Add objects and documentation for certificates in communishift

Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>

files/communishift/objects/README.md

@@ -4,4 +4,17 @@ Instructions
 The files in this directory are the configuration files for communishift to be applied.
 
 For OIDC auth, get the client secret for "communishift" from ansible-private/files/ipsilon/openidc.production.static, and run:
-oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret=<client-secret> -n openshift-config
+> oc create secret generic fedoraidp-clientsecret --from-literal=clientSecret=<client-secret> -n openshift-config
+
+For certificates, first install [cert-manager](), and then create the Issuer object.
+To do this, first create a new access key ID and secret key in AWS for the communishift_acme_dns01 user, and update issuer and create a secret:
+> oc create secret generic route53-access-key-secret --from-literal=access-key=THEACCESSKEY
+This gives it the ability to create a TXT record for acmechallenges.fedorainfracloud.org.
+To allow certificates for other hostnames, those hostnames need a CNAME of "_acme-challenge.<hostname>" pointing to "acmechallenges.fedorainfracloud.org".
+After that, create the two certificate requests for the API server and ingress default cert:
+> oc -n openshift-config create -f cert_api.yml
+> oc -n openshift-ingress create -f cert_apps.yml
+This will start the request of the certificates.
+Then run the following commands to update the ingress router (will take affect after its restart) and API server with their new certs:
+> oc patch apiserver cluster --type=merge -p '{"spec": {"servingCerts": {"defaultServingCertificate": {"name": "api-certificate"}}}}'
+> oc patch ingresscontroller.operator default --type=merge -p '{"spec":{"defaultCertificate": {"name": "apps-certificate"}}}' -n openshift-ingress-operator

files/communishift/objects/cert_api.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: api-certificate
+  namespace: openshift-config
+spec:
+  secretName: api-certificate
+  renewBefore: 360h # 15d
+  commonName: api.os.fedorainfracloud.org
+  dnsNames:
+  - 'api.os.fedorainfracloud.org'
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer

files/communishift/objects/cert_apps.yml

@@ -0,0 +1,15 @@
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: apps-certificate
+  namespace: openshift-ingress
+spec:
+  secretName: apps-certificate
+  renewBefore: 360h # 15d
+  commonName: apps.os.fedorainfracloud.org
+  dnsNames:
+  - '*.apps.os.fedorainfracloud.org'
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer

files/communishift/objects/issuer.yml

@@ -0,0 +1,22 @@
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    email: admin@fedoraproject.org
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-production-account-key
+    solvers:
+    - dns01:
+        cnameStrategy: Follow
+        route53:
+          region: us-east-1
+          accessKeyID: THEACCESSKEYID
+          secretAccessKeySecretRef:
+            namespace: cert-manager
+            name: route53-access-key-secret
+            key: access-key
+          hostedZoneID: Z2MFECC8O90CBA