Update Docker Quickstart (#2482) (#2486)

* Implement partial files

* fix markdown link

* Update Quickstart Doc

This update simplifies the quickstart process by assuming a local test environment without a TLS solution or a FQDN

* add TLS warning

* point to local verify container

* rm empty file

* reference Certificate topic page instructions

* update mkcert instructions

* Update docs/docs/install/readme.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update docs/partials/install-mkcert.md

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update examples/config/config.docker.yaml

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update examples/config/config.docker.yaml

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update examples/config/config.docker.yaml

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* Update examples/config/config.docker.yaml

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

* review edits

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

docs/docs/install/helm.md

@@ -33,18 +33,7 @@ This setup uses [mkcert] to generate certificates that are trusted by your local
 
 ### Install mkcert
 
-After [installing mkcert], confirm the presence and names of your local CA files:
-
-```bash
-mkcert -install
-The local CA is already installed in the system trust store! 👍
-The local CA is already installed in the Firefox and/or Chrome/Chromium trust store! 👍
-
-ls $(mkcert -CAROOT)
-rootCA-key.pem  rootCA.pem
-```
-
-The output of `mkcert -install` may vary depending on you operating system.
+!!!include(install-mkcert.md)!!!
 
 ## Install and Configure cert-manager
 
@@ -216,7 +205,6 @@ Congratulations on installing Pomerium to your Kubernetes cluster! If you're ins
 [Install helm]: https://helm.sh/docs/using_helm/
 [identity provider]: ../identity-providers/readme.md
 [Install Pomerium Enterprise in Helm]: /enterprise/install/helm.md
-[installing mkcert]: https://github.com/FiloSottile/mkcert#installation
 [Install kubectl]: https://kubernetes.io/docs/tasks/tools/install-kubectl/
 [Kubernetes]: https://kubernetes.io
 [mkcert]: https://github.com/FiloSottile/mkcert

docs/docs/install/readme.md

@@ -16,44 +16,23 @@ In this quick-start document, we'll create a minimal but complete environment fo
 - A configured [identity provider]
 - [Docker] and [docker-compose]
 - [TLS certificates]
+  - This document assumes that your local Docker environment does not have a fully qualified domain name (**[FQDN]**) routed to it, and that you followed [Self-signed wildcard certificate] to generate a locally trusted key pair. Otherwise, adjust the configurations below to match your certificate solution.
 
 ## Configure
 
-### Configuration file
+1. Create a [configuration file] (e.g `config.yaml`) for defining Pomerium's configuration settings, routes, and access policies. Consider the following example:
 
-Create a [configuration file] (e.g `config.yaml`) for defining Pomerium's configuration settings, routes, and access-policies. Consider the following example:
+   <<< @/examples/config/config.docker.yaml
 
-<<< @/examples/config/config.minimal.yaml
+   Keep track of the path to this file, relative to the `docker-compose.yml` file created in the next step. `docker-compose.yml` will need the correct relative path to your `config.yaml`.
 
-Ensure the `docker-compose.yml` contains the correct path to your `config.yaml`.
+1. Create or copy the following `docker-compose.yml` file and modify it to match your configuration, including the correct paths to your `config.yaml` and certificate files:
 
-### Autocert Docker-compose
-Ensure you have set up the requisite DNS and port forwarding in [TLS certificates]
-
-Download the following `docker-compose.yml` file and modify it to:
-
-- generate new secrets
-- mount your [TLS certificates]
-- mount your `config.yaml` [configuration file]
-- Set `autocert_use_staging` to `false` once you have finished testing
-
-<<< @/examples/docker/autocert.docker-compose.yml
-
-Please note that you should use a persistent volume to store certificate data, or you may exhaust your domain quota on Let's Encrypt.
-
-### Wildcard Docker-compose
-
-Download the following `docker-compose.yml` file and modify it to:
-
-- generate new secrets
-- mount your [TLS certificates]
-- mount your `config.yaml` [configuration file]
-
-<<< @/examples/docker/basic.docker-compose.yml
+   <<< @/examples/docker/basic.docker-compose.yml
 
 ## Run
 
-Finally, simply run docker compose.
+Run docker compose:
 
 ```bash
 docker-compose up
@@ -63,10 +42,18 @@ Docker will automatically download the required [container images] for Pomerium
 
 You should now be able access to the routes (e.g. `https://verify.localhost.pomerium.io`) as specified in your policy file.
 
-You can also navigate to the special pomerium endpoint `verify.corp.yourdomain.example/.pomerium/` to see your current user details.
+You can also navigate to the special pomerium endpoint `verify.localhost.pomerium.io/.pomerium/` to see your current user details.
 
 ![currently logged in user](./img/logged-in-as.png)
 
+## Next Steps
+
+Now you can experiment with adding services to Docker and defining routes and policies for them in Pomerium. See [Guides](/guides/readme.md) for help or inspiration.
+
+::: warning This is a test environment!
+If you followed all the steps in this doc your Pomerium environment is not using trusted certificates. Remember to use a valid certificate solution before moving this configuration to a production environment. See [Certificates][tls certificates] for more information.
+:::
+
 [configuration file]: ../../reference/readme.md
 [container images]: https://hub.docker.com/r/pomerium/pomerium
 [docker]: https://docs.docker.com/install/
@@ -74,3 +61,6 @@ You can also navigate to the special pomerium endpoint `verify.corp.yourdomain.e
 [verify]: https://verify.pomerium.com/
 [identity provider]: ../identity-providers/readme.md
 [tls certificates]: ../topics/certificates.md
+[fqdn]: https://en.wikipedia.org/wiki/Fully_qualified_domain_name
+[mkcert]: https://github.com/FiloSottile/mkcert
+[Self-signed wildcard certificate]: /docs/topics/certificates.md##self-signed-wildcard-certificate

docs/docs/topics/certificates.md

@@ -50,15 +50,31 @@ See the [Autocert] and [Autocert Directory] settings for more details.
 
 In production, we'd use a public certificate authority such as LetsEncrypt. But for a local proof of concept or for development, we can use [mkcert](https://mkcert.dev/) to make locally trusted development certificates with any names you'd like. The easiest, is probably to use `*.localhost.pomerium.io` which we've already pre-configured to point back to localhost.
 
-```bash
-# Install mkcert.
-go get -u filippo.io/mkcert
-# Bootstrap mkcert's root certificate into your operating system's trust store.
-mkcert -install
-# Create your wildcard domain.
-# *.localhost.pomerium.io is helper domain we've hard-coded to route to localhost
-mkcert "*.localhost.pomerium.io"
-```
+1. Install mkcert.
+
+   :::: tabs
+   ::: tab Go
+   ```bash
+   go get -u filippo.io/mkcert
+   ```
+   :::
+   ::: tab Homebrew
+   ```bash
+   brew install mkcert
+   ```
+   ::::
+
+1. Bootstrap mkcert's root certificate into your operating system's trust store.
+
+   ```bash
+   mkcert -install
+   ```
+
+1. Create your wildcard domain. `*.localhost.pomerium.io` is helper domain we've hard-coded to route to localhost:
+
+   ```bash
+   mkcert "*.localhost.pomerium.io"
+   ```
 
 ### Manual DNS Let's Encrypt wildcard certificate