chore(ssl): expand ssl documentation

slack · slack · commit ecde7b9d14ae · 2016-05-18T14:38:03.000-07:00
diff --git a/src/managing-workflow/platform-ssl.md b/src/managing-workflow/platform-ssl.md
@@ -4,59 +4,88 @@ SSL/TLS is the standard security technology for establishing an encrypted link b
 and a browser. This link ensures that all data passed between the web server and browsers remain
 private and integral.
 
-To enable SSL for your cluster and all apps running upon it, you can add an SSL key to your load
-balancer. You must either provide an SSL certificate that was registered with a CA or provide
-[your own self-signed SSL certificate](../reference-guide/creating-a-self-signed-ssl-certificate.md).
+To enable SSL for the Workflow API and all managed apps, you can add an SSL certificate to the Deis Workflow router. You
+must provide either an SSL certificate that was registered with a CA or [your own self-signed SSL
+certificate](../reference-guide/creating-a-self-signed-ssl-certificate.md).
 
-## Installing SSL on a Load Balancer
+Note that the platform SSL certificate also functions as a default certificate for your apps that are deployed via
+Workflow. If you would like to attach a specific certificate to an application and domain see [Application SSL
+Certificates](../.applications/ssl-certificates.md).
 
-On most cloud-based load balancers, you can install a SSL certificate onto the load balancer
-itself. Any communication inbound to the load balancer will be encrypted while the internal
-components of Deis will still communicate over HTTP.
+## Installing SSL on the Deis Router
 
-When you install Deis, Kubernetes will provision a load balancer for the routers. To enable SSL,
-you will need to modify the listener settings on the load balancer:
+To terminate SSL connections on the Deis Router use `kubectl` to create a new Secret at a known name. The Deis Workflow
+router will automatically detect this secret and reconfigure itself appropriately.
 
- - swap the load balancer protocol on port 443 to use HTTPS
- - swap the backend protocol to use HTTP
- - change the backend port to the same backend port as the listener on port 80
- - install the certificate on the listener for port 443
+The following criteria must be met:
 
-See your vendor's specific instructions on installing SSL on your load balancer. For AWS, see their
-documentation on [installing an SSL cert for load balancing](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html).
+ - The name of the secret must be `deis-router-platform-cert`
+ - The certificate's public key must be supplied as the value of the `cert` key
+ - The certificate's private key must be supplied as the value of the `key` key
+ - Both the certificate and private key must be base64 encoded
 
-## Installing SSL on the Deis Routers
+If your certificate has intermediate certs, append the intermediate signing certs to the bottom of the `cert` file
+before base64 encoding the combined certificates.
+
+Prepare your certificate and key files by encoding them in bas64:
+
+```
+$ cat certificate-file.crt
+-----BEGIN CERTIFICATE-----
+/ * your SSL certificate here */
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+/* any intermediate certificates */
+-----END CERTIFICATE-----
+$ cat certificate-file.crt | base64 -e
+LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi8gKiB5b3VyIFNTTCBjZXJ0aWZpY2F0ZSBoZXJlICovCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi8qIGFueSBpbnRlcm1lZGlhdGUgY2VydGlmaWNhdGVzICovCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+$ cat certificate.key
+-----BEGIN RSA PRIVATE KEY-----
+/* your unencrypted private key here */
+-----END RSA PRIVATE KEY-----
+$ cat certificate.key | base64 -e
+LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQovKiB5b3VyIHVuZW5jcnlwdGVkIHByaXZhdGUga2V5IGhlcmUgKi8KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K
+```
+
+Open your favorite text editor and create the Kubernetes manifest:
+
+```
+$ $EDITOR deis-router-platform-cert.yaml
+```
+
+The format of the Secret manifest should match the below example. Make sure you paste the appropriate values for `cert`
+and `key` from the above examples:
+
+```
+$ cat deis-router-platform-cert.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: deis-router-platform-cert
+  namespace: deis
+type: Opaque
+data:
+  cert: LS0...tCg==
+  key: LS0...LQo=
+```
+
+Once you've created the `deis-router-plaform-cert.yaml` file, you can install the manifest with `kubectl create -f
+deis-router-platform-cert.yaml`. The Deis Workflow router will automatically notice the new secret and update configuration its
+on-the-fly.
 
-You can also use the Deis routers to terminate SSL connections. Use `kubectl` to install the
-certificate and private keys. Open your favorite text editor and create the Kubernetes manifest:
+## Installing SSL on a Load Balancer
 
-	$ $EDITOR deis-router-platform-cert.yaml
+Most cloud-based load balancers also support SSL termination in addition to passing traffic through to Deis Router.  Any
+communication inbound to the load balancer will be encrypted while the internal components of Deis Workflow will still
+communicate over HTTP. This offloads SSL processing to the cloud load balancer but also means that any
+application-specific SSL certificates must **also** be configured on the cloud load balancer.
 
-At this point, you'll want to create a new Kubernetes secret bearing the wildcard certificate.
-The following criteria must be met:
+To terminate SSL on the cloud load blanancer you will need to modify the load balancer's listener settings:
 
- - The name must be deis-router-platform-cert
- - The certificate's public key must be supplied as the value of the `cert` key
- - The certificate's private key must be supplied as the value of the `key` key
- - Both the certificate and private key must be base64 encoded
+ - Swap the load balancer protocol on port 443 to use HTTPS instead of TCP
+ - Swap the backend protocol to use HTTP instead of TCP
+ - Change the destination backend port to match the port configured for HTTP, usually port 80
+ - Install the certificate on the listener associated with port 443
 
-For example:
-
-	$ cat deis-router-platform-cert.yaml
-	apiVersion: v1
-	kind: Secret
-	metadata:
-	  name: deis-router-platform-cert
-	  namespace: deis
-	type: Opaque
-	data:
-	  cert: LS0...tCg==
-	  key: LS0...LQo=
-
-If your certificate has intermediate certs that need to be presented as part of a certificate
-chain, append the intermediate certs to the bottom of the `cert` value before base64 encoding the
-cert chain.
-
-Once you've created the certificate manifest, you can then install the certificate with
-`kubectl create -f deis-router-platform-cert.yaml`. The router will pick this up and update its
-configuration on-the-fly.
+See your vendor's specific instructions on installing SSL on your load balancer. For AWS, see their
+documentation on [installing an SSL cert for load balancing](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html).
