Change docs according self-signed certificate flag automation

src/main/pages/che-7/installation-guide/assembly_installing-che-in-tls-mode-with-self-signed-certificates.adoc

@@ -16,21 +16,55 @@ summary:
 
 :context: installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates
 
-WARNING: This guide is for development only. Do not use self-signed certificates in production.
+WARNING: Self-signed certificates is usually used in development and evaluation enviromnents. If you want to use them in production you should understand the consequences.
 
-The following section describes the deployment and configuration of {prod} for use in TLS mode with self-signed certificates. It consists of following steps:
+The following section describes the deployment and configuration of {prod} with self-signed certificates.
 
-. link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#generating-self-signed-certificates_installing-che-in-tls-mode-with-self-signed-certificates[Generate needed keys and certificates if needed]
+{prod} can be deployed on:
 
-. Prepare target deployment environment (one of the following):
-+
-* link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#deploying-{prod-id-short}-with-self-signed-tls-on-kubernetes_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[Minikube] (Kubernetes)
+ * Kubernetes family infrastructures
+ * Openshift family infrastructures
 
-* link:{site-baseurl}che-7/installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates/#deploying-{prod-id-short}-with-self-signed-tls-on-openshift3-using-operator_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[Minishift] (OpenShift 3)
+### Delpoying {prod} on Kubernetes family infrastructures
 
-* link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#deploying-{prod-id-short}-with-self-signed-tls-on-openshift4-using-operator_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[CodeReady Containers] (OpenShift 4)
+By default, {prod} is deployed on Kubernetes family infratructures with self-signed certificate which is generated automatically during {prod} installation process. There is no need in any additional prerequiremens for the deployment.
 
-. link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#using-{prod-id-short}-with-tls_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[Configure the browser]
+However, it is required to link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#using-{prod-id-short}-with-tls_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[make the browser trust] generated self-signed CA certificate.
+If `{prod-cli}` is used to deploy {prod}, it will export self-signed CA certificate into `cheCA.crt` file in current user home directory.
+Otherwise, it could be obtained via `{prod-cli} cacert:export` command or directly by reading `self-signed-certificate` secret in the namespace to which {prod} is deployed.
+
+If, due to some reasons, it is required to deploy {prod} with generated by user self-signed certificate, then a namespace for {prod} should be manually created before deployment as well as two secrets in it: `che-tls` TLS secret which holds server TLS certificate and key (with `tls.crt` and `tls.key` fields in the secret data correspondingly) which is signed by self-signed CA certificate, public part of which should be stored in opaque secret `self-signed-certificate` (`ca.crt` key under data section of the secret).
+Please refer to the link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#generating-self-signed-certificates_installing-che-in-tls-mode-with-self-signed-certificates[generate needed keys and certificates] section for more info on how to generate the certificates manually or directly see link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#deploying-{prod-id-short}-with-self-signed-tls-on-kubernetes_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[full instruction for deploying {prod} with user-defined self-signed certificates on Kubernetes platform].
+
+An example command how to deploy Eclipse Che on Minikube with self-signed certificate:
+```sh
+chectl server:start --platform=minikube
+```
+
+To deploy {prod} with commonly trusted TLS certificate, it is required to precreate single `che-tls` secret as described above in the corresponding namespace.
+
+WARNING: Never create `self-signed-certificate` secret if {prod} deployment intended to use commonly trusted TLS certificate as {prod} will detect that data from `che-tls` secret doesn't match and will replace both secrets with autogenerated data.
+
+NOTE: `che-tls` is the default name of the {prod} server TLS secret and could be changed in the configuration.
+
+### Delpoying {prod} on Opeshift family infrastructures
+
+{prod} uses default router certificate to secure its endpoints. So, it is completely depends on Openshift cluster configuration whether self-signed certificate is used.
+
+Usually, {prod} automatically detects whether Openshift default router uses self-signed certificate by analyzing its certificate chain.
+If default router does not put its self-signed CA certificate into the response certificate chain, then it is required to create `self-signed-certificate` secret (with `ca.crt` key in secret data) before {prod} deployment in the corresponding namespace. See link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#deploying-{prod-id-short}-with-self-signed-tls-on-openshift4-using-operator_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[this section] for more info.
+
+In case when default router certificate is configured with non root CA certificate which is signed by non-cluster root CA certificate, it is required to add the root CA into additional trusted CA certificates config map in order to deploy {prod} on such Openshift cluster.
+Sometimes, as a workaround, it is possible to create `self-signed-certificate` secret with router intermidiate CA certificate, see instructions in the paragraph above.
+
+If self-signed certificate is used, it is required to link:{site-baseurl}che-7/installing-che-in-tls-mode-with-self-signed-certificates/#using-{prod-id-short}-with-tls_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[configure user's browser].
+
+An example command to deploy {prod} on Openshift 4:
+```sh
+{prod-cli} server:start --platform=openshift
+```
+
+WARNING: In case of using Minishift it is required to replace outdated router certificate manually. See link:{site-baseurl}che-7/installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates/#deploying-{prod-id-short}-with-self-signed-tls-on-openshift3-using-operator_installing-{prod-id-short}-in-tls-mode-with-self-signed-certificates[this section] for detailed instructions.
 
 include::proc_deploying-che-with-self-signed-tls-on-openhift4-using-operator.adoc[leveloffset=+1]
 

src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-on-kubernetes.adoc

@@ -3,9 +3,9 @@
 // setup-{prod-id-short}-in-tls-mode
 
 [id="deploying-{prod-id-short}-with-self-signed-tls-on-kubernetes_{context}"]
-= Deploying {prod-short} with self signed TLS certificates on Kubernetes
+= Deploying {prod-short} with generated by user self-signed TLS certificates on Kubernetes
 
-This section describes how to deploy {prod-short} with self-signed TLS certificates on the Kubernetes platform.
+This section describes how to deploy {prod-short} on the Kubernetes platform with manually generated self-signed TLS certificates.
 
 
 .Prerequisites
@@ -41,5 +41,5 @@ $ kubectl create secret generic self-signed-certificate --from-file=ca.crt -n ch
 +
 [subs="+quotes,+attributes"]
 ----
-$ {prod-cli} server:start --platform=minikube --installer=operator --self-signed-cert
+$ {prod-cli} server:start --platform=minikube
 ----

src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-on-openhift3-using-operator.adoc

@@ -3,9 +3,11 @@
 // setup-{prod-id-short}-in-tls-mode
 
 [id="deploying-{prod-id-short}-with-self-signed-tls-on-openshift3-using-operator_{context}"]
-= Deploying {prod-short} with self-signed TLS certificates on OpenShift 3 using Operator
+= Deploying {prod-short} with generated by user router self-signed TLS certificates on OpenShift 3 using Operator installer
 
-This section describes how to deploy {prod-short} with self-signed TLS certificates on the OpenShift 3 platform.
+This section describes how to deploy {prod-short} with generated by user self-signed TLS certificates on the OpenShift 3 platform.
+
+WARNING: This method involves reconfiguration of Openshift router to use user provided TLS certificates.
 
 
 .Prerequisites
@@ -51,5 +53,5 @@ $ oc create secret generic self-signed-certificate --from-file=ca.crt -n=che
 +
 [subs="+quotes,+attributes"]
 ----
-$ {prod-cli} server:start --platform=minishift --installer=operator --self-signed-cert
+$ {prod-cli} server:start --platform=minishift --installer=operator
 ----

src/main/pages/che-7/installation-guide/proc_deploying-che-with-self-signed-tls-on-openhift4-using-operator.adoc

@@ -52,5 +52,5 @@ $ oc create secret generic self-signed-certificate --from-file=ca.crt -n=che
 +
 [subs="+quotes,+attributes"]
 ----
-$ {prod-cli} server:start --platform=crc --installer=operator --self-signed-cert
+$ {prod-cli} server:start --platform=crc --installer=operator
 ----

src/main/pages/che-7/installation-guide/proc_using-che-with-tls.adoc

@@ -5,9 +5,9 @@
 [id="using-{prod-id-short}-with-tls_{context}"]
 = Using {prod-short} with TLS
 
-Self-signed certificates are certificates that are not signed by a certificate authority (CA). Self-signed certificates do not provide all of the security properties that certificates signed by a CA aim to provide. For example, when a website owner uses a self-signed certificate to provide HTTPS services, users who visit that website will see a warning in their browser.
+Self-signed certificates are certificates that are not signed by a commonly trusted certificate authority (CA), but instead signed by locally created CA. Self-signed certificates are not trusted by default. For example, when a website owner uses a self-signed certificate to provide HTTPS services, users who visit that website will see a warning in their browser.
 
-After installing {prod-short} on {ocp} with TLS support and a self-signed certificate, a user has to add a self-signed TLS certificate to the browser for each route exposed in {prod-short}. If they do not, the error message: *Authorization token is missing. Click here to reload page* will block the login process.
+After installing {prod-short} on {ocp} with TLS support and a self-signed certificate, a user has to add public part of self-signed CA certificate into the browser. Also it is possible to add an exception for each route exposed in {prod-short}, but practically this could be used only in single host mode. If a TLS certificate isn't trusted, the error message: *Authorization token is missing. Click here to reload page* will block the login process.
 
 This section describes how to import a root certificate authority into the browser to use {prod-short} with self-signed TLS certificates.
 
@@ -55,7 +55,7 @@ image::contributor/macOS-adding-certificate.png[]
 == Examples
 
 .Google Chrome
-. Go to link:chrome://settings/certificates[Google Chrome Settings], then to the *Authorities* tab 
+. Go to link:chrome://settings/certificates[Google Chrome Settings], then to the *Authorities* tab
 . Click *Import* and find the generated `rootCA.crt` or `ca.crt` file.
 +
 image::contributor/che-tls-chrome-import_1.png[link="{imagesdir}/contributor/che-tls-chrome-import_1.png"]

src/main/pages/che-7/overview/proc_installing-che-on-kubespray-using-chectl.adoc

@@ -34,7 +34,6 @@ It corresponds to the `EXTERNAL-IP` of the `ingress-nginx-controller` service. U
 +
 [subs="+attributes,quotes"]
 ----
-$ {prod-cli} server:start --platform k8s --domain _<ip-from-load-balancer>_.nip.io --self-signed-cert
+$ {prod-cli} server:start --platform k8s --domain _<ip-from-load-balancer>_.nip.io
 ----
-+
-NOTE: Unless providing a certificate, use the `--self-signed-cert` flag.
+

src/main/pages/che-7/overview/proc_installing-che-on-openshift-3-using-the-operator-and-ssl.adoc

@@ -27,7 +27,6 @@ $ {prod-cli} server:start -n _<project-name>_ --domain=<OPENSHIFT_APPS_URL> \
 +
 [NOTE]
 ====
-* To create the {prod-short} instance on demo OpenShift clusters that have not been setup with a valid certificate for the routes, run the command with the `--self-signed-cert` flag.
 * To install {prod-short} with the default values, omit the `--che-operator-cr-patch-yaml=configuration.yaml` option.
 ====
 

src/main/pages/che-7/overview/ref_che-deployment-options-using-chectl.adoc

@@ -34,5 +34,4 @@ OPTIONS
   --listr-renderer=default|silent|verbose                  [default: default] Listr renderer
   --os-oauth                                               Enable use of OpenShift credentials to log into {prod-short}
   --plugin-registry-url=plug-in-registry-url               The URL of the external plug-in registry.
-  --self-signed-cert                                       Authorize usage of self signed certificates for encryption. Note that `self-signed-certificate` secret with CA certificate must be created in the configured namespace.
 ----