Based on the IT journey of Michael Rickert

Rancher Rio with custom domains

Rio is a micro PaaS developed by Rancher that infuses kubernetes, istio, and a built in ci/cd pipeline to create a fast and easy app deployment platform. One current drawback to Rio is that when you deploy any app using that system it places it in the .on-rio.io domain, which may not be ideal if you have your own custom/pre-purchased domain you would like to use. This is especially true if you use internal dns or plan on using Rio past staging and into UAT/Production. Fortunately there are a few quick configuration changes that can let you swap out the on-rio.io domain for your own:

First step is to install Rio again without the rdns and letsencrypt components, this will stop Rio from using the on-rio domain and cert for said domain so we can then swap in our own. If we don’t do this step we will have rio constantly overwrite our custom domain: 

rio install –disable-features rdns,letsencrypt –http-port 80 –https-port 443

  • Notice: cert-manager will stall on install, this is a known bug. When you have just cert-manager install remaining in the CLI, go ahead and cancel out, you’re good to go.
  • Notice: You should have already installed rio in entirety before running this first step, otherwise important bits of cluster-domain are not pre-configured for you.

Next, we’ll edit the cluster-domain entry so that rio starts to point to our custom dns domain instead of the default. Under status: change domain to your custom domain.

kubectl edit clusterdomain cluster-domain -n rio-system

Also notice the spec: addresses: ip:. This is the ip address you’ll want to point your dns wildcard for your custom domain to, in this case I would point a subdomain with just an A record of * to The full dns A record would read as *.ccnp-pro.com

We can verify our domain was saved successfully by running the following:

kubectl describe clusterdomain cluster-domain -n rio-system

Now that Rio is pointed to our new domain, we’ll need to clean up the certificates for https. First lets dump/backup the current certificate just in case:

kubectl get secret rio-wildcard -n rio-system -o yaml > rio-wildcard.yml

This will save our existing cert to a yaml file for safekeeping. Next we’ll delete the existing certificate so we can then swap in our own custom wildcard certificate:

kubectl delete secret rio-wildcard -n rio-system

Now the tricky(ish) part, we need to inject our new certificate in the exact same place as the old one we just deleted. Make a new copy of your rio-wildcard.yml file, and then edit that file with your certificate and key in place of the old tls entries in the file:

cp rio-wildcard.yml rio-wildcard-v2.yml && vim rio-wildcard-v2.yml

  • Notice: You’ll also want to rip out any metadata: annotations: while you are editing this file, otherwise it may be confusing later on if you ever have to do this again.

The last step is to install this newly edited/created certificate into rio, like so:

kubectl apply -f rio-wildcard-v2.yml

And that’s it! Rio will now auto-generate urls under your new custom domain and also use your wildcard certificate for secure/valid https encryption.

Leave a Reply