When the Rancher server is deployed in the Docker container, a local Kubernetes cluster is installed within the container for Rancher to use. Because many features of Rancher run as deployments, and privileged mode is required to run containers within containers, you will need to install Rancher with the option.

Docker Instructions

If you want to continue the air gapped installation using Docker commands, skip the rest of this page and follow the instructions on

Kubernetes Instructions

Rancher recommends installing Rancher on a Kubernetes cluster. A highly available Kubernetes install is comprised of three nodes running the Rancher server components on a Kubernetes cluster. The persistence layer (etcd) is also replicated on these three nodes, providing redundancy and data duplication in case one of the nodes fails.

This section describes installing Rancher:

1. Add the Helm Chart Repository

From a system that has access to the internet, fetch the latest Helm chart and copy the resulting manifests to a system that has access to the Rancher server cluster.

  1. If you haven’t already, install helm locally on a workstation that has internet access. Note: Refer to the Helm version requirements to choose a version of Helm to install Rancher.

  2. Use the helm repo add command to add the Helm chart repository that contains charts to install Rancher. For more information about the repository choices and which is best for your use case, see .

    Latest: Recommended for trying out the newest features

    Stable: Recommended for production environments

    Alpha: Experimental preview of upcoming releases.
    Note: Upgrades are not supported to, from, or between Alphas.

  3. Fetch the latest Rancher chart. This will pull down the chart and save it in the current directory as a .tgz file.

      If you require a specific version of Rancher, you can fetch this with the Helm --version parameter like in the following example:

      helm fetch rancher-stable/rancher --version=v2.4.8

    2. Choose your SSL Configuration

    Rancher Server is designed to be secure by default and requires SSL/TLS configuration.

    When Rancher is installed on an air gapped Kubernetes cluster, there are two recommended options for the source of the certificate.

    Helm Chart Options for Air Gap Installations

    When setting up the Rancher Helm template, there are several options in the Helm chart that are designed specifically for air gap installations.

    3. Render the Rancher Helm Template

    Based on the choice you made in step 2 (Choose your SSL Configuration), complete one of the procedures below.

    Option A: Default Self-Signed Certificate

    By default, Rancher generates a CA and uses cert-manager to issue the certificate for access to the Rancher server interface.

    1. Add the cert-manager repo

    From a system connected to the internet, add the cert-manager repo to Helm:

    helm repo add jetstack https://charts.jetstack.io
    helm repo update

    2. Fetch the cert-manager chart

    Fetch the latest cert-manager chart available from the .

    helm fetch jetstack/cert-manager --version v1.0.4

    3. Render the cert-manager template

    Render the cert-manager template with the options you would like to use to install the chart. Remember to set the image.repository option to pull the image from your private registry. This will create a cert-manager directory with the Kubernetes manifest files.

    4. Download the cert-manager CRD

    Download the required CRD file for cert-manager:

    curl -L -o cert-manager/cert-manager-crd.yaml https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.crds.yaml

    5. Render the Rancher template

    Render the Rancher template, declaring your chosen options. Use the reference table below to replace each placeholder. Rancher needs to be configured to use the private registry in order to provision any Rancher launched Kubernetes clusters or Rancher tools.

    # --no-hooks prevents files for Helm hooks from being generated.
    # systemDefaultRegistry sets a default private registry to be used in Rancher.
    # useBundledSystemChart=true uses the packaged Rancher system charts.
    helm template rancher ./rancher-<VERSION>.tgz --output-dir . \
        --no-hooks \
        --namespace cattle-system \
        --set hostname=<RANCHER.YOURDOMAIN.COM> \
        --set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher \
        --set systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \
        --set useBundledSystemChart=true

    Optional: To install a specific Rancher version, set the rancherImageTag value, example: --set rancherImageTag=v2.5.8

    # systemDefaultRegistry sets a default private registry to be used in Rancher.
    # useBundledSystemChart=true uses the packaged Rancher system charts.
    helm template rancher ./rancher-<VERSION>.tgz --output-dir . \
        --namespace cattle-system \
        --set hostname=<RANCHER.YOURDOMAIN.COM> \
        --set certmanager.version=<CERTMANAGER_VERSION> \
        --set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher \
        --set systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \
        --set useBundledSystemChart=true

    Optional: To install a specific Rancher version, set the rancherImageTag value, example: --set rancherImageTag=v2.5.6

    Option B: Certificates From Files using Kubernetes Secrets

    Create Kubernetes secrets from your own certificates for Rancher to use. The common name for the cert will need to match the hostname option in the command below, or the ingress controller will fail to provision the site for Rancher.

    2. Render the Rancher template

    Render the Rancher template, declaring your chosen options. Use the reference table below to replace each placeholder. Rancher needs to be configured to use the private registry in order to provision any Rancher launched Kubernetes clusters or Rancher tools.

    # --no-hooks prevents files for Helm hooks from being generated.
    # useBundledSystemChart=true uses the packaged Rancher system charts.
    helm template rancher ./rancher-<VERSION>.tgz --output-dir . \
        --no-hooks \
        --namespace cattle-system \
        --set hostname=<RANCHER.YOURDOMAIN.COM> \
        --set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher \
        --set ingress.tls.source=secret \
        --set useBundledSystemChart=true

    If you are using a Private CA signed cert, add --set privateCA=true following --set ingress.tls.source=secret:

    Then refer to Adding TLS Secrets to publish the certificate files so Rancher and the ingress controller can use them.

    # systemDefaultRegistry sets a default private registry to be used in Rancher.
    # useBundledSystemChart=true uses the packaged Rancher system charts.
    helm template rancher ./rancher-<VERSION>.tgz --output-dir . \
        --namespace cattle-system \
        --set hostname=<RANCHER.YOURDOMAIN.COM> \
        --set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher \
        --set ingress.tls.source=secret \
        --set systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \
        --set useBundledSystemChart=true

    If you are using a Private CA signed cert, add --set privateCA=true following --set ingress.tls.source=secret:

    # systemDefaultRegistry sets a default private registry to be used in Rancher.
    # useBundledSystemChart=true uses the packaged Rancher system charts.
    helm template rancher ./rancher-<VERSION>.tgz --output-dir . \
        --namespace cattle-system \
        --set hostname=<RANCHER.YOURDOMAIN.COM> \
        --set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher \
        --set ingress.tls.source=secret \
        --set privateCA=true \
        --set systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \
        --set useBundledSystemChart=true

    Optional: To install a specific Rancher version, set the rancherImageTag value, example: --set rancherImageTag=v2.3.6

    Then refer to Adding TLS Secrets to publish the certificate files so Rancher and the ingress controller can use them.
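
    A check worth running on the rendered output before it is copied across the air gap: every image named in the manifests should come from the private registry given in image.repository, rancherImage and systemDefaultRegistry. The script below is an added example, not part of the Rancher documentation; the function names, the registry registry.example.internal:5000 and the sample manifests are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the Rancher docs. Registry name and sample manifests
# below are constructed placeholders.

# list_foreign_images REGISTRY DIR... : print "<file>: <image>" for every
# image: value that does not start with "REGISTRY/".
list_foreign_images() {
  registry="$1"; shift
  find "$@" -type f \( -name '*.yaml' -o -name '*.yml' \) -exec awk \
    -v reg="$registry/" -v q="'" '
    /^[ \t]*(-[ \t]+)?image:[ \t]/ {
      img = $0
      sub(/^[ \t]*(-[ \t]+)?image:[ \t]*/, "", img)  # keep only the value
      sub(/[ \t]+#.*$/, "", img)                      # drop a trailing comment
      gsub("[\"" q "]", "", img)                      # drop YAML quotes
      if (index(img, reg) != 1) print FILENAME ": " img
    }' {} +
}

# check_airgap_images REGISTRY DIR... : return 1 if any offender is found.
check_airgap_images() {
  offenders="$(list_foreign_images "$@")"
  [ -z "$offenders" ] && return 0
  printf 'images outside %s:\n%s\n' "$1" "$offenders" >&2
  return 1
}

# Constructed stand-in for the rendered ./rancher and ./cert-manager directories;
# the cert-manager image was left pointing at a public registry.
demo="$(mktemp -d)"
mkdir -p "$demo/rancher/templates" "$demo/cert-manager/templates"
cat > "$demo/rancher/templates/deployment.yaml" <<'EOF'
spec:
  containers:
    - image: registry.example.internal:5000/rancher/rancher:v2.5.8
      name: rancher
EOF
cat > "$demo/cert-manager/templates/deployment.yaml" <<'EOF'
spec:
  containers:
    - name: cert-manager
      image: "quay.io/jetstack/cert-manager-controller:v1.0.4"
EOF

check_airgap_images registry.example.internal:5000 \
  "$demo/rancher" "$demo/cert-manager" ||
  echo "re-render with image.repository / rancherImage set to the private registry"
```

    The comparison includes the trailing slash, so a look-alike host that merely begins with the registry name is still reported. The scan only sees image: fields; images passed as container arguments or environment values are not covered.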

    4. Install Rancher

    Copy the rendered manifest directories to a system that has access to the Rancher server cluster to complete installation.

    Use kubectl to create namespaces and apply the rendered manifests.

    If you chose to use self-signed certificates in step 2 (Choose your SSL Configuration), install cert-manager.

    For Self-Signed Certificate Installs, Install Cert-manager

    If you are using self-signed certificates, install cert-manager:

    1. Create the namespace for cert-manager.

      kubectl create namespace cert-manager

    2. Create the cert-manager CustomResourceDefinitions (CRDs).

      kubectl apply -f cert-manager/cert-manager-crd.yaml

    3. Launch cert-manager.

    kubectl -n cattle-system apply -R -f ./rancher

    The installation is complete.
