diff --git a/content/rancher/v2.x/en/installation/air-gap-high-availability/install-rancher/_index.md b/content/rancher/v2.x/en/installation/air-gap-high-availability/install-rancher/_index.md index 68c4e941e20..c5e14f7e6b7 100644 --- a/content/rancher/v2.x/en/installation/air-gap-high-availability/install-rancher/_index.md +++ b/content/rancher/v2.x/en/installation/air-gap-high-availability/install-rancher/_index.md 
@@ -27,6 +27,61 @@ helm template ./rancher-.tgz --output-dir . \ --set rancherImage=/rancher/rancher ``` +Rancher server is designed to be secure by default and requires SSL/TLS configuration. There are three options for the source of the certificate: + +{{% accordion id="self-signed" label="Rancher-Generated Certificates (Default)" %}} +The default is for Rancher to generate a CA and use the `cert-manager` to issue the certificate for access to the Rancher server interface. + +- Replace `` with the repository that you configured in [Add the Helm Chart Repository](#add-the-helm-chart-repository) (i.e. `latest` or `stable`). +- Set the `hostname` to the DNS name you pointed at your load balancer. + +```plain +helm template ./rancher-.tgz --output-dir . \ + --name rancher \ + --namespace cattle-system \ + --set hostname= \ + --set rancherImage=/rancher/rancher +``` + +{{% /accordion %}} +{{% accordion id="lets-encrypt" label="Let's Encrypt" %}} +Use [LetsEncrypt](https://letsencrypt.org/)'s free service to issue trusted SSL certs. This configuration uses http validation so the Load Balancer must have a Public DNS record and be accessible from the internet. + +- Replace `` with the repository that you configured in [Add the Helm Chart Repository](#add-the-helm-chart-repository) (i.e. `latest` or `stable`). +- Set `hostname`, `ingress.tls.source=letsEncrypt` and LetsEncrypt options. + +``` +helm template ./rancher-.tgz --output-dir . \ + --name rancher \ + --namespace cattle-system \ + --set hostname= \ + --set rancherImage=/rancher/rancher + --set ingress.tls.source=letsEncrypt \ + --set letsEncrypt.email=me@example.org +``` +{{% /accordion %}} +{{% accordion id="secret" label="Certificates for Files (Kubernetes Secret)" %}} +Create Kubernetes secrets from your own certificates for Rancher to use. + +> **Note:** The common name for the cert will need to match the `hostname` option or the ingress controller will fail to provision the site for Rancher. 
+ +- Replace `` with the repository that you configured in [Add the Helm Chart Repository](#add-the-helm-chart-repository) (i.e. `latest` or `stable`). +- Set `hostname` and `ingress.tls.source=secret`. + +> **Note:** If you are using a Private CA signed cert, add `--set privateCA=true` + +``` +helm install rancher-/rancher \ + --name rancher \ + --namespace cattle-system \ + --set hostname= \ + --set rancherImage=/rancher/rancher + --set ingress.tls.source=letsEncrypt \ +``` + +Now that Rancher is running, see [Adding TLS Secrets]({{< baseurl >}}/rancher/v2.x/en/installation/ha/helm-rancher/tls-secrets/) to publish the certificate files so Rancher and the ingress controller can use them. +{{% /accordion %}} + ## B. Copy and Apply Manifests Copy the rendered manifest directories to a system that has access to the Rancher server cluster. @@ -38,6 +93,4 @@ kubectl -n kube-system apply -R -f ./cert-manager kubectl create namespace cattle-system kubectl -n cattle-system apply -R -f ./rancher -``` - -Make sure you follow any additional instructions required by SSL install options. See [Choose your SSL Configuration]({{< baseurl >}}/rancher/v2.x/en/installation/ha/helm-rancher/#choose-your-ssl-configuration) for details. \ No newline at end of file +``` \ No newline at end of file diff --git a/content/rancher/v2.x/en/installation/air-gap-single-node/_index.md b/content/rancher/v2.x/en/installation/air-gap-single-node/_index.md index c59e02d933c..92c8bcd57ca 100644 --- a/content/rancher/v2.x/en/installation/air-gap-single-node/_index.md +++ b/content/rancher/v2.x/en/installation/air-gap-single-node/_index.md 
@@ -16,11 +16,11 @@ As of v2.1.0, registries with authentication work for installing Rancher as well ## Installation Outline -- [1. Provision Linux Host]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-install/air-gap-single-node/provision-host/) -- [2. Prepare Private Registry]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-install/air-gap-single-node/prepare-private-registry/) -- [3. Choose an SSL Option and Install Rancher]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-install/air-gap-single-node/install-rancher/) -- [4. Configure Rancher for Private Registry]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-install/air-gap-single-node/config-rancher-for-private-reg/) +- [1. Provision Linux Host]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-single-node/provision-host/) +- [2. Prepare Private Registry]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-single-node/prepare-private-registry/) +- [3. Choose an SSL Option and Install Rancher]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-single-node/install-rancher/) +- [4. Configure Rancher for Private Registry]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-single-node/config-rancher-for-private-reg/) -### [Next: Provision Linux Host]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-install/air-gap-single-node/provision-host/) +### [Next: Provision Linux Host]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-single-node/provision-host/) diff --git a/content/rancher/v2.x/en/installation/air-gap-single-node/install-rancher/_index.md b/content/rancher/v2.x/en/installation/air-gap-single-node/install-rancher/_index.md index b890c6eef11..b31a74d4a80 100644 --- a/content/rancher/v2.x/en/installation/air-gap-single-node/install-rancher/_index.md +++ b/content/rancher/v2.x/en/installation/air-gap-single-node/install-rancher/_index.md 
@@ -87,4 +87,4 @@ Placeholder | Description {{% /accordion %}} -### [Next: Configure Rancher for the Private Registry]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-install/air-gap-single-node/config-rancher-for-private-reg/) \ No newline at end of file +### [Next: Configure Rancher for the Private Registry]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-single-node/config-rancher-for-private-reg/) \ No newline at end of file diff --git a/content/rancher/v2.x/en/installation/air-gap-single-node/prepare-private-registry/_index.md b/content/rancher/v2.x/en/installation/air-gap-single-node/prepare-private-registry/_index.md index 708cd336c6d..ead48d1fc7e 100644 --- a/content/rancher/v2.x/en/installation/air-gap-single-node/prepare-private-registry/_index.md +++ b/content/rancher/v2.x/en/installation/air-gap-single-node/prepare-private-registry/_index.md @@ -42,4 +42,4 @@ After downloading the release files, publish the images from `rancher-images.txt ./rancher-load-images.sh --image-list ./rancher-images.txt --registry ``` -### [Next: Choose an SSL Option and Install Rancher]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-install/air-gap-single-node/install-rancher/) \ No newline at end of file +### [Next: Choose an SSL Option and Install Rancher]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-single-node/install-rancher/) \ No newline at end of file diff --git a/content/rancher/v2.x/en/installation/air-gap-single-node/provision-host/_index.md b/content/rancher/v2.x/en/installation/air-gap-single-node/provision-host/_index.md index 37d931f70d8..567cf6d0074 100644 --- a/content/rancher/v2.x/en/installation/air-gap-single-node/provision-host/_index.md +++ b/content/rancher/v2.x/en/installation/air-gap-single-node/provision-host/_index.md 
@@ -8,4 +8,4 @@ Provision a single, air gapped Linux host according to our [Requirements]({{< ba This host should be disconnected from the internet, but should have connectivity with your private registry. -### [Next: Prepare Private Registry]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-install/air-gap-single-node/prepare-private-registry/) +### [Next: Prepare Private Registry]({{< baseurl >}}/rancher/v2.x/en/installation/air-gap-single-node/prepare-private-registry/)
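Review bot: In the `@@ -27,6 +27,61 @@` hunk of `air-gap-high-availability/install-rancher/_index.md`, the command under the "Certificates for Files (Kubernetes Secret)" accordion passes `--set ingress.tls.source=letsEncrypt`, although the bullet just above it says to set `ingress.tls.source=secret`. A reader who copies the block does not get the bring-your-own-certificate configuration the accordion describes. The same block starts with `helm install rancher-/rancher`, while the other two options use `helm template ./rancher-.tgz --output-dir .`, which is what section B's `kubectl -n cattle-system apply -R -f ./rancher` on rendered manifests relies on. In both the Let's Encrypt and the secret blocks the `--set rancherImage=/rancher/rancher` line has no trailing `\`, so the shell ends the command there and the `ingress.tls.source` flag is never passed; the secret block also ends on a dangling `\`. Please add the missing continuations, drop the trailing one, and show `--set privateCA=true` as an optional line of the command rather than only in a note. Separately, the Let's Encrypt text says the load balancer must be accessible from the internet for HTTP validation, which conflicts with an air-gap install: either drop that option from this page or state the precondition at the top of the accordion.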
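Review bot: The `@@ -38,6 +93,4 @@` hunk of `air-gap-high-availability/install-rancher/_index.md` removes the only reminder after `kubectl -n cattle-system apply -R -f ./rancher` that some SSL options need further steps. Its replacement, the pointer to Adding TLS Secrets, now sits inside the secret accordion in section A and opens with "Now that Rancher is running", at a point where no manifest has been applied yet. Move that sentence to the end of section B, or reword it to say the TLS secret is created after the manifests are applied, so the step order is unambiguous for readers who chose the secret option.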
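Review bot: The `@@ -16,11 +16,11 @@` hunk of `air-gap-single-node/_index.md` and the three "Next:" hunks after it correct the same hard-coded `air-gap-install/air-gap-single-node/` prefix by hand in eight links across four files, so the next page move will break them the same way. Consider replacing the `{{< baseurl >}}/rancher/v2.x/en/...` paths with Hugo's `relref` shortcode, which fails the build on an unresolved target instead of shipping a dead link. The new Adding TLS Secrets link added in the high-availability page uses the same hard-coded pattern and would benefit from the same change.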