From 2d046d6cdc29e8f756518c4b1b7be9e6cdcd0c5a Mon Sep 17 00:00:00 2001 From: Yifei Zhang Date: Thu, 13 Sep 2018 11:46:02 -0700 Subject: [PATCH] add guestbook tls example --- demo/ing-guestbook.yaml | 18 ++++ .../guestbook/ing-guestbook-tls-sni.yaml | 18 ++++ docs/example/guestbook/ing-guestbook-tls.yaml | 15 +++ docs/guestbook.md | 92 +++++++++++++++++-- 4 files changed, 133 insertions(+), 10 deletions(-) create mode 100644 demo/ing-guestbook.yaml create mode 100644 docs/example/guestbook/ing-guestbook-tls-sni.yaml create mode 100644 docs/example/guestbook/ing-guestbook-tls.yaml diff --git a/demo/ing-guestbook.yaml b/demo/ing-guestbook.yaml new file mode 100644 index 000000000..585275baa --- /dev/null +++ b/demo/ing-guestbook.yaml @@ -0,0 +1,18 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: guestbook + annotations: + kubernetes.io/ingress.class: azure/application-gateway +spec: + rules: + - http: + paths: + - path: /test/* + backend: + serviceName: nginx-hello + servicePort: 80 + - path: /* + backend: + serviceName: frontend + servicePort: 80 \ No newline at end of file diff --git a/docs/example/guestbook/ing-guestbook-tls-sni.yaml b/docs/example/guestbook/ing-guestbook-tls-sni.yaml new file mode 100644 index 000000000..ada00a4eb --- /dev/null +++ b/docs/example/guestbook/ing-guestbook-tls-sni.yaml @@ -0,0 +1,18 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: guestbook + annotations: + kubernetes.io/ingress.class: azure/application-gateway +spec: + tls: + - hosts: + - + secretName: + rules: + - host: + http: + paths: + - backend: + serviceName: frontend + servicePort: 80 \ No newline at end of file diff --git a/docs/example/guestbook/ing-guestbook-tls.yaml b/docs/example/guestbook/ing-guestbook-tls.yaml new file mode 100644 index 000000000..913eaf302 --- /dev/null +++ b/docs/example/guestbook/ing-guestbook-tls.yaml 
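Review bot: The `/test/*` path in demo/ing-guestbook.yaml routes to a `nginx-hello` Service that nothing in this commit creates, and the guestbook walkthrough only mentions `frontend`, so the manifest appears to depend on an undocumented prerequisite. A header comment would make that explicit, for example `# Demo only: plain HTTP, no TLS; requires Services nginx-hello and frontend in the same namespace.` The file also ends without a trailing newline, as do the two other new manifests.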
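Review bot: Adding the `tls:` block in ing-guestbook-tls-sni.yaml does not stop the gateway from serving the same backend over plain HTTP. docs/guestbook.md in this commit says the application stays available on both HTTP and HTTPS, and the same holds for ing-guestbook-tls.yaml. Readers will copy this example, so say so in a comment above `tls:`, e.g. `# HTTP stays enabled; this manifest does not redirect or disable port 80.` Later releases of the controller have an `appgw.ingress.kubernetes.io/ssl-redirect: "true"` annotation, but the diff does not show whether the version targeted here supports it, so confirm before adding it.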
@@ -0,0 +1,15 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: guestbook + annotations: + kubernetes.io/ingress.class: azure/application-gateway +spec: + tls: + - secretName: + rules: + - http: + paths: + - backend: + serviceName: frontend + servicePort: 80 \ No newline at end of file diff --git a/docs/guestbook.md b/docs/guestbook.md index 9509f05b3..ccbf4b658 100644 --- a/docs/guestbook.md +++ b/docs/guestbook.md @@ -1,13 +1,14 @@ # Example: Guestbook -This example will show you how to deploy a multi-tier web application and use a -simple ingress to configure the application gateway +This example will show you how to deploy a multi-tier web application and use a simple ingress to configure the application gateway. +This example will also demonstrate how to set up TLS on the same service. ## Prerequisite - Installed `application-gateway-kubernetes-ingress` helm chart (see [here](install)) +- If you want to use HTTPS on this application, you will need a x509 certificate and its private key. -## Deploy `guestbook` +## Deploy `guestbook` application 1. Download `guestbook-all-in-one.yaml` from [here](https://github.com/kubernetes/examples/blob/master/guestbook/all-in-one/guestbook-all-in-one.yaml) 2. Deploy `guestbook-all-in-one.yaml` into your AKS cluster by running 
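Review bot: The `tls:` entry in ing-guestbook-tls.yaml has a `secretName` but no `hosts`, and the rule has no `host`, so the one certificate is presented for every hostname that resolves to the gateway. Clients get a name mismatch unless the certificate covers each name in use. A comment above `secretName` would help: `# Secret of type kubernetes.io/tls in this Ingress's namespace; its certificate must cover every hostname clients use.` Because that Secret holds the private key, the walkthrough could also remind readers to restrict read access to Secrets in that namespace.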
@@ -16,21 +17,21 @@ simple ingress to configure the application gateway kubectl apply -f guestbook-all-in-one.yaml ``` -## Deploy ingress - Now, the `guestbook` application has been deployed. -By default, it exposes its frontend through a service with name `frontend` on port `80`. +By default, `guestbook` exposes its application through a service with name `frontend` on port `80`. + +## Deploy Ingress without HTTPS -We will be using [ing-frontend.yaml](example/guestbook/ing-guestbook.yaml) as the ingress. +We will be using [ing-guestbook.yaml](example/guestbook/ing-guestbook.yaml) as the ingress. This ingress will expose the `frontend` service of the `guestbook-all-in-one` deployment as a default backend of the Application Gateway. -1. Deploy `ing-frontend.yaml` by running +1. Deploy `ing-guestbook.yaml` by running ```bash - kubectl apply -f ing-frontend.yaml + kubectl apply -f ing-guestbook.yaml ``` 2. Check the log of the ingress controller for deployment status. 
@@ -38,5 +39,76 @@ as a default backend of the Application Gateway. Now the `guestbook` application should be available. You can check this by visiting the public address of the Application Gateway. +## Deploy Ingress with HTTPS + +### Without specified hostname + +Without specifying hostname, the guestbook service will be availble on through all the hostnames pointing to the application gateway. + +1. Before deploying ingress, you need to create a kubernetes secret to host the certificate and private key. + You can create a kubernetes secret by running + + ```bash + kubectl create secret tls --key --cert + ``` + +2. You will be using [ing-guestbook-tls.yaml](example/guestbook/ing-guestbook-tls.yaml) as the ingress. In the ingress, + specify the name of the secret in the `secretName` section. + + ```yaml + ... + spec: + tls: + - secretName: + ... + ``` + +3. Deploy `ing-guestbook-tls.yaml` by running + + ```bash + kubectl apply -f ing-guestbook-tls.yaml + ``` + +4. Check the log of the ingress controller for deployment status. + +Now the `guestbook` application will be availble on both HTTP and HTTPS. + +### With specified hostname + +You can also sepcify the hostname on the ingress in order to multiplex TLS configurations and services. +By specifying hostname, the guestbook service will only be availble on the specified host. + +1. You will be using [ing-guestbook-tls-sni.yaml](example/guestbook/ing-guestbook-tls-sni.yaml) as the ingress. + In the ingress, specify the name of the secret in the `secretName` section and replace the hostname accordingly. + + ```yaml + ... + spec: + tls: + - hosts: + - + secretName: + rules: + - host: + http: + paths: + - backend: + serviceName: frontend + servicePort: 80 + ... + ``` + +2. Deploy `ing-guestbook-tls-sni.yaml` by running + + ```bash + kubectl apply -f ing-guestbook-tls-sni.yaml + ``` + +3. Check the log of the ingress controller for deployment status. 
+ +Now the `guestbook` application will be availble on both HTTP and HTTPS only on the specified host (`` in this example). + +## Integrate with other services + You can also add additional paths into this ingress and redirect those paths to other services. -Please take a look at [ing-frontend.yaml](example/guestbook/ing-guestbook-other.yaml) \ No newline at end of file +Please take a look at [ing-guestbook-other.yaml](example/guestbook/ing-guestbook-other.yaml). \ No newline at end of file