Reference: https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster
Rancher Management Server requires SSL/TLS by default to secure access. One of the following three certificate sources can be chosen for terminating TLS at Rancher Server:
- A TLS certificate generated by Rancher.
- A TLS certificate issued by Let's Encrypt.
- A public or private certificate issued by an existing CA.
This post tests the third option: installing Rancher with a certificate signed by a private CA.
Preparing the certificates
The script from the docs is used: https://docs.rancher.cn/docs/rancher2/installation/resources/advanced/self-signed-ssl/_index/#4-%E5%A6%82%E4%BD%95%E7%94%9F%E6%88%90%E8%87%AA%E7%AD%BE%E5%90%8D%E8%AF%81%E4%B9%A6
```text
root@test-1:~/certs# ./create_self-signed-cert.sh --ssl-domain=test.warnerchen.com --ssl-trusted-ip=172.16.16.141 --ssl-size=2048 --ssl-date=3650
----------------------------
| 生成 SSL Cert |
----------------------------
====> 1. 生成新的 CA 私钥 cakey.pem
====> 2. 生成新的 CA 证书 cacerts.pem
====> 3. 生成 Openssl 配置文件 /root/certs/openssl.cnf
====> 4. 生成服务 SSL KEY test.warnerchen.com.key
====> 5. 生成服务 SSL CSR test.warnerchen.com.csr
====> 6. 生成服务 SSL CERT test.warnerchen.com.crt
Certificate request self-signature ok
subject=C = CN, CN = test.warnerchen.com
====> 7. 证书制作完成
====> 8. 以 YAML 格式输出结果
```
Check that the certificate files are correct (the chain verifies against the CA, and the subject and SAN carry the expected hostname and IP):
```text
root@test-1:~/certs# openssl verify -CAfile cacerts.pem tls.crt
tls.crt: OK

root@test-1:~/certs# openssl x509 -in tls.crt -noout -text | grep -E "CN|DNS|IP"
        Issuer: C = CN, CN = cattle-ca
        Subject: C = CN, CN = test.warnerchen.com
                DNS:test.warnerchen.com, IP Address:172.16.16.141
```
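The script referenced above is an external download. As an added example, not the Rancher project's create_self-signed-cert.sh, the following POSIX shell script does the same job with plain openssl and then runs the checks worth doing before the files are loaded into the Secrets: chain verification against cacerts.pem, key/certificate match, presence of the DNS and IP SAN entries, and an expiry window. The output directory ./certs-demo is a constructed name; the hostname, trusted IP and CA CN cattle-ca are the values from this page, and the check_* functions are this example's own helpers.

```shell
#!/bin/sh
# Added example (not the Rancher project's script): issue a private-CA server
# certificate with plain openssl and validate it before creating the Secrets.
# Assumptions: output dir ./certs-demo (constructed); hostname, trusted IP and
# CA CN are the values used on the page.
set -eu

DIR="${DIR:-./certs-demo}"
HOST="${HOST:-test.warnerchen.com}"
IP="${IP:-172.16.16.141}"

# Create cakey.pem/cacerts.pem (private CA) and tls.key/tls.crt (server pair) in $DIR.
make_certs() {
    mkdir -p "$DIR"
    # 1-2. CA private key and self-signed CA certificate (10 years, like --ssl-date=3650)
    openssl genrsa -out "$DIR/cakey.pem" 2048 2>/dev/null
    openssl req -x509 -new -key "$DIR/cakey.pem" -days 3650 \
        -subj "/C=CN/CN=cattle-ca" -out "$DIR/cacerts.pem" 2>/dev/null
    # 3. extension file: SAN carries the Rancher hostname and the trusted IP,
    #    and the leaf is explicitly a non-CA server certificate
    cat > "$DIR/v3.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$HOST,IP:$IP
EOF
    # 4-5. server key and CSR
    openssl genrsa -out "$DIR/tls.key" 2048 2>/dev/null
    openssl req -new -key "$DIR/tls.key" -subj "/C=CN/CN=$HOST" \
        -out "$DIR/tls.csr" 2>/dev/null
    # 6. sign the CSR with the CA, applying the extensions above
    openssl x509 -req -in "$DIR/tls.csr" -CA "$DIR/cacerts.pem" \
        -CAkey "$DIR/cakey.pem" -CAcreateserial -days 3650 \
        -extfile "$DIR/v3.ext" -out "$DIR/tls.crt" 2>/dev/null
}

# Chain check: cacerts.pem (the content of the tls-ca Secret) must verify tls.crt.
check_chain() {
    openssl verify -CAfile "$DIR/cacerts.pem" "$DIR/tls.crt" >/dev/null 2>&1
}

# Key/cert match: compare the SHA-256 of the public key taken from each file.
# A mismatched pair is the usual reason an ingress serves a fallback certificate.
check_keypair() {
    k=$(openssl pkey -in "$DIR/tls.key" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$DIR/tls.crt" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# SAN check: the literal SAN entry (e.g. "DNS:host" or "IP Address:1.2.3.4") must
# appear in the certificate text; the value given as --set hostname= must be there.
check_san() {
    openssl x509 -in "$DIR/tls.crt" -noout -text 2>/dev/null | grep -qF -- "$1"
}

# Expiry check: fail if the certificate expires within the next N days (default 30).
check_not_expiring() {
    days="${1:-30}"
    openssl x509 -in "$DIR/tls.crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# report NAME CMD...: run one check, print a verdict, record failure in rc.
report() {
    name=$1; shift
    if "$@"; then echo "PASS $name"; else echo "FAIL $name"; rc=1; fi
}

# Run every check; returns non-zero if any of them failed.
run_checks() {
    rc=0
    report chain   check_chain
    report keypair check_keypair
    report san-dns check_san "DNS:$HOST"
    report san-ip  check_san "IP Address:$IP"
    report expiry  check_not_expiring 30
    return $rc
}

make_certs
run_checks
```

Only after run_checks passes do tls.crt, tls.key and cacerts.pem go into the tls-rancher-ingress and tls-ca Secrets; the same check_* functions can be pointed at certificates produced by the page's script by setting DIR to that directory.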
Creating the Secrets
Before installing Rancher, the Secrets holding the certificate files must be created manually so that Rancher can use them:
```bash
kubectl create ns cattle-system

kubectl -n cattle-system create secret tls tls-rancher-ingress \
  --cert=tls.crt \
  --key=tls.key

kubectl -n cattle-system create secret generic tls-ca \
  --from-file=cacerts.pem
```
Installing Rancher
```bash
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable

helm repo update

helm upgrade --install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname=test.warnerchen.com \
  --set replicas=1 \
  --set bootstrapPassword=xxx \
  --set rancherImage=registry.cn-hangzhou.aliyuncs.com/rancher/rancher \
  --set systemDefaultRegistry=registry.cn-hangzhou.aliyuncs.com \
  --set ingress.tls.source=secret \
  --set privateCA=true
```
Check that the certificate is being used (the ingress references the TLS Secret, and the CA certificate is mounted into the Rancher deployment):
```yaml
kubectl -n cattle-system get ingress rancher -oyaml
...
  tls:
  - hosts:
    - test.warnerchen.com
    secretName: tls-rancher-ingress
...

kubectl -n cattle-system get deployments.apps rancher -oyaml
...
        volumeMounts:
        - mountPath: /etc/rancher/ssl/cacerts.pem
          name: tls-ca-volume
          readOnly: true
          subPath: cacerts.pem
...
```
Verify the served certificate against the private CA:
```bash
openssl s_client -connect test.warnerchen.com:443 -servername test.warnerchen.com -CAfile cacerts.pem
```
External TLS termination
If a load balancer sits in front of Rancher and the certificate is signed by a private CA, the certificate files have to be mounted on the LB: https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/helm-chart-options#external-tls-termination
Nginx is used as the LB for this test:
```nginx
worker_processes 1;
worker_rlimit_nofile 40000;

events {
    worker_connections 8192;
}

http {
    upstream rancher {
        server 172.16.16.141:80;
    }

    map $http_upgrade $connection_upgrade {
        default Upgrade;
        ''      close;
    }

    server {
        listen 443 ssl;
        http2 on;
        server_name test.warnerchen.com;
        ssl_certificate /certs/tls.crt;
        ssl_certificate_key /certs/tls.key;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://rancher;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            # Lets an exec shell window stay open for up to 15 minutes. Without it, the connection is closed after 1 minute by default.
            proxy_read_timeout 900s;
            proxy_buffering off;
        }
    }

    server {
        listen 80;
        server_name test.warnerchen.com;
        return 301 https://$server_name$request_uri;
    }
}
```
```bash
docker run -d --name nginx --restart=always -v $(pwd)/nginx.conf:/etc/nginx/nginx.conf -v $(pwd)/certs:/certs -p 443:443 harbor.warnerchen.com/library/nginx:mainline
```
The ingress must have use-forwarded-headers enabled, so that it honours the X-Forwarded-* headers set by the LB instead of treating the proxied request as plain HTTP.
Configuration:
RKE1
```yaml
ingress:
  provider: nginx
  options:
    use-forwarded-headers: 'true'
```
RKE2
```bash
cat <<EOF | kubectl apply -f -
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        use-forwarded-headers: "true"
EOF
```
K3s
```bash
cat <<EOF | kubectl apply -f -
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    ports:
      web:
        forwardedHeaders:
          insecure: true
EOF
```
Because the certificate is signed by a private CA, the tls-ca Secret still has to be created (no tls-rancher-ingress Secret is needed, since TLS is terminated at the LB):
```bash
kubectl create ns cattle-system

kubectl -n cattle-system create secret generic tls-ca \
  --from-file=cacerts.pem
```
Install Rancher with tls=external:
```bash
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable

helm repo update

helm upgrade --install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname=test.warnerchen.com \
  --set replicas=1 \
  --set bootstrapPassword=xxx \
  --set rancherImage=registry.cn-hangzhou.aliyuncs.com/rancher/rancher \
  --set systemDefaultRegistry=registry.cn-hangzhou.aliyuncs.com \
  --set tls=external \
  --set privateCA=true
```