From 95079daa0cce8846fedd415d4817f3dadf8723cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Wolfgang=20Hu=C3=9F?= Date: Mon, 14 Dec 2020 13:53:55 +0100 Subject: [PATCH] Setup a new ClusterIssuer --- deployment/digital-ocean/https/README.md | 2 +- .../https/templates/issuer.template.yaml | 138 +++++++++++++----- 2 files changed, 105 insertions(+), 35 deletions(-) diff --git a/deployment/digital-ocean/https/README.md b/deployment/digital-ocean/https/README.md index 18b177462..c9c407b9f 100644 --- a/deployment/digital-ocean/https/README.md +++ b/deployment/digital-ocean/https/README.md @@ -3,7 +3,7 @@ {% tabs %} {% tab title="Helm 3" %} -Follow [this quick start guide](https://cert-manager.io/next-docs/installation/kubernetes/) and install certmanager via Helm 3: +Follow [this quick start guide](https://cert-manager.io/docs/) and install certmanager via Helm 3: ## … Via Kubernetes Directly diff --git a/deployment/digital-ocean/https/templates/issuer.template.yaml b/deployment/digital-ocean/https/templates/issuer.template.yaml index dccccbc1c..805c988c2 100644 --- a/deployment/digital-ocean/https/templates/issuer.template.yaml +++ b/deployment/digital-ocean/https/templates/issuer.template.yaml 
@@ -1,36 +1,106 @@
+# ---
+# # used while installation as first setup for testing purposes, recognize 'server: https://acme-staging-v02…'
+# apiVersion: cert-manager.io/v1
+# kind: Issuer
+# metadata:
+# name: letsencrypt-staging
+# namespace: ocelot-social
+# spec:
+# acme:
+# # The ACME server URL
+# server: https://acme-staging-v02.api.letsencrypt.org/directory
+# # Email address used for ACME registration
+# email: user@example.com
+# # Name of a secret used to store the ACME account private key
+# privateKeySecretRef:
+# name: letsencrypt-staging
+# # Enable the HTTP-01 challenge provider
+# http01: {}
 ---
- # used while installation as first setup for testing purposes, recognize 'server: https://acme-staging-v02…'
- apiVersion: certmanager.k8s.io/v1
- kind: Issuer
- metadata:
- name: letsencrypt-staging
- namespace: ocelot-social
- spec:
- acme:
- # The ACME server URL
- server: https://acme-staging-v02.api.letsencrypt.org/directory
- # Email address used for ACME registration
- email: user@example.com
- # Name of a secret used to store the ACME account private key
- privateKeySecretRef:
- name: letsencrypt-staging
- # Enable the HTTP-01 challenge provider
- http01: {}
+# used while installation as first setup for testing purposes, recognize 'server: https://acme-staging-v02…'
+# !!! replace the e-mail for expiring certificates, see below !!!
+# !!! create the used secret, see below !!!
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+ namespace: ocelot-social
+spec:
+ acme:
+ # You must replace this email address with your own.
+ # Let's Encrypt will use this to contact you about expiring
+ # certificates, and issues related to your account.
+ email: user@example.com
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ # Secret resource that will be used to store the account's private key.
+ name: letsencrypt-staging-issuer-account-key
+ # Add a single challenge solver, HTTP01 using nginx
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+# ---
+# # used after installation for production, recognize 'server: https://acme-v02…'
+# apiVersion: cert-manager.io/v1
+# kind: Issuer
+# metadata:
+# name: letsencrypt-prod
+# namespace: ocelot-social
+# spec:
+# acme:
+# # The ACME server URL
+# server: https://acme-v02.api.letsencrypt.org/directory
+# # Email address used for ACME registration
+# email: user@example.com
+# # Name of a secret used to store the ACME account private key
+# privateKeySecretRef:
+# name: letsencrypt-prod
+# # Enable the HTTP-01 challenge provider
+# http01: {}
 ---
- # used after installation for production, recognize 'server: https://acme-v02…'
- apiVersion: certmanager.k8s.io/v1
- kind: Issuer
- metadata:
- name: letsencrypt-prod
- namespace: ocelot-social
- spec:
- acme:
- # The ACME server URL
- server: https://acme-v02.api.letsencrypt.org/directory
- # Email address used for ACME registration
- email: user@example.com
- # Name of a secret used to store the ACME account private key
- privateKeySecretRef:
- name: letsencrypt-prod
- # Enable the HTTP-01 challenge provider
- http01: {}
+# used after installation for production, recognize 'server: https://acme-v02…'
+# !!! replace the e-mail for expiring certificates, see below !!!
+# !!! create the used secret, see below !!!
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+ namespace: ocelot-social
+spec:
+ acme:
+ # You must replace this email address with your own.
+ # Let's Encrypt will use this to contact you about expiring
+ # certificates, and issues related to your account.
+ email: user@example.com
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ # Secret resource that will be used to store the account's private key.
+ name: letsencrypt-prod-issuer-account-key
+ # Add a single challenge solver, HTTP01 using nginx
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+---
+# fill in your letsencrypt-staging-issuer-account-key
+# generate base 64: $ echo -n '' | base64
+apiVersion: v1
+data:
+ tls.key:
+kind: Secret
+metadata:
+ name: letsencrypt-staging-issuer-account-key
+ namespace: ocelot-social
+type: Opaque
+---
+# fill in your letsencrypt-prod-issuer-account-key
+# generate base 64: $ echo -n '' | base64
+apiVersion: v1
+data:
+ tls.key:
+kind: Secret
+metadata:
+ name: letsencrypt-prod-issuer-account-key
+ namespace: ocelot-social
+type: Opaque
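Review bot: Both new `kind: ClusterIssuer` documents keep `namespace: ocelot-social` under `metadata`, but a ClusterIssuer is cluster-scoped and cert-manager resolves its `privateKeySecretRef` in its own cluster-resource namespace (`cert-manager` by default, set by `--cluster-resource-namespace`), not in `ocelot-social`, so the two `letsencrypt-*-issuer-account-key` Secrets added at the end of the hunk are not the ones cert-manager will read. Dropping the `namespace: ocelot-social` line from both ClusterIssuers and letting cert-manager create the account-key Secret itself (it generates the key when the referenced Secret does not exist) would also make the two Secret documents unnecessary, which keeps ACME account private-key material out of a committed template. As written, the bare `tls.key:` is YAML null rather than a base64 string, which the Secret `data` field is expected to reject, and the hint `echo -n '' | base64` yields an empty string rather than a key. If the Secrets are kept, they need to live in the cluster-resource namespace and be populated outside version control, e.g. with `kubectl create secret` at deploy time.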