Added self signed steps and directory

README.md

@@ -1,6 +1,4 @@
-# Hands-on-with-Kubernetes-on-Azure-managing-certificates-with-Helm
-
-## Introduction 
+# Introduction 
 Ever wonder how certificates and HTTPS actually work ? I know I did for a long time...
 
 For years I pretended that I understood, as it seemed to either be expected as prior knowledge or simply glossed over in many tutorials.
@@ -9,7 +7,7 @@ Nowadays, simply knowing how certificates work is not enough. We need to know ho
 
 This hands on session aims to explain what certificates are, how they are used for secure communication and also how we can leverage Kubernetes to deploy HTTPS applications with relative ease. 
 
-## Tutorial
+# Hands-on Certificates on Kubernetes
 This tutorial covers the steps required to deploy a HTTPS application on a pre-existing Kubernetes cluster built on on Azure Kubernetes Service (AKS).
 
 In order to deploy our HTTPS application we will utilise the **Ingress** resource, available by default in Kubernetes. 
@@ -28,6 +26,51 @@ Clone down this repoistory
     git clone <this_repo>
     cd <repo_name>
 
+## Self-Signed Certificates 
+
+Add the ingress-nginx repository
+
+    helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+
+Use Helm to deploy an NGINX ingress controller
+
+    helm install nginx-ingress ingress-nginx/ingress-nginx \
+        --set controller.replicaCount=2 \
+        --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux \
+        --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux
+
+Generate TLS certificates using openssl self-signed (or alternatively use Vault as CA, see `vault-ca` dir).
+
+    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+        -out /tmp/tls.crt \
+        -keyout /tmp/tls.key \
+        -subj "/CN=dpg.com"
+
+Create Kubernetes secret for the TLS certificate
+
+    kubectl create secret tls tls-secret \
+        --key /tmp/tls.key \
+        --cert /tmp/tls.crt
+
+Run the two demo applications using `kubectl apply`
+
+    kubectl apply -f self-signed/self-signed-app.yaml
+
+Create the ingress resource (remember to modify the host to be the CN, Common Name, you have configured)
+
+    kubectl apply -f self-signed/self-signed-app.yaml
+
+Test the ingress configuration (self-signed)
+
+    curl -v -k --resolve example.com:443:$(kubectl get services nginx-ingress-ingress-nginx-controller | awk 'NR==2 {print $4}') https://example.com # Trusts any certificates
+
+    curl -v --cacert tls.crt --resolve example.com:443:$(kubectl get services nginx-ingress-ingress-nginx-controller | awk 'NR==2 {print $4}') https://example.com # Trusts on certificate specified in command
+
+Alternatively on your own machie (not workstation) modify hosts file and view in browser.
+
+
+## Automated Certificates signed by LetsEncypt
+
 Login to Azure using service principal 
 
     az login --service-principal -u $APP_ID -p $APP_PW --tenant $TENANT_ID

self-signed/self-signed-app.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: self-signed-app
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: self-signed-app
+  template:
+    metadata:
+      labels:
+        app: self-signed-app
+    spec:
+      containers:
+      - name: aks-helloworld
+        image: mcr.microsoft.com/azuredocs/aks-helloworld:v1
+        ports:
+        - containerPort: 80
+        env:
+        - name: TITLE
+          value: "Welcome to your app secured with self-signed keys"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: self-signed-app
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+  selector:
+    app: self-signed-app

self-signed/self-signed-ingress.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: self-signed-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /$1
+    nginx.ingress.kubernetes.io/use-regex: "true"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - dpg.com
+    secretName: self-signed-secret
+  rules:
+  - host: dpg.com
+    http:
+      paths:
+      - backend:
+          serviceName: self-signed-app
+          servicePort: 80
+        path: /(.*)