From 5cb0f97295d550b6022a732e0e709e2c307a8b10 Mon Sep 17 00:00:00 2001
From: YZ775
Date: Tue, 23 Jan 2024 02:13:34 +0000
Subject: [PATCH] update document for sabakan TLS
Signed-off-by: YZ775
---
 README.md | 14 ++++++++++++--
 docs/getting_started.md | 15 +++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 97cb0ec1..5bb8aaae 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,7 @@ Features
 To help implementing full disk encryption on client machines, sabakan accepts and stores encrypted disk encryption keys.
 The key can be downloaded in the next boot to decrypt disks.
-
+
 `sabakan-cryptsetup` is a tool for clients to encrypt disks; the tool generates a disk encryption key, encrypts it, and sends the encrypted key to sabakan.
 In the next boot, it downloads the encrypted key from sabakan, decrypts it, then uses it to decrypt disks.
@@ -107,13 +107,23 @@ Run sabakan with docker
 # create directory to store OS images
 $ sudo mkdir -p /var/lib/sabakan
+# create server certificate
+$ sudo mkdir -p /etc/sabakan
+$ make setup-cfssl
+$ cd e2e/certs && ./gencerts.sh
+$ cd ../..
+$ sudo cp e2e/output/certs/server.crt /etc/sabakan/server.crt
+$ sudo cp e2e/output/certs/server.key.insecure /etc/sabakan/server.key
+
 # -advertise-url is the canonical URL of this sabakan.
 $ docker run -d --read-only --cap-drop ALL --cap-add NET_BIND_SERVICE \
 --network host --name sabakan \
 --mount type=bind,source=/var/lib/sabakan,target=/var/lib/sabakan \
+ --mount type=bind,source=/etc/sabakan,target=/etc/sabakan \
 ghcr.io/cybozu-go/sabakan:3.1 \
 -etcd-endpoints http://foo.bar:2379,http://zot.bar:2379 \
- -advertise-url http://12.34.56.78:10080
+ -advertise-url http://12.34.56.78:10080 \
+ -advertise-url-https http://12.34.56.78:10443
 ```
 License
diff --git a/docs/getting_started.md b/docs/getting_started.md
index 0b5abb40..e5f354c8 100644
--- a/docs/getting_started.md
+++ b/docs/getting_started.md
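Review bot: The added `-advertise-url-https http://12.34.56.78:10443` line in the second README hunk gives the HTTPS advertise URL an `http://` scheme, while docs/getting_started.md in the same commit sets `advertise-url-https: https://localhost:10443`; it should read `-advertise-url-https https://12.34.56.78:10443` so that whatever consumes the advertised URL is not directed to plaintext on the TLS port. The certificate steps copy `e2e/output/certs/server.key.insecure`, a key produced by the e2e test script `e2e/certs/gencerts.sh`, to `/etc/sabakan/server.key`; a comment above them such as `# the self-signed test certificate below is for evaluation only; use a certificate from your own CA in production` would make that explicit. Nothing in this hunk shows the container writing under `/etc/sabakan`, so the new bind mount could carry `readonly` in its `--mount` options. The `make setup-cfssl` and `cd e2e/certs` steps appear to assume the reader is already inside a sabakan checkout, which the README text outside this hunk may or may not establish.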
@@ -35,11 +35,26 @@ $ docker run -d --rm --name etcd --network=host --uts=host gcr.io/etcd-developme
 $ sudo mkdir -p /var/lib/sabakan
 ```
+### Prepare server certificate
+
+Create self-signed server certificate by using script and put it to `/etc/sabakan`:
+```console
+$ sudo mkdir -p /etc/sabakan
+$ git clone github.com/cybozu-go/sabakan
+$ make setup-cfssl
+$ cd e2e/certs && ./gencerts.sh
+$ cd ../..
+$ sudo cp e2e/output/certs/server.crt /etc/sabakan/server.crt
+$ sudo cp e2e/output/certs/server.key.insecure /etc/sabakan/server.key
+```
+
 ### Prepare sabakan.yml
 Save the following contents as `/usr/local/etc/sabakan.yml`:
 ```yaml
+advertise-url: http://localhost:10080
+advertise-url-https: https://localhost:10443
 etcd:
 endpoints:
 - http://localhost:2379
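Review bot: `$ git clone github.com/cybozu-go/sabakan` has no URL scheme, and the commands that follow (`make setup-cfssl`, `cd e2e/certs`) run in the current directory rather than inside the clone, so the sequence cannot work as written; it should be `$ git clone https://github.com/cybozu-go/sabakan` followed by `$ cd sabakan`. The key copied to `/etc/sabakan/server.key` comes from `e2e/output/certs/server.key.insecure`, a file produced by the e2e test script; a sentence after "Create self-signed server certificate …" noting that this pair is for trying sabakan out and that a deployment should use a certificate issued by its own CA would keep it from being reused as-is. The permissions of the copied key are not set in this hunk; unless `gencerts.sh` already restricts them, a `$ sudo chmod 600 /etc/sabakan/server.key` step after the copy would keep the private key from being world-readable.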