From 9bb2361b18079761427693124fb1c98254a55bfb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20Sch=C3=A4fer?=
Date: Fri, 8 Feb 2019 02:23:24 +0100
Subject: [PATCH] Unverified documentation of TLS setup

---
 README.md | 14 ++++++++++++++
 certmanager/ingress.yaml | 22 ++++++++++++++++++++++
 certmanager/issuer-production.yaml | 16 ++++++++++++++++
 certmanager/issuer-staging.yaml | 16 ++++++++++++++++
 human-connection/ingress.yaml | 13 -------------
 5 files changed, 68 insertions(+), 13 deletions(-)
 create mode 100644 certmanager/ingress.yaml
 create mode 100644 certmanager/issuer-production.yaml
 create mode 100644 certmanager/issuer-staging.yaml
 delete mode 100644 human-connection/ingress.yaml

diff --git a/README.md b/README.md
index e339d90d5..70438c754 100644
--- a/README.md
+++ b/README.md
@@ -120,6 +120,20 @@ And create an ingress service in namespace `human-connection`:
 $ kubectl apply -f human-connection/ingress.yaml
 ```
 
+#### Setup SSL
+
+Follow [this quick start guide](https://docs.cert-manager.io/en/latest/tutorials/acme/quick-start/index.html):
+```
+$ kubectl create serviceaccount tiller --namespace=kube-system
+$ kubectl create clusterrolebinding tiller-admin --serviceaccount=kube-system:tiller --clusterrole=cluster-admin
+$ helm init --service-account=tiller
+$ helm repo update
+$ helm install stable/nginx-ingress --name quickstart
+$ kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.6/deploy/manifests/00-crds.yaml
+$ helm install --name cert-manager --namespace cert-manager stable/cert-manager
+$ kubectl apply -f certmanager/
+```
+
 #### Legacy data migration
 
 This setup is completely optional and only required if you have data on a server
diff --git a/certmanager/ingress.yaml b/certmanager/ingress.yaml
new file mode 100644
index 000000000..d0ef9a2af
--- /dev/null
+++ b/certmanager/ingress.yaml
@@ -0,0 +1,22 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: ingress
+ namespace: human-connection
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ certmanager.k8s.io/issuer: "letsencrypt-staging"
+ certmanager.k8s.io/acme-challenge-type: http01
+spec:
+ tls:
+ - hosts:
+ - master.nitro.human-connection.org
+ secretName: quickstart-example-tls
+ rules:
+ - host: master.nitro.human-connection.org
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: nitro-web
+ servicePort: 3000
diff --git a/certmanager/issuer-production.yaml b/certmanager/issuer-production.yaml
new file mode 100644
index 000000000..6977a2178
--- /dev/null
+++ b/certmanager/issuer-production.yaml
@@ -0,0 +1,16 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+ name: letsencrypt-prod
+ namespace: human-connection
+spec:
+ acme:
+ # The ACME server URL
+ server: https://acme-v02.api.letsencrypt.org/directory
+ # Email address used for ACME registration
+ email: letsencrypt-prod@roschaefer.de
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ # Enable the HTTP-01 challenge provider
+ http01: {}
diff --git a/certmanager/issuer-staging.yaml b/certmanager/issuer-staging.yaml
new file mode 100644
index 000000000..ef0f40faa
--- /dev/null
+++ b/certmanager/issuer-staging.yaml
@@ -0,0 +1,16 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+ name: letsencrypt-staging
+ namespace: human-connection
+spec:
+ acme:
+ # The ACME server URL
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ # Email address used for ACME registration
+ email: letsencrypt-staging@roschaefer.de
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ # Enable the HTTP-01 challenge provider
+ http01: {}
diff --git a/human-connection/ingress.yaml b/human-connection/ingress.yaml
deleted file mode 100644
index b6028b9aa..000000000
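Review bot: The `certmanager.k8s.io/issuer: "letsencrypt-staging"` annotation binds this Ingress to the staging issuer, whose `server` in issuer-staging.yaml is the Let's Encrypt staging endpoint, so the certificate written to `quickstart-example-tls` will be signed by an untrusted CA and browsers will reject it for master.nitro.human-connection.org. Starting with staging is sensible while the HTTP-01 path is still unverified (no production rate limits), but the commit also adds `letsencrypt-prod` in issuer-production.yaml and nothing references it, so the hand-over step is undocumented. I would add a comment above the annotation, `# staging issuer: certificates are NOT browser-trusted; switch to letsencrypt-prod once HTTP-01 validation works`, and note next to `secretName` that after switching issuers the secret presumably has to be deleted or renamed so cert-manager requests a trusted certificate instead of keeping the staging one. `secretName: quickstart-example-tls` is also copied verbatim from the quick-start guide; a name such as `nitro-web-tls` would make the secret's purpose clear in the human-connection namespace.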
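Review bot: `email: letsencrypt-prod@roschaefer.de` registers the project's ACME account under a personal domain of the committer, and the same applies to `letsencrypt-staging@roschaefer.de` in issuer-staging.yaml; Let's Encrypt sends expiry and revocation notices to that address, so it should be a project-owned mailbox (a clearly marked placeholder such as `ops@<project-domain>` to be filled in at deploy time is better than a maintainer's private domain). The comment on `privateKeySecretRef` could also state the access boundary, since `letsencrypt-prod` holds the ACME account key in the human-connection namespace: `# ACME account key; anyone who can read Secrets in this namespace can act as this account`. Whether cert-manager creates that secret itself when it is absent is not visible here and is worth confirming against the 0.6 docs referenced in the README.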
--- a/human-connection/ingress.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
- name: ingress
- namespace: human-connection
-spec:
- rules:
- - host: master.nitro.human-connection.org
- http:
- paths:
- - backend:
- serviceName: nitro-web
- servicePort: 3000