# Installing K3s-Rancher with an External Load Balancer

If the host running Rancher has no public IP of its own, an external load balancer is needed to forward traffic, and the certificate is installed on that external load balancer.

## Installing Rancher

:::info
This covers only the Rancher installation.
`rollout status` is a convenient way to see whether the Rancher installation has finished.
:::

After installation, you will find that Rancher is served on port :80.

```
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
helm repo update
helm install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --create-namespace \
  --set hostname=<Domain> \
  --set bootstrapPassword=admin \
  --set tls=external
kubectl -n cattle-system rollout status deploy/rancher
```

- Using an internal certificate

```
helm repo add rancher-stable https://releases.rancher.com/server-charts/stable
helm repo update
helm install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --create-namespace \
  --set hostname=<Domain> \
  --set bootstrapPassword=admin \
  --set ingress.tls.source=secret
kubectl -n cattle-system rollout status deploy/rancher
```

`helm get values rancher -n cattle-system` shows the parameters that were used for the Helm installation.

## Nginx Configuration

See [external-tls-termination](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/helm-chart-options#external-tls-termination).
Change the certificate paths to the correct locations for your setup.

- rancher.conf

```
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Rancher nodes; TLS is terminated here, so the backends are reached over plain HTTP on port 80
upstream rancher_servers_https {
    server IP_NODE_1:80;
    server IP_NODE_2:80;
    server IP_NODE_3:80;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name rancher.aaa.tw;

    ssl_certificate /etc/letsencrypt/live/rancher/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rancher/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/rancher/chain.pem;
    ssl_dhparam /etc/letsencrypt/dhparams/dhparam.pem;

    location / {
        client_max_body_size 30M;
        proxy_pass http://rancher_servers_https;
        proxy_set_header Host $host;
        # Tell the backend the original client address, scheme and port
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        # WebSocket upgrade support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 900s;
        proxy_buffering off;
    }
}

# Redirect plain HTTP to HTTPS
server {
    listen 80;
    server_name rancher.aaa.tw;
    return 301 https://$server_name$request_uri;
}
```

## Problems You May Encounter

### ERR_TOO_MANY_REDIRECTS

Traefik does not accept forwarded headers from an external proxy by default, yet it relies on the `:scheme:` in the header to determine whether the connection is HTTPS.
Without the header, Traefik treats the request as HTTP and redirects it to HTTPS, which causes the repeated redirects.

## Solution

Edit the Traefik configuration directly so that it accepts the forwarded headers.

``` bash
kubectl edit deployment traefik -n kube-system
```

Add `--entryPoints.web.forwardedHeaders.insecure` and save.

``` yaml
.....
spec:
  containers:
  - args:
    .....
    - --entryPoints.web.forwardedHeaders.insecure
```
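
`forwardedHeaders.insecure` makes Traefik trust `X-Forwarded-*` headers from any source; the narrower setting is `forwardedHeaders.trustedIPs`, limited to the load balancer's address. The following is an added example, not part of the original note: a K3s `HelmChartConfig` that applies that setting through the packaged Traefik chart instead of a hand-edited Deployment. It assumes the load balancer is at `192.0.2.10` (a constructed placeholder address) and that the file is placed in the K3s server manifests directory.

```yaml
# /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
# Added example (not from the original note). K3s applies manifests in this
# directory automatically; HelmChartConfig is the K3s mechanism for
# customizing the values of its packaged Traefik chart.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    additionalArguments:
      # Setting used in the note: trusts X-Forwarded-* from any client.
      # - "--entryPoints.web.forwardedHeaders.insecure"
      #
      # Narrower setting: trust forwarded headers only from the load balancer.
      # 192.0.2.10/32 is a constructed placeholder. List the source address
      # Traefik actually observes for load balancer traffic; if the service
      # path rewrites source addresses, that rewritten range is what matches.
      - "--entryPoints.web.forwardedHeaders.trustedIPs=192.0.2.10/32"
```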