From 0f482761104e8973f7a97a367c24a473be2de11e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
 <charles.edouard@nirmata.com>
Date: Mon, 6 Jan 2025 12:09:20 +0100
Subject: [PATCH] docs: update tutorials docs with cert manager instructions
 (#294)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
---
 website/docs/tutorials/envoy-gateway/index.md | 42 +++++++++++++++++--
 website/docs/tutorials/istio/index.md         | 39 +++++++++++++++--
 2 files changed, 75 insertions(+), 6 deletions(-)

diff --git a/website/docs/tutorials/envoy-gateway/index.md b/website/docs/tutorials/envoy-gateway/index.md
index 8c539a3..ced5591 100644
--- a/website/docs/tutorials/envoy-gateway/index.md
+++ b/website/docs/tutorials/envoy-gateway/index.md
@@ -30,7 +30,10 @@ First we need to install Envoy Gateway in the cluster.
 
 ```bash
 # install envoy gateway
-helm install envoy-gateway -n envoy-gateway-system --create-namespace --wait --version v1.2.2 oci://docker.io/envoyproxy/gateway-helm
+helm install envoy-gateway \
+  --namespace envoy-gateway-system --create-namespace \
+  --wait \
+  --version v1.2.2 oci://docker.io/envoyproxy/gateway-helm
 ```
 
 ### Deploy a sample application
@@ -42,7 +45,9 @@ Httpbin is a well-known application that can be used to test HTTP requests and h
 kubectl create ns demo
 
 # deploy the httpbin application
-kubectl apply -n demo -f https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml
+kubectl apply \
+  -n demo \
+  -f https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml
 ```
 
 ### Create a GatewayClass and a Gateway
@@ -119,13 +124,44 @@ spec:
 EOF
 ```
 
+### Deploy cert-manager
+
+The Kyverno Authz Server comes with a validation webhook and needs a certificate to let the api server call into it.
+
+Let's deploy `cert-manager` to manage the certificate we need.
+
+```bash
+# install cert-manager
+helm install cert-manager \
+  --namespace cert-manager --create-namespace \
+  --wait \
+  --repo https://charts.jetstack.io cert-manager \
+  --set crds.enabled=true
+
+# create a self-signed cluster issuer
+kubectl apply -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+EOF
+```
+
 ### Deploy the Kyverno Authz Server
 
 Now deploy the Kyverno Authz Server.
 
 ```bash
 # deploy the kyverno authz server
-helm install kyverno-authz-server --namespace kyverno --create-namespace --wait --repo https://kyverno.github.io/kyverno-envoy-plugin kyverno-authz-server
+helm install kyverno-authz-server \
+  --namespace kyverno --create-namespace \
+  --wait \
+  --repo https://kyverno.github.io/kyverno-envoy-plugin kyverno-authz-server \
+  --set certificates.certManager.issuerRef.group=cert-manager.io \
+  --set certificates.certManager.issuerRef.kind=ClusterIssuer \
+  --set certificates.certManager.issuerRef.name=selfsigned-issuer
 ```
 
 ## Create a Kyverno AuthorizationPolicy
diff --git a/website/docs/tutorials/istio/index.md b/website/docs/tutorials/istio/index.md
index 4e36032..2d219b9 100644
--- a/website/docs/tutorials/istio/index.md
+++ b/website/docs/tutorials/istio/index.md
@@ -56,9 +56,34 @@ Notice that in the configuration, we define an `extensionProviders` section that
 [...]
 ```
 
+### Deploy cert-manager
+
+The Kyverno Authz Server comes with a validation webhook and needs a certificate to let the api server call into it.
+
+Let's deploy `cert-manager` to manage the certificate we need.
+
+```bash
+# install cert-manager
+helm install cert-manager \
+  --namespace cert-manager --create-namespace \
+  --wait \
+  --repo https://charts.jetstack.io cert-manager \
+  --set crds.enabled=true
+
+# create a self-signed cluster issuer
+kubectl apply -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+EOF
+```
+
 ### Deploy the Kyverno Authz Server
 
-The first step is to deploy the Kyverno Authz Server.
+Now we can deploy the Kyverno Authz Server.
 
 ```bash
 # create the kyverno namespace
@@ -68,7 +93,13 @@ kubectl create ns kyverno
 kubectl label namespace kyverno istio-injection=enabled
 
 # deploy the kyverno authz server
-helm install kyverno-authz-server --namespace kyverno --wait --repo https://kyverno.github.io/kyverno-envoy-plugin kyverno-authz-server
+helm install kyverno-authz-server \
+  --namespace kyverno \
+  --wait \
+  --repo https://kyverno.github.io/kyverno-envoy-plugin kyverno-authz-server \
+  --set certificates.certManager.issuerRef.group=cert-manager.io \
+  --set certificates.certManager.issuerRef.kind=ClusterIssuer \
+  --set certificates.certManager.issuerRef.name=selfsigned-issuer
 ```
 
 ### Deploy a sample application
@@ -83,7 +114,9 @@ kubectl create ns demo
 kubectl label namespace demo istio-injection=enabled
 
 # deploy the httpbin application
-kubectl apply -f https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml -n demo
+kubectl apply \
+   -n demo \
+   -f https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml
 ```
 
 ### Deploy an Istio AuthorizationPolicy