3. Install SUSE Rancher Prime

Now that you have a running RKE2/K3s cluster, you can install Rancher in it. For security reasons, all traffic to Rancher must be encrypted with TLS. In this tutorial, cert-manager automatically issues a self-signed certificate. In a real-world use case, you will likely use Let’s Encrypt or provide your own certificate.

Install the Helm CLI

Install the Helm CLI on a host where you have a kubeconfig to access your Kubernetes cluster:

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod +x get_helm.sh
sudo ./get_helm.sh

Install cert-manager

Using SUSE Application Collection

SUSE Application Collection provides a cert-manager chart that is compatible with Rancher. If you are using SUSE Application Collection, we recommend installing cert-manager using this option.

  1. Log in to the secure SUSE Application Collection registry:

    Before installing, authenticate your Helm CLI against the Application Collection OCI registry using your enterprise credentials:

    helm registry login dp.apps.rancher.io -u <username-or-service-account-username> -p <access-token-or-service-account-token>
  2. Create the target namespace cert-manager:

    kubectl create namespace cert-manager
  3. Create the Image Pull Secret:

    Because the Application Collection is a private registry, your cluster’s nodes need a secret to pull the images. Generate this secret in the cert-manager namespace:

    kubectl create secret docker-registry application-collection \
      --namespace cert-manager \
      --docker-server=dp.apps.rancher.io \
      --docker-username=<YOUR_APPCO_USERNAME> \
      --docker-password=<YOUR_APPCO_TOKEN>
  4. Install cert-manager via the OCI chart path:

    Deploy the chart directly from the OCI registry path. Ensure you pass the global.imagePullSecrets flag so the pods can authenticate:

    helm install <cert-manager-release-version> oci://dp.apps.rancher.io/charts/cert-manager \
        --namespace cert-manager \
        --set global.imagePullSecrets={application-collection} \
        --set crds.enabled=true

    If you are deploying in a cluster that requires FIPS cryptography compliance, you can substitute the chart path with oci://dp.apps.rancher.io/charts/cert-manager-fips.

  5. Verify the installation:

    Once you’ve installed cert-manager, you can verify it is deployed correctly by checking the cert-manager namespace for running pods:

    kubectl get pods --namespace cert-manager
    NAME                                       READY   STATUS    RESTARTS   AGE
    cert-manager-56cc584bd4-nhjx7              1/1     Running   0          3m
    cert-manager-cainjector-7cfc74b84b-kg7m2   1/1     Running   0          3m
    cert-manager-webhook-784f6dd68-69dvn       1/1     Running   0          3m
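
Steps 1 and 3 pass the access token as a command-line argument, where it ends up in shell history and process listings. The following added example (not part of the SUSE documentation) reads the token from a file, hands it to helm registry login through --password-stdin, and creates the same application-collection secret from a generated .dockerconfigjson file. The function names and the token-file argument are assumptions.

```sh
#!/bin/sh
# Added example, not from the SUSE docs. Function names and the token file
# are assumptions; registry, namespace and secret name come from the steps above.
# Usage: appco_login_and_secret <username> <path-to-token-file>

REGISTRY=dp.apps.rancher.io

# Escape backslashes and double quotes so a value is a valid JSON string.
# Assumes the value contains no control characters.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print a .dockerconfigjson document. Arguments: registry, username, token.
build_dockerconfigjson() {
  auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}\n' \
    "$1" "$(json_escape "$2")" "$(json_escape "$3")" "$auth"
}

# Log in with Helm and create the image pull secret. The token is read from
# the first line of a file and only travels through stdin and a 0600 temp file.
appco_login_and_secret() {
  user=$1 token_file=$2 token=
  IFS= read -r token < "$token_file" || [ -n "$token" ] || return 1
  printf '%s' "$token" |
    helm registry login "$REGISTRY" -u "$user" --password-stdin || return 1
  cfg=$(mktemp) || return 1
  build_dockerconfigjson "$REGISTRY" "$user" "$token" > "$cfg"
  kubectl create secret docker-registry application-collection \
    --namespace cert-manager --from-file=.dockerconfigjson="$cfg"
  rc=$?
  rm -f "$cfg"
  return $rc
}
```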

Using Upstream Jetstack Helm Repository

Add the cert-manager Helm repository:

helm repo add jetstack https://charts.jetstack.io

Create a namespace for cert-manager:

kubectl create namespace cert-manager

Install the CustomResourceDefinitions of cert-manager:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/<VERSION>/cert-manager.crds.yaml

To see options on how to customize the cert-manager install (including for cases where your cluster uses PodSecurityPolicies), see the cert-manager docs.

Then install cert-manager with Helm. Note that cert-manager also needs your proxy configured in case it needs to communicate with Let’s Encrypt or other external certificate issuers:

helm upgrade --install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --set http_proxy=http://${proxy_host} \
  --set https_proxy=http://${proxy_host} \
  --set no_proxy=127.0.0.0/8\\,10.0.0.0/8\\,cattle-system.svc\\,172.16.0.0/12\\,192.168.0.0/16\\,.svc\\,.cluster.local

Wait until cert-manager has finished starting up:

kubectl rollout status deployment -n cert-manager cert-manager
kubectl rollout status deployment -n cert-manager cert-manager-webhook

Install SUSE Rancher Prime

Next you can install SUSE Rancher Prime itself. First, add the Helm repository:

helm repo add rancher-prime <helm-chart-repo-url>

To learn more about the Rancher Prime Helm chart repository URL, see our Prime-only documentation. Authentication is required. Use your SUSE Customer Center (SCC) credentials to log in.

Create a namespace:

kubectl create namespace cattle-system

Rancher Prime v2.13.2 reverts the chart name change introduced in Rancher Prime v2.13.1. The chart name changed from rancher-prime back to rancher.

Then install Rancher with Helm. Rancher also needs a proxy configuration so that it can communicate with external application catalogs or retrieve Kubernetes version update metadata:

helm upgrade --install rancher rancher-prime/rancher \
   --namespace cattle-system \
   --set hostname=rancher.example.com \
   --set proxy=http://${proxy_host} \
   --set noProxy=127.0.0.0/8\\,10.0.0.0/8\\,cattle-system.svc\\,172.16.0.0/12\\,192.168.0.0/16\\,.svc\\,.cluster.local

Wait for the deployment to finish:

kubectl rollout status deployment -n cattle-system rancher

You can now navigate to https://rancher.example.com and start using Rancher.
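
The no_proxy and noProxy values in the cert-manager and Rancher helm commands decide which destinations are reached directly and which go through the proxy. The following added example (not part of the SUSE documentation) evaluates that list for a few constructed destinations, so you can check that in-cluster traffic stays direct and only external endpoints are sent to the proxy. It assumes the clients follow the NO_PROXY matching rules of Go's golang.org/x/net/http/httpproxy package; the function names are hypothetical.

```sh
#!/bin/sh
# Added example, not from the SUSE docs. Assumption: the client applies the
# NO_PROXY rules of Go's golang.org/x/net/http/httpproxy package (ports, "*"
# and the built-in localhost exemption are not modelled here).

# The noProxy value from the helm commands, after Helm unescapes the commas.
NO_PROXY_LIST='127.0.0.0/8,10.0.0.0/8,cattle-system.svc,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local'

# Print a dotted-quad IPv4 address as an integer; fail for anything else.
ip_to_int() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Return 0 if destination $1 is exempt from the proxy under list $2.
bypasses_proxy() {
  host=$1
  host_int=$(ip_to_int "$host") || host_int=
  old_ifs=$IFS; IFS=,; set -- $2; IFS=$old_ifs
  for entry in "$@"; do
    case $entry in
      */*)  # CIDR: compared only against IP-literal destinations
        [ -n "$host_int" ] || continue
        net=$(ip_to_int "${entry%/*}") || continue
        mask=$(( (0xFFFFFFFF << (32 - ${entry#*/})) & 0xFFFFFFFF ))
        [ $(( $host_int & $mask )) -eq $(( $net & $mask )) ] && return 0 ;;
      .*)   # leading dot: subdomains only
        case $host in *"$entry") return 0 ;; esac ;;
      *)    # bare name: the name itself and its subdomains
        case $host in "$entry"|*".$entry") return 0 ;; esac ;;
    esac
  done
  return 1
}

# Print "direct" or "proxy" for one destination.
route_for() {
  if bypasses_proxy "$1" "$NO_PROXY_LIST"; then echo direct; else echo proxy; fi
}

# Constructed sample destinations.
for dest in 10.43.0.1 172.32.0.1 rancher.cattle-system.svc \
            kubernetes.default.svc.cluster.local acme-v02.api.letsencrypt.org; do
  printf '%-40s %s\n' "$dest" "$(route_for "$dest")"
done
```

Note that 172.32.0.1 lies outside 172.16.0.0/12 and is therefore sent to the proxy, as is any external hostname such as the Rancher hostname itself.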

Additional Resources

These resources could be helpful when installing Rancher: