一、背景

Rancher HA有多种部署方式：

1. Helm HA安装，将Rancher部署在已有的Kubernetes集群中，Rancher将使用集群的etcd存储数据，并利用Kubernetes调度实现高可用性。
2. RKE HA安装，使用RKE工具安装独立的Kubernetes集群，专门用于Rancher HA部署运行，RKE HA安装仅支持Rancher v2.0.8以及之前的版本，Rancher v2.0.8之后的版本使用helm安装Rancher。
   本方案将基于已有的Kubernetes集群，利用Helm安装Rancher HA，并采用四层负载均衡方式。
   

   二、添加Chart仓库地址

   使用helm repo add命令添加Rancher chart仓库地址
   Rancher tag和Chart版本选择参考：https://www.cnrancher.com/docs/rancher/v2.x/cn/installation/server-tags/

   #替换为您要使用的Helm仓库分支(即latest或stable）。
   helm repo add rancher-stable https://releases.rancher.com/server-charts/stable

   三、使用自签名证书安装Rancher server

   Rancher server设计默认需要开启SSL/TLS配置来保证安全，将ssl证书以Kubernetes Secret卷的形式传递给rancher server或Ingress Controller。首先创建证书密文，以便Rancher和Ingress Controller可以使用。

   1、 生成自签名证书

   #脚本
   一键生成自签名证书脚本
   #执行脚本生成证书
   sh create_self-signed-cert.sh --ssl-domain=rancher.sumapay.com --ssl-trusted-ip=172.16.1.21,172.16.1.22 --ssl-size=2048 --ssl-date=3650

2、使用kubectl创建tls类型的secrets

#创建命名空间

[root@k8s-master03 ~]# kubectl create namespace cattle-system
namespace/rancher-system created

#服务证书和私钥密文

[root@k8s-master03 self_CA]# kubectl -n cattle-system create secret tls tls-rancher-ingress --cert=./tls.crt --key=./tls.key 
secret/tls-rancher-ingress created

#ca证书密文

[root@k8s-master03 self_CA]# kubectl -n cattle-system create secret generic tls-ca --from-file=cacerts.pem 
secret/tls-ca created

3、安装rancher server

#使用helm安装rancher HA

[root@k8s-master03 ~]# helm install rancher-stable/rancher --name rancher2 --namespace cattle-system --set hostname=rancher.sumapay.com --set ingress.tls.source=secret --set privateCA=true
NAME:   rancher2
LAST DEPLOYED: Fri Apr 26 14:03:51 2019
NAMESPACE: cattle-system
STATUS: DEPLOYED

RESOURCES:
==> v1/ClusterRoleBinding
NAME     AGE
rancher2  0s

==> v1/Deployment
NAME     READY  UP-TO-DATE  AVAILABLE  AGE
rancher2  0/3    3           0          0s

==> v1/Pod(related)
NAME                      READY  STATUS             RESTARTS  AGE
rancher-55c884bbf7-2xqpl  0/1    ContainerCreating  0         0s
rancher-55c884bbf7-bqvjh  0/1    ContainerCreating  0         0s
rancher-55c884bbf7-hhlvh  0/1    ContainerCreating  0         0s

==> v1/Service
NAME     TYPE       CLUSTER-IP      EXTERNAL-IP  PORT(S)  AGE
rancher2  ClusterIP  10.110.148.105         80/TCP   0s

==> v1/ServiceAccount
NAME     SECRETS  AGE
rancher2  1        0s

==> v1beta1/Ingress
NAME     HOSTS                ADDRESS  PORTS  AGE
rancher2  rancher.sumapay.com  80, 443  0s

NOTES:
Rancher Server has been installed.

NOTE: Rancher may take several minutes to fully initialize. Please standby while Certificates are being issued and Ingress comes up.

Check out our docs at https://rancher.com/docs/rancher/v2.x/en/

Browse to https://rancher.sumapay.com

Happy Containering!

#查看创建

[root@k8s-master03 ~]# kubectl get ns
NAME                         STATUS   AGE
cattle-global-data           Active   2d5h
cattle-system                Active   2d5h

[root@k8s-master03 ~]# kubectl get ingress -n cattle-system           
NAME       HOSTS                 ADDRESS   PORTS     AGE
rancher2   rancher.sumapay.com             80, 443   57m

[root@k8s-master03 ~]# kubectl get service -n cattle-system        
NAME       TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
rancher2   ClusterIP   10.111.16.80           80/TCP    54m

[root@k8s-master03 ~]# kubectl get serviceaccount -n cattle-system           
NAME       TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
rancher2   ClusterIP   10.111.16.80           80/TCP    51m

[root@k8s-master03 ~]# kubectl get ClusterRoleBinding -n cattle-system -l app=rancher2 -o wide
NAME       AGE   ROLE                        USERS   GROUPS   SERVICEACCOUNTS
rancher2   58m   ClusterRole/cluster-admin                    cattle-system/rancher2

[root@k8s-master03 ~]# kubectl get pods -n cattle-system 
NAME                                    READY   STATUS    RESTARTS   AGE
cattle-cluster-agent-594b8f79bb-pgmdt   1/1     Running   5          2d2h
cattle-node-agent-lg44f                 1/1     Running   0          2d2h
cattle-node-agent-zgdms                 1/1     Running   5          2d2h
rancher2-9774897c-622sc                 1/1     Running   0          50m
rancher2-9774897c-czxxx                 1/1     Running   0          50m
rancher2-9774897c-sm2n5                 1/1     Running   0          50m

[root@k8s-master03 ~]# kubectl get deployment -n cattle-system 
NAME                   READY   UP-TO-DATE   AVAILABLE   AGE
cattle-cluster-agent   1/1     1            1           2d4h
rancher2               3/3     3            3           55m

4、为Agent Pod添加主机别名(/etc/hosts)

如果你没有内部DNS服务器而是通过添加/etc/hosts主机别名的方式指定的Rancher server域名，那么不管通过哪种方式(自定义、导入、Host驱动等)创建K8S集群，K8S集群运行起来之后，因为cattle-cluster-agent Pod和cattle-node-agent无法通过DNS记录找到Rancher server,最终导致无法通信。

解决方法

可以通过给cattle-cluster-agent Pod和cattle-node-agent添加主机别名(/etc/hosts)，让其可以正常通信(前提是IP地址可以互通)。

#cattle-cluster-agent pod
kubectl -n cattle-system \
patch deployments cattle-cluster-agent --patch '{
    "spec": {
        "template": {
            "spec": {
                "hostAliases": [
                    {
                        "hostnames":
                        [
                            "rancher.sumapay.com"
                        ],
                            "ip": "四层负载均衡地址"
                    }
                ]
            }
        }
    }
}'

#cattle-node-agent pod
kubectl -n cattle-system \
patch  daemonsets cattle-node-agent --patch '{
    "spec": {
        "template": {
            "spec": {
                "hostAliases": [
                    {
                        "hostnames":
                        [
                            "rancher.sumapay.com"
                        ],
                            "ip": "四层负载均衡地址"
                    }
                ]
            }
        }
    }
}'

至此，rancher HA已部署完毕，由于不是NodePort形式，在没有部署ingress-controller情况下，我们还不能直接去访问rancher服务。
ingress-controller部署请参考traefik部署与使用。

参考：
https://www.cnrancher.com/docs/rancher/v2.x/cn/installation/ha-install/helm-rancher/tcp-l4/rancher-install/