24 rancher 离线部署

镜像离线打包脚本

docker pull rancher/coreos-etcd:v3.4.3-rancher1
docker pull rancher/rke-tools:v0.1.59
docker pull rancher/k8s-dns-kube-dns:1.15.2
docker pull rancher/k8s-dns-dnsmasq-nanny:1.15.2
docker pull rancher/k8s-dns-sidecar:1.15.2
docker pull rancher/cluster-proportional-autoscaler:1.7.1
docker pull rancher/coredns-coredns:1.6.9
docker pull rancher/k8s-dns-node-cache:1.15.7
docker pull rancher/hyperkube:v1.18.6-rancher1
docker pull rancher/coreos-flannel:v0.12.0
docker pull rancher/flannel-cni:v0.3.0-rancher6
docker pull rancher/calico-node:v3.13.4
docker pull rancher/calico-cni:v3.13.4
docker pull rancher/calico-kube-controllers:v3.13.4
docker pull rancher/calico-ctl:v3.13.4
docker pull rancher/calico-pod2daemon-flexvol:v3.13.4
docker pull weaveworks/weave-kube:2.6.4
docker pull weaveworks/weave-npc:2.6.4
docker pull rancher/pause:3.1
docker pull rancher/nginx-ingress-controller:nginx-0.32.0-rancher1
docker pull rancher/nginx-ingress-controller-defaultbackend:1.5-rancher1
docker pull rancher/metrics-server:v0.3.6

[root@uat-rancher-node01 rancher]# ll *.tar
-rw-rw-r-- 1 root root  226441216 Aug 29 20:53 calico-cni.tar
-rw-rw-r-- 1 root root   48206848 Aug 29 20:51 calico-ctl.tar
-rw-rw-r-- 1 root root   56617984 Aug 29 20:50 calico-kube-controllers.tar
-rw-rw-r-- 1 root root  265684992 Aug 29 20:55 calico-node.tar
-rw-rw-r-- 1 root root  114141696 Aug 29 20:54 calico-pod2daemon-flexvol.tar
-rw-rw-r-- 1 root root   41323520 Aug 29 20:42 cluster-proportional-autoscaler.tar
-rw-rw-r-- 1 root root   43297792 Aug 29 20:47 coredns-coredns.tar
-rw-rw-r-- 1 root root   85169664 Aug 29 20:46 coreos-etcd.tar
-rw-rw-r-- 1 root root 1552846336 Aug 29 20:59 hyperkube.tar
-rw-rw-r-- 1 root root   40140288 Aug 29 20:34 k8s-dns-dnsmasq-nanny.tar
-rw-rw-r-- 1 root root   88547328 Aug 29 20:38 k8s-dns-kube-dns.tar
-rw-rw-r-- 1 root root   92754944 Aug 29 20:43 k8s-dns-node-cache.tar
-rw-rw-r-- 1 root root   80885760 Aug 29 20:39 k8s-dns-sidecar.tar
-rw-rw-r-- 1 root root   41199616 Aug 29 20:44 metrics-server.tar
-rw-rw-r-- 1 root root    5144064 Aug 29 20:34 nginx-ingress-controller-defaultbackend.tar
-rw-rw-r-- 1 root root  331629056 Aug 29 20:48 nginx-ingress-controller.tar
-rw-rw-r-- 1 root root     754176 Aug 29 20:34 pause.tar
-rw-rw-r-- 1 root root  135227392 Aug 29 20:56 rke-tools.tar

[root@uat-rancher-node01 rancher]# ll *.tar|awk '{print $NF}'
calico-cni.tar
calico-ctl.tar
calico-kube-controllers.tar
calico-node.tar
calico-pod2daemon-flexvol.tar
cluster-proportional-autoscaler.tar
coredns-coredns.tar
coreos-etcd.tar
hyperkube.tar
k8s-dns-dnsmasq-nanny.tar
k8s-dns-kube-dns.tar
k8s-dns-node-cache.tar
k8s-dns-sidecar.tar
metrics-server.tar
nginx-ingress-controller-defaultbackend.tar
nginx-ingress-controller.tar
pause.tar
rke-tools.tar
[root@uat-rancher-node01 rancher]# 
[root@uat-rancher-node01 rancher]# ll *.tar|awk '{print $NF}'|sed -r 's#(.*)#docker load -i \1#' |bash
b76aa58f4c23: Loading layer [==================================================>]  107.4MB/107.4MB
566d20c1ccdf: Loading layer [==================================================>]  20.48kB/20.48kB
f3e35332f964: Loading layer [==================================================>]  101.2MB/101.2MB
109a0c66209a: Loading layer [==================================================>]  10.24kB/10.24kB
6ac59be9ed64: Loading layer [==================================================>]   2.56kB/2.56kB
3b481276ac88: Loading layer [==================================================>]  17.79MB/17.79MB
11703ffeceb1: Loading layer [==================================================>]  13.82kB/13.82kB
Loaded image: rancher/calico-cni:v3.13.4
1b3ee35aacca: Loading layer [==================================================>]   5.84MB/5.84MB
419eaad88244: Loading layer [==================================================>]  42.35MB/42.35MB
Loaded image: rancher/calico-ctl:v3.13.4
7bd4affc29eb: Loading layer [==================================================>]  13.82kB/13.82kB
523c4550fd32: Loading layer [==================================================>]  53.52MB/53.52MB
b5dadf89acf5: Loading layer [==================================================>]   3.07MB/3.07MB
Loaded image: rancher/calico-kube-controllers:v3.13.4
f80c95f61fff: Loading layer [==================================================>]  108.5MB/108.5MB
eddba477a8ae: Loading layer [==================================================>]  20.48kB/20.48kB
76224ad063b6: Loading layer [==================================================>]  2.781MB/2.781MB
2ca638bbce84: Loading layer [==================================================>]  3.298MB/3.298MB
62b8adc82952: Loading layer [==================================================>]  3.072kB/3.072kB
2e1e28e9c135: Loading layer [==================================================>]  75.24MB/75.24MB
1fa8cad5d0e3: Loading layer [==================================================>]  4.096kB/4.096kB
af19fd058de9: Loading layer [==================================================>]  7.185MB/7.185MB
4ba854688443: Loading layer [==================================================>]  6.052MB/6.052MB
db5b88cbf87f: Loading layer [==================================================>]  2.048kB/2.048kB
9fcde00c5e9a: Loading layer [==================================================>]  13.82kB/13.82kB
5f956aaa317c: Loading layer [==================================================>]  61.32MB/61.32MB
151cbe937db5: Loading layer [==================================================>]  1.251MB/1.251MB
Loaded image: rancher/calico-node:v3.13.4
724362325411: Loading layer [==================================================>]  2.048kB/2.048kB
689becca0610: Loading layer [==================================================>]  13.82kB/13.82kB
1140aa2f2fa9: Loading layer [==================================================>]   5.12kB/5.12kB
6c83a0e86620: Loading layer [==================================================>]  5.606MB/5.606MB
Loaded image: rancher/calico-pod2daemon-flexvol:v3.13.4
932da5156413: Loading layer [==================================================>]  3.062MB/3.062MB
7b00adda7217: Loading layer [==================================================>]  38.25MB/38.25MB
Loaded image: rancher/cluster-proportional-autoscaler:1.7.1
225df95e717c: Loading layer [==================================================>]  336.4kB/336.4kB
8762ba1e4767: Loading layer [==================================================>]  42.95MB/42.95MB
Loaded image: rancher/coredns-coredns:1.6.9
fe9a8b4f1dcc: Loading layer [==================================================>]  43.87MB/43.87MB
816dcf8208f7: Loading layer [==================================================>]  23.72MB/23.72MB
4da29af72f7f: Loading layer [==================================================>]  17.55MB/17.55MB
e94602b7c460: Loading layer [==================================================>]   2.56kB/2.56kB
e74140cc410f: Loading layer [==================================================>]  3.072kB/3.072kB
0c356e885c8a: Loading layer [==================================================>]  3.072kB/3.072kB
Loaded image: rancher/coreos-etcd:v3.4.3-rancher1
82a5cde9d9a9: Loading layer [==================================================>]  53.87MB/53.87MB
a2b38eae1b39: Loading layer [==================================================>]  21.62MB/21.62MB
f378e9487360: Loading layer [==================================================>]  5.168MB/5.168MB
a35a0b8b55f5: Loading layer [==================================================>]  4.608kB/4.608kB
dea351e760ec: Loading layer [==================================================>]  8.192kB/8.192kB
d57a645c2b0c: Loading layer [==================================================>]  8.704kB/8.704kB
80c8b272a31c: Loading layer [==================================================>]  9.728kB/9.728kB
588868021aa0: Loading layer [==================================================>]  1.824MB/1.824MB
0a514e5f8343: Loading layer [==================================================>]   5.12kB/5.12kB
e46a9dd0cf8f: Loading layer [==================================================>]  23.04kB/23.04kB
ea3e975f63d4: Loading layer [==================================================>]  349.1MB/349.1MB
488428ef6ca2: Loading layer [==================================================>]  72.17MB/72.17MB
8cff9f524c8b: Loading layer [==================================================>]  469.4MB/469.4MB
9105b0079c7f: Loading layer [==================================================>]  3.584kB/3.584kB
03a3faf297ee: Loading layer [==================================================>]  579.6MB/579.6MB
Loaded image: rancher/hyperkube:v1.18.6-rancher1
d9ff549177a9: Loading layer [==================================================>]  4.671MB/4.671MB
257e31c9cb28: Loading layer [==================================================>]   2.56kB/2.56kB
e3418a4c0703: Loading layer [==================================================>]    362kB/362kB
39fe80c5a89b: Loading layer [==================================================>]  3.584kB/3.584kB
295a83faf517: Loading layer [==================================================>]  35.08MB/35.08MB
Loaded image: rancher/k8s-dns-dnsmasq-nanny:1.15.2
47d8bc5560bb: Loading layer [==================================================>]  44.66MB/44.66MB
Loaded image: rancher/k8s-dns-kube-dns:1.15.2
35c35a973795: Loading layer [==================================================>]  2.276MB/2.276MB
d71bb3de1e76: Loading layer [==================================================>]  46.59MB/46.59MB
Loaded image: rancher/k8s-dns-node-cache:1.15.7
e3b0318787d0: Loading layer [==================================================>]     37MB/37MB
Loaded image: rancher/k8s-dns-sidecar:1.15.2
7bf3709d22bb: Loading layer [==================================================>]  38.13MB/38.13MB
Loaded image: rancher/metrics-server:v0.3.6
b108d4968233: Loading layer [==================================================>]  5.134MB/5.134MB
Loaded image: rancher/nginx-ingress-controller-defaultbackend:1.5-rancher1
beee9f30bc1f: Loading layer [==================================================>]  5.862MB/5.862MB
378129e7fefc: Loading layer [==================================================>]  161.4MB/161.4MB
2c4876c55341: Loading layer [==================================================>]  6.144kB/6.144kB
a5cd644ea51c: Loading layer [==================================================>]  30.43MB/30.43MB
f99824ffc859: Loading layer [==================================================>]  16.91MB/16.91MB
e816d879e6f5: Loading layer [==================================================>]  4.096kB/4.096kB
d43abedb29d5: Loading layer [==================================================>]  8.042MB/8.042MB
bfa0001530d1: Loading layer [==================================================>]  50.41MB/50.41MB
4becb331f71a: Loading layer [==================================================>]  6.656kB/6.656kB
b2a014433f54: Loading layer [==================================================>]  37.57MB/37.57MB
7863f1fb0c1e: Loading layer [==================================================>]   20.9MB/20.9MB
909651a2178f: Loading layer [==================================================>]  6.656kB/6.656kB
Loaded image: rancher/nginx-ingress-controller:nginx-0.32.0-rancher1
e17133b79956: Loading layer [==================================================>]  744.4kB/744.4kB
Loaded image: rancher/pause:3.1
f1b5933fe4b5: Loading layer [==================================================>]  5.796MB/5.796MB
2bdf88b2699d: Loading layer [==================================================>]  17.72MB/17.72MB
519b820c8bb3: Loading layer [==================================================>]  1.603MB/1.603MB
eed905e10fc1: Loading layer [==================================================>]  24.45MB/24.45MB
126480a1531c: Loading layer [==================================================>]  3.072kB/3.072kB
021ed1072f21: Loading layer [==================================================>]  56.38MB/56.38MB
25f3c3b9821e: Loading layer [==================================================>]  3.509MB/3.509MB
b5449afc16e1: Loading layer [==================================================>]  16.08MB/16.08MB
8122015cea19: Loading layer [==================================================>]  4.096kB/4.096kB
06002c2e3403: Loading layer [==================================================>]  4.096kB/4.096kB
3f81d91d9bbb: Loading layer [==================================================>]  5.632kB/5.632kB
c6382345d3ee: Loading layer [==================================================>]   12.8kB/12.8kB
4ab3470e2725: Loading layer [==================================================>]  9.601MB/9.601MB
Loaded image: rancher/rke-tools:v0.1.59
[root@uat-rancher-node01 rancher]# docker image ls 
REPOSITORY                                        TAG                     IMAGE ID            CREATED             SIZE
rancher/hyperkube                                 v1.18.6-rancher1        5a1e9f24e782        6 weeks ago         1.51GB
rancher/rke-tools                                 v0.1.59                 904d2afa34c8        7 weeks ago         132MB
rancher/calico-node                               v3.13.4                 c91d49e6f044        3 months ago        261MB
rancher/calico-pod2daemon-flexvol                 v3.13.4                 c5dca18c0346        3 months ago        112MB
rancher/calico-cni                                v3.13.4                 9e1176a74e85        3 months ago        225MB
rancher/calico-ctl                                v3.13.4                 cbd105686d60        3 months ago        47.9MB
rancher/calico-kube-controllers                   v3.13.4                 f9f70a2e922f        3 months ago        56.6MB
rancher/nginx-ingress-controller                  nginx-0.32.0-rancher1   eda78cfd6f9d        3 months ago        328MB
rancher/coredns-coredns                           1.6.9                   4e797b323460        5 months ago        43.2MB
rancher/coreos-etcd                               v3.4.3-rancher1         a0b920cf970d        10 months ago       83.6MB
rancher/metrics-server                            v0.3.6                  9dd718864ce6        10 months ago       39.9MB
rancher/k8s-dns-node-cache                        1.15.7                  ce4f91502e1b        10 months ago       91MB
rancher/cluster-proportional-autoscaler           1.7.1                   14afc47fd5af        12 months ago       40.1MB
rancher/k8s-dns-sidecar                           1.15.2                  ffc7ccc8fded        16 months ago       79.3MB
rancher/k8s-dns-kube-dns                          1.15.2                  4ad5e24b1ad2        16 months ago       87MB
rancher/k8s-dns-dnsmasq-nanny                     1.15.2                  c4d9bb9e5ff0        16 months ago       39.8MB
rancher/nginx-ingress-controller-defaultbackend   1.5-rancher1            b5af743e5984        23 months ago       5.13MB
rancher/pause                                     3.1                     da86e6ba6ca1        2 years ago         742kB
[root@uat-rancher-node01 rancher]#

批量下载镜像并打包推送到harbor镜像仓库

[root@salt-master ~]# docker push 10.182.220.240:80/rancher/calico-pod2daemon-flexvol:v3.13.4 
The push refers to a repository [10.182.220.240:80/rancher/calico-pod2daemon-flexvol]
6c83a0e86620: Pushed 
1140aa2f2fa9: Pushed 
689becca0610: Pushed 
724362325411: Pushed 
eddba477a8ae: Mounted from rancher/calico-node 
f80c95f61fff: Mounted from rancher/calico-node 
v3.13.4: digest: sha256:3a12c023e964104ebf8af330bc74fa25831e961c871f8024bd6917c1357a57a6 size: 1571
[root@salt-master ~]#

Harbor私有镜像仓库部署
[root@harbor harbor]# vim harbor.yml

harbor证书配置

[root@harbor harbor]# cat key.sh 
#!/bin/bash
# 在该目录下操作生成证书，正好供harbor.yml使用
#mkdir -p /data/cert
cd /app/docker-compose/harbor/key
openssl genrsa -out ca.key 4096
openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key ca.key -out ca.crt
openssl genrsa -out www.harbor.mobi.key 4096
openssl req -sha512 -new -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=www.harbor.mobi" -key www.harbor.mobi.key -out www.harbor.mobi.csr
cat > v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=www.harbor.mobi
DNS.2=harbor
DNS.3=ks-allinone
EOF
openssl x509 -req -sha512 -days 3650 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in www.harbor.mobi.csr -out www.harbor.mobi.crt
openssl x509 -inform PEM -in www.harbor.mobi.crt -out www.harbor.mobi.cert
cp www.harbor.mobi.crt /etc/pki/ca-trust/source/anchors/www.harbor.mobi.crt 
update-ca-trust
[root@harbor harbor]#

[root@harbor harbor]# tree /app/docker-compose/harbor/key/
/app/docker-compose/harbor/key/
├── ca.crt
├── ca.key
├── ca.srl
├── v3.ext
├── www.harbor.mobi.cert
├── www.harbor.mobi.crt
├── www.harbor.mobi.csr
└── www.harbor.mobi.key
0 directories, 8 files
[root@harbor harbor]#

新建一个目录
www.harbor.mobi
复制到各个dockers节点的www.harbor.mobi

[rancher@uat-rancher-node01 ~]$ tree /etc/docker/certs.d/www.harbor.mobi/
/etc/docker/certs.d/www.harbor.mobi/
├── ca.crt
├── www.harbor.mobi.cert
└── www.harbor.mobi.key
0 directories, 3 files
[rancher@uat-rancher-node01 ~]$

//“registry-mirrors”: [“https://10.182.220.240“],
“insecure-registries”: [“https://10.182.220.240“],

[root@uat-rancher-node04 ~]# docker login https://10.182.220.240
Username: liwm
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@uat-rancher-node04 ~]# docker login 10.182.220.242
Username: admin
Password: 
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
[root@uat-rancher-node04 ~]# cat /etc/docker/daemon.json 
{
"graph": "/app/docker",
"max-concurrent-downloads": 3,
"max-concurrent-uploads": 5,
"insecure-registries": ["https://10.182.220.240","http://10.182.220.242"],
"storage-driver": "overlay2",
"storage-opts": ["overlay2.override_kernel_check=true"],
"log-driver": "json-file",
"log-opts": {"max-size": "100m","max-file": "3"}
}
[root@uat-rancher-node04 ~]#

配置多个私有仓库

[rancher@uat-rancher-node01 ~]$ cat /etc/docker/daemon.json 
{
"graph": "/app/docker",
"max-concurrent-downloads": 3,
"max-concurrent-uploads": 5,
"insecure-registries": ["https://10.182.220.240"],
"storage-driver": "overlay2",
"storage-opts": ["overlay2.override_kernel_check=true"],
"log-driver": "json-file",
"log-opts": {"max-size": "100m","max-file": "3"}
}
[rancher@uat-rancher-node01 ~]$

rke部署kubernetes集群
##配置私有仓库地址（需要配置证书）

修改rke cluster.yml部署配置文件

[rancher@uat-rancher-node01 ~]$ cat cluster.yml 
nodes:
  - address: 10.182.220.241
    hostname_override: uat-rancher-node01
    internal_address:
    user: rancher
    role: [controlplane,etcd]
  - address: 10.182.220.242
    hostname_override: uat-rancher-node02
    internal_address:
    user: rancher
    role: [controlplane,etcd]
  - address: 10.182.220.243
    hostname_override: uat-rancher-node03
    internal_address:
    user: rancher
    role: [controlplane,etcd]
  - address: 10.182.220.244
    hostname_override: uat-rancher-node04
    internal_address:
    user: rancher
    role: [worker]
  - address: 10.182.220.245
    hostname_override: uat-rancher-node05
    internal_address:
    user: rancher
    role: [worker]
# 定义kubernetes版本
kubernetes_version: v1.18.6-rancher1-2
# 如果要使用私有仓库中的镜像，配置以下参数来指定默认私有仓库地址需要启用证书。
private_registries:
    - url: 10.182.220.240
      user: liwm
      password: !Q2w3e4r
      is_default: true
services:
  etcd:
    # 扩展参数
    extra_args:
      # 240个小时后自动清理磁盘碎片,通过auto-compaction-retention对历史数据压缩后，后端数据库可能会出现内部碎片。内部碎片是指空闲状态的，能被后端使用但是仍然消耗存储空间，碎片整理过程将此存储空间释放回文>件系统
      auto-compaction-retention: 240 #(单位小时)
      # 修改空间配额为6442450944，默认2G,最大8G
      quota-backend-bytes: '6442450944'
    # 自动备份
    snapshot: true
    creation: 5m0s
    retention: 24h
  kubelet:
    extra_args:
      # 支持静态Pod。在主机/etc/kubernetes/目录下创建manifest目录，Pod YAML文件放在/etc/kubernetes/manifest/目录下
      pod-manifest-path: "/etc/kubernetes/manifest/"
# 有几个网络插件可以选择：flannel、canal、calico，Rancher2默认canal
network:
  plugin: canal
  options:
    flannel_backend_type: "vxlan"
# 可以设置provider: none来禁用ingress controller
ingress:
  provider: nginx
  node_selector:
    app: ingress
[rancher@uat-rancher-node01 ~]$

helm 部署 rancher

helm证书配置

[rancher@uat-rancher-node01 ~]$ cat helm.sh 
#!/bin/bash -e
# * 为必改项
# * 服务器FQDN或颁发者名(更换为你自己的域名)
CN='rancher'
# 扩展信任IP或域名
## 一般ssl证书只信任域名的访问请求，有时候需要使用ip去访问server，那么需要给ssl证书添加扩展IP，用逗号隔开。配置节点ip和lb的ip。
SSL_IP='10.182.220.241,10.182.220.242,10.182.220.243,10.182.220.244,10.182.220.245,10.182.220.246'
SSL_DNS=''
# 国家名(2个字母的代号)
C=CN
# 证书加密位数
SSL_SIZE=2048
# 证书有效期
DATE=${DATE:-3650}
# 配置文件
SSL_CONFIG='openssl.cnf'
if [[ -z $SILENT ]]; then
echo "----------------------------"
echo "| SSL Cert Generator |"
echo "----------------------------"
echo
fi
export CA_KEY=${CA_KEY-"cakey.pem"}
export CA_CERT=${CA_CERT-"cacerts.pem"}
export CA_SUBJECT=ca-$CN
export CA_EXPIRE=${DATE}
export SSL_CONFIG=${SSL_CONFIG}
export SSL_KEY=$CN.key
export SSL_CSR=$CN.csr
export SSL_CERT=$CN.crt
export SSL_EXPIRE=${DATE}
export SSL_SUBJECT=${CN}
export SSL_DNS=${SSL_DNS}
export SSL_IP=${SSL_IP}
export K8S_SECRET_COMBINE_CA=${K8S_SECRET_COMBINE_CA:-'true'}
[[ -z $SILENT ]] && echo "--> Certificate Authority"
if [[ -e ./${CA_KEY} ]]; then
    [[ -z $SILENT ]] && echo "====> Using existing CA Key ${CA_KEY}"
else
    [[ -z $SILENT ]] && echo "====> Generating new CA key ${CA_KEY}"
    openssl genrsa -out ${CA_KEY} ${SSL_SIZE} > /dev/null
fi
if [[ -e ./${CA_CERT} ]]; then
    [[ -z $SILENT ]] && echo "====> Using existing CA Certificate ${CA_CERT}"
else
    [[ -z $SILENT ]] && echo "====> Generating new CA Certificate ${CA_CERT}"
    openssl req -x509 -sha256 -new -nodes -key ${CA_KEY} -days ${CA_EXPIRE} -out ${CA_CERT} -subj "/CN=${CA_SUBJECT}" > /dev/null || exit 1
fi
echo "====> Generating new config file ${SSL_CONFIG}"
cat > ${SSL_CONFIG} <<EOM
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOM
if [[ -n ${SSL_DNS} || -n ${SSL_IP} ]]; then
    cat >> ${SSL_CONFIG} <<EOM
subjectAltName = @alt_names
[alt_names]
EOM
    IFS=","
    dns=(${SSL_DNS})
    dns+=(${SSL_SUBJECT})
    for i in "${!dns[@]}"; do
      echo DNS.$((i+1)) = ${dns[$i]} >> ${SSL_CONFIG}
    done
    if [[ -n ${SSL_IP} ]]; then
        ip=(${SSL_IP})
        for i in "${!ip[@]}"; do
          echo IP.$((i+1)) = ${ip[$i]} >> ${SSL_CONFIG}
        done
    fi
fi
[[ -z $SILENT ]] && echo "====> Generating new SSL KEY ${SSL_KEY}"
openssl genrsa -out ${SSL_KEY} ${SSL_SIZE} > /dev/null || exit 1
[[ -z $SILENT ]] && echo "====> Generating new SSL CSR ${SSL_CSR}"
openssl req -sha256 -new -key ${SSL_KEY} -out ${SSL_CSR} -subj "/CN=${SSL_SUBJECT}" -config ${SSL_CONFIG} > /dev/null || exit 1
[[ -z $SILENT ]] && echo "====> Generating new SSL CERT ${SSL_CERT}"
openssl x509 -sha256 -req -in ${SSL_CSR} -CA ${CA_CERT} -CAkey ${CA_KEY} -CAcreateserial -out ${SSL_CERT} \
    -days ${SSL_EXPIRE} -extensions v3_req -extfile ${SSL_CONFIG} > /dev/null || exit 1
if [[ -z $SILENT ]]; then
echo "====> Complete"
echo "keys can be found in volume mapped to $(pwd)"
echo
echo "====> Output results as YAML"
echo "---"
echo "ca_key: |"
cat $CA_KEY | sed 's/^/  /'
echo
echo "ca_cert: |"
cat $CA_CERT | sed 's/^/  /'
echo
echo "ssl_key: |"
cat $SSL_KEY | sed 's/^/  /'
echo
echo "ssl_csr: |"
cat $SSL_CSR | sed 's/^/  /'
echo
echo "ssl_cert: |"
cat $SSL_CERT | sed 's/^/  /'
echo
fi
if [[ -n $K8S_SECRET_NAME ]]; then
  if [[ -n $K8S_SECRET_COMBINE_CA ]]; then
    [[ -z $SILENT ]] && echo "====> Adding CA to Cert file"
    cat ${CA_CERT} >> ${SSL_CERT}
  fi
  [[ -z $SILENT ]] && echo "====> Creating Kubernetes secret: $K8S_SECRET_NAME"
  kubectl delete secret $K8S_SECRET_NAME --ignore-not-found
  if [[ -n $K8S_SECRET_SEPARATE_CA ]]; then
    kubectl create secret generic \
    $K8S_SECRET_NAME \
    --from-file="tls.crt=${SSL_CERT}" \
    --from-file="tls.key=${SSL_KEY}" \
    --from-file="ca.crt=${CA_CERT}"
  else
    kubectl create secret tls \
    $K8S_SECRET_NAME \
    --cert=${SSL_CERT} \
    --key=${SSL_KEY}
  fi
  if [[ -n $K8S_SECRET_LABELS ]]; then
    [[ -z $SILENT ]] && echo "====> Labeling Kubernetes secret"
    IFS=$' \n\t' # We have to reset IFS or label secret will misbehave on some systems
    kubectl label secret \
      $K8S_SECRET_NAME \
      $K8S_SECRET_LABELS
  fi
fi
echo "4. 重命名服务证书"
mv ${CN}.key tls.key
mv ${CN}.crt tls.crt
# 把生成的证书作为密文导入K8S
## * 指定K8S配置文件路径
kubeconfig=/home/rancher/.kube/config
kubectl --kubeconfig=$kubeconfig create namespace cattle-system
kubectl --kubeconfig=$kubeconfig -n cattle-system create secret tls tls-rancher-ingress --cert=./tls.crt --key=./tls.key
kubectl --kubeconfig=$kubeconfig -n cattle-system create secret generic tls-ca --from-file=cacerts.pem

配置仓库地址

[rancher@uat-rancher-node01 rancher]$ cat values.yaml 
# Additional Trusted CAs.
# Enable this flag and add your CA certs as a secret named tls-ca-additional in the namespace.
# See README.md for details.
additionalTrustedCAs: false
antiAffinity: preferred
# Audit Logs https://rancher.com/docs/rancher/v2.x/en/installation/api-auditing/
# The audit log is piped to the console of the rancher-audit-log container in the rancher pod.
# https://rancher.com/docs/rancher/v2.x/en/installation/api-auditing/
# destination stream to sidecar container console or hostPath volume
# level: Verbosity of logs, 0 to 3. 0 is off 3 is a lot.
auditLog:
  destination: sidecar
  hostPath: /var/log/rancher/audit/
  level: 0
  maxAge: 1
  maxBackup: 1
  maxSize: 100
  fluentbitImage: 10.182.220.240/cnrancher/rancher-auditlog-fluentbit
  fluentbitImageTag: v1.0.0
# The Mysql should be deployed manually and create the user and database schema for auditlog server.
# You should use nonadministrative account and a high strength password to connect to the Mysql.
auditLogServer:
  image: 10.182.220.240/cnrancher/rancher-auditlog-server
  imageTag: v1.0.0
  replicas: 1
  antiAffinity: preferred
  serverPort: 9000
  DBHost: localhost
  DBPort: 3306
  DBUser: root
  DBPassword: password
  DBName: rancher
# Have Rancher detect and import the "local" Rancher server cluster
# Adding the "local" cluster available in the GUI can be convenient, but any user with access to this cluster has "root" on any of the clusters that Rancher manages.
# options; "auto", "false". (auto pretty much means true)
addLocal: "auto"
# Image for collecting rancher audit logs.
# Important: update pkg/image/export/main.go when this default image is changed, so that it's reflected accordingly in rancher-images.txt generated for air-gapped setups.
busyboxImage: 10.182.220.240/dev/busybox
# Add debug flag to Rancher server
debug: false
# Extra environment variables passed to the rancher pods.
# extraEnv:
# - name: CATTLE_TLS_MIN_VERSION
#   value: "1.0"
# Fully qualified name to reach your Rancher server
# hostname: rancher.my.org
## Optional array of imagePullSecrets containing private registry credentials
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# - name: secretName
### ingress ###
# Readme for details and instruction on adding tls secrets.
ingress:
  extraAnnotations:
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
  # configurationSnippet - Add additional Nginx configuration. This example statically sets a header on the ingress.
  # configurationSnippet: |
  #   more_set_input_headers "X-Forwarded-Host: {{ .Values.hostname }}";
  configurationSnippet: |
    more_clear_headers Server;
  tls:
    # options: rancher, letsEncrypt, secret
    source: rancher
### LetsEncrypt config ###
# ProTip: The production environment only allows you to register a name 5 times a week.
#         Use staging until you have your config right.
letsEncrypt:
  # email: none@example.com
  environment: production
# If you are using certs signed by a private CA set to 'true' and set the 'tls-ca'
# in the 'rancher-system' namespace. See the README.md for details
privateCA: false
# http[s] proxy server passed into rancher server.
# proxy: http://<username>@<password>:<url>:<port>
# comma separated list of domains or ip addresses that will not use the proxy
noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
# Override rancher image location for Air Gap installs
rancherImage: 10.182.220.240/cnrancher/rancher
## set Air Gap registry for rancher
# rancherRegistry: harbor.cnrancher.com
systemDefaultRegistry: ""
# rancher/rancher image tag. https://hub.docker.com/r/rancher/rancher/tags/
# Defaults to .Chart.appVersion
# rancherImageTag: v2.0.7
# Override imagePullPolicy for rancher server images
# options: Always, Never, IfNotPresent
# Defaults to IfNotPresent
# rancherImagePullPolicy: <pullPolicy>
# Number of Rancher server replicas.
replicas: 3
# Set pod resource requests/limits for Rancher.
resources: {}
#
# tls
#   Where to offload the TLS/SSL encryption
# - ingress (default)
# - external
tls: ingress
# Set to use the packaged system charts
useBundledSystemChart: false
service:
  type: ClusterIP
  ports:
    nodePort: 30443
# Certmanager version compatibility
certmanager:
  version: ""
[rancher@uat-rancher-node01 rancher]$

helm install rancher rancher/   --namespace cattle-system --set rancherImage=cnrancher/rancher --set service.type=NodePort --set service.ports.nodePort=30001 --set tls=internal --set privateCA=true