Rio is a micro PaaS developed by Rancher that infuses kubernetes, istio, and a built in ci/cd pipeline to create a fast and easy app deployment platform. One current drawback to Rio is that when you deploy any app using that system it places it in the .on-rio.io domain, which may not be ideal if you have your own custom/pre-purchased domain you would like to use. This is especially true if you use internal dns or plan on using Rio past staging and into UAT/Production. Fortunately there are a few quick configuration changes that can let you swap out the on-rio.io domain for your own:
First step is to install Rio again without the rdns and letsencrypt components, this will stop Rio from using the on-rio domain and cert for said domain so we can then swap in our own. If we don’t do this step we will have rio constantly overwrite our custom domain:
rio install –disable-features rdns,letsencrypt –http-port 80 –https-port 443
- Notice: cert-manager will stall on install, this is a known bug. When you have just cert-manager install remaining in the CLI, go ahead and cancel out, you’re good to go.
- Notice: You should have already installed rio in entirety before running this first step, otherwise important bits of cluster-domain are not pre-configured for you.
Next, we’ll edit the cluster-domain entry so that rio starts to point to our custom dns domain instead of the default. Under status: change domain to your custom domain.
kubectl edit clusterdomain cluster-domain -n rio-system
Also notice the spec: addresses: ip:. This is the ip address you’ll want to point your dns wildcard for your custom domain to, in this case I would point a subdomain with just an A record of * to 10.10.114.10. The full dns A record would read as *.mrickert.com
We can verify our domain was saved successfully by running the following:
kubectl describe clusterdomain cluster-domain -n rio-system
Now that Rio is pointed to our new domain, we’ll need to clean up the certificates for https. First lets dump/backup the current certificate just in case:
kubectl get secret rio-wildcard -n rio-system -o yaml > rio-wildcard.yml
This will save our existing cert to a yaml file for safekeeping. Next we’ll delete the existing certificate so we can then swap in our own custom wildcard certificate:
kubectl delete secret rio-wildcard -n rio-system
Now the tricky(ish) part, we need to inject our new certificate in the exact same place as the old one we just deleted. Make a new copy of your rio-wildcard.yml file, and then edit that file with your certificate and key in place of the old tls entries in the file:
cp rio-wildcard.yml rio-wildcard-v2.yml && vim rio-wildcard-v2.yml
- Notice: You’ll also want to rip out any metadata: annotations: while you are editing this file, otherwise it may be confusing later on if you ever have to do this again.
The last step is to install this newly edited/created certificate into rio, like so:
kubectl apply -f rio-wildcard-v2.yml
And that’s it! Rio will now auto-generate urls under your new custom domain and also use your wildcard certificate for secure/valid https encryption.