This section is about how to deploy Rancher for your air gapped environment. An air gapped environment could be where Rancher server will be installed offline, behind a firewall, or behind a proxy. There are tabs for either a high availability (recommended) or a Docker installation.

Privileged Access for Rancher v2.5+

When the Rancher server is deployed in the Docker container, a local Kubernetes cluster is installed within the container for Rancher to use. Because many features of Rancher run as deployments, and privileged mode is required to run containers within containers, you will need to install Rancher with the --privileged option.

Rancher recommends installing Rancher on a Kubernetes cluster. A highly available Kubernetes install is comprised of three nodes running the Rancher server components on a Kubernetes cluster. The persistence layer (etcd) is also replicated on these three nodes, providing redundancy and data duplication in case one of the nodes fails.

This section describes installing Rancher in five parts:

1. Add the Helm Chart Repository

From a system that has access to the internet, fetch the latest Helm chart and copy the resulting manifests to a system that has access to the Rancher server cluster.

  1. If you haven’t already, install helm locally on a workstation that has internet access. Note: Refer to the Helm version requirements to choose a version of Helm to install Rancher.

  2. Use helm repo add command to add the Helm chart repository that contains charts to install Rancher. For more information about the repository choices and which is best for your use case, see Choosing a Version of Rancher.

    Latest: Recommended for trying out the newest features

    Stable: Recommended for production environments

    Alpha: Experimental preview of upcoming releases.
    Note: Upgrades are not supported to, from, or between Alphas.

    1. helm repo add rancher-<CHART_REPO> https://releases.rancher.com/server-charts/<CHART_REPO>
  3. Fetch the latest Rancher chart. This will pull down the chart and save it in the current directory as a .tgz file.

    1. helm fetch rancher-<CHART_REPO>/rancher

    If you require a specific version of Rancher, you can fetch this with the Helm --version parameter like in the following example:

    1. helm fetch rancher-stable/rancher --version=v2.4.8

2. Choose your SSL Configuration

Rancher Server is designed to be secure by default and requires SSL/TLS configuration.

When Rancher is installed on an air gapped Kubernetes cluster, there are two recommended options for the source of the certificate.

Note: If you want terminate SSL/TLS externally, see TLS termination on an External Load Balancer.

ConfigurationChart optionDescriptionRequires cert-manager
Rancher Generated Self-Signed Certificatesingress.tls.source=rancherUse certificates issued by Rancher’s generated CA (self signed)
This is the default and does not need to be added when rendering the Helm template.
yes
Certificates from Filesingress.tls.source=secretUse your own certificate files by creating Kubernetes Secret(s).
This option must be passed when rendering the Rancher Helm template.
no

3. Render the Rancher Helm Template

When setting up the Rancher Helm template, there are several options in the Helm chart that are designed specifically for air gap installations.

Chart OptionChart ValueDescription
certmanager.versionConfigure proper Rancher TLS issuer depending of running cert-manager version.
systemDefaultRegistry<REGISTRY.YOURDOMAIN.COM:PORT>Configure Rancher server to always pull from your private registry when provisioning clusters.
useBundledSystemCharttrueConfigure Rancher server to use the packaged copy of Helm system charts. The system charts repository contains all the catalog items required for features such as monitoring, logging, alerting and global DNS. These Helm charts are located in GitHub, but since you are in an air gapped environment, using the charts that are bundled within Rancher is much easier than setting up a Git mirror. Available as of v2.3.0

Based on the choice your made in B. Choose your SSL Configuration, complete one of the procedures below.

Option A: Default Self-Signed Certificate

Click to expand

By default, Rancher generates a CA and uses cert-manager to issue the certificate for access to the Rancher server interface.

Note: Recent changes to cert-manager require an upgrade. If you are upgrading Rancher and using a version of cert-manager older than v0.11.0, please see our upgrade cert-manager documentation.

  1. From a system connected to the internet, add the cert-manager repo to Helm.

    1. helm repo add jetstack https://charts.jetstack.io
    2. helm repo update
  2. Fetch the latest cert-manager chart available from the Helm chart repository.

    1. helm fetch jetstack/cert-manager --version v1.0.4
  3. Render the cert manager template with the options you would like to use to install the chart. Remember to set the image.repository option to pull the image from your private registry. This will create a cert-manager directory with the Kubernetes manifest files.

    1. helm template cert-manager ./cert-manager-v1.0.4.tgz --output-dir . \
    2. --namespace cert-manager \
    3. --set image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-controller \
    4. --set webhook.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-webhook \
    5. --set cainjector.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/quay.io/jetstack/cert-manager-cainjector
  4. Download the required CRD file for cert-manager

    1. curl -L -o cert-manager/cert-manager-crd.yaml https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.crds.yaml
  5. Render the Rancher template, declaring your chosen options. Use the reference table below to replace each placeholder. Rancher needs to be configured to use the private registry in order to provision any Rancher launched Kubernetes clusters or Rancher tools.

    PlaceholderDescription
    <VERSION>The version number of the output tarball.
    <RANCHER.YOURDOMAIN.COM>The DNS name you pointed at your load balancer.
    <REGISTRY.YOURDOMAIN.COM:PORT>The DNS name for your private registry.
    <CERTMANAGER_VERSION>Cert-manager version running on k8s cluster.
    1. helm template rancher ./rancher-<VERSION>.tgz --output-dir . \
    2. --namespace cattle-system \
    3. --set hostname=<RANCHER.YOURDOMAIN.COM> \
    4. --set certmanager.version=<CERTMANAGER_VERSION> \
    5. --set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher \
    6. --set systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \ # Available as of v2.2.0, set a default private registry to be used in Rancher
    7. --set useBundledSystemChart=true # Available as of v2.3.0, use the packaged Rancher system charts

Optional: To install a specific Rancher version, set the rancherImageTag value, example: --set rancherImageTag=v2.3.6

Option B: Certificates From Files using Kubernetes Secrets

Click to expand

Create Kubernetes secrets from your own certificates for Rancher to use. The common name for the cert will need to match the hostname option in the command below, or the ingress controller will fail to provision the site for Rancher.

Render the Rancher template, declaring your chosen options. Use the reference table below to replace each placeholder. Rancher needs to be configured to use the private registry in order to provision any Rancher launched Kubernetes clusters or Rancher tools.

PlaceholderDescription
<VERSION>The version number of the output tarball.
<RANCHER.YOURDOMAIN.COM>The DNS name you pointed at your load balancer.
<REGISTRY.YOURDOMAIN.COM:PORT>The DNS name for your private registry.
  1. helm template rancher ./rancher-<VERSION>.tgz --output-dir . \
  2. --namespace cattle-system \
  3. --set hostname=<RANCHER.YOURDOMAIN.COM> \
  4. --set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher \
  5. --set ingress.tls.source=secret \
  6. --set systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \ # Available as of v2.2.0, set a default private registry to be used in Rancher
  7. --set useBundledSystemChart=true # Available as of v2.3.0, use the packaged Rancher system charts

If you are using a Private CA signed cert, add --set privateCA=true following --set ingress.tls.source=secret:

  1. helm template rancher ./rancher-<VERSION>.tgz --output-dir . \
  2. --namespace cattle-system \
  3. --set hostname=<RANCHER.YOURDOMAIN.COM> \
  4. --set rancherImage=<REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher \
  5. --set ingress.tls.source=secret \
  6. --set privateCA=true \
  7. --set systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \ # Available as of v2.2.0, set a default private registry to be used in Rancher
  8. --set useBundledSystemChart=true # Available as of v2.3.0, use the packaged Rancher system charts

Optional: To install a specific Rancher version, set the rancherImageTag value, example: --set rancherImageTag=v2.3.6

Then refer to Adding TLS Secrets to publish the certificate files so Rancher and the ingress controller can use them.

4. Install Rancher

Copy the rendered manifest directories to a system that has access to the Rancher server cluster to complete installation.

Use kubectl to create namespaces and apply the rendered manifests.

If you choose to use self-signed certificates in B. Choose your SSL Configuration, install cert-manager.

For Self-Signed Certificate Installs, Install Cert-manager

Click to expand

If you are using self-signed certificates, install cert-manager:

  1. Create the namespace for cert-manager.

    1. kubectl create namespace cert-manager
  2. Create the cert-manager CustomResourceDefinitions (CRDs).

    1. kubectl apply -f cert-manager/cert-manager-crd.yaml

    Note: If you are running Kubernetes v1.15 or below, you will need to add the --validate=false flag to your kubectl apply command above, or else you will receive a validation error relating to the x-kubernetes-preserve-unknown-fields field in cert-manager’s CustomResourceDefinition resources. This is a benign error and occurs due to the way kubectl performs resource validation.

  3. Launch cert-manager.

    1. kubectl apply -R -f ./cert-manager

Install Rancher with kubectl

  1. kubectl create namespace cattle-system
  2. kubectl -n cattle-system apply -R -f ./rancher

Step Result: If you are installing Rancher v2.3.0+, the installation is complete.

Note: If you don’t intend to send telemetry data, opt out telemetry during the initial login. Leaving this active in an air-gapped environment can cause issues if the sockets cannot be opened successfully.

5. For Rancher versions before v2.3.0, Configure System Charts

If you are installing Rancher versions before v2.3.0, you will not be able to use the packaged system charts. Since the Rancher system charts are hosted in Github, an air gapped installation will not be able to access these charts. Therefore, you must configure the Rancher system charts.

Additional Resources

These resources could be helpful when installing Rancher:

The Docker installation is for Rancher users who want to test out Rancher.

Instead of running on a Kubernetes cluster, you install the Rancher server component on a single node using a docker run command. Since there is only one node and a single Docker container, if the node goes down, there is no copy of the etcd data available on other nodes and you will lose all the data of your Rancher server.

Important: For Rancher v2.0-v2.4, there is no upgrade path to transition your Docker installation to a Kubernetes Installation.** Instead of running the single node installation, you have the option to follow the Kubernetes Install guide, but only use one node to install Rancher. Afterwards, you can scale up the etcd nodes in your Kubernetes cluster to make it a Kubernetes Installation.

For Rancher v2.5+, the backup application can be used to migrate the Rancher server from a Docker install to a Kubernetes install using these steps.

For security purposes, SSL (Secure Sockets Layer) is required when using Rancher. SSL secures all Rancher network communication, like when you login or interact with a cluster.

Environment Variable KeyEnvironment Variable ValueDescription
CATTLE_SYSTEM_DEFAULT_REGISTRY<REGISTRY.YOURDOMAIN.COM:PORT>Configure Rancher server to always pull from your private registry when provisioning clusters.
CATTLE_SYSTEM_CATALOGbundledConfigure Rancher server to use the packaged copy of Helm system charts. The system charts repository contains all the catalog items required for features such as monitoring, logging, alerting and global DNS. These Helm charts are located in GitHub, but since you are in an air gapped environment, using the charts that are bundled within Rancher is much easier than setting up a Git mirror. Available as of v2.3.0

Do you want to…

  • For Rancher before v2.3.0, you will need to mirror the system-charts repository to a location in your network that Rancher can reach. Then, after Rancher is installed, you will need to configure Rancher to use that repository. For details, refer to the documentation on setting up the system charts for Rancher before v2.3.0.

Choose from the following options:

Option A: Default Self-Signed Certificate

Click to expand

If you are installing Rancher in a development or testing environment where identity verification isn’t a concern, install Rancher using the self-signed certificate that it generates. This installation option omits the hassle of generating a certificate yourself.

Log into your Linux host, and then run the installation command below. When entering the command, use the table below to replace each placeholder.

PlaceholderDescription
<REGISTRY.YOURDOMAIN.COM:PORT>Your private registry URL and port.
<RANCHER_VERSION_TAG>The release tag of the Rancher version that you want to install.

As of Rancher v2.5, privileged access is required.

  1. docker run -d --restart=unless-stopped \
  2. -p 80:80 -p 443:443 \
  3. -e CATTLE_SYSTEM_DEFAULT_REGISTRY=<REGISTRY.YOURDOMAIN.COM:PORT> \ # Set a default private registry to be used in Rancher
  4. -e CATTLE_SYSTEM_CATALOG=bundled \ #Available as of v2.3.0, use the packaged Rancher system charts
  5. --privileged \
  6. <REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher:<RANCHER_VERSION_TAG>

Option B: Bring Your Own Certificate: Self-Signed

Click to expand

In development or testing environments where your team will access your Rancher server, create a self-signed certificate for use with your install so that your team can verify they’re connecting to your instance of Rancher.

Prerequisites: From a computer with an internet connection, create a self-signed certificate using OpenSSL or another method of your choice.

  • The certificate files must be in PEM format.
  • In your certificate file, include all intermediate certificates in the chain. Order your certificates with your certificate first, followed by the intermediates. For an example, see Certificate Troubleshooting.

After creating your certificate, log into your Linux host, and then run the installation command below. When entering the command, use the table below to replace each placeholder. Use the -v flag and provide the path to your certificates to mount them in your container.

PlaceholderDescription
<CERT_DIRECTORY>The path to the directory containing your certificate files.
<FULL_CHAIN.pem>The path to your full certificate chain.
<PRIVATE_KEY.pem>The path to the private key for your certificate.
<CA_CERTS.pem>The path to the certificate authority’s certificate.
<REGISTRY.YOURDOMAIN.COM:PORT>Your private registry URL and port.
<RANCHER_VERSION_TAG>The release tag of the Rancher version that you want to install.

As of Rancher v2.5, privileged access is required.

  1. docker run -d --restart=unless-stopped \
  2. -p 80:80 -p 443:443 \
  3. -v /<CERT_DIRECTORY>/<FULL_CHAIN.pem>:/etc/rancher/ssl/cert.pem \
  4. -v /<CERT_DIRECTORY>/<PRIVATE_KEY.pem>:/etc/rancher/ssl/key.pem \
  5. -v /<CERT_DIRECTORY>/<CA_CERTS.pem>:/etc/rancher/ssl/cacerts.pem \
  6. -e CATTLE_SYSTEM_DEFAULT_REGISTRY=<REGISTRY.YOURDOMAIN.COM:PORT> \ # Set a default private registry to be used in Rancher
  7. -e CATTLE_SYSTEM_CATALOG=bundled \ #Available as of v2.3.0, use the packaged Rancher system charts
  8. --privileged \
  9. <REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher:<RANCHER_VERSION_TAG>

Option C: Bring Your Own Certificate: Signed by Recognized CA

Click to expand

In development or testing environments where you’re exposing an app publicly, use a certificate signed by a recognized CA so that your user base doesn’t encounter security warnings.

Prerequisite: The certificate files must be in PEM format.

After obtaining your certificate, log into your Linux host, and then run the installation command below. When entering the command, use the table below to replace each placeholder. Because your certificate is signed by a recognized CA, mounting an additional CA certificate file is unnecessary.

PlaceholderDescription
<CERT_DIRECTORY>The path to the directory containing your certificate files.
<FULL_CHAIN.pem>The path to your full certificate chain.
<PRIVATE_KEY.pem>The path to the private key for your certificate.
<REGISTRY.YOURDOMAIN.COM:PORT>Your private registry URL and port.
<RANCHER_VERSION_TAG>The release tag of the Rancher version that you want to install.

Note: Use the --no-cacerts as argument to the container to disable the default CA certificate generated by Rancher.

As of Rancher v2.5, privileged access is required.

  1. docker run -d --restart=unless-stopped \
  2. -p 80:80 -p 443:443 \
  3. --no-cacerts \
  4. -v /<CERT_DIRECTORY>/<FULL_CHAIN.pem>:/etc/rancher/ssl/cert.pem \
  5. -v /<CERT_DIRECTORY>/<PRIVATE_KEY.pem>:/etc/rancher/ssl/key.pem \
  6. -e CATTLE_SYSTEM_DEFAULT_REGISTRY=<REGISTRY.YOURDOMAIN.COM:PORT> \ # Set a default private registry to be used in Rancher
  7. -e CATTLE_SYSTEM_CATALOG=bundled \ #Available as of v2.3.0, use the packaged Rancher system charts
  8. --privileged
  9. <REGISTRY.YOURDOMAIN.COM:PORT>/rancher/rancher:<RANCHER_VERSION_TAG>

If you are installing Rancher v2.3.0+, the installation is complete.

Note: If you don’t intend to send telemetry data, opt out telemetry during the initial login.

If you are installing Rancher versions before v2.3.0, you will not be able to use the packaged system charts. Since the Rancher system charts are hosted in Github, an air gapped installation will not be able to access these charts. Therefore, you must configure the Rancher system charts.