i1957 public certificates - Rewriting the Adding custom public SSL certificates to Che trust-store

src/main/_config.yml

@@ -67,6 +67,9 @@ asciidoc_attributes: &asciidoc_attributes
   link-limits-for-the-workspaces-of-an-user: link:{site-baseurl}che-7/advanced-configuration-options/#limits-for-the-workspaces-of-an-user[Limits for the workspaces of an user]
   link-viewing-the-state-of-the-cluster-deployment-using-openshift-4-cli-tools: link:{site-baseurl}che-7/installing-che-on-openshift-4-from-operatorhub/#viewing-the-state-of-the-che-cluster-deployment-using-openshift-4-cli-tools_installing-che-on-openshift-4-from-operatorhub[Viewing the state of the {prod-short} cluster deployment using OpenShift 4 CLI tools]
   link-building-a-custom-plug-in-registry: link:{site-baseurl}che-7/building-and-running-a-custom-registry-image/#building-a-custom-devfile-registry_building-and-running-a-custom-registry-image[Building a custom plug-in registry]
+  link-adding-ssl-certificates: link:{site-baseurl}che-7/adding-self-signed-ssl-certificates-to-che[Adding self-signed SSL certificates to {prod-short}]
+  link-advanced-configuration-options: link:{site-baseurl}che-7/advanced-configuration-options-for-the-che-server-component/[Advanced configuration options for the Che server component]
+
   link-cli-github: https://github.com/che-incubator/chectl
   identity-provider-docs-url: https://www.keycloak.org/docs/
   identity-provider-version: 6.0

src/main/_data/sidebars/che_7_docs.yml

@@ -211,8 +211,8 @@ entries:
       - title: Installing Che using storage classes
         url: che-7/installing-che-using-storage-classes
         output: web
-      - title: Adding custom public SSL certificates to Che trust-store
-        url: che-7/adding-custom-certificates-to-trust-store
+      - title: Adding self-signed SSL certificates to Che
+        url: che-7/adding-self-signed-SSL-certificates-to-che
         output: web
   - title: Installing Che in restricted environment
     url: che-7/installing-che-in-restricted-environment

src/main/pages/che-7/end-user-guide/assembly_configuring-openshift-oauth.adoc

@@ -13,19 +13,30 @@ summary:
 [id="configuring-openshift-oauth_{context}"]
 = Configuring OpenShift OAuth
 
-OAuth for OpenShift allows to authenticate the link:{site-baseurl}/che-7/openshift-connector-overview/[OpenShift connector plugin] in {prod-short}.
+For users to interact with OpenShift, they must first authenticate to the OpenShift cluster. OpenShift OAuth is a process in which users prove themselves to a cluster through an API with obtained OAuth access tokens.
+
+Authentication with the link:{site-baseurl}che-7/openshift-connector-overview/[OpenShift connector plugin] is a possible way for {prod-short} users to authenticate with an OpenShift cluster.
+
+The following section describes the OpenShift OAuth configuration options
+and its use with a {prod-short}.
+
+.Prerequisites
+
+* The OpenShift command-line tool, `oc` is installed.
 
 .Procedure
 
 ifeval::["{project-context}" == "che"]
-* For {prod-short} deployed in link:{site-baseurl}/che-7/running-che-locally/#deploying-multi-user-che-in-multiuser-mode[multiuser mode]:
+* For {prod-short} deployed in the multiuser mode, follow the link:{site-baseurl}che-7/running-che-locally/#deploying-multiuser-che-in-multiuser-mode[Deploying multiuser Che in the multiuser mode] chapter:
 +
 endif::[]
-To enable OpenShift OAuth automatically, {prod-short} should be deployed with the `--os-oauth` option (see link:{link-cli-github}#{prod-cli}-serverstart[`{prod-cli} server:start` specification]).
+To enable OpenShift OAuth automatically, deployed {prod-short} using the {prod-cli} with the `--os-oauth` option. See the
+link:{link-cli-github}#{prod-cli}-serverstart[`{prod-cli} server:start` specification] chapter.
 
-ifeval::["{project-context}" == "che"]
 * For {prod-short} deployed in single-user mode:
-. Register {prod-short} OAuth client in OpenShift (see link:https://docs.openshift.com/container-platform/4.3/authentication/configuring-internal-oauth.html#oauth-register-additional-client_configuring-internal-oauth[Register an OAuth client in OpenShift]).
++
+====
+. Register {prod-short} OAuth client in OpenShift. See the link:https://docs.openshift.com/container-platform/4.3/authentication/configuring-internal-oauth.html#oauth-register-additional-client_configuring-internal-oauth[Register an OAuth client in OpenShift] chapter.
 +
 [subs="+quotes,+attributes"]
 ----
@@ -40,26 +51,26 @@ redirectURIs:
 grantMethod: prompt
 ')
 ----
+
 . Add the OpenShift SSL certificate to the {prod-short} Java trust store.
-//TODO yhontyk to uncomment later. For now it turns into an xref that breaks the bccutil build :( 
-//See link:{site-baseurl}che-7/advanced-configuration-options/#adding-custom-certificates-to-trust-store_advanced-configuration-options[Adding custom public SSL certificates to {prod-short} trust-store]
-. Update the OpenShift deployment configuration
-(see link:{site-baseurl}che-7/advanced-configuration-options/#che-configmaps-and-their-behavior_advanced-configuration-options[{prod-short} configMaps and their behavior],
-link:{site-baseurl}che-7/advanced-configuration-options/#che-installed-using-a-helm-chart[{prod-short} installed using a Helm Chart]).
 +
-====
+* See {link-adding-ssl-certificates}.
+. Update the OpenShift deployment configuration.
++
 [subs="+quotes,macros"]
 ----
 CHE_OAUTH_OPENSHIFT_CLIENTID: _<client-ID>_
 CHE_OAUTH_OPENSHIFT_CLIENTSECRET: _<openshift-secret>_
 pass:[CHE_OAUTH_OPENSHIFT_OAUTH__ENDPOINT]: _<oauth-endpoint>_
 pass:[CHE_OAUTH_OPENSHIFT_VERIFY__TOKEN__URL]: _<verify-token-url>_
 ----
-====
++
 * `_<client-ID>_` a name specified in the OpenShift OAuthClient.
 * `_<openshift-secret>_` a secret specified in the OpenShift OAuthClient.
 * `_<oauth-endpoint>_` the URL of the OpenShift OAuth service:
 ** For OpenShift 3 specify the OpenShift master URL.
 ** For OpenShift 4 specify the `oauth-openshift` route.
 * `_<verify-token-url>_` request URL that is used to verify the token. `<OpenShift master url>/api` can be used for OpenShift 3 and 4.
-endif::[]
++
+* See {link-advanced-configuration-options}.
+====

src/main/pages/che-7/installation-guide/assembly_configuring-che-overview.adoc

@@ -35,7 +35,7 @@ The next sections describe some specific user stories.
 * link:{site-baseurl}che-7/installing-che-using-storage-classes[Installing Che using storage classes]
 
 
-* link:{site-baseurl}che-7/adding-custom-certificates-to-trust-store[Adding custom public SSL certificates to {prod-short} trust-store]
+* link:{site-baseurl}che-7/adding-self-signed-SSL-certificates-to-che[Adding self-signed SSL certificates to {prod-short}]
 
 
 

src/main/pages/che-7/installation-guide/proc_adding-self-signed-ssl-certificates-to-che.adoc

@@ -0,0 +1,79 @@
+---
+title: Adding self-signed SSL certificates to Che
+keywords:
+tags: []
+sidebar: che_7_docs
+permalink: che-7/adding-self-signed-SSL-certificates-to-che/
+folder: che-7/installation-guide
+summary:
+---
+:page-liquid:
+
+[id="adding-self-signed-SSL-certificates-to-che_{context}"]
+= Adding self-signed SSL certificates to {prod-short}
+
+When a {prod-short} user attempts to authenticate with {identity-provider} that is using OpenShift OAuth, the authentication fails if the {identity-provider} does not know the certificates needed for authorization.
+
+To fix this problem, configure {prod-short} to authorize HTTPS communication with various components, such as identity and Git servers, by adding information about the self-signed SSL certificates to the {prod-short} configuration.
+
+.Prerequisites
+
+* The OpenShift command-line tool, `oc`
+ifeval::["{project-context}" == "che"]
+or the Kubernetes command-line tool, `kubectl`,
+endif::[]
+is installed.
+
+.Procedure
+
+. Save the desired self-signed certificates to a local file system.
+
+. Create a new configMap with the required self-signed SSL certificates:
++
+[subs="+attributes,+quotes"]
+----
+$ {orch-cli} create configmap __<configMap-name>__ --from-file=__<certificate-file-path>__ -n=__<che-namespace-name>__
+----
++
+To apply more than one certificate, add another `--from-file=_<certificate-file-path>_` option to the above command.
+
+. Define a name for the newly created configMap.
++
+NOTE: Use these steps with existing instances of {prod-short}. To install a new instance of {prod-short} with self-signed SSL certificates, create a new Che Custom Resource or Helm Chart property, based on the installation method selected, instead of updating the existing configuration.
++
+====
+** For a {prod-short} link:https://docs.openshift.com/container-platform/latest/operators/olm-what-operators-are.html[Operators] deployment:
+
+* Define a name for the newly created configMap by editing the `spec.server.ServerTrustStoreConfigMapName` Che Custom Resource property to match the previously created configMap:
++
+[subs="+attributes,+quotes",options="nowrap",role=white-space-pre]
+----
+$ {orch-cli} patch checluster eclipse-che -n che --type=json -p '[{"op": "replace", "path": "/spec/server/serverTrustStoreConfigMapName", "value": "__<config-map-name>__"}]'
+----
+====
++
+ifeval::["{project-context}" == "che"]
+====
+** For a {prod-short} link:https://helm.sh/[Helm Chart] deployment: 
++
+. Clone the https://github.com/eclipse/che[che] project.
+. Go to the `deploy/kubernetes/helm/che` directory.
+. Define a name for the newly created configMap by editing the `global.tls.serverTrustStoreConfigMapName` Helm Chart property to match the previously created configMap:
++
+[subs="+quotes",options="nowrap",role=white-space-pre]
+----
+$ helm upgrade che -n che --set global.tls.serverTrustStoreConfigMapName=__<config-map name>__ \
+   --set global.ingressDomain=__<kubernetes-cluster-domain>__ .
+----
++
+When using Minikube to run {prod-short}, substitute _<kubernetes-cluster-domain>_ with `$(minikube ip).nip.io`.
+====
+endif::[]
+
+.Verification 
+
+If the certificates have been added correctly, the {prod-short} server starts and obtains {identity-provider} configuration over HTTPS with a self-signed SSL certificate, allowing user to:
+
+* Access the {prod-short} server.
+* Log in using OpenShift OAuth.
+* Clone from a Git repository that has a custom self-signed SSL certificate over HTTPS.