Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
w
witty-honey-18052
06/16/2022, 7:46 PMhey y'all, having a little bit of trouble understanding the helm install options when installing into a downstream Rancher cluster, and have a few questions
API Username: Are we creating this? Or is this an existing username?
API Password: Are we creating this? Or is this an existing password?
Access control allow origin: Is this the global rancher cluster dashboard or the cluster explorer link?
(for example, https://cluster.krum.io/?, https://cluster.krum.io/dashboard/?, https://cluster.krum.io/dashboard/c/c-123456/?)
b
broad-dream-81849
06/16/2022, 7:50 PMBy default a couple of users are created (
adminepiniopasswordThe output at the end of the install should help you
w
witty-honey-18052
06/16/2022, 7:53 PMah, ok, so they are being created at install time then. The way it reads makes it seem like they might be established accounts.
I see now that in the Rancher apps UI, it looks like only domain is required. Do you have some pointers on that part?
oh, nvm
I also see that the origin is not reqd. I'll give this a quick shot
b
broad-dream-81849
06/16/2022, 7:55 PMIf you follow the steps in the epinio.io site you can see that the only required value is the domain 🙂
w
witty-honey-18052
06/16/2022, 7:57 PMI followed the steps but the UI portion threw me off. So used to vanilla helm. Which I could have done, but I'm documenting this for my suse partner stuff 🙂
Alright so I already have a letsencrypt-production clusterissuer, and cert-manager already installed (into namespace cert-manager)
Here are my errors:
Error: INSTALLATION FAILED: rendered manifests contain a resource that already exists. Unable to continue with install: ClusterIssuer "letsencrypt-production" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "<http://app.kubernetes.io/managed-by|app.kubernetes.io/managed-by>": must be set to "Helm"; annotation validation error: missing key "<http://meta.helm.sh/release-name|meta.helm.sh/release-name>": must be set to "epinio"; annotation validation error: missing key "<http://meta.helm.sh/release-namespace|meta.helm.sh/release-namespace>": must be set to "epinio"I deleted the existing clusterissuer and it looks like it's installing, will report
c
cuddly-holiday-9089
06/17/2022, 5:41 AMhm yes it seems that we create the "letsencrypt-production" cluster issuer unconditionally with this rather "default" name (https://github.com/epinio/helm-charts/blob/201555878a8fd29b17a44100490950d311dbd147/chart/epinio/templates/cluster-issuers.yaml#L10) . I'm wondering if this deserves a boolean flag to control its creation.
w
witty-honey-18052
06/17/2022, 7:35 AMIt seemed like the questions (Rancher UI) were leaning in that direction when asking the user if they wanted to use a custom issuer or predefined. I wasn't sure if it meant if it was for public or private, but the letsencrypt-production being a predefined in the drop-down made it seem like it was intended for this purpose https://github.com/epinio/helm-charts/blob/main/chart/epinio/questions.yml#L30
c
cuddly-holiday-9089
06/17/2022, 7:37 AMkeep in mind, for letsencrypt to work, your system domain should be accessible from the outside, otherwise the challenge won't be solvable: https://letsencrypt.org/docs/challenge-types/ (we do the http one)
w
witty-honey-18052
06/17/2022, 7:38 AMYea I use http01 certs as well
I would have preferred if I could have installed it using the staging issuer first then done an upgrade to switch it to production
In this case I'm currently having a problem with external-dns for some reason, so I need to uninstall epinio until I can get that fixed so it doesn't kill my failed cert quota 😬
c
cuddly-holiday-9089
06/17/2022, 7:52 AMif this is not meant to be a "production" installation, maybe you can start with the private-ca issuer first (or self-signed)
w
witty-honey-18052
06/17/2022, 7:56 AMI'll do that, I just remembered to go uninstall it as I was typing lol
As a user that already has cert manager installed with issuers configured, I would have tried to specify my existing letsencrypt-staging clusterissuer by providing that in the install, or a specifically named predefined option (parity with the letsencrypt-production issuer)
c
cuddly-holiday-9089
06/17/2022, 10:27 AMyes that makes sense. Let me create an issue to fix this
Here you are: https://github.com/epinio/helm-charts/issues/234
feel free to comment 🙂