Update docs for serving/pull/12174 (#4410)

docs/install/serving/install-serving-with-yaml.md

@@ -258,20 +258,3 @@ The following tabs expand to show instructions for installing each Serving exten
           --type merge \
           --patch '{"data":{"autoTLS":"Enabled"}}'
         ```
-
-
-=== "TLS wildcard support"
-
-    !!! warning
-        TLS wildcard support does not work with HTTP01.
-
-    If you are using a certificate implementation that supports provisioning
-    wildcard certificates (for example, cert-manager with a DNS01 issuer) then the most
-    efficient way to provision certificates is with the namespace wildcard
-    certificate controller.
-
-    * Install the components needed to provision wildcard certificates in each namespace by running the command:
-
-        ```bash
-        kubectl apply -f {{ artifact(repo="serving",file="serving-nscert.yaml")}}
-        ```

docs/install/serving/serving-installation-files.md

@@ -15,6 +15,5 @@ The following table describes the installation files included in Knative Serving
 | serving-crds.yaml | Required: Knative Serving core CRDs. | none |
 | serving-default-domain.yaml | Configures Knative Serving to use [http://sslip.io](http://sslip.io) as the default DNS suffix. | serving-core.yaml |
 | serving-hpa.yaml | Components to autoscale Knative revisions through the Kubernetes Horizontal Pod Autoscaler. | serving-core.yaml |
-  serving-nscert.yaml | Components to provision TLS wildcard certificates. | serving-core.yaml |
 | serving-post-install-jobs.yaml | Additional jobs after installing `serving-core.yaml`. Currently it is the same as `serving-storage-version-migration.yaml`. | serving-core.yaml |
 | serving-storage-version-migration.yaml | Migrates the storage version of Knative resources, including Service, Route, Revision, and Configuration, from `v1alpha1` and `v1beta1` to `v1`. Required by upgrade from version 0.18 to 0.19. | serving-core.yaml |

docs/install/uninstall.md

@@ -50,16 +50,6 @@ Uninstall any Serving extensions you have installed by performing the steps in t
 
 
 
-=== "TLS wildcard support"
-
-    Uninstall the components needed to provision wildcard certificates in each namespace by running:
-
-    ```bash
-    kubectl delete -f {{ artifact( repo="serving", file="serving-nscert.yaml") }}
-    ```
-
-
-
 ### Uninstalling a networking layer
 
 Follow the relevant procedure to uninstall the networking layer you installed:

docs/serving/using-auto-tls.md

@@ -132,6 +132,9 @@ Instructions about configuring cert-manager, for all the supported DNS
 providers, are provided in
 [DNS01 challenge providers and configuration instructions](https://cert-manager.io/docs/configuration/acme/dns01/#supported-dns01-providers).
 
+Note that DNS-01 challenges can be used to either validate an
+individual domain name or to validate an entire namespace using a
+wildcard certificate like `*.my-ns.example.com`.
 
 ### Install net-certmanager-controller deployment
 
@@ -148,25 +151,30 @@ providers, are provided in
     kubectl apply --filename {{ artifact( repo="net-certmanager", file="release.yaml") }}
     ```
 
-### Install net-nscert-controller component
-
-If you choose to use the mode of provisioning certificate per namespace, you need to install `net-nscert-controller` components.
+### Provising certificates per namespace (wildcard certificates)
 
 **IMPORTANT:** Provisioning a certificate per namespace only works with DNS-01
  challenge. This component cannot be used with HTTP-01 challenge.
 
-1. Determine if `net-nscert-controller` deployment is already installed by
-running the following command:
+The per-namespace certificate manager uses namespace labels to select which
+namespaces should have a certificate applied. For more details on namespace
+selectors, see
+[the Kubernetes documentation](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors).
 
-    ```bash
-    kubectl get deployment net-nscert-controller -n knative-serving
-    ```
+Prior to release 1.0, the fixed label
+`networking.knative.dev/disableWildcardCert: true` was used to disable
+certificate generation for a namespace. In 1.0 and later, other labels such as
+`kubernetes.io/metadata.name` may be used to select or restrict namespaces.
 
-1. If `net-nscert-controller` deployment is not found, run the following command:
+To enable certificates for all namespaces except those with the
+`networking.knative.dev/disableWildcardCert: true` label, use the following
+command:
 
-    ```bash
-    kubectl apply --filename {{ artifact( repo="serving", file="serving-nscert.yaml") }}
-    ```
+```bash
+kubectl patch --namespace knative-serving configmap config-network -p '{"data": {"namespace-wildcard-cert-selector": "{\"matchExpressions\": [{\"key\":\"networking.knative.dev/disableWildcardCert\", \"operator\": \"NotIn\", \"values\":[\"true\"]}]}"}}'
+```
+
+This selects all namespaces where the label value is not in the set `"true"`.
 
 ### Configure config-certmanager ConfigMap
 
@@ -333,17 +341,3 @@ Using the previous `autoscale-go` example:
 NAME           URL                                          LATEST               AGE     CONDITIONS   READY   REASON
 autoscale-go   http://autoscale-go.default.1.arenault.dev   autoscale-go-dd42t   8m17s   3 OK / 3     True    
 ```
-
-### Disable Auto TLS per namespace
-
-If you have Auto TLS enabled to provision a certificate per namespace, you can choose to disable it for an individual namespace by adding the annotation `networking.knative.dev/disableWildcardCert: true`
-1. Edit your namespace `kubectl edit namespace default` and add the annotation:
-```yaml
- apiVersion: v1
- kind: Namespace
- metadata:
-   annotations:
-    ...
-     networking.knative.dev/disableWildcardCert: "true"
-    ...
-```