From 88a1c19ec13b7bca679fec6c75f47f1ca4bf6ff9 Mon Sep 17 00:00:00 2001
From: Agil Antony
Date: Fri, 22 May 2026 18:18:39 +0530
Subject: [PATCH] ROX33164 Fixing DITA errors in cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc ROX33164 Fixing attribute error
---
 .../getting-started-rhacs-cloud-ocp.adoc | 4 +-
 .../install-secured-cluster-cloud-ocp.adoc | 74 +++++++------------
 .../verify-installation-cloud-ocp.adoc | 2 +-
 .../verify-installation-cloud-other.adoc | 2 +-
 .../upgrade-cloudsvc-helm.adoc | 2 +-
 ...ck-install-secured-cluster-using-helm.adoc | 18 ++---
 modules/adding-helm-repository.adoc | 2 +-
 ...hange-config-options-after-deployment.adoc | 6 +-
 ...gure-sc-helm-customizations-cloud-ocp.adoc | 20 +++++
 modules/install-acs-operator-annotations.adoc | 6 +-
 modules/install-roxctl-cli-linux.adoc | 4 +-
 modules/install-roxctl-cli-macos.adoc | 4 +-
 ...-secured-cluster-cloud-ocp-next-steps.adoc | 10 +++
 ...cured-cluster-cloud-ocp-prerequisites.adoc | 17 +++++
 modules/install-secured-cluster-operator.adoc | 10 +--
 ...l-secured-cluster-services-helm-chart.adoc | 2 +-
 modules/install-sensor-roxctl.adoc | 3 +-
 .../installing-roxctl-cli-sc-cloud-ocp.adoc | 10 +++
 modules/installing-sc-helm-cloud-ocp.adoc | 12 +++
 .../installing-sc-helm-default-cloud-ocp.adoc | 10 +++
 modules/installing-sc-operator-cloud-ocp.adoc | 10 +++
 modules/installing-sc-roxctl-cloud-ocp.adoc | 13 ++++
 modules/secured-cluster-services-config.adoc | 12 +--
 23 files changed, 165 insertions(+), 88 deletions(-)
 create mode 100644 modules/configure-sc-helm-customizations-cloud-ocp.adoc
 create mode 100644 modules/install-secured-cluster-cloud-ocp-next-steps.adoc
 create mode 100644 modules/install-secured-cluster-cloud-ocp-prerequisites.adoc
 create mode 100644 modules/installing-roxctl-cli-sc-cloud-ocp.adoc
 create mode 100644 modules/installing-sc-helm-cloud-ocp.adoc
 create mode 100644 modules/installing-sc-helm-default-cloud-ocp.adoc
 create mode 100644 modules/installing-sc-operator-cloud-ocp.adoc
 create mode 100644
modules/installing-sc-roxctl-cloud-ocp.adoc diff --git a/cloud_service/getting-started-rhacs-cloud-ocp.adoc b/cloud_service/getting-started-rhacs-cloud-ocp.adoc index 1c4748c75788..656a78e0323b 100644 --- a/cloud_service/getting-started-rhacs-cloud-ocp.adoc +++ b/cloud_service/getting-started-rhacs-cloud-ocp.adoc @@ -42,7 +42,7 @@ You can secure {osp} clusters by using the {product-title-short} Operator, Helm * Log in to Central and use the `roxctl` CLI to xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#crs-generate-roxctl_init-bundle-cloud-ocp-generate[generate a CRS]. . On each {osp} cluster, xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-apply.adoc#init-bundle-cloud-ocp-apply[apply the CRS]. . On each {osp} cluster, xref:../cloud_service/installing_cloud_ocp/cloud-install-operator.adoc#cloud-install-operator[install the {product-title-short} Operator]. -. On each {osp} cluster, xref:../cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-operator-cloud-ocp[install secured cluster resources in the `stackrox` project] by using the Operator. +. On each {osp} cluster, xref:../cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-operator-cloud-ocp_install-secured-cluster-cloud-ocp[install secured cluster resources in the `stackrox` project] by using the Operator. . xref:../cloud_service/installing_cloud_ocp/verify-installation-cloud-ocp.adoc#verify-installation-cloud-ocp[Verify installation] by ensuring that your secured clusters can communicate with the ACS instance. [id="overview-installing-cloud-secured-clusters-osp-helm"] 
@@ -56,7 +56,7 @@ You can secure {osp} clusters by using the {product-title-short} Operator, Helm . Generate a cluster registration secret (CRS) or an init bundle, which contains secrets that are used to establish initial trust between Central and the secured clusters. Using a CRS is the preferred method. Complete only one of the following actions to generate the CRS: * In the ACS Console, xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#portal-generate-init-bundle_init-bundle-cloud-ocp-generate[generate a CRS]. This file contains the secrets that are used to set up the initial secured communication between {product-title-managed-short} secured clusters and Central. * Log in to Central and use the `roxctl` CLI to xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#crs-generate-roxctl_init-bundle-cloud-ocp-generate[generate a CRS]. -. On each {osp} cluster, run the `helm install` command to xref:../cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-helm-cloud-ocp[install {product-title-short} by using Helm charts], specifying the path of the CRS. +. On each {osp} cluster, run the `helm install` command to xref:../cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-helm-cloud-ocp_install-secured-cluster-cloud-ocp[install {product-title-short} by using Helm charts], specifying the path of the CRS. . xref:../cloud_service/installing_cloud_ocp/verify-installation-cloud-ocp.adoc#verify-installation-cloud-ocp[Verify installation] by ensuring that your secured clusters can communicate with the ACS instance. [id="overview-installing-cloud-secured-clusters-osp-roxctl"] diff --git a/cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc b/cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc index 2190a1c1d4c7..7ff0c8091e29 100644 --- a/cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc 
+++ b/cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc 
@@ -9,88 +9,64 @@ toc::[] [role="_abstract"] You can install {product-title-managed-short} on your secured clusters by using the Operator or Helm charts. You can also use the `roxctl` CLI to install it, but do not use this method unless you have a specific installation need that requires using it. -.Prerequisites +//Prerequisites +include::modules/install-secured-cluster-cloud-ocp-prerequisites.adoc[leveloffset=+1] -* During {product-title-short} installation, you noted the *Central instance* address. You can view this information by choosing *Advanced Cluster Security* -> *ACS Instances* from the cloud console navigation menu, and then clicking the ACS instance you created. -* If you are installing by using the Operator, you created your {osp} cluster that you want to secure and installed the Operator on it. -* You generated and downloaded the cluster registration secret (CRS) or the init bundle by using the ACS Console or by using the `roxctl` CLI. -* You applied the CRS or the init bundle on the cluster that you want to secure, unless you are installing by using a Helm chart. - - -[id="installing-sc-operator-cloud-ocp"] -== Installing {product-title-short} on secured clusters by using the Operator - -To install {product-title-short} by using the Operator, you first install the Operator and then use it to install {product-title-short} on the secured cluster. +//Installing {product-title-short} on secured clusters by using the Operator +include::modules/installing-sc-operator-cloud-ocp.adoc[leveloffset=+1] include::modules/install-acs-operator-annotations.adoc[leveloffset=+2] include::modules/install-secured-cluster-operator.adoc[leveloffset=+2] -[id="installing-sc-helm-cloud-ocp"] -== Installing {product-title-managed-short} on secured clusters by using Helm charts - -You can install {product-title-short} on secured clusters by using Helm charts with no customization, using the default values, or with customizations of configuration parameters. 
- -First, ensure that you add the Helm chart repository. +//Installing {product-title-managed-short} on secured clusters by using Helm charts +include::modules/installing-sc-helm-cloud-ocp.adoc[leveloffset=+1] include::modules/adding-helm-repository.adoc[leveloffset=+2] -[id="installing-sc-helm-default-cloud-ocp"] -=== Installing {product-title-managed-short} on secured clusters by using Helm charts without customizations +//Installing {product-title-managed-short} on secured clusters by using Helm charts without customizations +include::modules/installing-sc-helm-default-cloud-ocp.adoc[leveloffset=+2] include::modules/acs-quick-install-secured-cluster-using-helm.adoc[leveloffset=+3] [role="_additional-resources"] .Additional resources +* link:https://access.redhat.com/RegistryAuthentication[Red{nbsp}Hat Container Registry Authentication] * xref:../../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#init-bundle-cloud-ocp-generate[Generating a cluster registration secret or an init bundle for secured clusters] * xref:../../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-apply.adoc#init-bundle-cloud-ocp-apply[Applying a cluster registration secret or an init bundle for secured clusters] -[id="configure-secured-cluster-services-helm-chart-customizations-cloud-ocp"] -=== Configuring the secured-cluster-services Helm chart with customizations - -You can use Helm chart configuration parameters with the `helm install` and `helm upgrade` commands. -Specify these parameters by using the `--set` option or by creating YAML configuration files. - -Create the following files for configuring the Helm chart for installing {product-title}: - -* Public configuration file `values-public.yaml`: Use this file to save all non-sensitive configuration options. -* Private configuration file `values-private.yaml`: Use this file to save all sensitive configuration options. Ensure that you store this file securely. 
- -[IMPORTANT] -==== -When using the `secured-cluster-services` Helm chart, do not change the `values.yaml` file that is part of the chart. -==== +//Configuring the secured-cluster-services Helm chart with customizations +include::modules/configure-sc-helm-customizations-cloud-ocp.adoc[leveloffset=+2] include::modules/secured-cluster-services-config.adoc[leveloffset=+3] + include::modules/install-secured-cluster-services-helm-chart.adoc[leveloffset=+3] [role="_additional-resources"] .Additional resources +* link:https://access.redhat.com/RegistryAuthentication[Red{nbsp}Hat Container Registry Authentication] * xref:../../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#init-bundle-cloud-ocp-generate[Generating a cluster registration secret or an init bundle for secured clusters] * xref:../../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-apply.adoc#init-bundle-cloud-ocp-apply[Applying a cluster registration secret or an init bundle for secured clusters] include::modules/change-config-options-after-deployment.adoc[leveloffset=+2] -[id="installing-sc-roxctl-cloud-ocp"] -== Installing {product-title-short} on secured clusters by using the roxctl CLI - -To install {product-title-short} on secured clusters by using the CLI, perform the following steps: - -. Install the `roxctl` CLI. -. Install Sensor. +//Installing {product-title-short} on secured clusters by using the roxctl CLI +include::modules/installing-sc-roxctl-cloud-ocp.adoc[leveloffset=+1] -[id="installing-roxctl-cli-sc-cloud-ocp"] -=== Installing the roxctl CLI +//Installing the roxctl CLI +include::modules/installing-roxctl-cli-sc-cloud-ocp.adoc[leveloffset=+2] -You must first download the binary. You can install `roxctl` on Linux, Windows, or macOS. 
- -// Installing the CLI by downloading the binary include::modules/install-roxctl-cli-linux.adoc[leveloffset=+3] + include::modules/install-roxctl-cli-macos.adoc[leveloffset=+3] + include::modules/install-roxctl-cli-windows.adoc[leveloffset=+3] + include::modules/install-sensor-roxctl.adoc[leveloffset=+2] -[id="next-steps_install-secured-cluster-cloud-ocp"] -== Next steps +//Next steps +include::modules/install-secured-cluster-cloud-ocp-next-steps.adoc[leveloffset=+1] -* xref:../installing_cloud_ocp/verify-installation-cloud-ocp.adoc#verify-installation-cloud-ocp[Verify installation] by ensuring that your secured clusters can communicate with the ACS instance. \ No newline at end of file +[role="_additional-resources"] +.Additional resources +* xref:../installing_cloud_ocp/verify-installation-cloud-ocp.adoc#verify-installation-cloud-ocp[Verify installation] \ No newline at end of file diff --git a/cloud_service/installing_cloud_ocp/verify-installation-cloud-ocp.adoc b/cloud_service/installing_cloud_ocp/verify-installation-cloud-ocp.adoc index ac581e5b9f4e..62108bf7ec7e 100644 --- a/cloud_service/installing_cloud_ocp/verify-installation-cloud-ocp.adoc +++ b/cloud_service/installing_cloud_ocp/verify-installation-cloud-ocp.adoc 
@@ -13,7 +13,7 @@ To verify installation, access your ACS Console from the {cloud-console}. The Da If no data appears in the ACS Console: -* Ensure that at least one secured cluster is connected to your {product-title-managed-short} instance. For more information, see xref:../installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-operator-cloud-ocp[Installing secured cluster resources from {product-title-managed-short}]. +* Ensure that at least one secured cluster is connected to your {product-title-managed-short} instance. For more information, see xref:../installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-operator-cloud-ocp_install-secured-cluster-cloud-ocp[Installing secured cluster resources from {product-title-managed-short}]. * Examine your Sensor pod logs to ensure that the connection to your {product-title-managed-short} instance is successful. * In the {osp} cluster, go to *Platform Configuration* -> *Clusters* to verify that the components are healthy and view additional operational information. * Examine the values in the `SecuredCluster` API in the Operator on your local cluster to ensure that the *Central API Endpoint* has been entered correctly. This value should be the same value as shown in the *ACS instance* details in the {cloud-console}. \ No newline at end of file diff --git a/cloud_service/installing_cloud_other/verify-installation-cloud-other.adoc b/cloud_service/installing_cloud_other/verify-installation-cloud-other.adoc index dfdf19236eb2..5216e5b52024 100644 --- a/cloud_service/installing_cloud_other/verify-installation-cloud-other.adoc +++ b/cloud_service/installing_cloud_other/verify-installation-cloud-other.adoc 
@@ -13,6 +13,6 @@ To verify installation, access your ACS Console from the {cloud-console}. The Da If no data appears in the ACS Console: -* Ensure that at least one secured cluster is connected to your {product-title-managed-short} instance. For more information, see instructions for installing by using xref:../installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-helm-cloud-ocp[Helm charts] or by using the xref:../installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-roxctl-cloud-ocp[`roxctl` CLI]. +* Ensure that at least one secured cluster is connected to your {product-title-managed-short} instance. For more information, see instructions for installing by using xref:../installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-helm-cloud-ocp_install-secured-cluster-cloud-ocp[Helm charts] or by using the xref:../installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-roxctl-cloud-ocp_install-secured-cluster-cloud-ocp[`roxctl` CLI]. * Examine your Sensor pod logs to ensure that the connection to your {product-title-managed-short} instance is successful. * Examine the values in the `SecuredCluster` API in the Operator on your local cluster to ensure that the *Central API Endpoint* has been entered correctly. This value should be the same value as shown in the *ACS instance* details in the {cloud-console}. \ No newline at end of file diff --git a/cloud_service/upgrading-cloud/upgrade-cloudsvc-helm.adoc b/cloud_service/upgrading-cloud/upgrade-cloudsvc-helm.adoc index 5fc19f40271e..fc3a40fc287c 100644 --- a/cloud_service/upgrading-cloud/upgrade-cloudsvc-helm.adoc +++ b/cloud_service/upgrading-cloud/upgrade-cloudsvc-helm.adoc 
@@ -17,4 +17,4 @@ include::modules/upgrade-helm-chart.adoc[leveloffset=+1] [role="_additional-resources"] == Additional resources -* xref:../../cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-helm-cloud-ocp[Installing {product-title-managed-short} on secured clusters by using Helm charts] \ No newline at end of file +* xref:../../cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-helm-cloud-ocp_install-secured-cluster-cloud-ocp[Installing {product-title-managed-short} on secured clusters by using Helm charts] \ No newline at end of file diff --git a/modules/acs-quick-install-secured-cluster-using-helm.adoc b/modules/acs-quick-install-secured-cluster-using-helm.adoc index e331eff2638a..e7b64dd133c9 100644 --- a/modules/acs-quick-install-secured-cluster-using-helm.adoc +++ b/modules/acs-quick-install-secured-cluster-using-helm.adoc @@ -29,7 +29,7 @@ Use the following instructions to install the `secured-cluster-services` Helm ch .Prerequisites * You must have generated a {product-title-short} cluster registration secret (CRS) or an init bundle for your cluster. -* You must have access to the Red{nbsp}Hat Container Registry and a pull secret for authentication. For information about downloading images from `registry.redhat.io`, see link:https://access.redhat.com/RegistryAuthentication[Red{nbsp}Hat Container Registry Authentication]. +* You must have access to the Red{nbsp}Hat Container Registry and a pull secret for authentication. For information about downloading images from `registry.redhat.io`, see the "Red{nbsp}Hat Container Registry Authentication". ifndef::cloud-svc[] * You must have the address that you are exposing the Central service on. endif::cloud-svc[] 
@@ -57,7 +57,7 @@ $ helm install -n stackrox --create-namespace \ where: + -- -``:: Specifies the name of the file in which the generated CRS has been stored. +``:: Specifies the name of the file in which the generated CRS stores. ``:: Specifies the path for the pull secret for Red{nbsp}Hat Container Registry authentication. Or, you can specify `--set imagePullSecrets.username=` and `--set imagePullSecrets.password=` in the command. ``:: Specifies the address and port number for Central. For example, `acs.domain.com:443`. -- @@ -100,7 +100,7 @@ $ helm install -n stackrox --create-namespace \ where: + -- -``:: Specifies the name of the file in which the generated CRS has been stored. +``:: Specifies the name of the file in which the generated CRS stores. ``:: Specifies the path for the pull secret for Red{nbsp}Hat Container Registry authentication. Or, you can specify `--set imagePullSecrets.username=` and `--set imagePullSecrets.password=` in the command. ``:: Specifies the address and port number for Central. For example, `acs.domain.com:443`. ``:: Specifies the user name for your pull secret for Red{nbsp}Hat Container Registry authentication. 
@@ -150,10 +150,10 @@ $ helm install -n stackrox --create-namespace \ where: + -- -``:: Specifies the name of the file in which the generated CRS has been stored. +``:: Specifies the name of the file in which the generated CRS stores. ``:: Specifies the path for the pull secret for Red{nbsp}Hat Container Registry authentication. Or, you can specify `--set imagePullSecrets.username=` and `--set imagePullSecrets.password=` in the command. ``:: Specifies specify the address and port number for Central. For example, `acs.domain.com:443`. -`--set scanner.disable=false`:: Sets the value of the `scanner.disable` parameter to `false`, which means that Scanner-slim will be enabled during the installation. In Kubernetes, the secured cluster services now include Scanner-slim. +`--set scanner.disable=false`:: Sets the value of the `scanner.disable` parameter to `false`, which means that Scanner-slim will enable during the installation. In Kubernetes, the secured cluster services now include Scanner-slim. -- ** If you are using an init bundle, run the following command: + @@ -174,7 +174,7 @@ where: ``:: Specifies the path for the init bundle. ``:: Specifies the path for the pull secret for Red{nbsp}Hat Container Registry authentication. ``:: Specifies the address and port number for Central. For example, `acs.domain.com:443`. -`--set scanner.disable=false`:: Sets the value of the `scanner.disable` parameter to `false`, which means that Scanner-slim will be enabled during the installation. In Kubernetes, the secured cluster services now include Scanner-slim. +`--set scanner.disable=false`:: Sets the value of the `scanner.disable` parameter to `false`, which means that Scanner-slim will enable during the installation. In Kubernetes, the secured cluster services now include Scanner-slim. -- endif::cloud-svc[] 
@@ -198,10 +198,10 @@ $ helm install -n stackrox --create-namespace \ where: + -- -``:: Specifies the name of the file in which the generated CRS has been stored. +``:: Specifies the name of the file in which the generated CRS stores. ``:: Specifies the path for the pull secret for Red{nbsp}Hat Container Registry authentication. ``:: Specifies the *Central API Endpoint* address. You can view this information by choosing *Advanced Cluster Security* -> *ACS Instances* from the Red{nbsp}Hat Hybrid Cloud Console navigation menu, then clicking the {product-title-short} instance you created. -`--set scanner.disable=false`:: Sets the value of the `scanner.disable` parameter to `false`, which means that Scanner-slim will be enabled during the installation. In Kubernetes, the secured cluster services now include Scanner-slim. +`--set scanner.disable=false`:: Sets the value of the `scanner.disable` parameter to `false`, which means that Scanner-slim will enable during the installation. In Kubernetes, the secured cluster services now include Scanner-slim. -- ** If you are using an init bundle, run the following command: + 
@@ -222,6 +222,6 @@ where: ``:: Specifies the path for the init bundle. ``:: Specifies the path for the pull secret for Red{nbsp}Hat Container Registry authentication. ``:: Specifies the *Central API Endpoint* address. You can view this information by choosing *Advanced Cluster Security* -> *ACS Instances* from the Red{nbsp}Hat Hybrid Cloud Console navigation menu, then clicking the {product-title-short} instance you created. -`--set` scanner.disable=false:: Sets the value of the `scanner.disable` parameter to `false`, which means that Scanner-slim will be enabled during the installation. In Kubernetes, the secured cluster services now include Scanner-slim. +`--set` scanner.disable=false:: Sets the value of the `scanner.disable` parameter to `false`, which means that Scanner-slim will enable during the installation. In Kubernetes, the secured cluster services now include Scanner-slim. -- endif::cloud-svc[] \ No newline at end of file diff --git a/modules/adding-helm-repository.adoc b/modules/adding-helm-repository.adoc index b72271e36a98..cc4dbd27c4a0 100644 --- a/modules/adding-helm-repository.adoc +++ b/modules/adding-helm-repository.adoc @@ -29,7 +29,7 @@ ifndef::cloud-svc[] + [NOTE] ==== -You deploy centralized components only once and you can monitor multiple separate clusters by using the same installation. +You deploy centralized components only once and you can monitor many separate clusters by using the same installation. ==== endif::[] * Secured Cluster Services Helm chart (`secured-cluster-services`) for installing the per-cluster and per-node components (Sensor, Admission Controller, Collector, and Scanner-slim). diff --git a/modules/change-config-options-after-deployment.adoc b/modules/change-config-options-after-deployment.adoc index c3fbeacf3667..b025cc290537 100644 --- a/modules/change-config-options-after-deployment.adoc +++ b/modules/change-config-options-after-deployment.adoc 
@@ -17,9 +17,9 @@ When using the `helm upgrade` command to make changes, the following guidelines * You can also specify configuration values using the `--set` or `--set-file` parameters. However, these options are not saved, and you must manually specify all the options again whenever you make changes. -* Some changes, such as enabling a new component, require new certificates to be issued for the component. Therefore, you must provide a CA when making these changes. -** If the CA was generated by the Helm chart during the initial installation, you must retrieve these automatically generated values from the cluster and provide them to the `helm upgrade` command. The post-installation notes of the `central-services` Helm chart include a command for retrieving the automatically generated values. -** If the CA was generated outside of the Helm chart and provided during the installation of the `central-services` chart, then you must perform that action again when using the `helm upgrade` command, for example, by using the `--reuse-values` flag with the `helm upgrade` command. +* Some changes, such as enabling a new component, require issuing new certificates for the component. Therefore, you must give a CA when making these changes. +** If the Helm chart generated the CA during the initial installation, you must retrieve these automatically generated values from the cluster and give them to the `helm upgrade` command. The postinstallation notes of the `central-services` Helm chart include a command for retrieving the automatically generated values. +** If you generated the CA outside of the Helm chart and gave it during the installation of the `central-services` chart, then you must perform that action again when using the `helm upgrade` command, for example, by using the `--reuse-values` flag with the `helm upgrade` command. .Procedure 
diff --git a/modules/configure-sc-helm-customizations-cloud-ocp.adoc b/modules/configure-sc-helm-customizations-cloud-ocp.adoc new file mode 100644 index 000000000000..71f35e04f8c1 --- /dev/null +++ b/modules/configure-sc-helm-customizations-cloud-ocp.adoc @@ -0,0 +1,20 @@ +// Module included in the following assemblies: +// +// * cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc + +:_mod-docs-content-type: CONCEPT +[id="configure-secured-cluster-services-helm-chart-customizations-cloud-ocp_{context}"] += Configuring the secured-cluster-services Helm chart with customizations + +[role="_abstract"] +You can use Helm chart configuration parameters with the `helm install` and `helm upgrade` commands by specifying these parameters by using the `--set` option or by creating YAML configuration files. + +Create the following files for configuring the Helm chart for installing {product-title}: + +* Public configuration file `values-public.yaml`: Use this file to save all non-sensitive configuration options. +* Private configuration file `values-private.yaml`: Use this file to save all sensitive configuration options. Ensure that you store this file securely. + +[IMPORTANT] +==== +When using the `secured-cluster-services` Helm chart, do not change the `values.yaml` file that is part of the chart. +==== diff --git a/modules/install-acs-operator-annotations.adoc b/modules/install-acs-operator-annotations.adoc index dac4a7481203..8e7f8992945a 100644 --- a/modules/install-acs-operator-annotations.adoc +++ b/modules/install-acs-operator-annotations.adoc 
@@ -6,11 +6,11 @@ = Operator annotations used during installation [role="_abstract"] -{product-title-short} uses annotations attached to the custom resource (CR) so that for installations performed by using the Operator, the default values for certain configuration items are decided at runtime by the Operator based on the current environment, allowing the previously configured value of an item to persist. +{product-title-short} uses annotations attached to the custom resource (CR) so that for installations performed by using the Operator, the Operator decides the default values for certain configuration items at runtime based on the current environment, allowing the earlier configured value of an item to persist. -For some configuration items, using a static default value for the installation is not ideal. Beginning with {product-title-short} version 4.8, the Operator can add annotations that are attached to the CR that you apply to clusters. These annotations allow a default decision that the Operator previously made to persist and be reapplied in the future, even if the default behavior for a fresh installation has changed. In summary, {product-title-short} uses annotations to persist runtime defaults. This means that the default value for a certain configuration setting is decided by the Operator at runtime. +For some configuration items, using a static default value for the installation is not ideal. Beginning with {product-title-short} version 4.8, the Operator can add annotations that attach to the CR that you apply to clusters. These annotations allow a default decision that the Operator made before to persist and reapply in the future, even if the default behavior for a fresh installation has changed. In summary, {product-title-short} uses annotations to persist runtime defaults. This means that the Operator decides the default value for a certain configuration setting at runtime. 
-For example, in release 4.8 and later, if a value is not specified for enabling Scanner V4, the default behavior is to enable Scanner V4. However, if a value is configured in the CR, such as `disable`, then {product-title-short} uses that value. In the Scanner V4 example, Scanner V4 was disabled by default in version 4.7; when updating to version 4.8 by using the Operator, that disabled setting persists and Scanner V4 is disabled. +For example, in release 4.8 and later, if a value is not specified for enabling Scanner V4, the default behavior is to enable Scanner V4. However, if you configure a value in the CR, such as `disable`, then {product-title-short} uses that value. In the Scanner V4 example, Scanner V4 disabled by default in version 4.7; when updating to version 4.8 by using the Operator, that disabled setting persists and Scanner V4 disables. Annotations are in the form `feature-defaults.platform.stackrox.io/`. For example, `feature-defaults.platform.stackrox.io/scannerV4` is the annotation that allows the Operator to keep the default Scanner V4 enablement toggle stable during updating to {product-title-short} version 4.8. diff --git a/modules/install-roxctl-cli-linux.adoc b/modules/install-roxctl-cli-linux.adoc index e02b68d48a08..b9b60fb48cae 100644 --- a/modules/install-roxctl-cli-linux.adoc +++ b/modules/install-roxctl-cli-linux.adoc @@ -16,7 +16,7 @@ You can install the `roxctl` CLI binary on Linux by using the following procedur .Procedure -. Determine the `roxctl` architecture for the target operating system: +. Find the `roxctl` architecture for the target operating system: + [source,terminal,subs=attributes+] ---- @@ -39,7 +39,7 @@ $ chmod +x roxctl . Place the `roxctl` binary in a directory that is on your `PATH`: + -To check your `PATH`, execute the following command: +To check your `PATH`, run the following command: + [source,terminal] ---- 
diff --git a/modules/install-roxctl-cli-macos.adoc b/modules/install-roxctl-cli-macos.adoc index 569cc4493426..bbbabb42283c 100644 --- a/modules/install-roxctl-cli-macos.adoc +++ b/modules/install-roxctl-cli-macos.adoc @@ -16,7 +16,7 @@ You can install the `roxctl` CLI binary on macOS by using the following procedur .Procedure -. Determine the `roxctl` architecture for the target operating system: +. Find the `roxctl` architecture for the target operating system: + [source,terminal,subs=attributes+] ---- @@ -46,7 +46,7 @@ $ chmod +x roxctl . Place the `roxctl` binary in a directory that is on your `PATH`: + -To check your `PATH`, execute the following command: +To check your `PATH`, run the following command: + [source,terminal] ---- diff --git a/modules/install-secured-cluster-cloud-ocp-next-steps.adoc b/modules/install-secured-cluster-cloud-ocp-next-steps.adoc new file mode 100644 index 000000000000..076d1be6804a --- /dev/null +++ b/modules/install-secured-cluster-cloud-ocp-next-steps.adoc @@ -0,0 +1,10 @@ +// Module included in the following assemblies: +// +// * cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc + +:_mod-docs-content-type: REFERENCE +[id="next-steps_{context}"] += Next steps + +[role="_abstract"] +After installing {product-title-managed-short} on your secured clusters, verify the installation to ensure proper communication with the ACS instance. \ No newline at end of file diff --git a/modules/install-secured-cluster-cloud-ocp-prerequisites.adoc b/modules/install-secured-cluster-cloud-ocp-prerequisites.adoc new file mode 100644 index 000000000000..1200abca08be --- /dev/null +++ b/modules/install-secured-cluster-cloud-ocp-prerequisites.adoc 
@@ -0,0 +1,17 @@ +// Module included in the following assemblies: +// +// * cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc + +:_mod-docs-content-type: PROCEDURE +[id="install-secured-cluster-cloud-ocp-prerequisites_{context}"] += Prerequisites + +[role="_abstract"] +Prerequisites for installing {product-title-managed-short} on secured clusters. + +.Procedure + +* During {product-title-short} installation, you noted the *Central instance* address. You can view this information by choosing *Advanced Cluster Security* -> *ACS Instances* from the {cloud-console} navigation menu, and then clicking the ACS instance you created. +* If you are installing by using the Operator, you created your {osp} cluster that you want to secure and installed the Operator on it. +* You generated and downloaded the cluster registration secret (CRS) or the init bundle by using the ACS Console or by using the `roxctl` CLI. +* You applied the CRS or the init bundle on the cluster that you want to secure, unless you are installing by using a Helm chart. diff --git a/modules/install-secured-cluster-operator.adoc b/modules/install-secured-cluster-operator.adoc index a474284dc662..94e88c3d80ee 100644 --- a/modules/install-secured-cluster-operator.adoc +++ b/modules/install-secured-cluster-operator.adoc 
@@ -39,12 +39,12 @@ When you install {product-title}: * If you installed the Operator in a different namespace, {ocp} lists the name of that namespace instead of `rhacs-operator`. ==== . Click *Installed Operators*. -. You should have created the `stackrox` namespace when you applied the CRS or the init bundle. Make sure that you are in this namespace by verifying that *Project:stackrox* is selected in the menu. +. You should have created the `stackrox` namespace when you applied the CRS or the init bundle. Make sure that you are in this namespace by verifying that the menu shows *Project:stackrox*. . In *Provided APIs*, click *Secured Cluster*. . Click *Create SecuredCluster*. . Select one of the following options in the *Configure via* field: * *Form view*: Use this option if you want to use the on-screen fields to configure the secured cluster and do not need to change any other fields. -* *YAML view*: Use this view to set up the secured cluster by using the YAML file. The YAML file is displayed in the window and you can edit fields in it. If you select this option, when you are finished editing the file, click *Create*. +* *YAML view*: Use this view to set up the secured cluster by using the YAML file. The YAML file is displayed in the window and you can edit fields in it. If you select this option, when you finish editing the file, click *Create*. . If you are using *Form view*, enter the new project name by accepting or editing the default name. The default value is *stackrox-secured-cluster-services*. . Optional: Add any labels for the cluster. . Enter a unique name for your `SecuredCluster` custom resource. 
@@ -52,15 +52,15 @@ When you install {product-title}: ifdef::cloud-svc[] * For {product-title-managed-short} use the *Central API Endpoint* address. You can view this information by choosing *Advanced Cluster Security* -> *ACS Instances* from the Red{nbsp}Hat Hybrid Cloud Console navigation menu, then clicking the {product-title-short} instance you created. endif::cloud-svc[] -* Use the default value of `central.stackrox.svc:443` _only_ if you are installing secured cluster services in the same cluster where Central is installed. -* Do not use the default value when you are configuring multiple clusters. Instead, use the hostname when configuring the *Central Endpoint* value for each cluster. +* Use the default value of `central.stackrox.svc:443` _only_ if you install secured cluster services in the same cluster where Central runs. +* Do not use the default value when you configure many clusters. Instead, use the hostname when configuring the *Central Endpoint* value for each cluster. . For the remaining fields, accept the default values or configure custom values if needed. For example, you might need to configure TLS if you are using custom certificates or untrusted CAs. See "Configuring Secured Cluster services options for {product-title-short} using the Operator" for more information. . To use file active monitoring, you must enable the SFA agent: .. Expand *SFA*. .. From the *SFA Agent* list, select *Enabled*. . Click *Create*. . After a brief pause, the *SecuredClusters* page displays the status of `stackrox-secured-cluster-services`. You might see the following conditions: -* *Conditions: Deployed, Initialized*: The secured cluster services have been installed and the secured cluster is communicating with Central. +* *Conditions: Deployed, Initialized*: You installed the secured cluster services and the secured cluster is communicating with Central. * *Conditions: Initialized, Irreconcilable*: The secured cluster is not communicating with Central. 
Make sure that you applied the CRS or the init bundle you created in the {product-title-short} web portal to the secured cluster. .Next steps diff --git a/modules/install-secured-cluster-services-helm-chart.adoc b/modules/install-secured-cluster-services-helm-chart.adoc index 1cf6fecca213..3856e70be9f6 100644 --- a/modules/install-secured-cluster-services-helm-chart.adoc +++ b/modules/install-secured-cluster-services-helm-chart.adoc @@ -24,7 +24,7 @@ After you configure the `values-public.yaml` and `values-private.yaml` files, in .Prerequisites * You must have generated a cluster registration secret (CRS) or an init bundle for your cluster. -* You must have access to the Red{nbsp}Hat Container Registry and a pull secret for authentication. For information about downloading images from `registry.redhat.io`, see link:https://access.redhat.com/RegistryAuthentication[Red{nbsp}Hat Container Registry Authentication]. +* You must have access to the Red{nbsp}Hat Container Registry and a pull secret for authentication. For information about downloading images from `registry.redhat.io`, see the "Red{nbsp}Hat Container Registry Authentication". ifndef::cloud-svc[] * You must have the address and the port number that you are exposing the Central service on. endif::cloud-svc[] diff --git a/modules/install-sensor-roxctl.adoc b/modules/install-sensor-roxctl.adoc index fae533d75f7f..6c5a91eab02f 100644 --- a/modules/install-sensor-roxctl.adoc +++ b/modules/install-sensor-roxctl.adoc 
@@ -20,5 +20,4 @@ To perform an installation by using the manifest installation method, follow _on * Use the {product-title-short} web portal to download the cluster bundle, and then extract and run the sensor script. * Use the `roxctl` CLI to generate the required sensor configuration for your {ocp} cluster and associate it with your Central instance. -.Prerequisites -* You must have already installed Central services, or you can access Central services by selecting your *ACS instance* on {rh-rhacscs-first}. \ No newline at end of file +You must have already installed Central services, or you can access Central services by selecting your *ACS instance* on {rh-rhacscs-first}. \ No newline at end of file diff --git a/modules/installing-roxctl-cli-sc-cloud-ocp.adoc b/modules/installing-roxctl-cli-sc-cloud-ocp.adoc new file mode 100644 index 000000000000..17c3d8f5274a --- /dev/null +++ b/modules/installing-roxctl-cli-sc-cloud-ocp.adoc @@ -0,0 +1,10 @@ +// Module included in the following assemblies: +// +// * cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc + +:_mod-docs-content-type: CONCEPT +[id="installing-roxctl-cli-sc-cloud-ocp_{context}"] += Installing the roxctl CLI + +[role="_abstract"] +You must first download the binary. You can install `roxctl` on Linux, Windows, or macOS. diff --git a/modules/installing-sc-helm-cloud-ocp.adoc b/modules/installing-sc-helm-cloud-ocp.adoc new file mode 100644 index 000000000000..ce39338f7499 --- /dev/null +++ b/modules/installing-sc-helm-cloud-ocp.adoc 
@@ -0,0 +1,12 @@ +// Module included in the following assemblies: +// +// * cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc + +:_mod-docs-content-type: CONCEPT +[id="installing-sc-helm-cloud-ocp_{context}"] += Installing {product-title-managed-short} on secured clusters by using Helm charts + +[role="_abstract"] +You can install {product-title-short} on secured clusters by using Helm charts with no customization, using the default values, or with customizations of configuration parameters. + +First, ensure that you add the Helm chart repository. diff --git a/modules/installing-sc-helm-default-cloud-ocp.adoc b/modules/installing-sc-helm-default-cloud-ocp.adoc new file mode 100644 index 000000000000..2eb699e93035 --- /dev/null +++ b/modules/installing-sc-helm-default-cloud-ocp.adoc @@ -0,0 +1,10 @@ +// Module included in the following assemblies: +// +// * cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc + +:_mod-docs-content-type: CONCEPT +[id="installing-sc-helm-default-cloud-ocp_{context}"] += Installing {product-title-managed-short} on secured clusters by using Helm charts without customizations + +[role="_abstract"] +Install the secured-cluster-services Helm chart by using default configuration values without any customizations. diff --git a/modules/installing-sc-operator-cloud-ocp.adoc b/modules/installing-sc-operator-cloud-ocp.adoc new file mode 100644 index 000000000000..17cc0c58c64e --- /dev/null +++ b/modules/installing-sc-operator-cloud-ocp.adoc 
@@ -0,0 +1,10 @@ +// Module included in the following assemblies: +// +// * cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc + +:_mod-docs-content-type: CONCEPT +[id="installing-sc-operator-cloud-ocp_{context}"] += Installing {product-title-short} on secured clusters by using the Operator + +[role="_abstract"] +To install {product-title-short} by using the Operator, you first install the Operator and then use it to install {product-title-short} on the secured cluster. diff --git a/modules/installing-sc-roxctl-cloud-ocp.adoc b/modules/installing-sc-roxctl-cloud-ocp.adoc new file mode 100644 index 000000000000..0777adf0796c --- /dev/null +++ b/modules/installing-sc-roxctl-cloud-ocp.adoc @@ -0,0 +1,13 @@ +// Module included in the following assemblies: +// +// * cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc + +:_mod-docs-content-type: CONCEPT +[id="installing-sc-roxctl-cloud-ocp_{context}"] += Installing {product-title-short} on secured clusters by using the roxctl CLI + +[role="_abstract"] +To install {product-title-short} on secured clusters by using the CLI, perform the following steps: + +. Install the `roxctl` CLI. +. Install Sensor. diff --git a/modules/secured-cluster-services-config.adoc b/modules/secured-cluster-services-config.adoc index e9e1c7c877e4..c055c759adee 100644 --- a/modules/secured-cluster-services-config.adoc +++ b/modules/secured-cluster-services-config.adoc 
@@ -36,7 +36,7 @@ endif::[] | Name of your cluster. | `centralEndpoint` -| Address of the Central endpoint. If you are using a non-gRPC capable load balancer, use the WebSocket protocol by prefixing the endpoint address with `wss://`. When configuring multiple clusters, use the hostname for the address. For example, `central.example.com`. +| Address of the Central endpoint. If you are using a non-gRPC capable load balancer, use the WebSocket protocol by prefixing the endpoint address with `wss://`. When configuring many clusters, use the hostname for the address. For example, `central.example.com`. | `env.grpcEnforceALPN` | Use `true` to force application-level protocol negotiation (ALPN) during the TLS handshake. @@ -118,7 +118,7 @@ endif::[] | `collector.disableTaintTolerations` | If you specify `false`, tolerations are applied to Collector, and the collector pods can schedule onto all nodes with taints. -If you specify it as `true`, no tolerations are applied, and the collector pods are not scheduled onto nodes with taints. +If you specify it as `true`, no tolerations are applied, and the collector pods cannot schedule onto nodes with taints. | `collector.resources.requests.memory` | The memory request for the Collector container. Use this parameter to override the default value. 
@@ -151,7 +151,7 @@ If you specify it as `true`, no tolerations are applied, and the collector pods | The internal service-to-service TLS certificate key that Collector uses. |`admissionControl.enforce` -| This parameter determines if the admission controller has been configured to enforce policies that have enforcement enabled. For a new secured cluster deployed with {product-title-short} 4.9, the default value is `true`. For secured clusters updating from {product-title-short} versions before 4.9, previous values for the admission controller configuration parameters determine the value of this parameter. Before the update, if either of the `admissionControl.enforceOnCreates` or `admissionControl.enforceOnUpdates` parameters was set to `true`, the value of this parameter defaults to `true` after upgrade. If both of these parameters were set to `false`, the default value becomes `false` on update. +| This parameter determines if you configured the admission controller to enforce policies that have enforcement enabled. For a new secured cluster deployed with {product-title-short} 4.9, the default value is `true`. For secured clusters updating from {product-title-short} versions before 4.9, earlier values for the admission controller configuration parameters determine the value of this parameter. Before the update, if you set either of the `admissionControl.enforceOnCreates` or `admissionControl.enforceOnUpdates` parameters to `true`, the value of this parameter defaults to `true` after upgrade. If you set both of these parameters to `false`, the default value becomes `false` on update. |`admissionControl.failurePolicy` | Determines whether API server request is allowed (fail open) or blocked (fail closed) if an error or timeout happens in the {product-title-short} validating webhook's evaluation. Valid values are `Ignore` and `Fail`. The default value is `Ignore` to fail open. 
@@ -214,7 +214,7 @@ Specify the name of your registry if you are using some other registry. | `collector.disableTaintTolerations` | If you specify `false`, tolerations are applied to Collector, and the Collector pods can schedule onto all nodes with taints. -If you specify it as `true`, no tolerations are applied, and the Collector pods are not scheduled onto nodes with taints. +If you specify it as `true`, no tolerations are applied, and the Collector pods cannot schedule onto nodes with taints. | `createUpgraderServiceAccount` | Specify `true` to create the `sensor-upgrader` account. @@ -263,7 +263,7 @@ If you do not create this account, you must complete future upgrades manually if | Resource specification for Collector's Compliance container. | `scanner.logLevel` -| Setting this parameter allows you to modify the scanner log level. Use this option only for troubleshooting purposes. +| Setting this parameter allows you to change the scanner log level. Use this option only for troubleshooting purposes. | `scanner.autoscaling.disable` | If you set this option to `true`, {product-title} disables autoscaling on the Scanner deployment. 
@@ -314,7 +314,7 @@ If you do not create this account, you must complete future upgrades manually if | If you set this option to `false`, {product-title} will not set up {osp} monitoring. Defaults to `true` on {osp} 4. | `network.enableNetworkPolicies` -a| To provide security at the network level, {product-title-short} creates default `NetworkPolicy` resources in the namespace where secured cluster resources are installed. These network policies allow ingress to specific components on specific ports. If you do not want {product-title-short} to create these policies, set this parameter to `False`. This is a Boolean value. The default value is `True`, which means the default policies are automatically created. +a| To give security at the network level, {product-title-short} creates default `NetworkPolicy` resources in the namespace where secured cluster resources are installed. These network policies allow ingress to specific components on specific ports. If you do not want {product-title-short} to create these policies, set this parameter to `False`. This is a Boolean value. The default value is `True`, which means the default policies are automatically created. [WARNING] ====
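Review bot: In the Scanner V4 example paragraph (the hunk just ahead of the install-roxctl-cli-linux.adoc diff), the rewritten sentence loses its verbs. "Scanner V4 disabled by default in version 4.7" has no "was", and "that disabled setting persists and Scanner V4 disables" no longer says that Scanner V4 stays off after the update, which the removed line stated clearly. Suggest "Scanner V4 was disabled by default in version 4.7; when updating to version 4.8 by using the Operator, that setting persists and Scanner V4 remains disabled", because a reader planning the update needs to know the scanner is still off afterwards.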
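Review bot: The new modules/install-secured-cluster-cloud-ocp-next-steps.adoc ends with `\ No newline at end of file`, and its abstract tells the reader to verify the installation without naming where that is described. Please add the final newline and name or link the verification topic. The abstract also writes "the ACS instance" as literal text while the rest of the sentence uses `{product-title-managed-short}`, so consider using an attribute there for consistency.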
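Review bot: In the new modules/install-secured-cluster-cloud-ocp-prerequisites.adoc, the module is typed `:_mod-docs-content-type: PROCEDURE` and its list sits under `.Procedure`, but every bullet is a completed precondition ("you noted", "You generated and downloaded", "You applied"), not a step. A reader following it as a procedure has nothing to do, and the two CRS/init bundle bullets, which describe handling a cluster credential, read as background rather than as required actions. Suggest either using a `.Prerequisites` block in a module type that allows it or rewriting the bullets as imperative steps. The abstract "Prerequisites for installing ... on secured clusters." is also a fragment rather than a sentence.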
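Review bot: In modules/install-secured-cluster-operator.adoc, hunk `@@ -52,15 +52,15 @@`, replacing "multiple clusters" with "many clusters" narrows the guidance: someone securing two or three clusters can now read "Do not use the default value when you configure many clusters" as not applying to them and keep `central.stackrox.svc:443`. Suggest "more than one cluster" if "multiple" has to go. The same substitution appears in the `centralEndpoint` row of modules/secured-cluster-services-config.adoc. Separately, "*Conditions: Deployed, Initialized*: You installed the secured cluster services" turns a status description into a user action; the condition reports the state of the services, so "The secured cluster services are installed and the secured cluster is communicating with Central" fits better.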
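Review bot: In modules/install-secured-cluster-services-helm-chart.adoc, the prerequisite now reads `see the "Red{nbsp}Hat Container Registry Authentication".` with the `link:https://access.redhat.com/RegistryAuthentication[...]` target removed and no noun after "the". The reader is told a pull secret is required but has no pointer to how to obtain one. If inline links are not allowed in this block, please move the link to an additional resources section and refer to it by title and location, for example `see "Red{nbsp}Hat Container Registry Authentication" in Additional resources`.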
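Review bot: In modules/install-sensor-roxctl.adoc, dropping the `.Prerequisites` title leaves "You must have already installed Central services, or you can access Central services by selecting ..." as a bare paragraph after the list of installation methods, where it no longer reads as a requirement. The sentence also mixes an obligation ("must have") with a capability ("or you can access"). Suggest one statement of the requirement, such as "Before you begin, make sure that Central services are installed or that you can access them by selecting your *ACS instance* on {rh-rhacscs-first}." The file still ends without a trailing newline.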
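Review bot: In the new modules/installing-sc-helm-cloud-ocp.adoc, the title uses `{product-title-managed-short}` while the abstract uses `{product-title-short}`, and the abstract's "with no customization, using the default values, or with customizations of configuration parameters" reads as three options when only two are meant. Suggest using one attribute throughout and rewording to "either with the default values and no customizations, or with customized configuration parameters". The sibling Operator and roxctl modules added in this patch title themselves with `{product-title-short}`, so the choice should be made once for all four.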
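Review bot: The new modules/installing-sc-roxctl-cloud-ocp.adoc is typed `:_mod-docs-content-type: CONCEPT`, yet its body is "perform the following steps:" followed by an ordered list (`. Install the roxctl CLI.`, `. Install Sensor.`). Given that the patch is fixing DITA errors, a concept module carrying numbered steps is likely to be flagged again. Suggest rewording the abstract as a description, for example "Installing by using the CLI consists of installing the `roxctl` CLI and then installing Sensor", and leaving the steps to the procedure modules.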
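Review bot: In modules/secured-cluster-services-config.adoc, hunk `@@ -151,7 +151,7 @@`, the new wording for `admissionControl.enforce` changes what the parameter means. "This parameter determines if you configured the admission controller to enforce policies" describes a check on past user action, whereas the parameter itself is the setting that turns enforcement on or off. Likewise "if you set either of the `admissionControl.enforceOnCreates` or `admissionControl.enforceOnUpdates` parameters to `true`" suggests that only explicitly set values count, while the removed "was set to `true`" described the value in effect before the update. Because this row tells operators whether policy enforcement is active after an update, suggest "This parameter determines whether the admission controller enforces policies that have enforcement enabled" and keeping "was set" for the pre-update values.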
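Review bot: In modules/secured-cluster-services-config.adoc, hunk `@@ -314,7 +314,7 @@`, "To give security at the network level" is unidiomatic compared with the removed "To provide security at the network level". If "provide" has to be avoided, "To secure traffic at the network level" keeps the meaning. The same row documents the values as `False` and `True` while the row above it in this hunk uses lowercase `true`; it would help to state the accepted spelling once and use it consistently.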