Adjust your /etc/hosts file
Add a hostname entry for your local machine so that the Rancher UI can be accessed by name instead of IP address.
```bash
# Adjust your /etc/hosts file (edit it as root and add the line for your machine)
cat /etc/hosts
...
192.168.1.45 archlinux
...
# (:wq! saves and closes the file if you opened it in vi/vim)
```
Deploy K3S cluster to your local machine
Install K3S with etcd as the datastore and without the default Traefik ingress controller, since we will deploy Nginx Ingress separately.
```bash
# Deploy K3S cluster to your local machine
# (--no-deploy was later replaced by --disable on newer K3S releases)
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC="--datastore-endpoint etcd --no-deploy traefik" sh -s -
# k3s.yaml holds cluster-admin credentials; mode 755 makes it readable by every
# local user. Tighter: copy it to ~/.kube/config with mode 600 and set KUBECONFIG.
sudo chmod 755 /etc/rancher/k3s/k3s.yaml
kubectl get pods -A
```
Deploy Nginx Ingress Controller
Install the Nginx Ingress Controller via Helm with NodePort service type. The HTTPS NodePort is set to 30111, which will be used to access Rancher.
```bash
# Deploy Nginx Ingress Controller
# The "stable" chart repository has since been archived (charts moved to
# https://charts.helm.sh/stable) and the nginx-ingress chart there is deprecated.
helm repo add stable https://kubernetes-charts.storage.googleapis.com/
helm repo update
helm install nginx stable/nginx-ingress \
  --set controller.service.type=NodePort \
  --set controller.service.nodePorts.https=30111
```
Rancher with certificates generation
Generate a self-signed CA and a server certificate for the Rancher hostname. The script creates the CA key and certificate, then generates a server key and certificate signed by that CA. Finally, the certificates are stored as Kubernetes secrets in the cattle-system namespace.
```bash
#!/usr/bin/env bash
set -euo pipefail
mkdir -p /home/jantoth/etc/pki/tls/private
mkdir -p /home/jantoth/etc/pki/tls/certs
NAME="archlinux"
RANCHER_URL="https://$NAME:30111"
PRIVATE="/home/jantoth/etc/pki/tls/private" # *.key
CERTS="/home/jantoth/etc/pki/tls/certs"     # *.crt
if [ ! -f "${PRIVATE}/${NAME}.key" ]; then
  echo "INFO: generating CA for Rancher"
  openssl genrsa -out "${PRIVATE}/${NAME}-ca.key" 4096
  openssl req -key "${PRIVATE}/${NAME}-ca.key" \
    -subj "/C=EU/ST=SD/L=AM/O=${NAME}/CN=Authority" \
    -new -x509 -days 7300 -sha256 \
    -out "${CERTS}/${NAME}-ca.crt" -extensions v3_ca
  echo "INFO: generating private key and certificate for Rancher"
  openssl genrsa -out "${PRIVATE}/${NAME}.key" 4096
  openssl req -key "${PRIVATE}/${NAME}.key" \
    -new -sha256 -out "${CERTS}/${NAME}.csr" \
    -subj "/C=EU/ST=SD/L=AM/O=${NAME}/CN=${NAME}"
  # Modern TLS clients (browsers, Go-based tools such as kubectl and the rancher
  # CLI) match the hostname against subjectAltName, not CN, so add a SAN.
  printf 'subjectAltName=DNS:%s\n' "${NAME}" > "${CERTS}/${NAME}-san.cnf"
  # 7300 days (20 years) is long for a server certificate; acceptable for a lab only.
  openssl x509 -req -CA "${CERTS}/${NAME}-ca.crt" -CAkey "${PRIVATE}/${NAME}-ca.key" \
    -CAcreateserial -in "${CERTS}/${NAME}.csr" -sha256 \
    -extfile "${CERTS}/${NAME}-san.cnf" \
    -out "${CERTS}/${NAME}.crt" -days 7300
  # Private keys readable by the owner only
  chmod 600 "${PRIVATE}"/*.key
  # Rancher expects the CA bundle under the key name cacerts.pem in the tls-ca secret
  cp "${CERTS}/${NAME}-ca.crt" "${CERTS}/cacerts.pem"
fi
kubectl get namespace cattle-system &>/dev/null || kubectl create namespace cattle-system
kubectl -n cattle-system get secret tls-rancher-ingress &>/dev/null ||
  kubectl -n cattle-system create secret tls tls-rancher-ingress \
    --cert="${CERTS}/${NAME}.crt" --key="${PRIVATE}/${NAME}.key"
kubectl -n cattle-system get secret tls-ca &>/dev/null ||
  kubectl -n cattle-system create secret generic tls-ca \
    --from-file="${CERTS}/cacerts.pem"
```
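An added example (not part of the original post) that builds a throwaway CA and server certificate the way the script above does, but with a subjectAltName, and then verifies the result the way a TLS client will: chain to the CA plus hostname match. The output directory, the 2048-bit keys, the one-year validity and archlinux:30111 are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Demo PKI + verification helpers (constructed example, not the post's script).
set -eu

# make_demo_pki DIR NAME: constructed CA and leaf certificate for NAME under DIR.
make_demo_pki() {
  local dir="$1" name="$2"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -key "$dir/ca.key" -new -x509 -days 365 -sha256 \
    -subj "/O=$name/CN=Authority" -out "$dir/ca.crt" 2>/dev/null
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -key "$dir/$name.key" -new -sha256 -subj "/O=$name/CN=$name" \
    -out "$dir/$name.csr" 2>/dev/null
  # The SAN is what browsers and Go clients (kubectl, rancher CLI) match on.
  printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/san.cnf" \
    -out "$dir/$name.crt" 2>/dev/null
  chmod 600 "$dir"/*.key   # private keys must not be world-readable
}

# cert_has_san CERT: succeeds if the certificate carries a subjectAltName.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
}

# verify_server_cert CA CERT HOST: chain and hostname check, as a TLS client does.
verify_server_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# check_live_endpoint HOST PORT CA: once Rancher is up, confirm the ingress really
# serves a certificate that chains to our CA (e.g. archlinux 30111 cacerts.pem).
check_live_endpoint() {
  local host="$1" port="$2" ca="$3"
  openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$ca" \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}
```

Run `make_demo_pki /tmp/rancher-pki archlinux` and then `verify_server_cert /tmp/rancher-pki/ca.crt /tmp/rancher-pki/archlinux.crt archlinux` to see the checks pass; the same verify call with a different hostname fails.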
Deploy Rancher to K3S/K8S
```bash
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
helm repo update
kubectl create namespace cattle-system   # already exists if the certificate script above ran
# hostname must match the certificate CN/SAN and the /etc/hosts entry
helm install \
  rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname=archlinux \
  --set replicas=1 \
  --set tls=ingress \
  --set ingress.tls.source=secret \
  --set privateCA=true
```
Longhorn setup
```bash
# Longhorn needs the open-iscsi initiator installed and running on every node
sudo pacman -S community/open-iscsi
sudo systemctl enable --now iscsid
```
Using cert-manager to provide SSL certificates for Rancher (overkill)
```bash
# Install the CustomResourceDefinition resources separately
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.0/cert-manager.crds.yaml
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
# Update your local Helm chart repository cache
helm repo update
# Install the cert-manager Helm chart
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v0.15.0
kubectl get pods --namespace cert-manager
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
helm repo update
kubectl create namespace cattle-system
# Without ingress.tls.source=secret, Rancher lets cert-manager issue its own self-signed certificate
helm install \
  rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname=archlinux \
  --set replicas=1
# Restart the CoreDNS deployment if needed
# kubectl rollout restart -n kube-system deployment/coredns
```
Log in to Rancher via the rancher CLI
```bash
NAME="archlinux"
RANCHER_URL="https://$NAME:30111"
# -k disables TLS verification while a credential is fetched. When using the CA
# from the certificate step, replace -k with --cacert "<CERTS>/cacerts.pem".
# admin/admin is the initial password; change it on first login. Passing it on
# the command line also leaves it in shell history and the process list.
APITOKEN=$(curl -sk "${RANCHER_URL}/v3-public/localProviders/local?action=login" \
  -H "content-type: application/json" \
  --data-binary '{"username":"admin","password":"admin"}' | jq -r .token)
rancher login -t "${APITOKEN}" "${RANCHER_URL}/v3"
```