rancher / rio

Application Deployment Engine for Kubernetes
https://rio.io
Apache License 2.0

Add install options for custom cluster domains #851

Open rancher-max opened 4 years ago

rancher-max commented 4 years ago

Something like: rio install --cluster-domain my.production.domain --cert /path/to/cert --key /path/to/key

This would be much nicer for those who want to use their own domain instead of the rio provided domain. Currently there are multiple steps users need to take to add their own cluster domain.

Reference: rancher/rio#700

davidnuzik commented 4 years ago

Need to sync with Darren on this.

tombh commented 4 years ago

This might not be directly related, so apologies if it's off-topic. Why do the docs and the example you mention here refer to already existing SSL certs? Is the default case not to just use Rio's existing cert-manager to manage the certs? Sure it's nice to be able to provide certs from somewhere else, but that's not ideal right, because then you have to remember to keep coming back to update the certs. I think I must be missing something?

Particularly I'm curious as to why creating a ClusterDomain without existing certs automatically uses Rio's RDNS dns01 challenge? Can the challenge type be changed? Would it not be better to default to the http01 challenge for custom domains without existing certs?

Again I just think I'm missing some crucial insight. Or is this area still just work in progress?

vincent99 commented 4 years ago

http01 can't be used for wildcards, and requires that it be reachable from the internet (and on port 80).

dns01 on a custom domain requires actual DNS credentials and a supported provider, it cannot be done automatically through our domain anymore.

The CLI does not support configuring those 20 different DNS providers for dns01, so what's left is providing a cert. Which is still what lots of people want anyway; PKI infrastructure didn't disappear overnight when Let's Encrypt came along.

tombh commented 4 years ago

Perfect answer, thank you.

Are you tracking this particular use-case somewhere? Namely automated wildcard cert renewal for custom domains? I have some follow-up questions and I'm not sure they're relevant to this issue.

Questions in case it is relevant: So I see 2 approaches to automating cert renewal. First is to patch Rio's cert-manager stack YAML, I've no idea how feasible that is. And second is to have my own cert-manager, say through Helm, that maintains a TLS secret that I can reference from Rio's ClusterDomain YAML, as long as the secret is in the same namespace that should work?

Edit: I'm currently solving this with rio install --disable-features letsencrypt,rdns and using my own cert-manager and nginx-ingress packages from Helm. I'm then able to manage my own certs and forward all Rio's traffic to the gateway-proxy service. I just need to apply this YAML:

```yaml
apiVersion: admin.rio.cattle.io/v1
kind: ClusterDomain
metadata:
  name: example.com
spec:
  httpPort: 80
```

Note how I don't even need Rio to support SSL and port 443 as my nginx ingress is already taking care of that.
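The piece the workaround above leaves implicit is the ingress that terminates TLS and hands plain HTTP to Rio's gateway-proxy service. The manifest below is an added example, not from the issue or from Rio; it assumes the gateway-proxy service lives in the rio-system namespace on port 80, that the cert-manager ClusterIssuer is named letsencrypt-prod, and that the nginx ingress class is "nginx". As noted earlier in the thread, a wildcard host in the tls block would still require a dns01 solver on that issuer.

```yaml
# Added example: nginx Ingress terminating TLS for example.com and forwarding
# to Rio's gateway-proxy. Namespace, port and issuer name are assumptions.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rio-gateway
  namespace: rio-system
  annotations:
    # cert-manager watches this annotation and maintains the secret named below
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - example.com
      secretName: example-com-tls
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: gateway-proxy
                port:
                  number: 80
```

With this in place the ClusterDomain only needs httpPort: 80, exactly as in the comment above, because the certificate never reaches Rio; renewal stays entirely inside cert-manager.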

prabirshrestha commented 4 years ago

+1 for built-in support.

If a user installs using this command, rio install --cluster-domain mydomain.com, it would be good to auto deploy nginx-ingress and cert-manager instead of using rdns. Would be good to also auto redirect http to https.

I would prefer to have full control without hitting on-rio domains.