Installing Rancher 2 HA Cluster with Let’s Encrypt

Kirill Garbar
Jun 20, 2018 · 6 min read

All you need to create an HA cluster with Rancher 2 on Debian/Ubuntu or anything else (I’m using Debian 9 as an example). You’ll need a basic understanding of Kubernetes.

Rancher is open source enterprise cluster management software; more information at rancher.com.

Installing Rancher is now as easy as it gets: there’s an official manual on how to do it. It’s very detailed, except for how to actually use Let’s Encrypt certificates.

Getting ready with TLS

Rancher 2 now requires an SSL certificate to be in place in order to operate. I want to use cert-manager to manage a Let’s Encrypt certificate for my cluster. This requires a temporary self-signed SSL certificate first.

1. Generate the CA certificate and key:

2. Generate the ingress key:

3. Sign the new ingress key with the CA certificate:

4. Encode the new certificates into Base64:

Now you’ve got everything you need to start building your cluster.
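The four steps above as one script, added here as an example (it is not the author’s own gist, which is not reproduced on this page). The hostname rancher.example.com comes from the post; the output directory, the 30 day validity and the labels printed at the end are assumptions, and the cluster.yaml field names must be taken from the official RKE template.

```shell
#!/bin/sh
# Added example (not from the post): temporary CA plus CA-signed ingress
# certificate for RKE's cluster.yaml, to be replaced by cert-manager later.
set -eu

# Steps 1-3: CA key+cert, ingress key, CSR signed by the CA with a SAN entry.
gen_temp_certs() {
  host="$1"   # e.g. rancher.example.com (hostname used in the post)
  dir="$2"    # output directory (assumption), created if missing
  mkdir -p "$dir"
  # 1. CA key and self-signed CA certificate; short validity, it is only a stopgap
  openssl genrsa -out "$dir/ca-key.pem" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ca-key.pem" -days 30 \
    -subj "/CN=temp-rancher-ca" -out "$dir/ca.pem" 2>/dev/null
  # 2. Ingress private key
  openssl genrsa -out "$dir/ingress-key.pem" 2048 2>/dev/null
  # 3. CSR for the ingress host, signed by the CA. The SAN goes in via an
  #    extfile so this works on OpenSSL 1.0/1.1/3.x alike; browsers ignore a bare CN.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
  openssl req -new -key "$dir/ingress-key.pem" -subj "/CN=$host" \
    -out "$dir/ingress.csr" 2>/dev/null
  openssl x509 -req -in "$dir/ingress.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 30 -extfile "$dir/san.cnf" -out "$dir/ingress.pem" 2>/dev/null
  # Sanity check: the chain must verify before it goes anywhere near cluster.yaml
  openssl verify -CAfile "$dir/ca.pem" "$dir/ingress.pem" >/dev/null
}

# Step 4: single-line base64 as cluster.yaml expects (GNU `base64` wraps at 76
# columns by default; `openssl base64 -A` behaves the same on Linux and macOS).
encode_for_rke() {
  openssl base64 -A -in "$1" | tr -d '\n'
}

# Print the three values to paste into cluster.yaml. The labels are placeholders;
# use the field names from the official RKE cluster.yaml template.
print_cluster_yaml_values() {
  dir="$1"
  printf 'CA_CERT_B64: %s\n'      "$(encode_for_rke "$dir/ca.pem")"
  printf 'INGRESS_CERT_B64: %s\n' "$(encode_for_rke "$dir/ingress.pem")"
  printf 'INGRESS_KEY_B64: %s\n'  "$(encode_for_rke "$dir/ingress-key.pem")"
}

if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  gen_temp_certs rancher.example.com ./tls
  print_cluster_yaml_values ./tls
fi
```

Run with RUN_EXAMPLE=1 to produce the files under ./tls and print the encoded values; keep ca-key.pem out of cluster.yaml, only the CA certificate is needed there.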

Standing up the cluster

I’m using Hetzner with Debian 9 instances. I’ve decided to build a 3 node cluster.

Upgrading the Debian nodes (always use the latest packages) and installing curl:

We’ll need docker 17.03. I’ve tried everything up to 18.03. I managed to install Kubernetes on them and it was working fine. 18.03 is a bit buggy. Officially it’s fully tested on 17.03.

Once all 3 nodes are patched and have docker running, it’s time to use RKE. It is a tool for standing up a Kubernetes cluster: it supports HA options and the whole cluster is described in a yaml file.

After adding the base64 encoded certificates and keys into the cluster.yaml file, it’ll look something like this:

The only thing left to do is to start the process (assuming you’ve installed the rke tools):

The process will take a couple of minutes; once it’s finished, you’ll have a running cluster with Rancher 2 installed in it.

I’m not using a Load Balancer node (nginx proxy), as it would introduce a single point of failure. I’m using Cloudflare as the DNS provider:

Works really well.

The cluster is ready and waiting for you to log in: https://rancher.example.com

It’s running on a self-signed certificate, so now it’s time to fix that. We need to enable the Helm stable package repository and wait a bit (5–10 mins for the packages to download).

Syncing packages will take some time; once it’s finished, you should be able to find cert-manager. You can do this without using the Rancher Catalog, but I think the Catalog is what makes Rancher so attractive.

Once it’s installed, now is the time to remove the self-signed certificate.

I’m using the DNS flow to validate the domain name; feel free to use HTTP. More documentation here. You’ll need the CloudFlare API key base64 encoded in a Kubernetes secret.

During installation, RKE created the kube config file kube_config_cluster.yaml; we need it in order to connect to our cluster.

Just to confirm that the cluster is ready to go and we have access:

We should be able to see that it’s READY:

Once this is done, we can request a certificate from Let’s Encrypt.

It will take some time for the certificate to be issued; you can monitor the process:

Please make sure you’ve tested the process in the sandbox before requesting certificates in production. Let’s Encrypt limits duplicate requests to 5 a week; exceed that and you get banned and have to wait a week. More information here.

Good result:

The only thing left to do is to link this certificate to the outward-facing ingress and update the rancher deployment.

Apply the configuration change:

Your cluster is now using Let’s Encrypt certificates, running on a 3 node HA setup.

Thanks
