From 14422d361dfd842bd0f0a494beca07542e526445 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Sun, 30 Jun 2019 22:31:42 +0200
Subject: [PATCH] Add objects and documentation for certificates in communishift
Signed-off-by: Patrick Uiterwijk
---
files/communishift/objects/README.md | 15 ++++++++++++++-
files/communishift/objects/cert_api.yml | 15 +++++++++++++++
files/communishift/objects/cert_apps.yml | 15 +++++++++++++++
files/communishift/objects/issuer.yml | 22 ++++++++++++++++++++++
4 files changed, 66 insertions(+), 1 deletion(-)
create mode 100644 files/communishift/objects/cert_api.yml
create mode 100644 files/communishift/objects/cert_apps.yml
create mode 100644 files/communishift/objects/issuer.yml
diff --git a/files/communishift/objects/README.md b/files/communishift/objects/README.md
index 18a53cae6b..51b7d90bbb 100644
--- a/files/communishift/objects/README.md
+++ b/files/communishift/objects/README.md
@@ -4,4 +4,17 @@ Instructions
 The files in this directory are the configuration files for communishift to be applied. For OIDC auth, get the client secret for "communishift" from ansible-private/files/ipsilon/openidc.production.static, and run:
-oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret= -n openshift-config
+> oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret= -n openshift-config
+
+For certificates, first install [cert-manager](), and then create the Issuer object.
+To do this, first create a new access key ID and secret key in AWS for the communishift_acme_dns01 user, and update issuer and create a secret:
+> oc create secret generic route53-access-key-secret --from-literal=access-key=THEACCESSKEY
+This gives it the ability to create a TXT record for acmechallenges.fedorainfracloud.org.
+To allow certificates for other hostnames, those hostnames need a CNAME of "_acme-challenge." pointing to "acmechallenges.fedorainfracloud.org".
+After that, create the two certificate requests for the API server and ingress default cert:
+> oc -n openshift-config create -f cert_api.yml
+> oc -n openshift-ingress create -f cert_apps.yml
+This will start the request of the certificates.
+Then run the following commands to update the ingress router (will take affect after its restart) and API server with their new certs:
+> oc patch apiserver cluster --type=merge -p '{"spec": {"servingCerts": {"defaultServingCertificate": {"name": "api-certificate"}}}}'
+> oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "apps-certificate"}}}' -n openshift-ingress-operator
diff --git a/files/communishift/objects/cert_api.yml b/files/communishift/objects/cert_api.yml
new file mode 100644
index 0000000000..44d6ff6ed0
--- /dev/null
+++ b/files/communishift/objects/cert_api.yml
@@ -0,0 +1,15 @@
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ name: api-certificate
+ namespace: openshift-config
+spec:
+ secretName: api-certificate
+ renewBefore: 360h # 15d
+ commonName: api.os.fedorainfracloud.org
+ dnsNames:
+ - 'api.os.fedorainfracloud.org'
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
diff --git a/files/communishift/objects/cert_apps.yml b/files/communishift/objects/cert_apps.yml
new file mode 100644
index 0000000000..a449378e9e
--- /dev/null
+++ b/files/communishift/objects/cert_apps.yml
@@ -0,0 +1,15 @@
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ name: apps-certificate
+ namespace: openshift-ingress
+spec:
+ secretName: apps-certificate
+ renewBefore: 360h # 15d
+ commonName: apps.os.fedorainfracloud.org
+ dnsNames:
+ - '*.apps.os.fedorainfracloud.org'
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
diff --git a/files/communishift/objects/issuer.yml b/files/communishift/objects/issuer.yml
new file mode 100644
index 0000000000..df3870916a
--- /dev/null
+++ b/files/communishift/objects/issuer.yml
@@ -0,0 +1,22 @@
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-production
+spec:
+ acme:
+ email: admin@fedoraproject.org
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-production-account-key
+ solvers:
+ - dns01:
+ cnameStrategy: Follow
+ route53:
+ region: us-east-1
+ accessKeyID: THEACCESSKEYID
+ secretAccessKeySecretRef:
+ namespace: cert-manager
+ name: route53-access-key-secret
+ key: access-key
+ hostedZoneID: Z2MFECC8O90CBA
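Review bot: The Certificate sets no `duration`, so the lifetime of `api-certificate` is whatever the ACME CA issues (90 days for Let's Encrypt), and with `renewBefore: 360h` renewal is attempted roughly every 75 days; that is reasonable but unstated, and the existing `# 15d` comment could carry it: `renewBefore: 360h  # 15d before expiry; LE issues 90-day certs, so renewal runs ~every 75 days`. A comment on `namespace: openshift-config` noting that the resulting secret must stay in that namespace because the APIServer `servingCerts` reference in the README only resolves secrets there would also help — I believe that is how OpenShift 4 resolves it, but confirm against the cluster version in use. As a style point, the inline comment has only one space before `#`; yamllint's default wants two (`360h  # 15d`), though a single space still parses.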
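Review bot: `commonName: apps.os.fedorainfracloud.org` is not listed under `dnsNames`, and the only SAN `*.apps.os.fedorainfracloud.org` does not match the bare `apps.os.fedorainfracloud.org` name, so whether the bare name ends up in the issued certificate — and therefore needs its own `_acme-challenge.apps.os.fedorainfracloud.org` CNAME for the DNS-01 solver — depends on how cert-manager and the CA treat a CN absent from the SANs; I believe Let's Encrypt folds the CN into the SAN list, which would make issuance fail if that CNAME is missing. Make it explicit either way: add `- 'apps.os.fedorainfracloud.org'` under `dnsNames` and document the extra CNAME, or set `commonName: '*.apps.os.fedorainfracloud.org'` so the wildcard is the only name requested. Since this secret becomes the ingress default certificate, its private key serves every Route on this shared cluster; a one-line comment saying so, and that `secretName` must remain in `openshift-ingress` for the ingresscontroller patch to find it, would help the next operator.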
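Review bot: `namespace: cert-manager` under `secretAccessKeySecretRef` is, as far as I can tell, not a field of cert-manager's secret selector (it takes only `name` and `key`); for a ClusterIssuer the secret is read from the controller's cluster-resource namespace (`cert-manager` by default), so the key is at best ignored while the real requirement — that `route53-access-key-secret` exists in that namespace — goes unstated, and the README's `oc create secret` in this commit passes no `-n cert-manager`. Replace the line with a comment such as `# secret must live in cert-manager's cluster-resource namespace (cert-manager by default)` and add `-n cert-manager` to the documented command. The solver has no `selector`, so with `cnameStrategy: Follow` any Certificate in any namespace of this shared cluster can obtain a certificate for any name whose `_acme-challenge` CNAME points at acmechallenges.fedorainfracloud.org; that matches the README's intent, but if this cert-manager version supports `selector.dnsNames`/`dnsZones`, scoping the solver to `os.fedorainfracloud.org` would bound what a compromised tenant can get, and the IAM policy behind `accessKeyID` should be limited to ChangeResourceRecordSets on `hostedZoneID: Z2MFECC8O90CBA` — a comment recording that expectation next to `hostedZoneID` would help. The secret access key should also not be supplied as a `--from-literal` argument (it lands in shell history and process listings); `--from-file` or reading it from stdin is the safer form.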