[TLS] Document using self-signed TLS mode in Che

[sleshchenko]

Is your task related to a problem? Please describe.

From time to time users complains about issues that they faced actually because of documentation lack.
It's needed to write documentation that would contain:

1. Basic information about self-signed certificates.
2. Instructions how to deploy Che with self-signed TLS mode enabled:

• K8s and helm chart
• K8s/OS and operator as an installer

3. How to use Che with a self-signed certificate, for example - it's needed to import CA into a browser. Sometimes for example with crc/minishift - CA cert is not known, some instructions are needed - how to retrieve such CA cert.

[apupier]

To help increasing the priority of this task, TLS seems to be required to have some VS Code webviews working (the one using WebService workers such AtlasMap for instance) see #13922 (comment)

[apupier]

or we can also have TLS activated by default: #14742

[sparkoo]

I've came up with this script for minishift. It is adding generated certificate to system-wide trusted certs. It can be instead imported manually into the browser.

#!/bin/sh

set -x
set -e

DOMAIN="*.$( minishift ip ).nip.io"
PASSWORD=eclipse-che

if [ -d certs ]; then
	echo "folder certs exists"
	exit 1
fi

mkdir certs
pushd certs

# generate certs
openssl genrsa -des3 -passout pass:${PASSWORD} -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/CN=${DOMAIN}" -passin pass:${PASSWORD}
openssl genrsa -out domain.key 2048
openssl req -new -sha256 -key domain.key -subj "/C=CZ/ST=Brno/O=Red Hat/CN=${DOMAIN}" -out domain.csr
openssl x509 -req -in domain.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out domain.crt -days 500 -sha256 -passin pass:${PASSWORD}

# this adds cert to system trusted
sudo trust anchor rootCA.crt

# now use the cert for minishift routes
oc login -u system:admin --insecure-skip-tls-verify=true
oc project default
oc delete secret router-certs
cat domain.crt domain.key > minishift.crt
oc create secret tls router-certs --key=domain.key --cert=minishift.crt
oc rollout latest router

popd

chectl server:start --installer=operator --platform=minishift --self-signed-cert --tls

[rkratky]

There's Installing Che in TLS mode with self-signed certificates in the docs now. AFAICS, it covers the requested install methods with the exception of Heml Chart.

The last section needs more info.

[rkratky]

A separate issue for Chrome on Windows at #17077

[RickJWagner]

There is a sub-topic here that could be addressed.
Using 'self-signed certificates' with Che/OpenShift will cause Che to generate certificates rather than use the cert from the OpenShift router. Che provides the certs.
But what if the user has their own self-signed certificate? (So this is also 'self-signed certificate', but Che does not produce the certificate, the user has them.)

[tolusha]

Fixed by eclipse-che/che-docs#1331