From 0d9ff60b9e7607ab34c67d5416cee49f5462b998 Mon Sep 17 00:00:00 2001 From: Eric Date: Wed, 9 Aug 2023 19:52:36 +0000 Subject: [PATCH 1/2] docs: add TLS config steps for K8s --- docs/admin/configure.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/admin/configure.md b/docs/admin/configure.md index e74d447c0b4e1..348e437e00e33 100644 --- a/docs/admin/configure.md +++ b/docs/admin/configure.md @@ -55,6 +55,33 @@ The Coder server can directly use TLS certificates with `CODER_TLS_ENABLE` and a - [Caddy](https://github.com/coder/coder/tree/main/examples/web-server/caddy) - [NGINX](https://github.com/coder/coder/tree/main/examples/web-server/nginx) +### Kubernetes TLS configuration + +Below are the steps to configure Coder to terminate TLS when running on Kubernetes. +You must have the certificate `.key` and `.crt` files in your working directory prior to step 1. + +1. Create the TLS secret in your Kubernetes cluster + +```console +kubectl create secret tls coder-tls -n --key="tls.key" --cert="tls.crt" +``` + +1. Reference the TLS secret in your Coder Helm chart values + +```yaml +coder: + tls: + secretName: + - coder-tls + + # alternatively, if you use an Ingress controller to terminate TLS, + # set the following values: + ingress: + enable: true + secretName: coder-tls + wildcardSecretName: coder-tls +``` + ## PostgreSQL Database Coder uses a PostgreSQL database to store users, workspace metadata, and other deployment information. From 23144a71ba7114d5f51e71ab75c547e6b7d97a5f Mon Sep 17 00:00:00 2001 From: Eric Date: Wed, 9 Aug 2023 20:12:39 +0000 Subject: [PATCH 2/2] add note on wildcard cert --- docs/admin/configure.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/admin/configure.md b/docs/admin/configure.md index 348e437e00e33..25f6d87583763 100644 --- a/docs/admin/configure.md +++ b/docs/admin/configure.md 
@@ -66,6 +66,9 @@ You must have the certificate `.key` and `.crt` files in your working directory kubectl create secret tls coder-tls -n --key="tls.key" --cert="tls.crt" ``` +> You can use a single certificate for the both the access URL and wildcard access URL. +> The certificate CN must match the wildcard domain, such as `*.example.coder.com`. + 1. Reference the TLS secret in your Coder Helm chart values ```yaml @@ -74,7 +77,7 @@ coder: secretName: - coder-tls - # alternatively, if you use an Ingress controller to terminate TLS, + # Alternatively, if you use an Ingress controller to terminate TLS, # set the following values: ingress: enable: true
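Review bot: In the `kubectl create secret tls coder-tls -n --key="tls.key" --cert="tls.crt"` line of the first hunk (PATCH 1/2, `@@ -55,6 +55,33 @@`) the `-n` flag has no namespace value, so as written the flag would swallow `--key="tls.key"` as its argument and the command fails. Use an explicit placeholder, e.g. `kubectl create secret tls coder-tls -n <coder-namespace> --key="tls.key" --cert="tls.crt"`, and state that the secret must be created in the same namespace as the Coder release, since a pod can only mount secrets from its own namespace. The empty `secretName:` value in the YAML block needs the same placeholder treatment. Minor: both steps are numbered `1.`; Markdown renders them as 1 and 2, but the introductory sentence refers to "step 1", so explicit `1.` and `2.` is clearer.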
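Review bot: The blockquote added in the `@@ -66,6 +66,9 @@` hunk has a typo ("for the both the access URL") and its matching rule is inaccurate: modern TLS clients (browsers, and Go's crypto/tls since 1.15) ignore the certificate Common Name and validate hostnames only against the Subject Alternative Name entries. Suggest rewording to say the certificate's SAN list must include both the access URL hostname (e.g. `example.coder.com`) and the wildcard entry `*.example.coder.com`, because a wildcard covers a single label and does not match the bare access URL host. A single certificate is fine only when both names are present.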
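Review bot: The `@@ -74,7 +77,7 @@` hunk only capitalizes a comment ("alternatively" to "Alternatively"); consider squashing it into PATCH 1/2. While touching that comment, make it explicit that the two blocks are mutually exclusive: the example sets `coder.tls.secretName` and then, under an "alternatively" comment, also sets the `ingress` values, so a reader copying the whole block would configure TLS termination in both places. Splitting the example into two separate YAML snippets (server-side TLS vs. Ingress-terminated TLS) would avoid that.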