Open rancher-max opened 4 years ago
Need to sync with Darren on this.
This might not be directly related, so apologies if it's off-topic. Why do the docs and the example you mention here refer to already existing SSL certs? Is the default case not to just use Rio's existing cert-manager to manage the certs? Sure it's nice to be able to provide certs from somewhere else, but that's not ideal right, because then you have to remember to keep coming back to update the certs. I think I must be missing something?
Particularly I'm curious as to why creating a ClusterDomain without existing certs automatically uses Rio's RDNS dns01 challenge? Can the challenge type be changed? Would it not be better to default to the http01 challenge for custom domains without existing certs?
Again I just think I'm missing some crucial insight. Or is this area still just work in progress?
http01 can't be used for wildcards, and requires that it be reachable from the internet (and on port 80).
dns01 on a custom domain requires actual DNS credentials and a supported provider, it cannot be done automatically through our domain anymore.
The CLI does not support configuring those 20 different DNS providers for dns01, so what's left is providing a cert. Which is still what lots of people want anyway, PKI infrastructure didn't disappear overnight when Let'sEncrypt came along.
Perfect answer, thank you.
Are you tracking this particular use-case somewhere? Namely automated wildcard cert renewal for custom domains? I have some follow up questions and I'm not sure they're relevant to this issue.
Questions in case it is relevant:
So I see 2 approaches to automating cert renewal. First is to patch Rio's cert-manager stack YAML, I've no idea how feasible that is. And second is to have my own cert-manager, say through Helm, that maintains a TLS secret that I can reference from Rio's ClusterDomain YAML, as long as the secret is in the same namespace that should work?
Edit: I'm currently solving this with rio install --disable-features letsencrypt,rdns and using my own cert-manager and nginx-ingress packages from Helm. I'm then able to manage my own certs and forward all Rio's traffic to the gateway-proxy service. I just need to apply this YAML:
apiVersion: admin.rio.cattle.io/v1
kind: ClusterDomain
metadata:
  name: example.com
spec:
  httpPort: 80
Note how I don't even need Rio to support SSL and port 443 as my nginx ingress is already taking care of that.
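Added example (not code from the rancher/rio issue or from the Rio project): a pre-flight check for the setup described above, where a user-managed TLS secret is referenced from a ClusterDomain. It covers two points the thread raises: the referenced Secret has to exist in the namespace the ClusterDomain expects (the "same namespace" question), and a wildcard cert (*.example.com) covers exactly one label, which is why http01 cannot issue it and dns01 or a cert from your own PKI is needed. It also flags a cert that is close to expiry, since with a user-managed cert nothing else reminds you to rotate it. The ClusterDomain field spec.secretRef and the namespace rio-system are assumptions used for illustration, not fields taken from the page; all manifests are constructed sample data.

```python
"""Added example, not code from the rancher/rio issue or the Rio project.

Pre-flight checks for a user-managed TLS Secret referenced from a Rio
ClusterDomain. Assumptions (not from the page): the ClusterDomain field
`spec.secretRef` and the namespace `rio-system` are placeholders for
illustration; all manifests below are constructed sample data.
"""
from datetime import datetime, timezone

# Constructed sample ClusterDomain that references a user-managed TLS Secret.
CLUSTER_DOMAIN = {
    "apiVersion": "admin.rio.cattle.io/v1",
    "kind": "ClusterDomain",
    "metadata": {"name": "example.com", "namespace": "rio-system"},
    "spec": {
        "httpPort": 80,
        "httpsPort": 443,
        # assumed field name, not taken from the Rio CRD
        "secretRef": {"name": "example-com-tls", "namespace": "rio-system"},
    },
}

# Constructed sample Secrets, shaped like `kubectl get secrets -A -o json` items.
SECRETS = [
    {"metadata": {"name": "example-com-tls", "namespace": "rio-system"},
     "type": "kubernetes.io/tls",
     "data": {"tls.crt": "<base64 pem>", "tls.key": "<base64 pem>"}},
    {"metadata": {"name": "example-com-tls", "namespace": "default"},
     "type": "Opaque", "data": {}},
]


def secret_problems(domain, secrets):
    """Return a list of problems with the Secret the ClusterDomain references.
    An empty list means the reference looks usable."""
    ref = domain["spec"].get("secretRef")
    if not ref:
        return ["ClusterDomain does not reference a TLS secret"]
    want_ns = ref.get("namespace", domain["metadata"]["namespace"])
    matches = [s for s in secrets
               if s["metadata"]["name"] == ref["name"]
               and s["metadata"]["namespace"] == want_ns]
    if not matches:
        # A same-named Secret in another namespace is the classic mistake.
        elsewhere = [s["metadata"]["namespace"] for s in secrets
                     if s["metadata"]["name"] == ref["name"]]
        hint = f" (found in namespaces: {', '.join(elsewhere)})" if elsewhere else ""
        return [f"secret {ref['name']} not found in namespace {want_ns}{hint}"]
    secret = matches[0]
    problems = []
    if secret.get("type") != "kubernetes.io/tls":
        problems.append(f"secret type is {secret.get('type')}, expected kubernetes.io/tls")
    for key in ("tls.crt", "tls.key"):
        if key not in secret.get("data", {}):
            problems.append(f"secret is missing data key {key}")
    return problems


def cert_covers(san_names, host):
    """RFC 6125 style hostname match: a wildcard matches exactly one leftmost
    label, so *.example.com covers app.example.com but neither example.com
    nor a.b.example.com."""
    host = host.lower().rstrip(".")
    for san in (n.lower().rstrip(".") for n in san_names):
        if san == host:
            return True
        if (san.startswith("*.") and host.endswith(san[1:])
                and host.count(".") == san.count(".")):
            return True
    return False


def uncovered_hosts(san_names, hosts):
    """Hosts Rio would serve on the custom domain that the cert does not cover."""
    return [h for h in hosts if not cert_covers(san_names, h)]


def needs_renewal(not_after, now, threshold_days=30):
    """True when the cert expires within threshold_days."""
    return (not_after - now).days < threshold_days


if __name__ == "__main__":
    print("secret problems:", secret_problems(CLUSTER_DOMAIN, SECRETS))
    sans = ["example.com", "*.example.com"]
    hosts = ["example.com", "app.example.com", "svc.app.example.com"]
    print("uncovered hosts:", uncovered_hosts(sans, hosts))
    print("renew soon:", needs_renewal(
        datetime(2024, 1, 20, tzinfo=timezone.utc),
        datetime(2024, 1, 1, tzinfo=timezone.utc)))
```

Run it against the output of kubectl get secrets -A -o json and the SAN list from openssl x509 -noout -ext subjectAltName on the issued cert; a host Rio would serve at a second level under the domain (svc.app.example.com in the sample) is reported as uncovered by a single-label wildcard, which is the case a dns01-issued *.example.com cert does not solve either.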
+1 for built-in support.
If a user installs using this command (rio install --cluster-domain mydomain.com) it would be good to auto deploy nginx-ingress and cert-manager instead of using rdns. Would be good to also auto redirect http to https.
I would prefer to have full control without hitting on-rio domains.
Something like:
rio install --cluster-domain my.production.domain --cert /path/to/cert --key /path/to/key
This would be much nicer for those who want to use their own domain instead of the rio provided domain. Currently there are multiple steps users need to take to add their own cluster domain.
Reference: rancher/rio#700