- Depending on the options chosen for the deployment, the AWS API access key and secret key for the AWS account used for the deployment may be needed.
- Deploy three instances based on the following considerations:
  - Identify the required instance type according to the CPU and RAM capacity guidance in the "RKE Install Requirements" tab of https://rancher.com/docs/rancher/v2.x/en/installation/requirements/#hardware-requirements
  - The Rancher server must be accessible from the Internet, so the VPC to be used must have a configured Internet Gateway and all RKE nodes must have a publicly routable IP address.
  - SLES nodes need to be an instance type of t2.medium or larger to get built-in subscriptions.
    - Completing this deployment without a SLES subscription has not yet been attempted.
- For the SLES registration process to complete correctly, attach a public IP address to the primary NIC when creating the instances.
  - After the nodes are booted up and ready, remove the public IP addresses, then allocate and attach Elastic IP addresses to them.
- Create two IAM policies, one for the control-plane RKE role and another for both the etcd and worker RKE roles: https://rancher.com/docs/rke/latest/en/config-options/cloud-providers/aws/#iam-requirements
  - (Optional) Create an IAM policy to allow the RKE nodes to store etcd snapshots in S3: https://rancher.com/docs/rke/latest/en/etcd-snapshots/recurring-snapshots/
  - Note: This design maintains all three RKE roles (control-plane, etcd, and worker) on all three RKE nodes.
- Create one IAM role and attach the policies to it.
  - If splitting the RKE roles across different nodes is desired, i.e. creating a separate etcd cluster, it is more secure to create additional IAM roles that each serve only the RKE role those nodes run.
- Attach the IAM role to the nodes.
- Tag the resources: https://rancher.com/docs/rke/latest/en/config-options/cloud-providers/aws/#tagging-aws-resources
  - Tag the VPC, subnet, and security group as "shared".
- Create a security group based on: https://rancher.com/docs/rancher/v2.x/en/installation/requirements/ports/
  - The exact security group settings can be difficult to get right. An alternative is to deploy the Rancher server as a Docker container, enter the API credentials, and deploy a single-node RKE cluster in EC2.
  - The RKE cluster and the node running the Rancher server can later be destroyed while preserving the security group.
- Create an NLB: https://rancher.com/docs/rancher/v2.x/en/installation/resources/advanced/helm2/create-nodes-lb/nlb/
- All nodes must have sshd_config configured with "AllowTcpForwarding yes".
  - Restart sshd after making the change.
- Make sure the primary user account on the nodes (which will be specified in the cluster.yml file) is in the docker group.
  - The SSH key of the user and node that will run "rke up" needs to be in that account's authorized_keys file.
- Fairly simple overview of creating the cluster: https://rancher.com/docs/rancher/v2.x/en/installation/resources/k8s-tutorials/ha-rke/
- Basic cluster.yml file, useful for showing how to turn on basic etcd snapshots: https://rancher.com/docs/rancher/v2.x/en/installation/resources/advanced/helm2/kubernetes-rke/
- It is better to run "rke config" and go through the steps.
  - Later, the NLB URL has to be added to network.authentication.sans: [rancher.mycompany.com] to have it included in the Let's Encrypt certificate.
  - After "rke up", set clusters.cluster.server in the kube_config_cluster.yml file to the same name to access the K8s API through the NLB.
- Note: Setting the "cloud_provider.name" field to AWS suppressed the K8s hostnames (hostname_override in the cluster.yml file) and inserted the AWS hostnames.
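The following cluster.yml ties the steps above together (three nodes carrying all three RKE roles, the NLB name in the API server certificate SANs, the AWS cloud provider, and recurring etcd snapshots); it is an added example, not taken from the Rancher docs or the original notes, and the addresses, hostnames, user name, bucket and region are constructed placeholders.

```yaml
# Added example cluster.yml for this design (not from the Rancher docs or the
# original notes); addresses, hostnames, user, bucket and region are placeholders.

# Three nodes, each carrying all three RKE roles. "user" is the primary account
# that must be in the docker group, and the key of the host running "rke up"
# must be in its authorized_keys.
nodes:
  - address: 203.0.113.11           # Elastic IP, publicly routable
    internal_address: 10.0.1.11
    user: ec2-user
    role: [controlplane, etcd, worker]
    hostname_override: rke-node-1   # replaced by the AWS hostname when cloud_provider is aws
    ssh_key_path: ~/.ssh/id_rsa
  - address: 203.0.113.12
    internal_address: 10.0.1.12
    user: ec2-user
    role: [controlplane, etcd, worker]
    hostname_override: rke-node-2
    ssh_key_path: ~/.ssh/id_rsa
  - address: 203.0.113.13
    internal_address: 10.0.1.13
    user: ec2-user
    role: [controlplane, etcd, worker]
    hostname_override: rke-node-3
    ssh_key_path: ~/.ssh/id_rsa

# The NLB's DNS name goes into the API server certificate SANs so the K8s API
# can be reached through the load balancer; clusters.cluster.server in
# kube_config_cluster.yml is then pointed at the same name.
authentication:
  strategy: x509
  sans:
    - rancher.mycompany.com

# AWS cloud provider: relies on the nodes' IAM role and the "shared" tags.
cloud_provider:
  name: aws

services:
  etcd:
    # Recurring snapshots every 12h, keeping the last 6 locally; the optional
    # s3backupconfig also copies them to S3. Access/secret keys are omitted on
    # the assumption that the nodes' IAM role carries the S3 snapshot policy.
    backup_config:
      interval_hours: 12
      retention: 6
      s3backupconfig:
        bucket_name: example-rke-etcd-snapshots
        region: us-east-1
        endpoint: s3.amazonaws.com
```

Running "rke config" interactively produces a file of this shape; the authentication.sans entry and the S3 section are the parts most easily forgotten.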
- A very interesting quickstart guide using Terraform (TF): https://rancher.com/docs/rancher/v2.x/en/quick-start-guide/deployment/amazon-aws-qs/
- Overview: https://rancher.com/docs/rancher/v2.x/en/installation/install-rancher-on-k8s/
- Used Let's Encrypt and it works well.