A. Add the Helm Chart Repository

From a system that has access to the internet, render the installs and copy the resulting manifests to a system that has access to the Rancher server cluster.

  1. If you haven’t already, initialize helm locally on a system that has internet access.

    helm init -c

  2. Use the helm repo add command to add the Helm chart repository that contains the charts to install Rancher. For more information about the repository choices and which is best for your use case, see Choosing a Version of Rancher.

    Replace both occurrences of <CHART_REPO> with the Helm chart repository that you want to use (i.e. latest or stable).

    helm repo add rancher-<CHART_REPO> https://releases.rancher.com/server-charts/<CHART_REPO>
    
  3. Fetch the latest Rancher chart. This will pull down the chart and save it in the current directory as a .tgz file. Replace <CHART_REPO> with the repo you’re using (latest or stable).

    helm fetch rancher-<CHART_REPO>/rancher

Want additional options? Need help troubleshooting? See High Availability Install: Advanced Options.

B. Choose your SSL Configuration

Rancher Server is designed to be secure by default and requires SSL/TLS configuration.

For HA air gap configurations, there are two recommended options for the source of the certificate.

Note: If you want to terminate SSL/TLS externally, see TLS termination on an External Load Balancer.

| Configuration | Chart option | Description | Requires cert-manager |
|---|---|---|---|
| Rancher Generated Self-Signed Certificates | ingress.tls.source=rancher | Use certificates issued by Rancher’s generated CA (self signed). This is the default. | yes |
| Certificates from Files | ingress.tls.source=secret | Use your own certificate files by creating Kubernetes Secret(s) | no |

C. Install Rancher

Based on the choice you made in B. Choose your SSL Configuration, complete one of the procedures below.

By default, Rancher generates a CA and uses cert-manager to issue the certificate for access to the Rancher server interface.

  1. From a system connected to the internet, fetch the latest cert-manager chart available from the official Helm chart repository.

    helm fetch stable/cert-manager

  2. Render the cert-manager template with the options you would like to use to install the chart. Remember to set the image.repository option to pull the image from your private registry. This will create a cert-manager directory with the Kubernetes manifest files.

    helm template ./cert-manager-<version>.tgz --output-dir . \
    --name cert-manager --namespace kube-system \
    --set image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-controller
  3. Render the Rancher template, declaring your chosen options. Use the reference table below to replace each placeholder.

    | Placeholder | Description |
    |---|---|
    | <VERSION> | The version number of the output tarball. |
    | <RANCHER.YOURDOMAIN.COM> | The DNS name you pointed at your load balancer. |
    | <REGISTRY.YOURDOMAIN.COM:PORT> | The DNS name for your private registry. |

    helm template ./rancher-<VERSION>.tgz --output-dir . \
     --name rancher \
     --namespace cattle-system \
     --set hostname=<RANCHER.YOURDOMAIN.COM> \
     --set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher

If you chose Certificates from Files (ingress.tls.source=secret) instead, follow these steps.

  1. Create Kubernetes secrets from your own certificates for Rancher to use.

    Note: The common name for the cert will need to match the hostname option or the ingress controller will fail to provision the site for Rancher.

  2. Render the Rancher template, declaring your chosen options. Use the reference table below to replace each placeholder.

    | Placeholder | Description |
    |---|---|
    | <VERSION> | The version number of the output tarball. |
    | <RANCHER.YOURDOMAIN.COM> | The DNS name you pointed at your load balancer. |
    | <REGISTRY.YOURDOMAIN.COM:PORT> | The DNS name for your private registry. |

    Note: If you are using a Private CA signed cert, add --set privateCA=true following --set ingress.tls.source=secret

    helm template ./rancher-<VERSION>.tgz --output-dir . \
      --name rancher \
      --namespace cattle-system \
      --set hostname=<RANCHER.YOURDOMAIN.COM> \
      --set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher \
      --set ingress.tls.source=secret

  3. See Adding TLS Secrets to publish the certificate files so Rancher and the ingress controller can use them.
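
Before copying the rendered directories, confirm that every image reference in them points at the private registry, since an air-gapped node cannot pull from anywhere else. The script below is an added example, not part of the Rancher documentation; the function names, registry.example.com:5000 and the sample manifests are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag images in rendered manifests that would not be pulled
# from the private registry. All names below are hypothetical.

# list_external_images DIR REGISTRY
# Prints "file: image" for each image: value that does not start with
# REGISTRY/. Returns 0 when every image uses the registry, 1 otherwise.
list_external_images() {
    out=$(find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) \
        -exec awk -v reg="$2/" -v sq="'" '
        /^[ \t-]*image:[ \t]/ {
            img = $0
            sub(/^[ \t-]*image:[ \t]*/, "", img)   # drop the key
            sub(/[ \t]+#.*$/, "", img)             # drop a trailing comment
            gsub(/"/, "", img); gsub(sq, "", img)  # drop YAML quotes
            if (index(img, reg) != 1) print FILENAME ": " img
        }' {} +)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: the Rancher manifest was rendered with the registry
# override, the cert-manager manifest without it (tags are made up).
make_sample_manifests() {
    mkdir -p "$1/rancher/templates" "$1/cert-manager/templates"
    cat > "$1/rancher/templates/deployment.yaml" <<'EOF'
      containers:
      - image: "registry.example.com:5000/rancher/rancher:example"
        name: rancher
EOF
    cat > "$1/cert-manager/templates/deployment.yaml" <<'EOF'
      containers:
      - name: cert-manager
        image: quay.io/jetstack/cert-manager-controller:example
EOF
}

demo_dir=$(mktemp -d)
make_sample_manifests "$demo_dir"
if list_external_images "$demo_dir" "registry.example.com:5000"; then
    echo "all images use the private registry"
else
    echo "re-render the charts listed above with the registry override"
fi
rm -rf "$demo_dir"
```

Run it against the directory that holds the rendered cert-manager and rancher directories, passing your own <REGISTRY.YOURDOMAIN.COM:PORT> value as the second argument.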

D. Install Rancher

Copy the rendered manifest directories to a system that has access to the Rancher server cluster to complete installation.

Use kubectl to create namespaces and apply the rendered manifests.

    kubectl -n kube-system apply -R -f ./cert-manager

    kubectl create namespace cattle-system
    kubectl -n cattle-system apply -R -f ./rancher

Next: Configure Rancher for the Private Registry