Illumina Innovates with Rancher and Kubernetes
Rancher is installed using the Helm package manager for Kubernetes. Helm charts provide templating syntax for Kubernetes YAML manifest documents.
With Helm, we can create configurable deployments instead of just using static files. For more information about creating your own catalog of deployments, check out the docs at https://helm.sh/.
For systems without direct internet access, see Air Gap: Kubernetes install.
To choose a Rancher version to install, refer to Choosing a Rancher Version.
To choose a version of Helm to install Rancher with, refer to the Helm version requirements
Note: The installation instructions assume you are using Helm 3. For migration of installs started with Helm 2, refer to the official Helm 2 to 3 migration docs. This section provides a copy of the older installation instructions for Rancher installed on Kubernetes with Helm 2, and it is intended to be used if upgrading to Helm 3 is not feasible.
Helm requires a simple CLI tool to be installed. Refer to the instructions provided by the Helm project for your specific platform.
Use helm repo add command to add the Helm chart repository that contains charts to install Rancher. For more information about the repository choices and which is best for your use case, see Choosing a Version of Rancher.
helm repo add
Latest: Recommended for trying out the newest features
Stable: Recommended for production environments
Alpha: Experimental preview of upcoming releases. Note: Upgrades are not supported to, from, or between Alphas.
helm repo add rancher-<CHART_REPO> https://releases.rancher.com/server-charts/<CHART_REPO>
We’ll need to define a namespace where the resources created by the Chart should be installed. This should always be cattle-system:
cattle-system
kubectl create namespace cattle-system
Rancher Server is designed to be secure by default and requires SSL/TLS configuration.
There are three recommended options for the source of the certificate.
Note: If you want terminate SSL/TLS externally, see TLS termination on an External Load Balancer.
ingress.tls.source=rancher
ingress.tls.source=letsEncrypt
ingress.tls.source=secret
Rancher relies on cert-manager to issue certificates from Rancher’s own generated CA or to request Let’s Encrypt certificates.
cert-manager is only required for certificates issued by Rancher’s generated CA (ingress.tls.source=rancher) and Let’s Encrypt issued certificates (ingress.tls.source=letsEncrypt). You should skip this step if you are using your own certificate files (option ingress.tls.source=secret) or if you use TLS termination on an External Load Balancer.
cert-manager
Important: Due to an issue with Helm v2.12.0 and cert-manager, please use Helm v2.12.1 or higher. Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.11.0, please see our upgrade documentation.
Important: Due to an issue with Helm v2.12.0 and cert-manager, please use Helm v2.12.1 or higher.
Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.11.0, please see our upgrade documentation.
These instructions are adapted from the official cert-manager documentation.
# Install the CustomResourceDefinition resources separately kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml > **Important:** > If you are running Kubernetes v1.15 or below, you will need to add the `--validate=false flag to your kubectl apply command above else you will receive a validation error relating to the x-kubernetes-preserve-unknown-fields field in cert-manager’s CustomResourceDefinition resources. This is a benign error and occurs due to the way kubectl performs resource validation. # Create the namespace for cert-manager kubectl create namespace cert-manager # Add the Jetstack Helm repository helm repo add jetstack https://charts.jetstack.io # Update your local Helm chart repository cache helm repo update # Install the cert-manager Helm chart helm install \ cert-manager jetstack/cert-manager \ --namespace cert-manager \ --version v0.12.0
Once you’ve installed cert-manager, you can verify it is deployed correctly by checking the cert-manager namespace for running pods:
kubectl get pods --namespace cert-manager NAME READY STATUS RESTARTS AGE cert-manager-5c6866597-zw7kh 1/1 Running 0 2m cert-manager-cainjector-577f6d9fd7-tr77l 1/1 Running 0 2m cert-manager-webhook-787858fcdb-nlzsq 1/1 Running 0 2m
Note: You need to have cert-manager installed before proceeding.
The default is for Rancher to generate a CA and uses cert-manager to issue the certificate for access to the Rancher server interface. Because rancher is the default option for ingress.tls.source, we are not specifying ingress.tls.source when running the helm install command.
rancher
ingress.tls.source
helm install
hostname
--devel
helm install rancher rancher-<CHART_REPO>/rancher \ --namespace cattle-system \ --set hostname=rancher.my.org
Wait for Rancher to be rolled out:
kubectl -n cattle-system rollout status deploy/rancher Waiting for deployment "rancher" rollout to finish: 0 of 3 updated replicas are available... deployment "rancher" successfully rolled out
This option uses cert-manager to automatically request and renew Let’s Encrypt certificates. This is a free service that provides you with a valid certificate as Let’s Encrypt is a trusted CA. This configuration uses HTTP validation (HTTP-01) so the load balancer must have a public DNS record and be accessible from the internet.
HTTP-01
letsEncrypt
letsEncrypt.email
helm install rancher rancher-<CHART_REPO>/rancher \ --namespace cattle-system \ --set hostname=rancher.my.org \ --set ingress.tls.source=letsEncrypt \ --set letsEncrypt.email=me@example.org
Create Kubernetes secrets from your own certificates for Rancher to use.
Note: The Common Name or a Subject Alternative Names entry in the server certificate must match the hostname option, or the ingress controller will fail to configure correctly. Although an entry in the Subject Alternative Names is technically required, having a matching Common Name maximizes compatibility with older browsers/applications. If you want to check if your certificates are correct, see How do I check Common Name and Subject Alternative Names in my server certificate?
Common Name
Subject Alternative Names
secret
--set privateCA=true
helm install rancher rancher-<CHART_REPO>/rancher \ --namespace cattle-system \ --set hostname=rancher.my.org \ --set ingress.tls.source=secret
Now that Rancher is deployed, see Adding TLS Secrets to publish the certificate files so Rancher and the ingress controller can use them.
After adding the secrets, check if Rancher was rolled out successfully:
If you see the following error: error: deployment "rancher" exceeded its progress deadline, you can check the status of the deployment by running the following command:
error: deployment "rancher" exceeded its progress deadline
kubectl -n cattle-system get deploy rancher NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE rancher 3 3 3 3 3m
It should show the same count for DESIRED and AVAILABLE.
DESIRED
AVAILABLE
The Rancher chart configuration has many options for customizing the install to suit your specific environment. Here are some common advanced scenarios.
See the Chart Options for the full list of options.
Make sure you save the --set options you used. You will need to use the same options when you upgrade Rancher to new versions with Helm.
--set
That’s it you should have a functional Rancher server. Point a browser at the hostname you picked and you should be greeted by the colorful login page.
Doesn’t work? Take a look at the Troubleshooting Page