From 98cd5108a382cb6cf9fda054bd61ff95ba33bb9c Mon Sep 17 00:00:00 2001 From: divya-mohan0209 Date: Mon, 11 Apr 2022 11:33:37 +0530 Subject: [PATCH 1/8] Amending Encryption Configuration Section --- content/rancher/v2.6/en/backups/examples/_index.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/content/rancher/v2.6/en/backups/examples/_index.md b/content/rancher/v2.6/en/backups/examples/_index.md index 87c607b7780..38aa7964541 100644 --- a/content/rancher/v2.6/en/backups/examples/_index.md +++ b/content/rancher/v2.6/en/backups/examples/_index.md @@ -272,6 +272,13 @@ data: # Example EncryptionConfiguration +The snippet below demonstrates two different types of secrets and their relevance with respect to Backup and Restore of custom resources.s + +The first example is that of a secret that is used to encrypt the backup files. The backup operator, in this case, will not be able to read the secrets encryption file. It only uses the contents of the secret. + +The second example is that of a Kubernetes secrets encryption config file that is used to encrypt secrets when stored in etcd. It is important to note that while backing up your etcd config ensure you also backup your EncryptionConfiguration. Failing to do so might result in you not being able to use the restored data. + + ```yaml apiVersion: apiserver.config.k8s.io/v1 kind: EncryptionConfiguration From b20990affbfe93d03db1c23c93445300c05d8440 Mon Sep 17 00:00:00 2001 From: divya-mohan0209 Date: Tue, 12 Apr 2022 11:46:58 +0530 Subject: [PATCH 2/8] Update content/rancher/v2.6/en/backups/examples/_index.md Co-authored-by: Brad Davidson --- content/rancher/v2.6/en/backups/examples/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.6/en/backups/examples/_index.md b/content/rancher/v2.6/en/backups/examples/_index.md index 38aa7964541..a6922f9c802 100644 --- a/content/rancher/v2.6/en/backups/examples/_index.md +++ b/content/rancher/v2.6/en/backups/examples/_index.md 
@@ -272,7 +272,7 @@ data: # Example EncryptionConfiguration -The snippet below demonstrates two different types of secrets and their relevance with respect to Backup and Restore of custom resources.s +The snippet below demonstrates two different types of secrets and their relevance with respect to Backup and Restore of custom resources. The first example is that of a secret that is used to encrypt the backup files. The backup operator, in this case, will not be able to read the secrets encryption file. It only uses the contents of the secret. From 0ab0391f560340fa926b9a7a025eaa06303e38af Mon Sep 17 00:00:00 2001 From: divya-mohan0209 Date: Tue, 19 Apr 2022 10:46:55 +0530 Subject: [PATCH 3/8] Update content/rancher/v2.6/en/backups/examples/_index.md Co-authored-by: Jen Travinski --- content/rancher/v2.6/en/backups/examples/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.6/en/backups/examples/_index.md b/content/rancher/v2.6/en/backups/examples/_index.md index a6922f9c802..4670c938ef1 100644 --- a/content/rancher/v2.6/en/backups/examples/_index.md +++ b/content/rancher/v2.6/en/backups/examples/_index.md 
@@ -276,7 +276,7 @@ The snippet below demonstrates two different types of secrets and their relevanc The first example is that of a secret that is used to encrypt the backup files. The backup operator, in this case, will not be able to read the secrets encryption file. It only uses the contents of the secret. -The second example is that of a Kubernetes secrets encryption config file that is used to encrypt secrets when stored in etcd. It is important to note that while backing up your etcd config ensure you also backup your EncryptionConfiguration. Failing to do so might result in you not being able to use the restored data. +The second example is that of a Kubernetes secrets encryption config file that is used to encrypt secrets when stored in etcd. **While backing up your etcd config, be sure to also backup your EncryptionConfiguration.** Failing to do so might result in you not being able to use the restored data. ```yaml From 8defd30bccffbd46c12c8f16462497b73b9432d4 Mon Sep 17 00:00:00 2001 From: divya-mohan0209 Date: Wed, 27 Apr 2022 20:18:18 +0530 Subject: [PATCH 4/8] Update content/rancher/v2.6/en/backups/examples/_index.md Co-authored-by: Brad Davidson --- content/rancher/v2.6/en/backups/examples/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.6/en/backups/examples/_index.md b/content/rancher/v2.6/en/backups/examples/_index.md index 4670c938ef1..b1282f9c3ca 100644 --- a/content/rancher/v2.6/en/backups/examples/_index.md +++ b/content/rancher/v2.6/en/backups/examples/_index.md 
@@ -276,7 +276,7 @@ The snippet below demonstrates two different types of secrets and their relevanc The first example is that of a secret that is used to encrypt the backup files. The backup operator, in this case, will not be able to read the secrets encryption file. It only uses the contents of the secret. -The second example is that of a Kubernetes secrets encryption config file that is used to encrypt secrets when stored in etcd. **While backing up your etcd config, be sure to also backup your EncryptionConfiguration.** Failing to do so might result in you not being able to use the restored data. +The second example is that of a Kubernetes secrets encryption config file that is used to encrypt secrets when stored in etcd. **When backing up the etcd datastore, be sure to also back up the EncryptionConfiguration.** Failure to do so will result in an inability to use the restored data if secrets encryption was in use at the time the data was backed up. ```yaml From 9dae2ce00b47564355ebc0fb136cf0050804e1e5 Mon Sep 17 00:00:00 2001 From: Billy Tat Date: Sun, 1 May 2022 20:22:43 -0700 Subject: [PATCH 5/8] Update RHEL 8 installation steps --- content/rke/latest/en/os/_index.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/rke/latest/en/os/_index.md b/content/rke/latest/en/os/_index.md index 08855564c8e..f41f8cc7ece 100644 --- a/content/rke/latest/en/os/_index.md +++ b/content/rke/latest/en/os/_index.md 
@@ -154,6 +154,12 @@ If using Red Hat Enterprise Linux, Oracle Linux or CentOS, you cannot use the `r systemctl disable nm-cloud-setup.service nm-cloud-setup.timer reboot ``` +> +> In addition, the default firewall settings of RHEL 8.4 prevents RKE1 pods from reaching out to Rancher to connect to the cluster agent. To allow Docker containers to reach out to the internet and connect to Rancher, make the following updates to the firewall settings: +> ``` + firewall-cmd --zone=public --add-masquerade --permanent + firewall-cmd --reload + ``` #### Using upstream Docker If you are using upstream Docker, the package name is `docker-ce` or `docker-ee`. You can check the installed package by executing: From a2f8cbf4763d07abb267d049ece60927ebca4dd7 Mon Sep 17 00:00:00 2001 From: Billy Tat Date: Tue, 3 May 2022 15:08:44 -0700 Subject: [PATCH 6/8] Update content/rke/latest/en/os/_index.md Co-authored-by: Jen Travinski --- content/rke/latest/en/os/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rke/latest/en/os/_index.md b/content/rke/latest/en/os/_index.md index f41f8cc7ece..16d05b3b9c6 100644 --- a/content/rke/latest/en/os/_index.md +++ b/content/rke/latest/en/os/_index.md @@ -155,7 +155,7 @@ If using Red Hat Enterprise Linux, Oracle Linux or CentOS, you cannot use the `r reboot ``` > -> In addition, the default firewall settings of RHEL 8.4 prevents RKE1 pods from reaching out to Rancher to connect to the cluster agent. To allow Docker containers to reach out to the internet and connect to Rancher, make the following updates to the firewall settings: +> In addition, the default firewall settings of RHEL 8.4 prevent RKE1 pods from reaching out to Rancher to connect to the cluster agent. To allow Docker containers to reach out to the internet and connect to Rancher, make the following updates to the firewall settings: > ``` firewall-cmd --zone=public --add-masquerade --permanent firewall-cmd --reload 
From 0199887ef3f7b0a2ac68aa47dfd5b1b7b45ece62 Mon Sep 17 00:00:00 2001 From: Brad Davidson Date: Wed, 4 May 2022 11:18:10 -0700 Subject: [PATCH 7/8] Update RKE2 HA tutorial for modern versions of RKE2 --- .../resources/k8s-tutorials/ha-rke2/_index.md | 83 ++++++++----------- 1 file changed, 34 insertions(+), 49 deletions(-) diff --git a/content/rancher/v2.6/en/installation/resources/k8s-tutorials/ha-rke2/_index.md b/content/rancher/v2.6/en/installation/resources/k8s-tutorials/ha-rke2/_index.md index f1a1c52bab1..da2ee82468f 100644 --- a/content/rancher/v2.6/en/installation/resources/k8s-tutorials/ha-rke2/_index.md +++ b/content/rancher/v2.6/en/installation/resources/k8s-tutorials/ha-rke2/_index.md 
@@ -128,55 +128,40 @@ Now that you have set up the `kubeconfig` file, you can use `kubectl` to access Check that all the required pods and containers are healthy are ready to continue: ``` - /var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get pods -A -NAMESPACE NAME READY STATUS RESTARTS AGE -kube-system etcd-ip-172-31-18-145 1/1 Running 0 4m37s -kube-system etcd-ip-172-31-25-73 1/1 Running 0 20m -kube-system etcd-ip-172-31-31-210 1/1 Running 0 9m12s -kube-system helm-install-rke2-canal-th9k9 0/1 Completed 0 21m -kube-system helm-install-rke2-coredns-6njr6 0/1 Completed 0 21m -kube-system helm-install-rke2-ingress-nginx-vztsd 0/1 Completed 0 21m -kube-system helm-install-rke2-kube-proxy-6std5 0/1 Completed 0 21m -kube-system helm-install-rke2-metrics-server-9sl7m 0/1 Completed 0 21m -kube-system kube-apiserver-ip-172-31-18-145 1/1 Running 0 4m22s -kube-system kube-apiserver-ip-172-31-25-73 1/1 Running 0 20m -kube-system kube-apiserver-ip-172-31-31-210 1/1 Running 0 9m8s -kube-system kube-controller-manager-ip-172-31-18-145 1/1 Running 0 4m8s -kube-system kube-controller-manager-ip-172-31-25-73 1/1 Running 0 21m -kube-system kube-controller-manager-ip-172-31-31-210 1/1 Running 0 8m55s -kube-system kube-proxy-57twm 1/1 Running 0 10m -kube-system kube-proxy-f7pc6 1/1 Running 0 5m24s -kube-system kube-proxy-rj4t5 1/1 Running 0 21m -kube-system kube-scheduler-ip-172-31-18-145 1/1 Running 0 4m15s -kube-system kube-scheduler-ip-172-31-25-73 1/1 Running 0 21m -kube-system kube-scheduler-ip-172-31-31-210 1/1 Running 0 8m48s -kube-system rke2-canal-4x972 2/2 Running 0 10m -kube-system rke2-canal-flh8m 2/2 Running 0 5m24s -kube-system rke2-canal-zfhkr 2/2 Running 0 21m -kube-system rke2-coredns-rke2-coredns-6cd96645d6-cmstq 1/1 Running 0 21m -kube-system rke2-ingress-nginx-controller-54946dd48f-6mp76 1/1 Running 0 20m -kube-system rke2-ingress-nginx-default-backend-5795954f8-p92xx 1/1 Running 0 20m -kube-system rke2-metrics-server-5f9b5757dc-k5sgh 
1/1 Running 0 20m +/var/lib/rancher/rke2/bin/kubectl --kubeconfig /etc/rancher/rke2/rke2.yaml get pods -A +NAMESPACE NAME READY STATUS RESTARTS AGE +kube-system cloud-controller-manager-rke2-server-1 1/1 Running 0 2m28s +kube-system cloud-controller-manager-rke2-server-2 1/1 Running 0 61s +kube-system cloud-controller-manager-rke2-server-3 1/1 Running 0 49s +kube-system etcd-rke2-server-1 1/1 Running 0 2m13s +kube-system etcd-rke2-server-2 1/1 Running 0 87s +kube-system etcd-rke2-server-3 1/1 Running 0 56s +kube-system helm-install-rke2-canal-hs6sx 0/1 Completed 0 2m17s +kube-system helm-install-rke2-coredns-xmzm8 0/1 Completed 0 2m17s +kube-system helm-install-rke2-ingress-nginx-flwnl 0/1 Completed 0 2m17s +kube-system helm-install-rke2-metrics-server-7sggn 0/1 Completed 0 2m17s +kube-system kube-apiserver-rke2-server-1 1/1 Running 0 116s +kube-system kube-apiserver-rke2-server-2 1/1 Running 0 66s +kube-system kube-apiserver-rke2-server-3 1/1 Running 0 48s +kube-system kube-controller-manager-rke2-server-1 1/1 Running 0 2m30s +kube-system kube-controller-manager-rke2-server-2 1/1 Running 0 57s +kube-system kube-controller-manager-rke2-server-3 1/1 Running 0 42s +kube-system kube-proxy-rke2-server-1 1/1 Running 0 2m25s +kube-system kube-proxy-rke2-server-2 1/1 Running 0 59s +kube-system kube-proxy-rke2-server-3 1/1 Running 0 85s +kube-system kube-scheduler-rke2-server-1 1/1 Running 0 2m30s +kube-system kube-scheduler-rke2-server-2 1/1 Running 0 57s +kube-system kube-scheduler-rke2-server-3 1/1 Running 0 42s +kube-system rke2-canal-b9lvm 2/2 Running 0 91s +kube-system rke2-canal-khwp2 2/2 Running 0 2m5s +kube-system rke2-canal-swfmq 2/2 Running 0 105s +kube-system rke2-coredns-rke2-coredns-547d5499cb-6tvwb 1/1 Running 0 92s +kube-system rke2-coredns-rke2-coredns-547d5499cb-rdttj 1/1 Running 0 2m8s +kube-system rke2-coredns-rke2-coredns-autoscaler-65c9bb465d-85sq5 1/1 Running 0 2m8s +kube-system rke2-ingress-nginx-controller-69qxc 1/1 Running 0 52s +kube-system 
rke2-ingress-nginx-controller-7hprp 1/1 Running 0 52s +kube-system rke2-ingress-nginx-controller-x658h 1/1 Running 0 52s +kube-system rke2-metrics-server-6564db4569-vdfkn 1/1 Running 0 66s ``` **Result:** You have confirmed that you can access the cluster with `kubectl` and the RKE2 cluster is running successfully. Now the Rancher management server can be installed on the cluster. - -### 5. Configure nginx to be a daemonset - -Currently, RKE2 deploys nginx-ingress as a deployment, and that can impact the Rancher deployment so that you cannot use all servers to proxy requests to the Rancher pods. - -To rectify that, place the following file in /var/lib/rancher/rke2/server/manifests on any of the server nodes: - -```yaml -apiVersion: helm.cattle.io/v1 -kind: HelmChartConfig -metadata: - name: rke2-ingress-nginx - namespace: kube-system -spec: - valuesContent: |- - controller: - kind: DaemonSet - daemonset: - useHostPort: true -``` From 5a00fe35df60522210c986c73263ac9029a9d95a Mon Sep 17 00:00:00 2001 From: Brad Davidson Date: Wed, 4 May 2022 11:21:26 -0700 Subject: [PATCH 8/8] Update _index.md --- .../en/installation/resources/k8s-tutorials/ha-rke2/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.6/en/installation/resources/k8s-tutorials/ha-rke2/_index.md b/content/rancher/v2.6/en/installation/resources/k8s-tutorials/ha-rke2/_index.md index da2ee82468f..f69c494b175 100644 --- a/content/rancher/v2.6/en/installation/resources/k8s-tutorials/ha-rke2/_index.md +++ b/content/rancher/v2.6/en/installation/resources/k8s-tutorials/ha-rke2/_index.md 
@@ -89,7 +89,7 @@ To use this `kubeconfig` file, 1. Install [kubectl,](https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-kubectl) a Kubernetes command-line tool. 2. Copy the file at `/etc/rancher/rke2/rke2.yaml` and save it to the directory `~/.kube/config` on your local machine. -3. In the kubeconfig file, the `server` directive is defined as localhost. Configure the server as the DNS of your load balancer, referring to port 6443. (The Kubernetes API server will be reached at port 6443, while the Rancher server will be reached at ports 80 and 443.) Here is an example `rke2.yaml`: +3. In the kubeconfig file, the `server` directive is defined as localhost. Configure the server as the DNS of your control-plane load balancer, on port 6443. (The RKE2 Kubernetes API Server uses port 6443, while the Rancher server will be served via the NGINX Ingress on ports 80 and 443.) Here is an example `rke2.yaml`: ```yml apiVersion: v1
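Review bot: In PATCH 1/8 (content/rancher/v2.6/en/backups/examples/_index.md), the added paragraph that starts "The first example is that of a secret that is used to encrypt the backup files" becomes hard to follow at "will not be able to read the secrets encryption file. It only uses the contents of the secret": it names both a file and a secret without saying which object the backup operator is actually given. Suggest stating directly where the operator takes its encryption settings from, and tying "first example" and "second example" to specific YAML blocks, since the only block visible under this heading starts with `kind: EncryptionConfiguration`. The hunk also adds two consecutive blank lines before the yaml fence; one is enough.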
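Review bot: In PATCH 4/8, the bolded sentence "be sure to also back up the EncryptionConfiguration" tells readers to copy the file but not where the copy should live. An EncryptionConfiguration that uses static-key providers contains the key material itself, so a copy kept alongside the etcd backup leaves the encrypted secrets readable by anyone who obtains that backup location. Suggest adding one sentence asking readers to store it separately from the datastore backup, in a location with its own access controls.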
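Review bot: In PATCH 5/8 (content/rke/latest/en/os/_index.md), the added `firewall-cmd --zone=public --add-masquerade --permanent` is given without saying what it changes or how to confirm it targets the right zone. Suggest one sentence explaining that it enables masquerading (source NAT) for traffic leaving through the `public` zone, and a preceding check with `firewall-cmd --get-active-zones` so readers whose external interface sits in another zone do not change the wrong one permanently. Formatting: the code fence opens on a `>`-quoted line while the two commands and the closing fence are indented without `>`, so please check the rendered note; PATCH 6/8 carries these lines through unchanged.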
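Review bot: In PATCH 7/8 (installation/resources/k8s-tutorials/ha-rke2/_index.md), removing "### 5. Configure nginx to be a daemonset" and its HelmChartConfig leaves readers on older RKE2 releases without that step, and neither the page nor the commit subject ("modern versions of RKE2") says from which release it is no longer needed. Suggest a one-line note stating the minimum RKE2 version the tutorial now assumes. While this section is being touched, the context line "Check that all the required pods and containers are healthy are ready to continue:" has a stray "are" and presumably means "healthy and ready".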
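Review bot: In PATCH 8/8, the rewritten step 3 says "Configure the server as the DNS of your control-plane load balancer"; "DNS" should be "DNS name", and "API Server" is capitalised differently from the "API server" wording it replaces. Step 2 in the context just above still calls `~/.kube/config` a directory although it is the path of the kubeconfig file, and because `/etc/rancher/rke2/rke2.yaml` carries cluster credentials, that step would benefit from telling readers to keep the local copy readable only by their own user.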