Fix plugin cert doc and improve helm instructions (#2630)

* Fix plugin cert doc.

* Small fix.

* Small fix.

* Small fix.

content/docs/concepts/security/index.md

@@ -235,7 +235,7 @@ before it becomes effective.
 ### Mutual TLS authentication
 
 Istio tunnels service-to-service communication through the client side and server side [Envoy proxies](https://envoyproxy.github.io/envoy/).
-For a client to call a server, the steps followed are:
+For a client to call a server with mutual TLS authentication:
 
 1. Istio re-routes the outbound traffic from a client to the client's local sidecar Envoy.
 

content/docs/setup/kubernetes/helm-install/index.md

@@ -45,7 +45,7 @@ via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the
     $ kubectl apply -f install/kubernetes/helm/istio/templates/crds.yaml
     {{< /text >}}
 
-    > If you are enabling `certmanager`, you also need to install its CRDs as well and wait a few seconds for the CRDs to be committed in the kube-apiserver:
+    If you are enabling `certmanager`, you also need to install its CRDs as well and wait a few seconds for the CRDs to be committed in the kube-apiserver:
 
     {{< text bash >}}
     $ kubectl apply -f install/kubernetes/helm/istio/charts/certmanager/templates/crds.yaml
@@ -62,6 +62,12 @@ via `kubectl apply`, and wait a few seconds for the CRDs to be committed in the
     $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system > $HOME/istio.yaml
     {{< /text >}}
 
+    If you want to enable [global mutual TLS](/docs/concepts/security/#mutual-tls-authentication), set `global.mtls.enabled` to `true`:
+
+    {{< text bash >}}
+    $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set global.mtls.enabled=true > $HOME/istio.yaml
+    {{< /text >}}
+
 1. Install the components via the manifest:
 
     {{< text bash >}}
@@ -93,6 +99,12 @@ to manage the lifecycle of Istio.
     $ helm install install/kubernetes/helm/istio --name istio --namespace istio-system
     {{< /text >}}
 
+    If you want to enable [global mutual TLS](/docs/concepts/security/#mutual-tls-authentication), set `global.mtls.enabled` to `true`:
+
+    {{< text bash >}}
+    $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system --set global.mtls.enabled=true
+    {{< /text >}}
+
 ## Uninstall
 
 * For option 1, uninstall using `kubectl`:

content/docs/setup/kubernetes/quick-start/index.md

@@ -65,8 +65,8 @@ $ kubectl apply -f install/kubernetes/istio-demo.yaml
 Use this option only on a fresh Kubernetes cluster where newly deployed
 workloads are guaranteed to have Istio sidecars installed.
 
-To Install Istio and enforce mutual TLS authentication between sidecars by
+To Install Istio and enforce [mutual TLS authentication](/docs/concepts/security/#mutual-tls-authentication)
-default:
+between sidecars by default:
 
 {{< text bash >}}
 $ kubectl apply -f install/kubernetes/istio-demo-auth.yaml

content/docs/tasks/security/plugin-ca-cert/index.md

@@ -14,8 +14,13 @@ operator-specified root certificate. This task demonstrates an example to plug c
 ## Before you begin
 
 * Set up Istio by following the instructions in the
-  [quick start](/docs/setup/kubernetes/quick-start/) with global mutual TLS enabled by using [Helm](/docs/setup/kubernetes/helm-install/)
+[quick start](/docs/setup/kubernetes/quick-start/) with global mutual TLS enabled:
-  with `global.mtls.enabled` set to `true`.
+
+  Install from the [demo yaml file](/docs/setup/kubernetes/quick-start/#option-2-install-istio-with-default-mutual-tls-authentication).
+
+  _**OR**_
+
+  Using [Helm](/docs/setup/kubernetes/helm-install/) with mutual TLS enabled.
 
 > Starting with Istio 0.7, you can use [authentication policy](/docs/concepts/security/#authentication-policies) to configure mutual TLS for all/selected services in a namespace (repeated for all namespaces to get global setting). See [authentication policy task](/docs/tasks/security/authn-policy/)
 
@@ -45,8 +50,14 @@ The following steps enable plugging in the certificates and key into Citadel:
         --from-file=samples/certs/cert-chain.pem
     {{< /text >}}
 
-1.  Redeploy Citadel, which reads the certificates and key from the secret-mount files by using [Helm](/docs/setup/kubernetes/helm-install/)
+1.  Redeploy Citadel using Helm with `global.mtls.enabled` set to `true` and `security.selfSigned` to `false`.
-    with `global.mtls.enabled` set to `true` and `security.selfSigned` to `false`.
+    Citadel will read certificates and key from the secret-mount files.
+
+    {{< text bash >}}
+    $ helm template install/kubernetes/helm/istio --name istio --namespace istio-system -x charts/security/templates/deployment.yaml \
+    --set global.mtls.enabled=true --set security.selfSigned=false > $HOME/citadel-plugin-cert.yaml
+    $ kubectl apply -f $HOME/citadel-plugin-cert.yaml
+    {{< /text >}}
 
 1.  To make sure the workloads obtain the new certificates promptly,
     delete the secrets generated by Citadel (named as istio.\*).