Unverified documentation of TLS setup

README.md

@@ -120,6 +120,20 @@ And create an ingress service in namespace `human-connection`:
 $ kubectl apply -f human-connection/ingress.yaml
 ```
 
+#### Setup SSL
+
+Follow [this quick start guide](https://docs.cert-manager.io/en/latest/tutorials/acme/quick-start/index.html):
+```
+$ kubectl create serviceaccount tiller --namespace=kube-system
+$ kubectl create clusterrolebinding tiller-admin --serviceaccount=kube-system:tiller --clusterrole=cluster-admin
+$ helm init --service-account=tiller
+$ helm repo update
+$ helm install stable/nginx-ingress --name quickstart
+$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.6/deploy/manifests/00-crds.yaml<Paste>
+$ helm install --name cert-manager --namespace cert-manager stable/cert-manager
+$ kubectl apply -f certmanager/
+```
+
 #### Legacy data migration
 
 This setup is completely optional and only required if you have data on a server

certmanager/ingress.yaml

@@ -0,0 +1,22 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: ingress
+  namespace: human-connection
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    certmanager.k8s.io/issuer: "letsencrypt-staging"
+    certmanager.k8s.io/acme-challenge-type: http01
+spec:
+  tls:
+  - hosts:
+    - master.nitro.human-connection.org
+    secretName: quickstart-example-tls
+  rules:
+  - host: master.nitro.human-connection.org
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: nitro-web
+          servicePort: 3000

certmanager/issuer-production.yaml

@@ -0,0 +1,16 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: letsencrypt-prod
+  namespace: human-connection
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: letsencrypt-prod@roschaefer.de
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    http01: {}

certmanager/issuer-staging.yaml

@@ -0,0 +1,16 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: letsencrypt-staging
+  namespace: human-connection
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: letsencrypt-staging@roschaefer.de
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    # Enable the HTTP-01 challenge provider
+    http01: {}

human-connection/ingress.yaml

@@ -1,13 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: ingress
-  namespace: human-connection
-spec:
-  rules:
-  - host: master.nitro.human-connection.org
-    http:
-      paths:
-      - backend:
-          serviceName: nitro-web
-          servicePort: 3000