Add info about configuring scanner v4

Author: kcarmichael08

installing/installing_ocp/install-central-ocp.adoc

@@ -59,6 +59,7 @@ You can install {product-title-short} on your cluster without any customizations
 
 include::modules/adding-helm-repository.adoc[leveloffset=+3]
 include::modules/acs-quick-install-using-helm.adoc[leveloffset=+3]
+include::modules/automatically-generated-ca.adoc[leveloffset=+3]
 
 [id="install-using-helm-customizations-ocp"]
 === Install Central using Helm charts with customizations

modules/automatically-generated-ca.adoc

@@ -0,0 +1,34 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_ocp/install-central-ocp.adoc
+// * installing/installing_other/install-central-other.adoc
+:_mod-docs-content-type: CONCEPT
+[id="automatically-generated-ca_{context}"]
+= Retrieving the automatically generated certificate authority
+
+When installing {product-title-short}, a certificate authority (CA) is automatically generated and stored in a Kubernetes secret on the cluster. If you later change your installation by using Helm, you might need to supply this CA. For example, enabling Scanner V4 requires that you provide this CA.
+
+The automatically generated CA is stored in a secret that is usually named similar to `stackrox-generated-_suffix_`, where _suffix_ is a randomly generated string.
+
+To retrieve the CA and export it to a `generated-values.yaml` file when needed for the `helm upgrade` command, for example, run the following command:
+
+[source,terminal]
+----
+$ kubectl -n <namespace> get secret stackrox-generated-<suffix> \
+  -o go-template='{{ index .data "generated-values.yaml" }}' | \
+  base64 --decode >generated-values.yaml
+----
+
+[IMPORTANT]
+====
+This file might contain sensitive data, so store it in a safe place.
+====
+
+If you are using the `helm upgrade` command after changing a configuration, you might need to supply this CA. For example, to update your system and enable Scanner V4, you run the following command:
+
+[source,terminal]
+----
+$ helm upgrade -n stackrox stackrox-central-services rhacs/central-services --reuse-values \
+  -f <path_to_generated-values.yaml> \
+  --set scannerV4.disable=false
+----

modules/central-configuration-options-operator.adoc

@@ -141,7 +141,7 @@ Ensure that this value does not exceed the maximum number of connections support
 |===
 
 [id="scanner-settings_{context}"]
-== StackRox Scanner settings
+== StackRox Scanner settings for the Operator
 
 [cols="1,3"]
 |===
@@ -198,7 +198,7 @@ Ensure that this value does not exceed the maximum number of connections support
 |===
 
 [id="scannerv4-settings_{context}"]
-== Scanner V4 settings
+== Scanner V4 settings for the Operator
 
 [cols="1,3"]
 |===

modules/enabling-scanner-v4-after-helm-installation-central.adoc

@@ -0,0 +1,25 @@
+// Module included in the following assemblies:
+//
+// * operating/examine-images-for-vulnerabilities.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="enabling-scanner-v4-after-helm-installation-central_{context}"]
+= Enabling RHACS Scanner V4 for Central after Helm installation
+
+[role="_abstract"]
+Scanner V4 is not enabled by default, but you can enable Scanner V4 after installation.
+
+.Procedure
+
+. On the cluster where Central is installed, run the following command, using the instructions in "Changing configuration options after deploying the central-services Helm chart" if you need more information:
++
+[source,terminal]
+----
+$ helm upgrade -n stackrox \
+    stackrox-central-services rhacs/central-services \
+    --reuse-values \
+    -f <path_to_values_public.yaml> \
+    -f <path_to_generated-values.yaml> \// <1>
+    --set scannerV4.disable=false
+----
+<1> When updating the system and installing a new component, you must provide the internal CA. See "Retrieving the automatically generated certificate authority".
+

modules/enabling-scanner-v4-after-helm-installation-secured-cluster.adoc

@@ -0,0 +1,28 @@
+// Module included in the following assemblies:
+//
+// * operating/examine-images-for-vulnerabilities.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="enabling-scanner-v4-after-helm-installation-secured-cluster_{context}"]
+= Enabling RHACS Scanner V4 on the secured cluster after Helm installation
+
+[role="_abstract"]
+Scanner V4 is not enabled by default, but you can enable Scanner V4 after installation.
+
+.Prerequisites
+
+* You set up Central and the secured cluster by using an init bundle or CRS so that they can communicate with each other.
+
+.Procedure
+
+. On the secured cluster, run the following command, using the instructions in "Configuring the secured-cluster-services Helm chart with customizations" if you need more information:
++
+[source,terminal]
+----
+$ helm upgrade -n stackrox \
+    stackrox-central-services rhacs/secured-cluster-services \
+    --reuse-values \
+    -f <path_to_values_public.yaml> \
+    -f <path_to_generated-values.yaml> \// <1>
+    --set scannerV4.disable=false
+----
+<1> When updating the system and installing a new component, you must provide the internal CA. See "Retrieving the automatically generated certificate authority".

modules/enabling-scanner-v4-after-operator-installation-central.adoc

@@ -0,0 +1,23 @@
+// Module included in the following assemblies:
+//
+// * operating/examine-images-for-vulnerabilities.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="enabling-scanner-v4-after-operator-installation-central_{context}"]
+= Enabling RHACS Scanner V4 for Central after Operator installation
+
+[role="_abstract"]
+Scanner V4 is not enabled by default. If you did not enable it during installation, you can enable it after installation.
+
+.Procedure
+
+. In the cluster where Central is installed, in the console, click *Operators* -> *Installed Operators* and select the {product-title-short} Operator.
+. Click *Central* in the menu bar.
+. Click the name of the cluster where Central was installed. The default value is *stackrox-central-services*.
+. Click the *YAML* tab.
+. Edit the YAML file as shown in the following example:
++
+[source,yaml]
+----
+  scannerV4:
+    scannerComponent: Enabled
+----

modules/enabling-scanner-v4-after-operator-installation-secured-cluster.adoc

@@ -0,0 +1,27 @@
+// Module included in the following assemblies:
+//
+// * operating/examine-images-for-vulnerabilities.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="enabling-scanner-v4-after-operator-installation-secured-cluster_{context}"]
+= Enabling RHACS Scanner V4 on the secured cluster after Operator installation
+
+[role="_abstract"]
+Scanner V4 is not enabled by default. If you did not enable it during installation, you can enable it after installation.
+
+.Prerequisite
+
+* You set up Central and the secured cluster by using an init bundle or CRS so that they can communicate with each other.
+
+.Procedure
+
+. In the secured cluster, click *Operators* -> *Installed Operators* and select the {product-title-short} Operator.
+. Click *Secured Cluster* in the menu bar.
+. Click the default cluster name, *stackrox-secured-cluster-services*, or the name that you entered during installation.
+. Click the *YAML* tab.
+. Edit the YAML file as shown in the following example:
++
+[source,yaml]
+----
+  scannerV4:
+    scannerComponent: AutoSense
+----

modules/enabling-scanner-v4-helm-central.adoc

@@ -0,0 +1,37 @@
+// Module included in the following assemblies:
+//
+// * operating/examine-images-for-vulnerabilities.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="enabling-scanner-v4-helm-central_{context}"]
+= Enabling RHACS Scanner V4 for Central when installing with Helm
+
+[role="_abstract"]
+Scanner V4 is not enabled by default, but you can enable it during installation.  Use this procedure to understand the steps you must follow when enabling Scanner V4. However, you might need to refer to the detailed installation documentation in "Additional resources", depending on the configuration of your other components.
+
+.Procedure
+
+. On the cluster where Central is installed, run the following command, using the instructions in "Install Central using Helm charts with customizations" if you need more information:
++
+[source,terminal]
+----
+$ helm install -n stackrox --create-namespace \
+    stackrox-central-services rhacs/central-services \
+    --set scannerV4.disable=false \
+    -f <path_to_values_public.yaml> -f <path_to_values_private.yaml>
+----
++
+.Example output
+[source,terminal]
+----
+Central Services Configuration Summary:
+
+    Stackrox Version:                            4.7.1
+    Kubernetes Version:                          v1.31.6
+    Kubernetes Namespace:                        stackrox
+    Helm Release Name:                           stackrox-central-services
+    OpenShift Cluster:                           4
+    Scanner V4:                                  enabled
+    Scanner V4 DB Volume:                        PVC (scanner-v4-db)
+----
++
+. Configure your init bundle or cluster registration secret (CRS) so that Central and the secured cluster can communicate. For more information, see "Generating and applying an init bundle or cluster registration secret for RHACS on Red Hat OpenShift" or "Generating and applying an init bundle or cluster registration secret for RHACS on other platforms".

modules/enabling-scanner-v4-helm-secured-cluster.adoc

@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// * operating/examine-images-for-vulnerabilities.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="enabling-scanner-v4-helm-secured-cluster_{context}"]
+= Enabling RHACS Scanner V4 on the secured cluster when installing with Helm
+
+[role="_abstract"]
+Scanner V4 is not enabled by default, but you can enable it during installation.  Use this procedure to understand the steps you must follow when enabling Scanner V4. However, you might need to refer to the detailed installation documentation in "Additional resources", depending on the configuration of your other components.
+
+.Prerequisite
+
+* You set up Central and the secured cluster by using an init bundle or CRS so that they can communicate with each other.
+
+.Procedure
+
+. On the secured cluster, run the following command, using the instructions in "Configuring the secured-cluster-services Helm chart with customizations" if you need more information:
++
+[source,terminal]
+----
+$ helm install -n stackrox --create-namespace \
+    stackrox-secured-cluster-services rhacs/secured-cluster-services \
+    --set-file crs.file=<crs_file_name.yaml> \
+    -f <path_to_pull_secret.yaml> \
+    -f <path_to_values_public.yaml> -f <path_to_values_private.yaml> \
+    --set clusterName=<name_of_the_secured_cluster> \
+    --set centralEndpoint=<endpoint_of_central_service> \
+    --set scanner.disable=false \
+    --set scannerV4.disable=false
+----

modules/enabling-scanner-v4-operator-central.adoc

@@ -0,0 +1,22 @@
+// Module included in the following assemblies:
+//
+// * operating/examine-images-for-vulnerabilities.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="enabling-scanner-v4-operator-central_{context}"]
+= Enabling RHACS Scanner V4 for Central when installing with the Operator
+
+[role="_abstract"]
+Scanner V4 is not enabled by default, but you can enable it during installation. Use this procedure to understand the steps you must follow when enabling Scanner V4. However, you might need to refer to the detailed installation documentation in "Additional resources", depending on the configuration of your other components.
+
+.Procedure
+
+. On the cluster where Central is installed, follow the installation procedures as described in "Installing Central using the Operator method". Choose one of these methods to enable Scanner V4:
+* As described in that procedure, when configuring the available options for Central, go to the *Scanner V4 Component Settings* section and in the *Scanner V4 Component* menu, select *Enabled*.
+* In the Central custom resource (CR) YAML, configure the following parameter:
++
+[source,yaml]
+----
+  scannerV4:
+    scannerComponent: Enabled
+----
+. Configure your init bundle or cluster registration secret (CRS) to allow communication between Central and the secured cluster. For more information, see "Generating and applying an init bundle or cluster registration secret for RHACS on Red Hat OpenShift".