:
The rancher-master container needs the curl and jq commands. curl is already present in the container; jq has to be installed separately with: apt-get install jq -y
Command breakdown:
# Rancher URL: the access address of rancher-master
RANCHERURL="https://testrancher.yssdata.net:4443"
# Cluster ID: the ID rancher-master uses for the downstream cluster, visible in the browser address bar in the screenshot below
CLUSTERID="c-kcgm5"
# Token: the Bearer Token saved when the new API key was created
TOKEN="token-qq5d9:tqgfsh66lcv2vj8j7tknn9j46drv9dc7gb2hbbrdlx2n7lq6fz9l79"
# Valid certificates
curl -s -H "Authorization: Bearer ${TOKEN}" "${RANCHERURL}/v3/clusterregistrationtokens?clusterId=${CLUSTERID}" | jq -r '.data[] | select(.name != "system") | .command'
# Self signed certificates
curl -s -k -H "Authorization: Bearer ${TOKEN}" "${RANCHERURL}/v3/clusterregistrationtokens?clusterId=${CLUSTERID}" | jq -r '.data[] | select(.name != "system") | .insecureCommand'
# The last command prints a registration command; run that command and the cluster repairs itself. The repair takes about 20 minutes.
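The same repair step as a script, added here as an example that is neither from the post nor from Rancher. It reads the Bearer Token from a mode-0600 file and hands it to curl through a config on stdin, so the token never appears on the command line, in shell history or in ps output; it selects the non-system registration token with the post's own jq filter, treats an empty .command (what the post's first call printed) as a failure rather than silently doing nothing, runs the returned command, and waits for the cattle-cluster-agent rollout instead of a fixed 20 minutes. It assumes curl, jq and kubectl as in the post; the token file path is an assumption, and the RANCHERURL and CLUSTERID in the usage are the post's values.

```shell
#!/bin/sh
# Added example, not from the original post. Re-register a downstream cluster after
# the Rancher certificate change without exposing the API token. Assumes curl, jq, kubectl.

# pick_registration_command RESPONSE_JSON FIELD
# Same selection as the post's jq filter: the token whose name is not "system".
# FIELD is "command" (publicly trusted certificate) or "insecureCommand".
pick_registration_command() {
    jq -r --arg f "$2" '.data[] | select(.name != "system") | .[$f]' "$1"
}

# reregister_cluster RANCHERURL CLUSTERID TOKENFILE [insecure]
# TOKENFILE holds the Bearer Token and must be mode 0600 (assumed path, e.g.
# /root/.rancher-token); "insecure" selects the --insecure variant the post fell back to.
reregister_cluster() {
    url="$1"; cluster="$2"; tokenfile="$3"; mode="${4:-secure}"

    # Refuse a readable-by-others token file: the token is a full-access credential.
    [ "$(stat -c %a "$tokenfile" 2>/dev/null)" = "600" ] \
        || { echo "$tokenfile must exist and be mode 0600" >&2; return 1; }
    token=$(cat "$tokenfile")
    if [ "$mode" = "insecure" ]; then field=insecureCommand; else field=command; fi

    # Pass the Authorization header via a curl config on stdin (-K -) so the token
    # is never part of argv; -f turns HTTP 401/403/404 into a non-zero exit.
    resp=$(mktemp)
    {
        printf 'header = "Authorization: Bearer %s"\n' "$token"
        if [ "$mode" = "insecure" ]; then printf 'insecure\n'; fi
    } | curl -sf -K - -o "$resp" "$url/v3/clusterregistrationtokens?clusterId=$cluster" \
        || { rm -f "$resp"; echo "API request to $url failed" >&2; return 1; }

    cmd=$(pick_registration_command "$resp" "$field"); rm -f "$resp"
    # The post's first call printed nothing for .command; treat empty/null as a failure.
    [ -n "$cmd" ] && [ "$cmd" != "null" ] \
        || { echo "no $field returned; check server-url and the certificate" >&2; return 1; }

    echo "running: $cmd"
    sh -c "$cmd" || return 1
    # Wait for the agent redeploy instead of guessing "about 20 minutes".
    kubectl -n cattle-system rollout status deployment/cattle-cluster-agent --timeout=20m
}

# Usage, with the post's values (token file path assumed):
#   printf '%s\n' "$TOKEN" > /root/.rancher-token && chmod 600 /root/.rancher-token
#   reregister_cluster https://testrancher.yssdata.net:4443 c-kcgm5 /root/.rancher-token insecure
```

Run it from a machine that has a kubeconfig for the downstream cluster (the post runs it inside the rancher-master container); once the rollout completes, delete the token under API & Keys.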
root@d1b844f63b65:/var/lib/rancher# RANCHERURL="https://testrancher.yssdata.net:4443"
root@d1b844f63b65:/var/lib/rancher# CLUSTERID="c-kcgm5"
root@d1b844f63b65:/var/lib/rancher# TOKEN="token-qq5d9:tqgfsh66lcv2vj8j7tknn9j46drv9dc7gb2hbbrdlx2n7lq6fz9l79"
root@d1b844f63b65:/var/lib/rancher# apt-get install jq -y
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libjq1 libonig4
The following NEW packages will be installed:
jq libjq1 libonig4
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 276 kB of archives.
After this operation, 930 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic/universe amd64 libonig4 amd64 6.7.0-1 [119 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic/universe amd64 libjq1 amd64 1.5+dfsg-2 [111 kB]
Get:3 http://archive.ubuntu.com/ubuntu bionic/universe amd64 jq amd64 1.5+dfsg-2 [45.6 kB]
Fetched 276 kB in 3s (108 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libonig4:amd64.
(Reading database ... 7873 files and directories currently installed.)
Preparing to unpack .../libonig4_6.7.0-1_amd64.deb ...
Unpacking libonig4:amd64 (6.7.0-1) ...
Selecting previously unselected package libjq1:amd64.
Preparing to unpack .../libjq1_1.5+dfsg-2_amd64.deb ...
Unpacking libjq1:amd64 (1.5+dfsg-2) ...
Selecting previously unselected package jq.
Preparing to unpack .../jq_1.5+dfsg-2_amd64.deb ...
Unpacking jq (1.5+dfsg-2) ...
Setting up libonig4:amd64 (6.7.0-1) ...
Setting up libjq1:amd64 (1.5+dfsg-2) ...
Setting up jq (1.5+dfsg-2) ...
Processing triggers for libc-bin (2.27-3ubuntu1.4) ...
root@d1b844f63b65:/var/lib/rancher# curl -s -H "Authorization: Bearer ${TOKEN}" "${RANCHERURL}/v3/clusterregistrationtokens?clusterId=${CLUSTERID}" | jq -r '.data[] | select(.name != "system") | .command'
root@d1b844f63b65:/var/lib/rancher# curl -s -k -H "Authorization: Bearer ${TOKEN}" "${RANCHERURL}/v3/clusterregistrationtokens?clusterId=${CLUSTERID}" | jq -r '.data[] | select(.name != "system") | .insecureCommand'
curl --insecure -sfL https://testrancher.yssdata.net:4443/v3/import/lrhzvcs8vhmtcql77bsg72ngl7svc7m6fhsvfl6qjlnk6wv9dskr4g_c-kcgm5.yaml | kubectl apply -f -
root@d1b844f63b65:/var/lib/rancher# curl --insecure -sfL https://testrancher.yssdata.net:4443/v3/import/lrhzvcs8vhmtcql77bsg72ngl7svc7m6fhsvfl6qjlnk6wv9dskr4g_c-kcgm5.yaml | kubectl apply -f -
clusterrole.rbac.authorization.k8s.io/proxy-clusterrole-kubeapiserver unchanged
clusterrolebinding.rbac.authorization.k8s.io/proxy-role-binding-kubernetes-master unchanged
namespace/cattle-system unchanged
serviceaccount/cattle unchanged
clusterrolebinding.rbac.authorization.k8s.io/cattle-admin-binding unchanged
secret/cattle-credentials-159e21c unchanged
clusterrole.rbac.authorization.k8s.io/cattle-admin unchanged
deployment.apps/cattle-cluster-agent configured
daemonset.apps/cattle-node-agent unchanged
root@d1b844f63b65:/var/lib/rancher#
root@d1b844f63b65:/var/lib/rancher# kubectl -n cattle-system get pods
NAME READY STATUS RESTARTS AGE
cattle-cluster-agent-d746d9697-jdcks 0/1 ContainerCreating 0 10m
cattle-node-agent-f2qcb 0/1 ContainerCreating 0 10m
helm-operation-z78dp 0/2 Completed 0
4 The recovered cluster:

All services in the project are running normally:

The certificate has been updated:

This completes the replacement of Rancher's original SSL certificate. The official reference document is at:
https://mp.weixin.qq.com/s/7Ym6VKGdRsj2qnJT2_zqRA
If you have any other questions, leave a comment and I will answer promptly.