socheatsok78/0-rancher-vsphere-setup.md

## 0-rancher-vsphere-setup.md

      
    Raw
  

              0-rancher-vsphere-setup.md
            
          
    Rancher K8s Cluster on VMware vSphere

Prerequisites

vCenter Configuration


Configure the Network Protocol Profile on the vCenter according to: https://www.virtualthoughts.co.uk/2020/03/29/rancher-vsphere-network-protocol-profiles-and-static-ip-addresses-for-k8s-nodes/
Ensure to create a service user with the regarding global and folder specific permissions: https://rancher.com/docs/rancher/v2.x/en/cluster-provisioning/rke-clusters/node-pools/vsphere/provisioning-vsphere-clusters/creating-credentials/

Beside the vCenter role permissions from the official Rancher documentation, the following ones need to be provided in order to configure the Nodes via vApp options:

Content Library: Read storage
Extension: Register extension
vSphere Tagging: Assign or Unassign vSphere Tag on Object
Profile-driven storage: Profile-driven storage view
vApp: Add virtual machine, Assign resource pool, Import, View OVF environment, vApp application configuration, vApp instance configuration


Rancher vSphere Node Templates

Configure stuff like networking, folder, CPU, memory, etc.
Add the following cloud-init config YAML:
#cloud-config
users:
  - name: master
    shell: /bin/bash
    groups: wheel
    sudo: ['ALL=(ALL) NOPASSWD:ALL']
    ssh-authorized-keys:
      - ssh-rsa AAAABaEQ...PbQ== My Awesome Key
packages:
 - open-vm-tools
write_files:
  - path: /root/configure-netplan.sh
    content: |
        #!/bin/bash
        vmtoolsd --cmd 'info-get guestinfo.ovfEnv' > /tmp/ovfenv
        IPAddress=$(sed -n 's/.*Property oe:key="guestinfo.interface.0.ip.0.address" oe:value="\([^"]*\).*/\1/p' /tmp/ovfenv)
        SubnetMask=$(sed -n 's/.*Property oe:key="guestinfo.interface.0.ip.0.netmask" oe:value="\([^"]*\).*/\1/p' /tmp/ovfenv)
        Gateway=$(sed -n 's/.*Property oe:key="guestinfo.interface.0.route.0.gateway" oe:value="\([^"]*\).*/\1/p' /tmp/ovfenv)
        DNS=$(sed -n 's/.*Property oe:key="guestinfo.dns.servers" oe:value="\([^"]*\).*/\1/p' /tmp/ovfenv)
        
        cat > /etc/netplan/01-netcfg.yaml <<EOF
        network:
          version: 2
          renderer: networkd
          ethernets:
            ens192:
              addresses: 
                - $IPAddress/27
              gateway4: $Gateway
              dhcp6: no
              accept-ra: no
              nameservers:
                addresses : [$DNS]
        EOF
 
        sudo netplan apply
        sleep 30
        sudo systemctl start open-vm-tools
runcmd:
  - bash /root/configure-netplan.sh
bootcmd:
  - [ cloud-init-per, once, rmdefaultnetconf, rm, -f, /etc/netplan/50-cloud-init.yaml ]
  - [ cloud-init-per, once, tempstopvmtools, sudo, systemctl, stop, open-vm-tools ]
Please note: The "hack" with the open-vm-tools service is required since otherwise Rancher will try to connect to the nodes using the temporarily link-local IPv6 or temporarily DHCP IPv4 address. This would prevent Rancher from being able to access the notes in order to install Docker etc..
Check Provide a custom vApp config and set the following values (replace vlan-123 with the actual port group name!):

com.vmware.guestInfo IPv4 fixedAllocated
guestinfo.interface.0.ip.0.address ip:vlan-123
guestinfo.interface.0.ip.0.netmask ${netmask:vlan-123}
guestinfo.interface.0.route.0.gateway ${gateway:vlan-123}
guestinfo.dns.servers ${dns:vlan-123}

Rancher vSphere Cluster Creation


Fisit https://rancher.example.com/g/clusters/add/select and select vSphere
Fill out the regarding options:

Cluster Name: test
Create two type of node groups:

Master nodes:

Name Prefix: test-master-
Count: 3
Template: Ubuntu Bionic Master Test
Auto Replace: 0 minutes (default value)
etcd: checked
Control Plane: checked
Worker: unchecked
Taints: none (default value)


Worker nodes:

Name Prefix: test-worker-
Count: 3
Template: Ubuntu Bionic Worker Test
Auto Replace: 0 minutes (default value)
etcd: unchecked
Control Plane: unchecked
Worker: checked
Taints: none (default value)


Member Roles: Add admins as Owner
For the Kubernetes Options section, just click on Edit as YAML and replace the whole shown YAML with the one from 1-cluster-template.yaml.tmpl (or at least add the cloud_provider section).
Click Create.


vSphere K8s Storage

Apply 2-vsphere-thin-standard.yaml (replace MY-VMWARE-DATA-STORE with your actual datastore name from the vSphere cluster): kubectl apply -f 2-vsphere-thin-standard.yaml

  
## 1-cluster-template.yaml.tmpl
#
# Cluster Config
#
docker_root_dir: /var/lib/docker
enable_cluster_alerting: false
enable_cluster_monitoring: false
enable_network_policy: true
local_cluster_auth_endpoint:
  enabled: true
name: 'test'
#
# Rancher Config
#
rancher_kubernetes_engine_config:
  addon_job_timeout: 30
  cloud_provider:
    name: vsphere
    vsphereCloudProvider:
      global:
        insecure-flag: true
      virtual_center:
        10.10.10.10:
          # Use the "user@domain" syntax to workaround https://github.com/rancher/rancher/issues/16371
          user: svc_user_rancher@vsphere.local
          password: ------secret------
          port: 443
          datacenters: /mydc
      workspace:
        server: 10.10.10.10
        folder: /mydc/vm/Prod/K8s/storage
        default-datastore: /mydc/datastore/MY-VMWARE-DATA-STORE
        datacenter: /mydc
        resourcepool-path: RP-K8s
  authentication:
    strategy: x509
  dns:
    nodelocal:
      ip_address: ''
      node_selector: null
      update_strategy: {}
  ignore_docker_version: true
#
# # Currently only nginx ingress provider is supported.
# # To disable ingress controller, set `provider: none`
# # To enable ingress on specific nodes, use the node_selector, eg:
#    provider: nginx
#    node_selector:
#      app: ingress
#
  ingress:
    provider: none
  kubernetes_version: v1.17.6-rancher2-1
  monitoring:
    provider: metrics-server
    replicas: 1
#
#   If you are using calico on AWS
#
#    network:
#      plugin: calico
#      calico_network_provider:
#        cloud_provider: aws
#
# # To specify flannel interface
#
#    network:
#      plugin: flannel
#      flannel_network_provider:
#      iface: eth1
#
# # To specify flannel interface for canal plugin
#
#    network:
#      plugin: canal
#      canal_network_provider:
#        iface: eth1
#
  network:
    mtu: 0
    options:
      flannel_backend_type: vxlan
    plugin: canal
#
#    services:
#      kube-api:
#        service_cluster_ip_range: 10.43.0.0/16
#      kube-controller:
#        cluster_cidr: 10.42.0.0/16
#        service_cluster_ip_range: 10.43.0.0/16
#      kubelet:
#        cluster_domain: cluster.local
#        cluster_dns_server: 10.43.0.10
#
  services:
    etcd:
      backup_config:
        enabled: true
        interval_hours: 12
        retention: '20'
        s3_backup_config:
          access_key: ------secret------
          bucket_name: backup-etcd-test
          endpoint: minio.example.com
          secret_key: ------secret------
        safe_timestamp: false
      creation: 12h
      extra_args:
        election-timeout: 5000
        heartbeat-interval: 500
      gid: 0
      retention: 72h
      snapshot: false
      uid: 0
    kube_api:
      always_pull_images: false
      pod_security_policy: false
      service_node_port_range: 30000-32767
  ssh_agent_auth: false
  upgrade_strategy:
    drain: true
    max_unavailable_controlplane: '1'
    max_unavailable_worker: '1'
    node_drain_input:
      delete_local_data: 'true'
      force: false
      grace_period: 60
      ignore_daemon_sets: true
      timeout: 120
scheduled_cluster_scan:
  enabled: true
  scan_config:
    cis_scan_config:
      debug_master: false
      debug_worker: false
      override_benchmark_version: rke-cis-1.4
      profile: permissive
  schedule_config:
    cron_schedule: 0 0 * * *
    retention: 24
windows_prefered_cluster: false

## 2-vsphere-thin-standard.yaml
apiVersion: v1
items:
- allowVolumeExpansion: false
  apiVersion: storage.k8s.io/v1
  kind: StorageClass
  metadata:
    annotations:
      storageclass.beta.kubernetes.io/is-default-class: "true"
      storageclass.kubernetes.io/is-default-class: "true"
    labels:
      cattle.io/creator: norman
    name: vsphere-thin-standard
    selfLink: /apis/storage.k8s.io/v1/storageclasses/vsphere-thin-standard
  parameters:
    datastore: MY-VMWARE-DATA-STORE
    diskformat: thin
    fstype: ext4
  provisioner: kubernetes.io/vsphere-volume
  reclaimPolicy: Delete
  volumeBindingMode: Immediate
kind: List
metadata:
  resourceVersion: ""
  selfLink: ""
	#
	# Cluster Config
	#
	docker_root_dir: /var/lib/docker
	enable_cluster_alerting: false
	enable_cluster_monitoring: false
	enable_network_policy: true
	local_cluster_auth_endpoint:
	enabled: true
	name: 'test'
	#
	# Rancher Config
	#
	rancher_kubernetes_engine_config:
	addon_job_timeout: 30
	cloud_provider:
	name: vsphere
	vsphereCloudProvider:
	global:
	insecure-flag: true
	virtual_center:
	10.10.10.10:
	# Use the "user@domain" syntax to workaround https://github.com/rancher/rancher/issues/16371
	user: svc_user_rancher@vsphere.local
	password: ------secret------
	port: 443
	datacenters: /mydc
	workspace:
	server: 10.10.10.10
	folder: /mydc/vm/Prod/K8s/storage
	default-datastore: /mydc/datastore/MY-VMWARE-DATA-STORE
	datacenter: /mydc
	resourcepool-path: RP-K8s
	authentication:
	strategy: x509
	dns:
	nodelocal:
	ip_address: ''
	node_selector: null
	update_strategy: {}
	ignore_docker_version: true
	#
	# # Currently only nginx ingress provider is supported.
	# # To disable ingress controller, set `provider: none`
	# # To enable ingress on specific nodes, use the node_selector, eg:
	# provider: nginx
	# node_selector:
	# app: ingress
	#
	ingress:
	provider: none
	kubernetes_version: v1.17.6-rancher2-1
	monitoring:
	provider: metrics-server
	replicas: 1
	#
	# If you are using calico on AWS
	#
	# network:
	# plugin: calico
	# calico_network_provider:
	# cloud_provider: aws
	#
	# # To specify flannel interface
	#
	# network:
	# plugin: flannel
	# flannel_network_provider:
	# iface: eth1
	#
	# # To specify flannel interface for canal plugin
	#
	# network:
	# plugin: canal
	# canal_network_provider:
	# iface: eth1
	#
	network:
	mtu: 0
	options:
	flannel_backend_type: vxlan
	plugin: canal
	#
	# services:
	# kube-api:
	# service_cluster_ip_range: 10.43.0.0/16
	# kube-controller:
	# cluster_cidr: 10.42.0.0/16
	# service_cluster_ip_range: 10.43.0.0/16
	# kubelet:
	# cluster_domain: cluster.local
	# cluster_dns_server: 10.43.0.10
	#
	services:
	etcd:
	backup_config:
	enabled: true
	interval_hours: 12
	retention: '20'
	s3_backup_config:
	access_key: ------secret------
	bucket_name: backup-etcd-test
	endpoint: minio.example.com
	secret_key: ------secret------
	safe_timestamp: false
	creation: 12h
	extra_args:
	election-timeout: 5000
	heartbeat-interval: 500
	gid: 0
	retention: 72h
	snapshot: false
	uid: 0
	kube_api:
	always_pull_images: false
	pod_security_policy: false
	service_node_port_range: 30000-32767
	ssh_agent_auth: false
	upgrade_strategy:
	drain: true
	max_unavailable_controlplane: '1'
	max_unavailable_worker: '1'
	node_drain_input:
	delete_local_data: 'true'
	force: false
	grace_period: 60
	ignore_daemon_sets: true
	timeout: 120
	scheduled_cluster_scan:
	enabled: true
	scan_config:
	cis_scan_config:
	debug_master: false
	debug_worker: false
	override_benchmark_version: rke-cis-1.4
	profile: permissive
	schedule_config:
	cron_schedule: 0 0 * * *
	retention: 24
	windows_prefered_cluster: false
	apiVersion: v1
	items:
	- allowVolumeExpansion: false
	apiVersion: storage.k8s.io/v1
	kind: StorageClass
	metadata:
	annotations:
	storageclass.beta.kubernetes.io/is-default-class: "true"
	storageclass.kubernetes.io/is-default-class: "true"
	labels:
	cattle.io/creator: norman
	name: vsphere-thin-standard
	selfLink: /apis/storage.k8s.io/v1/storageclasses/vsphere-thin-standard
	parameters:
	datastore: MY-VMWARE-DATA-STORE
	diskformat: thin
	fstype: ext4
	provisioner: kubernetes.io/vsphere-volume
	reclaimPolicy: Delete
	volumeBindingMode: Immediate
	kind: List
	metadata:
	resourceVersion: ""
	selfLink: ""