docs: Certificate Defaults Tutorial

[hawksight]

Tutorial on setting Certificate Defaults based off of the exploration here from the original cert-manager issue.

Preview: https://deploy-preview-1279--cert-manager-website.netlify.app/docs/tutorials/certificate-defaults/

[netlify]

✅ Deploy Preview for cert-manager-website ready!

Name	Link
🔨 Latest commit	56f3d0c
🔍 Latest deploy log	https://app.netlify.com/sites/cert-manager-website/deploys/64f5f39f4905bd000847b909
😎 Deploy Preview	https://deploy-preview-1279--cert-manager-website.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

✅ Deploy Preview for cert-manager-website ready!

Name	Link
🔨 Latest commit	111a387
🔍 Latest deploy log	https://app.netlify.com/sites/cert-manager-website/deploys/65a5246703a99a00080b51fd
😎 Deploy Preview	https://deploy-preview-1279--cert-manager-website.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[hawksight]

/cc @wallrj @maelvls

[hawksight]

@wallrj I added you for review as we started this exploration together so would be great to get your review here.

[hawksight]

/hold

[hawksight]

Had a session with Mael and we went through the demo, I have a list of actions to neated & improve the flow:

• Add tutorial to the overview page
• Clarify using a cluster wide example
• Embed the YAML from the file, not copy it
• Change URLS to be git https links... such as: https://deploy-preview-1279--cert-manager-website.netlify.app/docs/tutorials/certificate-defaults/
• Variables for the links above ^ so they work on any branch, eg on preview branches before merging
• helm repo add commands / the --repo flags on the uprade commands
• most minimal (currently) <- first cert object
• kubectl apply -f mine/issue-1279-certificate.yaml --dry-run=server -o yaml | kubectl neat | diff -u mine/issue-1279-certificate.yaml - # shows differences nicely
• kubectl apply -f mine/issue-1279-certificate-only-dns-name.yaml --dry-run=server -oyaml | diff -u mine/issue-1279-certificate-only-dns-name.yaml -
• Step 8 - default / policy - reword this
• Step 9 - Diff command here instead
• works with ingress-shim - Add a section to showcase this

[wallrj]

Some initial comments. I haven't finished going through the tutorial yet.

[wallrj]

Stopping here.

• All those commands above work well.
• I spotted another typo.
• Perhaps this first part of the content can be merged now and the content below can be added to a separate PR after 1.13 is released with your fix for the mutating webhook.
• Maybe write something about what "sane defaults" are recommended by the cert-manager team and explain why those are not the out-of-the-box defaults....here or in another PR?

[hawksight]

Maybe write something about what "sane defaults" are recommended by the cert-manager team and explain why those are not the out-of-the-box defaults....here or in another PR?

I love that - will add a section. Might need your input after my first draft

Perhaps this first part of the content can be merged now and the content below can be added to a separate PR after 1.13 is released with your fix for the mutating webhook.

I have another section to add with ingress-shim. So I'll see when I complete this, probably after 1.13 so I can clean up that setion, or make reference to.. run 1.13 or read here ..

[hawksight]

In the latest revision I am now able to move the <= v1.13 stuff to an appendix to make the tutorial flow better.
Added v1.14.X as a req for the tutorial.

[hawksight]

Content is now done and ready for a full review!

• ingress-shim section (section 4)
• A note on cert-manager having defaults and why they might not be suitable to you (intro section)
• Commands a re now diffs which highlight the changes, or lack of when appropriate.
• Spelling hopefully all correct now (or correct by US standards 😜 ) and caught all those Richard mentioned.

@maelvls / @wallrj the only thing I have not done is to change the file reference to be GitHub links. Eg.

kubectl apply -f yamls/cert-test-revision.yaml --dry-run=server -o yaml | diff -uZ yamls/cert-test-revision.yaml -
# This could be ..
kubectl apply -f https://raw.githubusercontent.com/cert-manager/website/a6c1ac93ed6b50c4bde8181b2b71f0ec53ee8841/content/docs/tutorials/certificate-defaults/yamls/cert-test-revision.yaml --dry-run=server -o yaml | diff -uZ https://raw.githubusercontent.com/cert-manager/website/a6c1ac93ed6b50c4bde8181b2b71f0ec53ee8841/content/docs/tutorials/certificate-defaults/yamls/cert-test-revision.yaml -

The other concern if to have that URL variablised to point to the "preview" or commit version, and then update to "master" or latest once this is merged. Without another PR. Eg. ${GITHUB_BRANCH} ?

I am happy to not do this, because the command is a bit ugly with URLs.
But it would make it easier to apply the resources and follow along?

Maybe a better idea would be to pull the yamls and patches directories to your machine and add a step for that? Opinions very welcome here.

[hawksight]

/unhold

[wallrj]

A couple of drive by remarks, but I'll do a more thorough review next week if you want.

• I think it might be great to start with a "Use Cases" section E.g.

In this tutorial you will learn how to use Kyverno ClusterPolicy to encourage or to enforce best-practice and policy compliant settings for cert-manager Certificate resources.
Here are a few examples, but you can adapt these to meet your own specific requirements.

You want to avoid or ensure that CertificateRequest resources get cleaned up

Use a ClusterPolicy to set a sane default value for the Certificate.Spec.RevisionHistoryLimit field or to always override that field with 1 or 0.

You want to help your users choose secure default key settings for their Certificate resources.

Use a ClusterPolicy to set policy compliant default values for the Certificate.Spec.PrivateKey fields
or enforce your policy by overriding those settings.

• I still think this document reads too much like a technical exploration, and that it can be made to sound more like a tutorial.

[hawksight]

Thanks @wallrj & @jsoref for all the comments and review 🙌.
I'm going to try and work through them all in the next few days and come back with some revised wording.

[maelvls]

Hey, it looks like we are very close of having your tutorial published! How can I help?

[hawksight]

Based on my Q in the CNCF kyverno slack here,

• I need to make a minor edit around the ingress section to not rely on metadata.annotations anymore.

It seems it was removed in 3.1.1 of kyverno, so I need to reference the logs instead.
Will do that shortly to avoid confusing users of this guide.

[hawksight]

Ok CI is passing, I have made the changes I wanted to. This is now good for a final review from my side.

@wallrj / @jsoref - might you be able to take another look please?.
Most of the steps are the same as before, but the restructure hopefully makes it feel much nicer to follow.

[jsoref]

Suggested change

	Starting at v1.14.X the cert-manager-webhook `MutatingWebhookConfiguration` resource has been scoped back to only affect `CertificateRequest` resource.
	Starting with v1.14.x, the cert-manager-webhook `MutatingWebhookConfiguration` resource has been scoped to only affect `CertificateRequest` resources.

[hawksight]

Agreed with the sentence. Left the .X in the version to keep consistency across the document though.

[jsoref]

I should have called it out earlier, I prefer lowercase .x throughout.

[hawksight]

I just thought, should I not just use v1.14 rather than v1.14.x?

[hawksight]

Todo

• Redo the example outputs to ensure no kyverno annotations are added.
• Address all review comments

[hawksight]

@jsoref thank you for all the time reviewing the changes. I resolved all the "simple" or accepted changes and left a few open where I had comments. Please let me know if there's anything I missed that you consider a show stopper. I think anything left is pretty minor.

[wallrj]

Thanks Peter.

I left a few suggestions below but this tutorial is going to be really nice.

Maybe rebase this on release-next branch and add some of your appendix notes to the release-notes-1.14.md document.

[wallrj]

This makes it sound like a short-coming when in fact it seems like a benefit that the secretName and issuerRef defaulting policy do not interfere with ingress-shim Certificate resources.

I'd be tempted to remove the content from here up to "You can optionally validate that only the "0-mutate-certificate-defaults" ClusterPolicy has been applied".
I don't think it needs mentioning

[hawksight]

I've reworded it. My objective was that despite the Ingress part of this guide being after the defaulting of required fields, the rules for requried fields don't really play a part in the ingress section.

I hope the newer wording does a better job of explaining that.

[wallrj]

I find this a slightly confusing side note too. It doesn't seem relevant.
I suggest removing it.

[hawksight]

Yes, I was thinking that this optional configuration was worth a mention, in that you could reduce a user's knowledge of Issuer and ClusterIssuers further by using just the kubernetes.io/tls-acme: "true" as opposed to the one I used here: cert-manager.io/cluster-issuer: "our-corp-issuer"

But again that's sort of an addendum to the tutorial and not really the core focus here.
Perhaps this is more operational best practice as the access to resources could tie into RBAC and how the platform team manages to Certificate provisioning lifecycle.

[wallrj]

This objective was not declared in the use-cases section above.
I suggest moving or copying it there.

[hawksight]

Just trying to word this as an additional use case:

- **To enable users to request a certificate by providing only a domain name**

    Use a `ClusterPolicy` to set all other required `Certificate.spec` fields.

Would that suggestion cover it. Or should I be specific here and word it as:

- **To enable users to request a certificate by providing only a `Certificate.spec.dnsNames` field**

    Use a `ClusterPolicy` to set all other required `Certificate.spec` fields that cert-manager expects for `CertificateRequest` creation.

[wallrj]

I am also struggling to come up with a good sentence. Maybe something more general, like:

Make application developers lives easier by allowing them to create secure X.509 TLS certificates with the minimum of configuration.

The application developer only needs to supply the field values that are relevant for their application, such as DNS names, extended usages and the target Secret name.
Use ClusterPolicy to set all the other required Certificate.spec fields to sane defaults.

[jsoref]

Make application developers' lives easier by allowing them to create secure X.509 TLS certificates with the minimum of configuration.

[hawksight]

Thanks, I took that title and added some sub-context.

[hawksight]

TY @wallrj - I have run out of steam and time today. I'll look to address those comments on Friday.
Given the tutorial needs 1.14 is that the reason for suggesting this goes into the release-next branch rather than master?

[wallrj]

Given the tutorial needs 1.14 is that the reason for suggesting this goes into the release-next branch rather than master?

Yes, that is my reasoning. Otherwise we will have to delay merging this tutorial until we release 1.14.

[jsoref]

did this line really not change its formatting to match the next line?

[hawksight]

Just fixed a couple minor CI fails and I'll check the latest preview deploy.
I do need to redo the output examples anyway due to the condensing of policies into one file.

[hawksight]

@wallrj - I think that is everything addressed and now rebased too (thank to @aidy for git guidance)

I hope now ready for final review :)

[wallrj]

Thanks @hawksight

All the latest changes look good to me and thanks for rebasing on release-next.

/lgtm
/approve

[jetstack-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wallrj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [wallrj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wallrj]

Broken link to CertificatePresets issue

@hawksight I just noticed this broken link while reading the live docs.
Sorry I missed it during review.