Migrating Rancher to a New Cluster
If you are migrating Rancher to a new Kubernetes cluster, you don't need to install Rancher on the new cluster first. If Rancher is restored to a new cluster with Rancher already installed, it can cause problems.
Prerequisites
These instructions assume that you have created a backup and already installed a new Kubernetes cluster where Rancher will be deployed. The backup is specific to the Rancher application and can only migrate the Rancher application.
You must use the same hostname that was set as the server URL in the original cluster. If you don't, downstream clusters will show as unavailable in the cluster management page of the UI, and you won't be able to click inside the cluster or on the cluster's Explore button.
Rancher version must be v2.5.0 and up
Rancher can be installed on any Kubernetes cluster, including hosted Kubernetes clusters such as Amazon EKS clusters. For help installing Kubernetes, refer to the documentation of the Kubernetes distribution. A Rancher-created Kubernetes distributions such as, but not limited to, RKE or K3s may also be used.
Since Rancher can be installed on any Kubernetes cluster, you can use this backup and restore method to migrate Rancher from one Kubernetes cluster to any other Kubernetes cluster. This method only migrates Rancher-related resources and won't affect other applications on the cluster. Refer to the support matrix to identify which Kubernetes cluster types and versions are supported for your Rancher version.
1. Install the rancher-backup Helm chart
Install the rancher-backup chart:
- Add the Helm repository: - helm repo add rancher-charts https://charts.rancher.io
 helm repo update
- Set a - CHART_VERSIONvariable, selecting a- rancher-backupchart version compatible with your version of Rancher. See the support matrix, within the Rancher Apps / Cluster Tools section, to see which- rancher-backupversions are supported:- CHART_VERSION=<chart-version>
- Install the charts: - helm install rancher-backup-crd rancher-charts/rancher-backup-crd -n cattle-resources-system --create-namespace --version $CHART_VERSION
 helm install rancher-backup rancher-charts/rancher-backup -n cattle-resources-system --version $CHART_VERSIONnote- The above assumes an environment with outbound connectivity to Docker Hub. - For an air-gapped environment, use the following Helm values to pull the - backup-restore-operatorand- kubectlimages from your private registry when you install the rancher-backup Helm chart.- --set image.repository <registry>/rancher/backup-restore-operator --set global.kubectl.repository=<registry>/rancher/kubectl
2. Restore from backup using a Restore custom resource
- When using S3 object storage as the backup source for a restore that requires credentials, create a - Secretobject in this cluster to add the S3 credentials. The secret data must have two keys -- accessKey, and- secretKey, that contain the S3 credentials.- The secret can be created in any namespace, this example uses the default namespace. - kubectl create secret generic s3-creds \
 --from-literal=accessKey=<access key> \
 --from-literal=secretKey=<secret key>note- Add your access key and secret key as values for - accessKeyand- secretKeyin the command above.
- Create a - Restoreobject:- During a migration, - prunemust be set to- false. See the example below:- # restore-migration.yaml
 apiVersion: resources.cattle.io/v1
 kind: Restore
 metadata:
 name: restore-migration
 spec:
 backupFilename: backup-b0450532-cee1-4aa1-a881-f5f48a007b1c-2020-09-15T07-27-09Z.tar.gz
 prune: false
 encryptionConfigSecretName: encryptionconfig
 storageLocation:
 s3:
 credentialSecretName: s3-creds
 credentialSecretNamespace: default
 bucketName: backup-test
 folder: ecm1
 region: us-west-2
 endpoint: s3.us-west-2.amazonaws.comImportant- The field - encryptionConfigSecretNameshould be used only if your backup was created with encryption enabled.- If this applies, provide the name of the - Secretobject containing the encryption config file. If you only have the encryption config file, but don't have the secret created in this cluster, use the following steps to create the secret:- Create an encryption configuration file 
- The command below uses a file named - encryption-provider-config.yaml, with the- --from-fileflag. Run the below once the- EncryptionConfigurationis saved in a file called- encryption-provider-config.yaml:- kubectl create secret generic encryptionconfig \
 --from-file=./encryption-provider-config.yaml \
 -n cattle-resources-system
 
- Apply the manifest, and monitor the Restore status: - Apply the - Restoreobject resource:- kubectl apply -f restore-migration.yaml
- Watch the Restore status: - kubectl get restore
- Watch the restoration logs: - kubectl logs -n cattle-resources-system --tail 100 -f -l app.kubernetes.io/instance=rancher-backup
- Once the Restore resource has the status - Completed, you can continue the cert-manager and Rancher installation.
 
When migrating Rancher between any two different Kubernetes distributions (e.g. from K3s to RKE2), the object representing the local cluster has to be modified to allow Rancher to detect the new distribution. After the restoration is completed, and before bringing up Rancher on the new cluster, edit the local cluster object:
kubectl edit clusters.management.cattle.io local
- Change the value of status.drivertoimported.
- Remove status.provider.
- Remove the entire status.versionmap.
- Remove the label with the key provider.cattle.ioinmetadata.labels.
- Remove the annotation with the key management.cattle.io/current-cluster-controllers-versioninmetadata.annotations.
- Remove the entire spec.rke2Configorspec.k3sConfigmap, if present.
- Save the changes.
Note that removing spec.rke2Config or spec.k3sConfig will erase your distribution-specific upgrade configuration for the local cluster. It can be reconfigured if the new distribution is configurable for the local cluster.
3. Install cert-manager
Follow the steps to install cert-manager in the documentation about installing cert-manager on Kubernetes.
4. Bring up Rancher with Helm
Use the same version of Helm to install Rancher, that was used on the first cluster.
helm install rancher rancher-latest/rancher \
  --namespace cattle-system \
  --set hostname=<same hostname as the server URL from the first Rancher server> \
  --version x.y.z
If the original Rancher environment is running, you can collect the current values with a kubeconfig for the original environment:
helm get values rancher -n cattle-system -o yaml > rancher-values.yaml
These values can be reused using the rancher-values.yaml file. Be sure to switch the kubeconfig to the new Rancher environment.
helm install rancher rancher-latest/rancher -n cattle-system -f rancher-values.yaml --version x.y.z
5. Redirect Traffic to the New Cluster
After migration completes, update your DNS records and any load balancers, so that traffic is routed correctly to the migrated cluster. Remember that you must use the same hostname that was set as the server URL in the original cluster.
Full instructions on how to redirect traffic to the migrated cluster differ based on your specific environment. Refer to your hosting provider's documentation for more details.