Rancher Desktop support and integration in epinio docker extension

[thehejik]

Notes about how to make epinio docker extension to work with RD from Jan Dubois follows:

Traefik

No straightforward way to redirect to https · Issue #8444 · traefik/traefik

Epinio Redirect 80 → 443

Copy the websecure ingress to web ingress and add redirectscheme middleware:

kubectl get -n epinio ingress/epinio -o json |
    jq '.metadata.name="epinio-http"' |
    jq '.metadata.annotations["traefik.ingress.kubernetes.io/router.entrypoints"] = "web"' |
    jq '.metadata.annotations["traefik.ingress.kubernetes.io/router.middlewares"] = "epinio-redirectscheme@kubernetescrd"' |
    jq 'del(.metadata.annotations["traefik.ingress.kubernetes.io/router.tls"])' |
    jq 'del(.spec.tls)' |
    kubectl -n epinio apply -f -

The redirectscheme middleware must be installed in the same namespace:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirectscheme
spec:
  redirectScheme:
    scheme: https
    permanent: true

Epinio Add router for port 80

Copy websecure ingress for web ingress and remove TLS settings:

#!/bin/bash

kubectl get -n epinio ingress/epinio -o json |
    jq '.metadata.name="epinio-http"' |
    jq '.metadata.annotations["traefik.ingress.kubernetes.io/router.entrypoints"] = "web"' |
    jq '.metadata.annotations["traefik.ingress.kubernetes.io/router.tls"] = "false"' |
    jq '.metadata.annotations["app.kubernetes.io/name"] = "epinio-http"' |
    jq 'del(.spec.tls)' |
    kubectl -n epinio apply -f -

---

More info from Slack by Jan Dubois:

Note Nr.1
The jq '.metadata.annotations["app.kubernetes.io/name"] = "epinio-http"' part was necessary because Epinio had an explicit check (in 2 places) to fail if there is more than one ingress defined.

I don't know why this change is missing in the section about the 80 → 443 redirect; I think it would be necessary there as well. Maybe I fixed it in the script after copying it into my notes?

The notes already assume that you deployed Epinio with Traefik, it just makes additional changes to support both http and https.

Note Nr.2
The options to either redirect port 80 to 443, or to add an additional ingress for 80 are of course mutually exclusive. There is an option in the helm chart to configure this for nginx, but not for traefik.

The setting I was looking for was nginxSSLRedirect: "true" in your values.yaml. There is no corresponding setting for Traefik, and it requires a bit more work, as I've shown above, to achieve the same effect.

Note. Nr.3
One more thing that feels weird at first: In jq '.metadata.annotations["traefik.ingress.kubernetes.io/router.middlewares"] = "epinio-redirectscheme@kubernetescrd"' | the epinio part is not just a random part of the name, but must match the k8s namespace where the middleware called redirectscheme is installed.

I've just looked at https://github.com/epinio/extension-docker-desktop/blob/main/ui/src/KubernetesCheck.js and you no longer seem to be checking the node name to match docker-desktop, so that should no longer be an issue.