Merge pull request #31196 from ahardin-rh/file-integrity-operator-updates

Updating the File Integrity Operator content

Author: ahardin-rh

_topic_map.yml

@@ -611,6 +611,8 @@ Topics:
 - Name: File Integrity Operator
   Dir: file_integrity_operator
   Topics:
+  - Name: Installing the File Integrity Operator
+    File: file-integrity-operator-installation
   - Name: Understanding the File Integrity Operator
     File: file-integrity-operator-understanding
   - Name: Configuring the File Integrity Operator

modules/checking-file-intergrity-cr-status.adoc

@@ -3,14 +3,13 @@
 // * security/file_integrity_operator/file-integrity-operator-understanding.adoc
 
 [id="checking-the-file-integrity-CR-status_{context}"]
-= Checking the `FileIntegrity` custom resource status
+= Checking the FileIntegrity custom resource status
 
-The `FileIntegrity` custom resource (CR) reports its status through the
-.`status.phase` subresource.
+The `FileIntegrity` custom resource (CR) reports its status through the .`status.phase` subresource.
 
 .Procedure
 
-. To query the `FileIntegrity` CR status, run:
+* To query the `FileIntegrity` CR status, run:
 +
 [source,terminal]
 ----

modules/file-integrity-CR-phases.adoc

@@ -3,7 +3,7 @@
 // * security/file_integrity_operator/file-integrity-operator-understanding.adoc
 
 [id="file-integrity-CR-phases_{context}"]
-= `FileIntegrity` custom resource phases
+= FileIntegrity custom resource phases
 
 * `Pending` - The phase after the custom resource (CR) is created.
 * `Active` -  The phase when the backing daemon set is up and running.

modules/file-integrity-node-status-failure.adoc

@@ -3,10 +3,9 @@
 // * security/file_integrity_operator/file-integrity-operator-understanding.adoc
 
 [id="file-integrity-node-status-failure_{context}"]
-= `FileIntegrityNodeStatus` failure status example
+= FileIntegrityNodeStatus CR failure status example
 
-To simulate a failure condition, modify one of the files AIDE tracks. For
-example, modify `/etc/resolv.conf` on one of the worker nodes:
+To simulate a failure condition, modify one of the files AIDE tracks. For example, modify `/etc/resolv.conf` on one of the worker nodes:
 
 [source,terminal]
 ----
@@ -28,9 +27,7 @@ Removing debug pod ...
 Removing debug namespace/openshift-debug-node-ldfbj ...
 ----
 
-After some time, the `Failed` condition was reported in the results array of the
-corresponding `FileIntegrityNodeStatus`. The previous `Succeeded` condition is
-retained, which allows you to pinpoint the time the check failed.
+After some time, the `Failed` condition is reported in the results array of the corresponding `FileIntegrityNodeStatus` object. The previous `Succeeded` condition is retained, which allows you to pinpoint the time the check failed.
 
 [source,terminal]
 ----
@@ -62,8 +59,7 @@ $ oc get fileintegritynodestatuses.fileintegrity.openshift.io -ojsonpath='{.item
 ]
 ----
 
-The `Failed` condition points to a config map that gives more details about what
-exactly failed and why:
+The `Failed` condition points to a config map that gives more details about what exactly failed and why:
 
 [source,terminal]
 ----
@@ -112,3 +108,5 @@ File: /hostroot/etc/resolv.conf
 
 Events:  <none>
 ----
+
+Due to the config map data size limit, AIDE logs over 1 MB are added to the failure config map as a base64-encoded gzip archive. In this case, you want to pipe the output of the above command to `base64 -d | gunzip`. Compressed logs are indicated by the presence of a `file-integrity.openshift.io/compressed` annotation key in the config map.

modules/file-integrity-node-status-success.adoc

@@ -3,7 +3,7 @@
 // * security/file_integrity_operator/file-integrity-operator-understanding.adoc
 
 [id="file-integrity-node-status-success_{context}"]
-= `FileIntegrityNodeStatus` success status example
+= FileIntegrityNodeStatus CR success example
 
 .Example output of a condition with a success status
 
@@ -29,5 +29,4 @@
 ]
 ----
 
-In this case, all three scans succeeded and so far there are no other
-conditions.
+In this case, all three scans succeeded and so far there are no other conditions.

modules/file-integrity-node-status.adoc

@@ -3,17 +3,12 @@
 // * security/file_integrity_operator/file-integrity-operator-understanding.adoc
 
 [id="file-integrity-node-status-types_{context}"]
-= `FileIntegrityNodeStatus` status types
+= FileIntegrityNodeStatus CR status types
 
-These conditions are reported in the results array of the
-corresponding `FileIntegrityNodeStatus`:
+These conditions are reported in the results array of the corresponding `FileIntegrityNodeStatus` CR status:
 
-* `Succeeded` - The integrity check passed; the files and directories
-covered by the AIDE check have not been modified since the database was last
-initialized.
+* `Succeeded` - The integrity check passed; the files and directories covered by the AIDE check have not been modified since the database was last initialized.
 
-* `Failed` - The integrity check failed; some files or directories
-covered by the AIDE check have been modified since the database was last
-initialized.
+* `Failed` - The integrity check failed; some files or directories covered by the AIDE check have been modified since the database was last initialized.
 
-* `Error` - The AIDE scanner encountered an internal error.
+* `Errored` - The AIDE scanner encountered an internal error.

modules/file-integrity-operator-installing-cli.adoc

@@ -0,0 +1,94 @@
+// Module included in the following assemblies:
+//
+// * security/file_integrity_operator/file-integrity-operator-installation.adoc
+
+[id="installing-file-integrity-operator-using-cli_{context}"]
+= Installing the File Integrity Operator using the CLI
+
+.Prerequisites
+
+* You must have `admin` privileges.
+
+.Procedure
+
+. Create a `Namespace` object YAML file by running:
++
+[source,terminal]
+----
+$ oc create -f <file-name>.yaml
+----
++
+.Example output
+[source,yaml]
+----
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: openshift-file-integrity
+----
+
+. Create the `OperatorGroup` object YAML file:
++
+[source,terminal]
+----
+$ oc create -f <file-name>.yaml
+----
++
+.Example output
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+  name: file-integrity-operator
+  namespace: openshift-file-integrity
+spec:
+  targetNamespaces:
+  - openshift-file-integrity
+----
+
+. Set the {product-title} major and minor version as an environment variable, which is used as the channel value in the next step:
++
+[source,terminal]
+----
+$ OC_VERSION=$(oc version -o yaml | grep openshiftVersion | grep -o '[0-9]*[.][0-9]*' | head -1)
+----
+
+. Create the `Subscription` object YAML file:
++
+[source,terminal]
+----
+$ oc create -f <file-name>.yaml
+----
++
+.Example output
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: file-integrity-operator
+  namespace: openshift-file-integrity
+spec:
+  channel: "${OC_VERSION}"
+  installPlanApproval: Automatic
+  name: file-integrity-operator
+  source: redhat-operators
+  sourceNamespace: openshift-marketplace
+----
+
+.Verification
+
+. Verify the installation succeeded by inspecting the CSV file:
++
+[source,terminal]
+----
+$ oc get csv -n openshift-file-integrity
+----
+
+. Verify that the File Integrity Operator is up and running:
++
+[source,terminal]
+----
+$ oc get deploy -n openshift-file-integrity
+----

modules/file-integrity-operator-installing-web-console.adoc

@@ -0,0 +1,29 @@
+// Module included in the following assemblies:
+//
+// * security/file_integrity_operator/file-integrity-operator-installation.adoc
+
+[id="installing-file-integrity-operator-using-web-console_{context}"]
+= Installing the File Integrity Operator using the web console
+
+.Prerequisites
+
+* You must have `admin` privileges.
+
+.Procedure
+
+. In the {product-title} web console, navigate to *Operators* -> *OperatorHub*.
+. Search for the File Integrity Operator, then click *Install*.
+. Keep the default selection of *Installation mode* and *namespace* to ensure that the Operator will be installed to the `openshift-file-integrity` namespace.
+. Click *Install*.
+
+.Verification
+
+To confirm that the installation is successful:
+
+. Navigate to the *Operators* -> *Installed Operators* page.
+. Check that the Operator is installed in the `openshift-file-integrity` namespace and its status is `Succeeded`.
+
+If the Operator is not installed successfully:
+
+. Navigate to the *Operators* -> *Installed Operators* page and inspect the `Status` column for any errors or failures.
+. Navigate to the *Workloads* -> *Pods* page and check the logs in any pods in the `openshift-file-integrity` project that are reporting issues.

modules/file-integrity-operator-reinitializing-database.adoc

@@ -5,19 +5,20 @@
 [id="file-integrity-operator-reinitializing-database_{context}"]
 = Reinitializing the database
 
-If the File Integrity Operator detects a change that was planned, it might be
-required to reinitialize the database. To do that, annotate the `FileIntegrity`
-custom resource (CR) with `file-integrity.openshift.io/re-init`:
+If the File Integrity Operator detects a change that was planned, it might be required to reinitialize the database.
 
+.Procedure
+
+* Annotate the `FileIntegrity` custom resource (CR) with `file-integrity.openshift.io/re-init`:
++
 [source,terminal]
 ----
 $ oc annotate fileintegrities/worker-fileintegrity file-integrity.openshift.io/re-init=
 ----
-
-The old database and log files are backed up and a new database is initialized.
-The old database and logs are retained on the nodes under `/etc/kubernetes`, as
++
+The old database and log files are backed up and a new database is initialized. The old database and logs are retained on the nodes under `/etc/kubernetes`, as
 seen in the following output from a pod spawned using `oc debug`:
-
++
 .Example output
 [source,terminal]
 ----
@@ -29,8 +30,6 @@ seen in the following output from a pod spawned using `oc debug`:
 -rw-------. 1 root root     613 Sep 17 15:07 /host/etc/kubernetes/aide.log.backup-20200917T15_07_38
 -rw-r--r--. 1 root root       0 Sep 17 15:07 /host/etc/kubernetes/aide.log.backup-20200917T15_07_55
 ----
-
-To provide some permanence of record, the resulting config maps are not
-owned by the `FileIntegrity` object, so manual cleanup is necessary. As a
-result, any previous integrity failures would still be visible in the
-`FileIntegrityNodeStatus` object.
++
+To provide some permanence of record, the resulting config maps are not owned by the `FileIntegrity` object, so manual cleanup is necessary. As a
+result, any previous integrity failures would still be visible in the `FileIntegrityNodeStatus` object.

modules/file-integrity-operator-viewing-attributes.adoc

@@ -3,10 +3,9 @@
 // * security/file_integrity_operator/file-integrity-operator-configuring.adoc
 
 [id="viewing-file-integrity-object-attributes_{context}"]
-= Viewing `FileIntegrity` object attributes
+= Viewing FileIntegrity object attributes
 
-As with any Kubernetes custom resources (CRs), you can run `oc explain
-fileintegrity`, and then look at the individual attributes using:
+As with any Kubernetes custom resources (CRs), you can run `oc explain fileintegrity`, and then look at the individual attributes using:
 
 [source,terminal]
 ----