Merge pull request #90340 from openshift-cherrypick-robot/cherry-pick-89252-to-rhacs-docs-4.7

[rhacs-docs-4.7] ROX:26971: Add CRS to ACS docs

Author: kcarmichael08

_topic_maps/_topic_map.yml

@@ -60,9 +60,9 @@ Topics:
     File: cloud-create-instance-ocp
   - Name: Creating a project on your Red Hat OpenShift secured cluster
     File: cloud-ocp-create-project
-  - Name: Generating an init bundle for secured clusters
+  - Name: Generating an init bundle or cluster registration secret for secured clusters
     File: init-bundle-cloud-ocp-generate
-  - Name: Applying an init bundle for secured clusters
+  - Name: Applying an init bundle or cluster registration secret for secured clusters
     File: init-bundle-cloud-ocp-apply
   - Name: Installing the RHACS Operator for RHACS Cloud Service
     File: cloud-install-operator
@@ -125,7 +125,7 @@ Topics:
     File: install-central-ocp
   - Name: Configuring Central configuration options for RHACS using the Operator
     File: install-central-config-options-ocp
-  - Name: Generating and applying an init bundle for RHACS on Red Hat OpenShift
+  - Name: Generating and applying an init bundle or cluster registration secret for RHACS on Red Hat OpenShift
     File: init-bundle-ocp
   - Name: Installing Secured Cluster services for RHACS on Red Hat OpenShift
     File: install-secured-cluster-ocp
@@ -141,7 +141,7 @@ Topics:
     File: install-rhacs-other
   - Name: Installing Central services for RHACS on other platforms
     File: install-central-other
-  - Name: Generating and applying an init bundle for RHACS on other platforms
+  - Name: Generating and applying an init bundle or cluster registration secret for RHACS on other platforms
     File: init-bundle-other
   - Name: Installing Secured Cluster services for RHACS on other platforms
     File: install-secured-cluster-other

cli/command-reference/roxctl-central.adoc

@@ -24,26 +24,29 @@ $ roxctl central [command] [flags]
 
 |`cert`
 |Download the certificate chain for the Central service.
- 
-|`db` 
+
+|`crs`
+|Generate a cluster registration secret (CRS) that allows communication between Central and secured clusters for the initial setup, to retrieve a list of CRSes, or to revoke a CRS.
+
+|`db`
 |Control the database operations.
- 
-|`debug` 
+
+|`debug`
 |Debug the Central service.
 
 |`generate`
 |Generate the required YAML configuration files containing the orchestrator objects for the deployment of Central.
- 
-|`init-bundles` 
+
+|`init-bundles`
 |Initialize bundles for Central.
- 
+
 |`login`
 |Log in to the Central instance to obtain a token.
- 
-|`userpki` 
+
+|`userpki`
 |Manage the user certificate authorization providers.
- 
-|`whoami` 
+
+|`whoami`
 |Display information about the current user and their authentication method.
 |===
 
@@ -59,6 +62,12 @@ include::modules/roxctl-central-backup.adoc[leveloffset=+1]
 //roxctl central cert
 include::modules/roxctl-central-cert.adoc[leveloffset=+1]
 
+//roxctl crs
+include::modules/roxctl-central-crs.adoc[leveloffset=+1]
+include::modules/roxctl-central-crs-generate.adoc[leveloffset=+2]
+include::modules/roxctl-central-crs-list.adoc[leveloffset=+2]
+include::modules/roxctl-central-crs-revoke.adoc[leveloffset=+2]
+
 //roxctl central login
 include::modules/roxctl-central-login.adoc[leveloffset=+1]
 

cloud_service/getting-started-rhacs-cloud-ocp.adoc

@@ -8,7 +8,7 @@ toc::[]
 
 [role="_abstract"]
 
-{rh-rhacscs-first} provides security services for your {osp} and Kubernetes clusters. See the link:https://access.redhat.com/articles/7045053[Red{nbsp}Hat Advanced Cluster Security for Kubernetes Support Matrix] for more information on supported platforms for secured clusters.
+{rh-rhacscs-first} provides security services for your {osp} and Kubernetes clusters. See the link:https://access.redhat.com/articles/7045053[Red{nbsp}Hat Advanced Cluster Security for Kubernetes Support Matrix] for information about supported platforms for secured clusters.
 
 .Prerequisites
 
@@ -27,39 +27,82 @@ The following sections provide an overview of installation steps and links to th
 [id="securing-rh-cloud-clusters"]
 === Securing {osp} clusters
 
-To secure {osp} clusters by using the Operator, perform the following steps:
+You can secure {osp} clusters by using the {product-title-short} Operator, Helm charts, or the `roxctl` CLI.
 
-. Verify that the clusters you want to secure meet the xref:../cloud_service/acscs-default-requirements.adoc#acscs-default-requirements[requirements].
+[id="overview-installing-cloud-secured-clusters-osp-operator"]
+==== Securing {osp} clusters by using the Operator
+
+.Procedure
+
+. Verify that the clusters you want to secure meet the xref:../cloud_service/acscs-default-requirements.adoc#acscs-default-requirements[default requirements].
 . In the {cloud-console}, xref:../cloud_service/installing_cloud_ocp/cloud-create-instance-ocp.adoc#cloud-create-instance-ocp[create an *ACS Instance*].
 . On each {osp} cluster you want to secure, xref:../cloud_service/installing_cloud_ocp/cloud-ocp-create-project.adoc#cloud-ocp-create-project[create a project named `stackrox`]. This project will contain the resources for {product-title-managed-short} secured clusters.
-. In the ACS Console, xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#init-bundle-cloud-ocp-generate[create an init bundle]. The init bundle contains secrets that allow communication between {product-title-managed-short} secured clusters and the ACS Console.
-. On each {osp} cluster, xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-apply#init-bundle-cloud-ocp-apply[apply the init bundle] by using it to create resources.
+. Create the mechanism that the Central instance, also called Central, uses to set up communication with the secured clusters. You can either create an init bundle or a cluster registration secret (CRS). Perform one of these actions:
+* In the ACS Console, xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#init-bundle-cloud-ocp-generate[generate an init bundle]. The init bundle contains secrets that allow communication between {product-title-managed-short} secured clusters and Central.
+* Log in to Central and use the `roxctl` CLI to xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#roxctl-generate-init-bundle_init-bundle-cloud-ocp-generate[generate an init bundle].
+* Log in to Central and use the `roxctl` CLI to xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#crs-generate-roxctl_init-bundle-cloud-ocp-generate[generate a CRS].
+. On each {osp} cluster, xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-apply#init-bundle-cloud-ocp-apply[apply the init bundle or CRS].
 . On each {osp} cluster, xref:../cloud_service/installing_cloud_ocp/cloud-install-operator#cloud-install-operator[install the {product-title-short} Operator].
 . On each {osp} cluster, xref:../cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-operator-cloud-ocp[install secured cluster resources in the `stackrox` project] by using the Operator.
 . xref:../cloud_service/installing_cloud_ocp/verify-installation-cloud-ocp.adoc#verify-installation-cloud-ocp[Verify installation] by ensuring that your secured clusters can communicate with the ACS instance.
 
-To secure {osp} clusters by using Helm charts or the `roxctl` CLI, perform the following steps:
+[id="overview-installing-cloud-secured-clusters-osp-helm"]
+==== Securing {osp} clusters by using Helm charts
 
-. Verify that the clusters you want to secure meet the xref:../cloud_service/acscs-default-requirements.adoc#acscs-default-requirements[requirements].
+.Procedure
+
+. Verify that the clusters you want to secure meet the xref:../cloud_service/acscs-default-requirements.adoc#acscs-default-requirements[default requirements].
 . In the {cloud-console}, xref:../cloud_service/installing_cloud_ocp/cloud-create-instance-ocp.adoc#cloud-create-instance-ocp[create an *ACS Instance*].
 . On each {osp} cluster you want to secure, xref:../cloud_service/installing_cloud_ocp/cloud-ocp-create-project.adoc#cloud-ocp-create-project[create a project named `stackrox`]. This project will contain the resources for {product-title-managed-short} secured clusters.
-. In the ACS Console, xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#init-bundle-cloud-ocp-generate[create an init bundle]. The init bundle contains secrets that allow communication between {product-title-managed-short} secured clusters and the ACS Console.
-. On each {osp} cluster, xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-apply#init-bundle-cloud-ocp-apply[apply the init bundle] by using it to create resources.
-. On each {osp} cluster, install secured cluster resources in the `stackrox` project by using xref:../cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-helm-cloud-ocp[Helm charts] or by using the xref:../cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-roxctl-cloud-ocp[`roxctl` CLI].
+. Create the mechanism that the Central instance, also called Central, uses to set up communication with the secured clusters. You can either generate an init bundle or a cluster registration secret (CRS). Perform only one of these actions:
+* In the ACS Console, xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#init-bundle-cloud-ocp-generate[generate an init bundle]. The init bundle contains secrets that allow communication between {product-title-managed-short} secured clusters and Central.
+* Log in to Central and use the `roxctl` CLI to xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#roxctl-generate-init-bundle_init-bundle-cloud-ocp-generate[generate an init bundle].
+* Log in to Central and use the `roxctl` CLI to xref:../cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#crs-generate-roxctl_init-bundle-cloud-ocp-generate[generate a CRS].
+. On each {osp} cluster, run the `helm install` command to xref:../cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-sc-helm-cloud-ocp[install {product-title-short} by using Helm charts], specifying the path of the init bundle or CRS.
+. xref:../cloud_service/installing_cloud_ocp/verify-installation-cloud-ocp.adoc#verify-installation-cloud-ocp[Verify installation] by ensuring that your secured clusters can communicate with the ACS instance.
+
+[id="overview-installing-cloud-secured-clusters-osp-roxctl"]
+==== Securing {osp} clusters by using the roxctl CLI, also called the manifest method
+
+.Procedure
+
+. Verify that the clusters you want to secure meet the xref:../cloud_service/acscs-default-requirements.adoc#acscs-default-requirements[default requirements].
+. In the {cloud-console}, xref:../cloud_service/installing_cloud_ocp/cloud-create-instance-ocp.adoc#cloud-create-instance-ocp[create an *ACS Instance*].
+. On each {osp} cluster you want to secure, xref:../cloud_service/installing_cloud_ocp/cloud-ocp-create-project.adoc#cloud-ocp-create-project[create a project named `stackrox`]. This project will contain the resources for {product-title-managed-short} secured clusters.
+. Perform one of the following actions:
+* In the ACS console, use the xref:../cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#installing-manifest-web-portal_install-secured-cluster-cloud-ocp[legacy installation method] to create a cluster bundle.
+* From a system that has access to the monitored cluster, xref:../cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#manifest-roxctl_install-secured-cluster-cloud-ocp[generate the configuration and extract and run the sensor script from the cluster bundle].
 . xref:../cloud_service/installing_cloud_ocp/verify-installation-cloud-ocp.adoc#verify-installation-cloud-ocp[Verify installation] by ensuring that your secured clusters can communicate with the ACS instance.
 
 [id="securing-kubernetes-clusters"]
 === Securing Kubernetes clusters
 
-To secure Kubernetes clusters, perform the following steps:
+You can secure Kubernetes clusters by using Helm charts or the `roxctl` CLI.
+
+[id="overview-installing-cloud-secured-clusters-kube-helm"]
+==== Securing Kubernetes clusters by using Helm charts
 
-. Verify that the clusters you want to secure meet the xref:../cloud_service/acscs-default-requirements.adoc#acscs-default-requirements[requirements].
+. Verify that the clusters you want to secure meet the xref:../cloud_service/acscs-default-requirements.adoc#acscs-default-requirements[default requirements].
 . In the {cloud-console}, xref:../cloud_service/installing_cloud_other/cloud-create-instance-other.adoc#cloud-create-instance-other[create an *ACS Instance*].
-. In the ACS Console, xref:../cloud_service/installing_cloud_other/init-bundle-cloud-other-generate.adoc#init-bundle-cloud-other-generate[create an init bundle]. The init bundle contains secrets that allow communication between {product-title-managed-short} secured clusters and the ACS Console.
-. On each Kubernetes cluster, xref:../cloud_service/installing_cloud_other/init-bundle-cloud-other-apply.adoc#init-bundle-cloud-other-apply[apply the init bundle] by using it to create resources.
-. On each Kubernetes cluster, xref:../cloud_service/installing_cloud_other/install-secured-cluster-cloud-other.adoc#install-secured-cluster-cloud-other[install secured cluster resources] by using Helm charts or the `roxctl` CLI.
+. Create the mechanism that the Central instance, also called Central, uses to set up communication with the secured clusters. You can either create an init bundle or a cluster registration secret (CRS). Perform only one of these actions:
+* In the ACS Console, xref:../cloud_service/installing_cloud_other/init-bundle-cloud-other-generate.adoc#portal-generate-init-bundle_init-bundle-cloud-other-generate[generate an init bundle]. The init bundle contains secrets that allow communication between {product-title-managed-short} secured clusters and Central.
+* Log in to Central and xref:../cloud_service/installing_cloud_other/init-bundle-cloud-other-generate#roxctl-generate-init-bundle_init-bundle-cloud-other-generate[use the `roxctl` CLI to generate an init bundle].
+* Log in to Central and use the `roxctl` CLI to xref:../cloud_service/installing_cloud_other/init-bundle-cloud-other-generate#crs-generate-roxctl_init-bundle-cloud-other-generate[generate a CRS].
+. On each Kubernetes cluster, run the `helm install` command to xref:../cloud_service/installing_cloud_other/install-secured-cluster-cloud-other.adoc#install-secured-cluster-cloud-other[install by using Helm charts], specifying the path of the init bundle or CRS.
 . xref:../cloud_service/installing_cloud_other/verify-installation-cloud-other.adoc#verify-installation-cloud-other[Verify installation] by ensuring that your secured clusters can communicate with the ACS instance.
 
+[id="overview-installing-cloud-secured-clusters-kube-roxctl"]
+==== Securing Kubernetes clusters by using the roxctl CLI, also called the manifest method
+
+. Verify that the clusters you want to secure meet the xref:../cloud_service/acscs-default-requirements.adoc#acscs-default-requirements[default requirements].
+. In the {cloud-console}, xref:../cloud_service/installing_cloud_other/cloud-create-instance-other.adoc#cloud-create-instance-other[create an *ACS Instance*].
+. On each cluster you want to secure, create a namespace named `stackrox`. This namespace will contain the resources for {product-title-managed-short} secured clusters.
+. Perform one of the following steps:
+* In the ACS console, use the xref:../cloud_service/installing_cloud_other/install-secured-cluster-cloud-other.adoc#installing-manifest-web-portal_install-secured-cluster-cloud-other[legacy installation method] to create a cluster bundle.
+* From a system that has access to the monitored cluster, xref:../cloud_service/installing_cloud_ocp/install-secured-cluster-cloud-ocp.adoc#manifest-roxctl_install-secured-cluster-cloud-ocp[generate the configuration and extract and run the sensor script from the cluster bundle].
+. xref:../cloud_service/installing_cloud_ocp/verify-installation-cloud-ocp.adoc#verify-installation-cloud-ocp[Verify installation] by ensuring that your secured clusters can communicate with the ACS instance.
+
+
 [id="default-access-acs-console"]
 == Default access to the ACS Console
 

cloud_service/installing_cloud_ocp/cloud-ocp-create-project.adoc

@@ -14,4 +14,4 @@ include::modules/cloud-ocp-create-stackrox-project.adoc[leveloffset=+1]
 [id="next-steps_cloud-ocp-create-project"]
 == Next steps
 
-* In the ACS Console, xref:../installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#init-bundle-cloud-ocp-generate[create an init bundle]. The init bundle contains secrets that allow communication between {product-title-managed-short} secured clusters and the ACS Console.
+* In the ACS Console, xref:../installing_cloud_ocp/init-bundle-cloud-ocp-generate.adoc#init-bundle-cloud-ocp-generate[create an init bundle] or cluster registration secret (CRS). The init bundle contains secrets that allow communication between {product-title-managed-short} secured clusters and Central. The CRS can also be used to set up this initial communication and is more flexible and secure.

cloud_service/installing_cloud_ocp/init-bundle-cloud-ocp-apply.adoc

@@ -1,21 +1,21 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="init-bundle-cloud-ocp-apply"]
-= Applying an init bundle for secured clusters
+= Applying an init bundle or cluster registration secret for secured clusters
 include::modules/common-attributes.adoc[]
 :context: init-bundle-cloud-ocp-apply
 
 toc::[]
 
 [role="_abstract"]
-Apply the init bundle by using it to create resources.
+Apply the init bundle or cluster registration secret (CRS) by using it to create resources.
 
 [NOTE]
 ====
-You must have the `Admin` user role to apply an init bundle.
+You must have the `Admin` user role to apply an init bundle or CRS.
 ====
 
 include::modules/create-resource-init-bundle.adoc[leveloffset=+1]
-
+include::modules/crs-apply-secured-cluster.adoc[leveloffset=+1]
 
 [id="next-steps_init-bundle-cloud-ocp-apply"]
 == Next steps