github.com/cilium/cilium@v1.16.2/Documentation/installation/k8s-install-rancher-existing-nodes.rst (about) 1 .. only:: not (epub or latex or html) 2 3 WARNING: You are looking at unreleased Cilium documentation. 4 Please use the official rendered version released here: 5 https://docs.cilium.io 6 7 .. _rancher_managed_rke_clusters: 8 9 ************************** 10 Installation using Rancher 11 ************************** 12 13 Introduction 14 ============ 15 16 If you're not using the Rancher Management Console/UI to install your clusters, head 17 over to the :ref:`installation guides for standalone RKE clusters <rke_install>`. 18 19 Rancher comes with `official support for Cilium <https://ranchermanager.docs.rancher.com/faq/container-network-interface-providers>`__. 20 For most Rancher users, that's the recommended way to use Cilium on Rancher-managed 21 clusters. 22 23 However, as Rancher is using a custom 24 ``rke2-cilium`` `Helm chart <https://github.com/rancher/rke2-charts/tree/main-source/packages/rke2-cilium>`__ 25 with independent release cycles, Cilium power-users might want to use an 26 out-of-band Cilium installation instead, based on the official 27 `Cilium Helm chart <https://github.com/cilium/charts>`__, 28 on top of their Rancher-managed RKE1/RKE2 downstream clusters. 29 This guide explains how to achieve this. 30 31 .. note:: 32 33 This guide only shows a step-by-step guide for Rancher-managed (**non-standalone**) 34 **RKE2** clusters. 35 36 However, for a legacy RKE1 cluster, it's even easier. You also need to edit 37 the cluster YAML and change ``network.cni`` to ``none`` as described in the 38 :ref:`RKE 1 standalone guide<rke1_cni_none>`, but there's no need to copy over 39 a Control Plane node local KubeConfig manually. Luckily, Rancher allows access 40 to RKE1 clusters in ``Updating`` state, which are not ready yet. Hence, there's 41 no chicken-egg issue to resolve. 42 43 Prerequisites 44 ============= 45 46 * Fully functioning `Rancher Version 2.x <https://ranchermanager.docs.rancher.com/>`__ instance 47 * At least one empty Linux VM, to be used as initial downstream "Custom Cluster" (Control Plane) node 48 * DNS record pointing to the Kubernetes API of the downstream "Custom Cluster" Control Plane node(s) or L4 load-balancer 49 50 Create a New Cluster 51 ==================== 52 53 In Rancher UI, navigate to the Cluster Management page. In the top right, click on the 54 ``Create`` button to create a new cluster. 55 56 .. image:: images/rancher_add_cluster.png 57 58 On the Cluster creation page select to create a new ``Custom`` cluster: 59 60 .. image:: images/rancher_existing_nodes.png 61 62 When the ``Create Custom`` page opens, provide at least a name for the cluster. 63 Go through the other configuration options and configure the ones that are 64 relevant for your setup. 65 66 Next to the ``Cluster Options`` section click the box to ``Edit as YAML``. 67 The configuration for the cluster will open up in an editor in the window. 68 69 .. image:: images/rancher_edit_as_yaml.png 70 71 Within the ``Cluster`` CustomResource (``provisioning.cattle.io/v1``), the relevant 72 parts to change are ``spec.rkeConfig.machineGlobalConfig.cni``, 73 ``spec.rkeConfig.machineGlobalConfig.tls-san``, and optionally 74 ``spec.rkeConfig.chartValues.rke2-calico`` and 75 ``spec.rkeConfig.machineGlobalConfig.disable-kube-proxy``: 76 77 .. image:: images/rancher_delete_network_plugin.png 78 79 It's required to add a DNS record, pointing to the Control Plane node IP(s) 80 or an L4 load-balancer in front of them, under 81 ``spec.rkeConfig.machineGlobalConfig.tls-san``, as that's required to resolve 82 a chicken-egg issue further down the line. 83 84 Ensure that ``spec.rkeConfig.machineGlobalConfig.cni`` is set to ``none`` and 85 ``spec.rkeConfig.machineGlobalConfig.tls-san`` lists the mentioned DNS record: 86 87 .. image:: images/rancher_network_plugin_none.png 88 89 Optionally, if ``spec.rkeConfig.chartValues.rke2-calico`` is not empty, remove the 90 full object as you won't deploy Rancher's default CNI. At the same time, change 91 ``spec.rkeConfig.machineGlobalConfig.disable-kube-proxy`` to ``true`` in case you 92 want to run :ref:`Cilium without Kube-Proxy<kubeproxy-free>`. 93 94 Make any additional changes to the configuration that are appropriate for your 95 environment. When you are ready, click ``Create`` and Rancher will create the 96 cluster. 97 98 .. image:: images/rancher_cluster_state_provisioning.png 99 100 The cluster will stay in ``Updating`` state until you add nodes. Click on the cluster. 101 In the ``Registration`` tab you should see the generated ``Registation command`` you 102 need to run on the downstream cluster nodes. 103 104 Do not forget to select the correct node roles. Rancher comes with the default to 105 deploy all three roles (``etcd``, ``Control Plane``, and ``Worker``), which is often 106 not what you want for multi-node clusters. 107 108 .. image:: images/rancher_add_nodes.png 109 110 A few seconds after you added at least a single node, you should see the new node(s) 111 in the ``Machines`` tab. The machine will be stuck in ``Reconciling`` state and 112 won't become ``Active``: 113 114 .. image:: images/rancher_node_not_ready.png 115 116 That's expected as there's no CNI running on this cluster yet. Unfortunately, this also 117 means critical pods like ``rke2-coredns-rke2-coredns-*`` and ``cattle-cluster-agent-*`` 118 are stuck in ``PENDING`` state. Hence, the downstream cluster is not yet able 119 to register itself on Rancher. 120 121 As a next step, you need to resolve this chicken-egg issue by directly accessing 122 the downstream cluster's Kubernetes API, without going via Rancher. Rancher will not allow 123 access to this downstream cluster, as it's still in ``Updating`` state. That's why you 124 can't use the downstream cluster's KubeConfig provided by the Rancher management console/UI. 125 126 Copy ``/etc/rancher/rke2/rke2.yaml`` from the first downstream cluster Control Plane 127 node to your jump/bastion host where you have ``helm`` installed and can access the 128 Cilium Helm charts. 129 130 .. code-block:: shell-session 131 132 scp root@<cp-node-1-ip>:/etc/rancher/rke2/rke2.yaml . 133 134 Search and replace ``127.0.0.1`` (``clusters[0].cluster.server``) with the 135 already mentioned DNS record pointing to the Control Plane / L4 load-balancer IP(s). 136 137 .. code-block:: yaml 138 139 apiVersion: v1 140 clusters: 141 - cluster: 142 certificate-authority-data: LS0...S0K 143 server: https://127.0.0.1:6443 144 name: default 145 contexts: {} 146 147 Check if you can access the Kubernetes API: 148 149 .. code-block:: shell-session 150 151 export KUBECONFIG=$(pwd)/my-cluster-kubeconfig.yaml 152 kubectl get nodes 153 NAME STATUS ROLES AGE VERSION 154 rancher-demo-node NotReady control-plane,etcd,master 44m v1.27.8+rke2r1 155 156 If successful, you can now install Cilium via Helm CLI: 157 158 .. parsed-literal:: 159 160 helm install cilium |CHART_RELEASE| \\ 161 --namespace kube-system \\ 162 -f my-cluster-cilium-values.yaml 163 164 After a few minutes, you should see that the node changed to the ``Ready`` status: 165 166 .. code-block:: shell-session 167 168 kubectl get nodes 169 NAME STATUS ROLES AGE VERSION 170 rancher-demo-node Ready control-plane,etcd,master 48m v1.27.8+rke2r1 171 172 Back in the Rancher UI, you should see that the cluster changed to the healthy 173 ``Active`` status: 174 175 .. image:: images/rancher_my_cluster_active.png 176 177 That's it. You can now normally work with this cluster as if you 178 installed the CNI the default Rancher way. Additional nodes can now be added 179 straightaway and the "local Control Plane RKE2 KubeConfig" workaround 180 is not required anymore. 181 182 Optional: Add Cilium to Rancher Registries 183 ========================================== 184 185 One small, optional convenience item would be to add the Cilium Helm repository 186 to Rancher so that, in the future, Cilium can easily be upgraded via Rancher UI. 187 188 You have two options available: 189 190 **Option 1**: Navigate to ``Cluster Management`` -> ``Advanced`` -> ``Repositories`` and 191 click the ``Create`` button: 192 193 .. image:: images/rancher_add_repository.png 194 195 **Option 2**: Alternatively, you can also just add the Cilium Helm repository 196 on a single cluster by navigating to ``<your-cluster>`` -> ``Apps`` -> ``Repositories``: 197 198 .. image:: images/rancher_add_repository_cluster.png 199 200 For either option, in the window that opens, add the official Cilium Helm chart 201 repository (``https://helm.cilium.io``) to the Rancher repository list: 202 203 .. image:: images/rancher_add_cilium_repository.png 204 205 Once added, you should see the Cilium repository in the repositories list: 206 207 .. image:: images/rancher_repositories_list_success.png 208 209 If you now head to ``<your-cluster>`` -> ``Apps`` -> ``Installed Apps``, you 210 should see the ``cilium`` app. Ensure ``All Namespaces`` or 211 ``Project: System -> kube-system`` is selected at the top of the page. 212 213 .. image:: images/rancher_cluster_cilium_app.png 214 215 Since you added the Cilium repository, you will now see a small hint on this app entry 216 when there's a new Cilium version released. You can then upgrade directly via Rancher UI. 217 218 .. image:: images/rancher_cluster_cilium_app_upgrade.png 219 220 .. image:: images/rancher_cluster_cilium_app_upgrade_version.png