rancher / rio

Application Deployment Engine for Kubernetes
https://rio.io
Apache License 2.0

Public domain has certs from cert-manager.local instead of LetsEncrypt.. #531

Open robeastham opened 5 years ago

robeastham commented 5 years ago

This appears to happen with:

rio install --mesh-mode istio

..on v0.5.0-rc1 & v0.5.0-rc2.

I can access my service on

https://myservice-01-default.xxxxx.on-rio.io:9443

..and it works as expected (demo app that grabs json from github) and the cert for the domain above is from LetsEncrypt.

I then added a public domain, i.e. like this:

rio domain register www.mydomain.com myservice-01-default

I could then access my service on that public domain after adding a CNAME record to point my www subdomain to xxxxx.on-rio.io, so I can access like this:

https://www.mydomain.com:9443

But when accessing the service using my public domain my browser complains about the cert because it seems to be issued by cert-manager.local

This was not the case when I was using the default install for 0.4.0, LetsEncrypt certs were assigned correctly for my own domain and not cert-manager.local. If it makes any difference I'm using:

rio up 

...and a Riofile to create the service.

Not sure if this is related but I also get this when doing an install check:

rio install --check

rio controller version v0.5.0-rc2 (303f3652) installed into namespace rio-system
Detecting if clusterDomain is accessible...
Warning: ClusterDomain is not accessible. Error: Get http://xxxxx.on-rio.io:9080: dial tcp myipaddress:9080: i/o timeout
Controller logs are available from riosystemlogs

.. the output from my most recent logs is as follows:

rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Starting rio-controller, version: v0.5.0-rc2, git commit: 303f3652"
rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Creating CRD clusterissuers.certmanager.k8s.io"
rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Creating CRD rioinfos.admin.rio.cattle.io"
rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Creating CRD apps.rio.cattle.io"
rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Creating CRD externalservices.rio.cattle.io"
rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Creating CRD routers.rio.cattle.io"
rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Creating CRD services.rio.cattle.io"
rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Creating CRD stacks.rio.cattle.io"
rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Creating CRD clusterdomains.admin.rio.cattle.io"
rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Creating CRD features.admin.rio.cattle.io"
rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Creating CRD publicdomains.admin.rio.cattle.io"
rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Creating CRD gitcommits.gitwatcher.cattle.io"
rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Creating CRD gitwatchers.gitwatcher.cattle.io"
rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Creating CRD servicescalerecommendations.autoscale.rio.cattle.io"
rio-controller | time="2019-09-27T18:10:42Z" level=info msg="Creating CRD certificates.certmanager.k8s.io"
rio-controller | time="2019-09-27T18:10:43Z" level=info msg="Creating CRD challenges.certmanager.k8s.io"
rio-controller | time="2019-09-27T18:10:43Z" level=info msg="Creating CRD issuers.certmanager.k8s.io"
rio-controller | time="2019-09-27T18:10:43Z" level=info msg="Creating CRD orders.certmanager.k8s.io"
rio-controller | time="2019-09-27T18:10:44Z" level=info msg="Starting admin.rio.cattle.io/v1, Kind=Feature controller"
rio-controller | time="2019-09-27T18:10:44Z" level=info msg="Starting feature stack"
rio-controller | time="2019-09-27T18:10:45Z" level=info msg="Starting apps/v1, Kind=Deployment controller"
rio-controller | time="2019-09-27T18:10:45Z" level=info msg="Starting apps/v1, Kind=DaemonSet controller"
rio-controller | time="2019-09-27T18:10:46Z" level=info msg="Starting /v1, Kind=ConfigMap controller"
rio-controller | time="2019-09-27T18:10:46Z" level=info msg="Starting /v1, Kind=Service controller"
rio-controller | time="2019-09-27T18:10:47Z" level=info msg="Starting rio.cattle.io/v1, Kind=Service controller"
rio-controller | time="2019-09-27T18:10:47Z" level=info msg="Starting rio.cattle.io/v1, Kind=ExternalService controller"
rio-controller | time="2019-09-27T18:10:47Z" level=info msg="Starting rio.cattle.io/v1, Kind=Router controller"
rio-controller | time="2019-09-27T18:10:47Z" level=info msg="Starting rio.cattle.io/v1, Kind=App controller"
rio-controller | time="2019-09-27T18:10:47Z" level=info msg="Starting rio.cattle.io/v1, Kind=Stack controller"
rio-controller | time="2019-09-27T18:10:48Z" level=info msg="Starting admin.rio.cattle.io/v1, Kind=PublicDomain controller"
rio-controller | time="2019-09-27T18:10:48Z" level=info msg="Starting admin.rio.cattle.io/v1, Kind=ClusterDomain controller"
rio-controller | time="2019-09-27T18:10:48Z" level=info msg="Starting feature autoscaling"
rio-controller | time="2019-09-27T18:10:48Z" level=info msg="Starting autoscale.rio.cattle.io/v1, Kind=ServiceScaleRecommendation controller"
rio-controller | time="2019-09-27T18:10:48Z" level=info msg="Starting feature build"
rio-controller | time="2019-09-27T18:10:50Z" level=info msg="Starting tekton.dev/v1alpha1, Kind=TaskRun controller"
rio-controller | time="2019-09-27T18:10:51Z" level=info msg="Starting /v1, Kind=Pod controller"
rio-controller | time="2019-09-27T18:10:52Z" level=info msg="Starting gitwatcher.cattle.io/v1, Kind=GitCommit controller"
rio-controller | time="2019-09-27T18:10:52Z" level=info msg="Starting feature gateway"
rio-controller | time="2019-09-27T18:10:53Z" level=info msg="Starting feature istio"
rio-controller | time="2019-09-27T18:10:57Z" level=info msg="Starting feature letsencrypt"
rio-controller | time="2019-09-27T18:10:58Z" level=info msg="Starting certmanager.k8s.io/v1alpha1, Kind=Certificate controller"
rio-controller | time="2019-09-27T18:10:58Z" level=info msg="Starting feature rdns"
rio-controller | time="2019-09-27T18:12:27Z" level=info msg="Updating cluster domain to address  [myipadress]"

All was working fine when I was using 0.4.0 on the same cluster. I did use:

rio uninstall

...before I installed v0.5.0-rc2

Keep up the great work with Rio, it looks like it's going to be a killer product.

P.S. I'm doing all of this on a Rancher Custom RKE cluster.

StrongMonkey commented 5 years ago

@robeastham You have to install Rio on standard ports starting from v0.5.0 if you want to provision letsencrypt certs for your public domain. We are dropping ingress install mode due to a limitation https://github.com/rancher/rio/releases/tag/v0.5.0-rc1. Use `rio install ${args} --http-port 80 --https-port 443`.

robeastham commented 5 years ago

Thanks @StrongMonkey, so that's what I'm missing :-). Thanks for the super quick reply.

I should do an upgrade by just running:

rio install ${args} --http-port 80 --https-port 443

I tried the above and am now on standard ports, but I still seem to have certs being issued by cert-manager.local

Perhaps since I have nothing important I should uninstall rio and then reinstall with the above command instead?

StrongMonkey commented 5 years ago

@robeastham I think if you are using RKE (RKE doesn't support service loadbalancer by default), the install options would be

rio install --mesh-mode istio --mode hostport --http-port 80 --https-port 443

Then run `rio info` to check if you have IP addresses assigned as public IP of your worker nodes. If not, then try

rio install --mesh-mode istio --mode hostport --http-port 80 --https-port 443 --ip-address ${worker_ip_1},${worker_ip_2},${worker_ip_3}

You don't have to uninstall and install. If you just change the parameter it should apply to rio controller runtime.
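To confirm which issuer a public domain is actually serving after changing the install options, the check below classifies a certificate by its issuer. It is an added example, not part of the thread or of the Rio project; it assumes `openssl` is on the PATH, the helper names are hypothetical, and the sample certificates are constructed locally so it runs offline.

```shell
#!/usr/bin/env bash
# Added example (not Rio's own code): classify a served certificate by issuer.
# Only the issuer names come from the thread; all helper names are hypothetical.

# Print the issuer line of the first certificate in a PEM file.
issuer_of_pem() {
  openssl x509 -in "$1" -noout -issuer 2>/dev/null
}

# Map a PEM file to one of: fallback | letsencrypt | other | unreadable
classify_issuer() {
  issuer=$(issuer_of_pem "$1") || { echo unreadable; return 0; }
  case "$issuer" in
    *cert-manager.local*) echo fallback ;;     # issuer the browser rejected in this issue
    *"Let's Encrypt"*)    echo letsencrypt ;;  # publicly trusted issuer
    *)                    echo other ;;
  esac
}

# Save the leaf certificate a live endpoint serves for a given SNI name.
# Needs network access, so the offline demo below does not call it.
fetch_leaf() {  # usage: fetch_leaf www.mydomain.com 443 out.pem
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$3"
}

# Constructed sample: a throwaway self-signed certificate with the given subject.
make_sample() {  # usage: make_sample "/CN=cert-manager.local" out.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "$1" -keyout /dev/null -out "$2" 2>/dev/null
}

demo() {
  dir=$(mktemp -d)
  make_sample "/CN=cert-manager.local" "$dir/fallback.pem"
  make_sample "/O=Let's Encrypt/CN=constructed" "$dir/le.pem"
  echo "fallback.pem: $(classify_issuer "$dir/fallback.pem")"
  echo "le.pem:       $(classify_issuer "$dir/le.pem")"
  rm -rf "$dir"
}
demo
```

Against a live cluster, run `fetch_leaf` once with the on-rio.io name and once with the registered public domain, then pass each saved file to `classify_issuer`; passing the hostname as the SNI name matters because the gateway chooses the certificate by it.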