
witty-honey-18052

06/16/2022, 7:46 PM
hey y'all, having a little bit of trouble understanding the helm install options when installing into a downstream Rancher cluster, and have a few questions:
API Username: Are we creating this? Or is this an existing username?
API Password: Are we creating this? Or is this an existing password?
Access control allow origin: Is this the global rancher cluster dashboard or the cluster explorer link? (for example, https://cluster.krum.io/?, https://cluster.krum.io/dashboard/?, https://cluster.krum.io/dashboard/c/c-123456/?)

broad-dream-81849

06/16/2022, 7:50 PM
By default a couple of users are created (`admin` and `epinio`, both with password `password`) but you can override these settings in the helm values
The output at the end of the install should help you

witty-honey-18052

06/16/2022, 7:53 PM
ah, ok, so they are being created at install time then. The way it reads makes it seem like they might be established accounts. I see now that in the Rancher apps UI, it looks like only domain is required. Do you have some pointers on that part?
oh, nvm
I also see that the origin is not reqd. I'll give this a quick shot

broad-dream-81849

06/16/2022, 7:55 PM
If you follow the steps in the epinio.io site you can see that the only required value is the domain 🙂

witty-honey-18052

06/16/2022, 7:57 PM
I followed the steps but the UI portion threw me off. So used to vanilla helm. Which I could have done, but I'm documenting this for my suse partner stuff 🙂
Alright so I already have a letsencrypt-production clusterissuer, and cert-manager already installed (into namespace cert-manager). Here are my errors:
Error: INSTALLATION FAILED: rendered manifests contain a resource that already exists. Unable to continue with install: ClusterIssuer "letsencrypt-production" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "app.kubernetes.io/managed-by": must be set to "Helm"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "epinio"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "epinio"
I deleted the existing clusterissuer and it looks like it's installing, will report

cuddly-holiday-9089

06/17/2022, 5:41 AM
hm yes it seems that we create the "letsencrypt-production" cluster issuer unconditionally with this rather "default" name (https://github.com/epinio/helm-charts/blob/201555878a8fd29b17a44100490950d311dbd147/chart/epinio/templates/cluster-issuers.yaml#L10). I'm wondering if this deserves a boolean flag to control its creation.

witty-honey-18052

06/17/2022, 7:35 AM
It seemed like the questions (Rancher UI) were leaning in that direction when asking the user if they wanted to use a custom issuer or predefined. I wasn't sure if it meant if it was for public or private, but the letsencrypt-production being a predefined in the drop-down made it seem like it was intended for this purpose https://github.com/epinio/helm-charts/blob/main/chart/epinio/questions.yml#L30

cuddly-holiday-9089

06/17/2022, 7:37 AM
keep in mind, for letsencrypt to work, your system domain should be accessible from the outside, otherwise the challenge won't be solvable: https://letsencrypt.org/docs/challenge-types/ (we do the http one)

witty-honey-18052

06/17/2022, 7:38 AM
Yea I use http01 certs as well
I would have preferred if I could have installed it using the staging issuer first then done an upgrade to switch it to production
In this case I'm currently having a problem with external-dns for some reason, so I need to uninstall epinio until I can get that fixed so it doesn't kill my failed cert quota 😬

cuddly-holiday-9089

06/17/2022, 7:52 AM
if this is not meant to be a "production" installation, maybe you can start with the private-ca issuer first (or self-signed)

witty-honey-18052

06/17/2022, 7:56 AM
I'll do that, I just remembered to go uninstall it as I was typing lol
As a user that already has cert manager installed with issuers configured, I would have tried to specify my existing letsencrypt-staging clusterissuer by providing that in the install, or a specifically named predefined option (parity with the letsencrypt-production issuer)

cuddly-holiday-9089

06/17/2022, 10:27 AM
yes that makes sense. Let me create an issue to fix this
Here you are: https://github.com/epinio/helm-charts/issues/234 feel free to comment 🙂