Based on the IT journey of Michael Rickert

Rancher Rio with custom domains

Rio is a micro PaaS developed by Rancher that combines Kubernetes, Istio, and a built-in CI/CD pipeline to create a fast and easy app deployment platform. One current drawback to Rio is that when you deploy any app using that system it places it in the domain, which may not be ideal if you have your own custom/pre-purchased domain you would like to use. This is especially true if you use internal DNS or plan on using Rio past staging and into UAT/Production. Fortunately, there are a few quick configuration changes that let you swap out the domain for your own:

The first step is to install Rio again without the rdns and letsencrypt components. This stops Rio from using the on-rio domain and the cert for that domain, so we can then swap in our own. If we skip this step, Rio will constantly overwrite our custom domain:

rio install --disable-features rdns,letsencrypt --http-port 80 --https-port 443

  • Notice: cert-manager will stall on install; this is a known bug. When only the cert-manager install remains in the CLI, go ahead and cancel out; you’re good to go.
  • Notice: You should have already installed Rio in its entirety before running this first step; otherwise important bits of cluster-domain are not pre-configured for you.

Next, we’ll edit the cluster-domain entry so that Rio starts to point to our custom DNS domain instead of the default. Under status: change domain to your custom domain.

kubectl edit clusterdomain cluster-domain -n rio-system

Also notice the spec: addresses: ip: field. This is the IP address you’ll want to point the DNS wildcard for your custom domain to; in this case I would point a subdomain with just an A record of * to The full DNS A record would read as *

We can verify our domain was saved successfully by running the following:

kubectl describe clusterdomain cluster-domain -n rio-system

Now that Rio is pointed to our new domain, we’ll need to clean up the certificates for HTTPS. First, let’s dump/back up the current certificate just in case:

kubectl get secret rio-wildcard -n rio-system -o yaml > rio-wildcard.yml

This will save our existing cert to a YAML file for safekeeping. The file includes the private key (base64-encoded, not encrypted), so store it accordingly. Next we’ll delete the existing certificate so we can then swap in our own custom wildcard certificate:

kubectl delete secret rio-wildcard -n rio-system

Now the tricky(ish) part: we need to inject our new certificate in the exact same place as the old one we just deleted. Make a new copy of your rio-wildcard.yml file, then edit that copy, putting your certificate and key in place of the old tls entries:

cp rio-wildcard.yml rio-wildcard-v2.yml && vim rio-wildcard-v2.yml

  • Notice: You’ll also want to rip out any metadata: annotations: while you are editing this file; otherwise it may be confusing later on if you ever have to do this again.

The last step is to install this newly edited/created certificate into Rio, like so:

kubectl apply -f rio-wildcard-v2.yml

And that’s it! Rio will now auto-generate URLs under your new custom domain and also use your wildcard certificate for secure/valid HTTPS encryption.
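
The copy-and-edit step above can also be scripted instead of done by hand in vim. The following is an added example, not part of the original post or of Rio: it rewrites the backup into rio-wildcard-v2.yml with the new pair encoded as single-line base64 (which values under a Secret's data: must be) and with metadata annotations dropped. It assumes the backup stores the pair under the data keys tls.crt and tls.key (check your rio-wildcard.yml); the function names and the fullchain.pem/privkey.pem file names are hypothetical.

```shell
#!/bin/sh
# Added example: build rio-wildcard-v2.yml from the backup without hand-editing.
# Assumption: the backup keeps the pair under data keys tls.crt and tls.key.
# Usage (file names are hypothetical):
#   swap_wildcard_cert rio-wildcard.yml fullchain.pem privkey.pem rio-wildcard-v2.yml

# b64_oneline FILE: base64 without line wraps, as a Secret's data: values require.
b64_oneline() { base64 < "$1" | tr -d '\n'; }

# swap_wildcard_cert BACKUP CERT_PEM KEY_PEM OUT
swap_wildcard_cert() {
  backup=$1 cert=$2 key=$3 out=$4
  # Refuse inputs that are not PEM, or a "key" file that is really a cert.
  grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
    { echo "not a PEM certificate: $cert" >&2; return 1; }
  grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
    { echo "not a PEM private key: $key" >&2; return 1; }
  grep -q '^  tls\.crt:' "$backup" && grep -q '^  tls\.key:' "$backup" ||
    { echo "backup has no tls.crt/tls.key entries: $backup" >&2; return 1; }
  ( umask 077   # the output holds the private key; create it owner-only
    awk -v crt="$(b64_oneline "$cert")" -v key="$(b64_oneline "$key")" '
      /^  annotations:/ { skip = 1; next }   # drop metadata.annotations ...
      skip && /^    /   { next }             # ... and the lines nested under it
      { skip = 0 }
      /^  tls\.crt:/ { print "  tls.crt: " crt; next }
      /^  tls\.key:/ { print "  tls.key: " key; next }
      { print }
    ' "$backup" > "$out" )
}
```

The resulting file is applied with the same kubectl apply command shown above.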
