From 6c83324912daa68fae0bdb0911725b0c3460b339 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charles-Edouard=20Br=C3=A9t=C3=A9ch=C3=A9?=
 <charles.edouard@nirmata.com>
Date: Mon, 6 Jan 2025 12:18:03 +0100
Subject: [PATCH] docs: update quick start docs with cert manager instructions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
---
 website/docs/quick-start/authz-server.md | 42 ++++++++++++++++++++----
 1 file changed, 36 insertions(+), 6 deletions(-)

diff --git a/website/docs/quick-start/authz-server.md b/website/docs/quick-start/authz-server.md
index e6a044a..5382917 100644
--- a/website/docs/quick-start/authz-server.md
+++ b/website/docs/quick-start/authz-server.md
@@ -56,9 +56,34 @@ Notice that in the configuration, we define an `extensionProviders` section that
 [...]
 ```
 
+### Deploy cert-manager
+
+The Kyverno Authz Server comes with a validation webhook and needs a certificate to let the api server call into it.
+
+Let's deploy `cert-manager` to manage the certificate we need.
+
+```bash
+# install cert-manager
+helm install cert-manager \
+  --namespace cert-manager --create-namespace \
+  --wait \
+  --repo https://charts.jetstack.io cert-manager \
+  --set crds.enabled=true
+
+# create a self-signed cluster issuer
+kubectl apply -f - <<EOF
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+EOF
+```
+
 ### Deploy the Kyverno Authz Server
 
-The first step is to deploy the Kyverno Authz Server.
+Now we can deploy the Kyverno Authz Server.
 
 ```bash
 # create the kyverno namespace
@@ -68,9 +93,13 @@ kubectl create ns kyverno
 kubectl label namespace kyverno istio-injection=enabled
 
 # deploy the kyverno authz server
-helm install kyverno-authz-server --namespace kyverno --wait  \
-  --repo https://kyverno.github.io/kyverno-envoy-plugin       \
-  kyverno-authz-server
+helm install kyverno-authz-server \
+  --namespace kyverno \
+  --wait  \
+  --repo https://kyverno.github.io/kyverno-envoy-plugin kyverno-authz-server \
+  --set certificates.certManager.issuerRef.group=cert-manager.io \
+  --set certificates.certManager.issuerRef.kind=ClusterIssuer \
+  --set certificates.certManager.issuerRef.name=selfsigned-issuer
 ```
 
 ### Deploy a sample application
@@ -85,8 +114,9 @@ kubectl create ns demo
 kubectl label namespace demo istio-injection=enabled
 
 # deploy the httpbin application
-kubectl apply -n demo -f \
-  https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml
+kubectl apply \
+  -n demo \
+  -f https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml
 ```
 
 ### Deploy an Istio AuthorizationPolicy