Update installation documentation (#733)

Author: thegridman

docs/images/openshift-coherence-install-done.png

@@ -0,0 +1,132 @@
+///////////////////////////////////////////////////////////////////////////////
+
+    Copyright (c) 2020, 2025, Oracle and/or its affiliates.
+    Licensed under the Universal Permissive License v 1.0 as shown at
+    http://oss.oracle.com/licenses/upl.
+
+///////////////////////////////////////////////////////////////////////////////
+
+= Coherence Operator Installation
+
+The Coherence Operator is available as an image from the GitHub container registry
+`container-registry.oracle.com/middleware/coherence-operator:{operator-version}` that can
+easily be installed into a Kubernetes cluster.
+
+== Coherence Operator Installation
+
+*Contents*
+
+* <<prereq,Prerequisites before installation>>
+* <<ha,Operator High Availability>>
+* <<images,Coherence Operator Images>>
+* <<scope,Operator Scope - monitoring all or a fixed set of namespaces>>
+
+[#prereq]
+=== Prerequisites
+The prerequisites apply to all installation methods.
+
+* Access to Oracle Coherence Operator images.
+* Access to a Kubernetes cluster. The Operator test pipeline is run using against all the currently supported Kubernetes versions.
+* A Coherence application image using Coherence version 12.2.1.3 or later. Note that some functionality (e.g. metrics) is only
+available in Coherence 12.2.1.4 and later.
+
+
+[NOTE]
+====
+Istio (or similar service meshes)
+
+When installing the Operator and Coherence into Kubernetes cluster that use Istio or similar meshes there are a
+number of pre-requisites that must be understood.
+See the <<examples/400_Istio/README.adoc,Istio example>> for more details.
+====
+
+=== Installation Options
+
+There are a number of ways to install the Coherence Operator.
+
+* <<installation/011_install_manifests.adoc,Install using the yaml manifest file>>
+* <<installation/012_install_helm.adoc,Install using Helm>>
+* <<installation/013_install_kustomize.adoc,Install using Kustomize>>
+* <<installation/014_install_openshift.adoc,Install on OpenShift>>
+* <<installation/015_install_olm.adoc,Install using the Operator Lifecycle Manager (OLM)>>
+* <<installation/016_install_tanzu.adoc,Install on VMWare Tanzu>>
+
+
+[#ha]
+=== High Availability
+
+The Coherence Operator runs in HA mode by default. The `Deployment` created by the installation will have a replica count of 3.
+In reduced capacity Kubernetes clusters, for example, local laptop development and test, the replica count can be reduced. It is recommended to leave the default of 3 for production environments.
+Instructions on how to change the replica count for the different install methods are included below.
+
+The Coherence Operator runs a REST server that the Coherence cluster members will query to discover the site and rack names that should be used by Coherence. If the Coherence Operator is not running when a Coherence Pod starts, then the Coherence member in that Pod will be unable to properly configure its site and rack names, possibly leading to data distribution that is not safely distributed over sites. In production, and in Kubernetes clusters that are spread over multiple availability zones and failure domains, it is important to run the Operator in HA mode.
+
+The Operator yaml files and Helm chart include a default Pod scheduling configuration that uses anti-affinity to distribute the three replicas onto nodes that have different `topology.kubernetes.io/zone` labels. This label is a standard Kubernetes label used to describe the zone the node is running in, and is typically applied by Kubernetes cloud vendors.
+
+
+=== Notes
+
+NOTE: Installing the Coherence Operator using the methods below will create a number of `ClusterRole` RBAC resources.
+Some corporate security policies do not like to give cluster wide roles to third-party products.
+To help in this situation the operator can be installed without cluster roles, but with caveats
+(see the <<docs/installation/09_RBAC.adoc,RBAC>> documentation) for more details.
+
+NOTE: OpenShift - the Coherence Operator works without modification on OpenShift, but some versions
+of the Coherence images will not work out of the box.
+See the <<docs/installation/06_openshift.adoc,OpensShift>> section of the documentation that explains how to
+run Coherence clusters with the Operator on OpenShift.
+
+NOTE: Whilst Coherence works out of the box on many Kubernetes installations, some Kubernetes
+installations may configure iptables in a way that causes Coherence to fail to create clusters.
+See the <<docs/installation/08_networking.adoc,O/S Network Configuration>> section of the documentation
+for more details if you have well-known-address issues when Pods attempt to form a cluster.
+
+[#images]
+== Coherence Operator Images
+
+The Coherence Operator uses a single image, the Operator also runs as an init-container in the Coherence cluster Pods.
+
+* `{operator-image}` - The Operator image.
+
+If no image is specified in the `Coherence` yaml, then the default Coherence image will also be used,
+
+* `{coherence-image}` - The default Coherence image.
+
+If using a private image registry then these images will all need to be pushed to that registry for the Operator to work. The default Coherence image may be omitted if all Coherence applications will use custom Coherence images.
+
+[#scope]
+== Operator Scope
+
+The recommended way to install the Coherence Operator is to install a single instance of the operator into a namespace
+and where it will then control `Coherence` resources in all namespaces across the Kubernetes cluster.
+Alternatively it may be configured to watch a sub-set of namespaces by setting the `WATCH_NAMESPACE` environment variable.
+The watch namespace(s) does not have to include the installation namespace.
+
+[CAUTION]
+====
+In theory, it is possible to install multiple instances of the Coherence Operator into different namespaces, where
+each instance monitors a different set of namespaces. There are a number of potential issues with this approach, so
+it is not recommended.
+
+* Only one version of a CRD can be installed - There is currently only a single version of the CRD, but different
+releases of the Operator may use slightly different specs of this CRD version, for example
+a new Operator release may introduce extra fields not in the previous releases.
+As the CRD version is fixed at `v1` there is no guarantee which CRD version has actually installed, which could lead to
+subtle issues.
+* The operator creates and installs defaulting and validating web-hooks. A web-hook is associated to a CRD resource so
+installing multiple web-hooks for the same resource may lead to issues. If an operator is uninstalled, but the web-hook
+configuration remains, then Kubernetes will not accept modifications to resources of that type as it will be
+unable to contact the web-hook.
+
+It is possible to run the Operator without web-hooks, but this has its own
+caveats see the <<docs/installation/07_webhooks.adoc,Web Hooks>> documentation for how to do this.
+====
+
+[IMPORTANT]
+====
+If multiple instances of the Operator are installed, where they are monitoring the same namespaces, this can cause issues.
+For example, when a `Coherence` resource is then changed, all the Operator deployments will receive the same events
+from Etcd and try to apply the same changes. Sometimes this may work, sometimes there may be errors, for example multiple
+Operators trying to remove finalizers and delete a Coherence cluster.
+====
+

docs/images/openshift-coherence-install-progress.png

@@ -0,0 +1,135 @@
+///////////////////////////////////////////////////////////////////////////////
+
+    Copyright (c) 2020, 2025, Oracle and/or its affiliates.
+    Licensed under the Universal Permissive License v 1.0 as shown at
+    http://oss.oracle.com/licenses/upl.
+
+///////////////////////////////////////////////////////////////////////////////
+
+= Install Using Manifests
+
+== Install Using Manifests
+
+If you want the default Coherence Operator installation then the simplest solution is use `kubectl` to
+apply the manifests from the Operator release.
+
+[NOTE]
+====
+As of v3.5.0 of the Operator the manifest yaml also installs the two CRDs that the Operator uses.
+In previous releases the Operator would install the CRDs when it started but this behaviour is disabled by default
+when installing with the manifest yaml.
+====
+
+The following command will install the Operator. This assumes that the Kubernetes account being used to perform
+the installation has all the RBAC permissions required to install all the resource types in the yaml file.
+
+[source,bash]
+----
+kubectl apply -f https://github.com/oracle/coherence-operator/releases/download/v3.5.0/coherence-operator.yaml
+----
+
+This will create a namespace called `coherence` and install the CRDs and the Operator into the namespace,
+along with all the required `ClusterRole` and `RoleBinding` resources. The `coherence` namespace can be changed by
+downloading and editing the yaml file.
+
+In some restricted environments, a Kubernetes user might not have RBAC permissions to install CRDs.
+In this case the `coherence-operator.yaml` file will need to be edited to remove the two CRDs from the
+beginning of the file. The CRDs *_must be manually installed before the Operator is installed_*, as described
+below in <<manual-crd,Manually Install the CRDs>>.
+
+[NOTE]
+====
+Because the `coherence-operator.yaml` manifest also creates the namespace, the corresponding `kubectl delete`
+command will _remove the namespace and everything deployed to it_! If you do not want this behaviour you should edit
+the `coherence-operator.yaml` to remove the namespace section from the start of the file.
+====
+
+Instead of using a hard coded version in the command above you can find the latest Operator version using `curl`:
+
+[source,bash]
+----
+export VERSION=$(curl -s \
+  https://api.github.com/repos/oracle/coherence-operator/releases/latest \
+  | grep '"name": "v' \
+  | cut -d '"' -f 4 \
+  | cut -b 2-10)
+----
+
+Then download with:
+[source,bash]
+----
+kubectl apply -f https://github.com/oracle/coherence-operator/releases/download/${VERSION}/coherence-operator.yaml
+----
+
+[#manifest-restrict]
+== Installing Without Cluster Roles
+
+The default install for the Operator is to have one Operator deployment that manages all Coherence resources across
+all the namespaces in a Kubernetes cluster. This requires the Operator to have cluster role RBAC permissions
+to manage and monitor all the resources.
+
+Sometimes, for security reasons or for example in a shared Kubernetes cluster this is not desirable.
+The Operator can therefore be installed with plain namespaced scoped roles and role bindings.
+The Operator release includes a single yaml file named `coherence-operator-restricted.yaml` that may be used to install
+the Operator into a single namespace without any cluster roles.
+
+The Operator installed with this yaml
+
+* will not use WebHooks
+* will not look-up Node labels for Coherence site and rack configurations
+
+[NOTE]
+====
+As of v3.5.0 of the Operator the `coherence-operator-restricted.yaml` also installs the two CRDs that the Operator uses.
+In previous releases the Operator would install the CRDs when it started but this behaviour is disabled by default
+when installing with the manifest yaml.
+====
+
+The following command will install the Operator. This assumes that the Kubernetes account being used to perform
+the installation has all the RBAC permissions required to install all the resource types in the yaml file.
+
+[source,bash]
+----
+kubectl apply -f https://github.com/oracle/coherence-operator/releases/download/v3.5.0/coherence-operator-restricted.yaml
+----
+[IMPORTANT]
+====
+In some restricted environments, a Kubernetes user might not have RBAC permissions to install CRDs.
+In this case the `coherence-operator.yaml` file will need to be edited to remove the two CRDs from the
+beginning of the file. The CRDs *_must be manually installed before the Operator is installed_*, as described
+below in <<manual-crd,Manually Install the CRDs>>.
+====
+
+[#manual-crd]
+== Manually Install the CRDs
+
+Although by default the Operator will install its CRDs, they can be manually installed into Kubernetes.
+This may be required where the Operator is running with restricted permissions as described above.
+
+The Operator release artifacts include small versions of the two CRDs which can be installed with the following commands:
+
+[source,bash]
+----
+kubectl apply -f https://github.com/oracle/coherence-operator/releases/download/v3.5.0/coherence.oracle.com_coherence_small.yaml
+kubectl apply -f https://github.com/oracle/coherence-operator/releases/download/v3.5.0/coherencejob.oracle.com_coherence_small.yaml
+----
+
+The small versions of the CRDs are identical to the full versions but hav a cut down OpenAPI spec with a lot of comments
+removed so that the CRDs are small enough to be installed with `kubectl apply`
+
+== Change the Operator Replica Count
+
+When installing with single manifest yaml file, the replica count can be changed by editing the yaml file itself
+to change the occurrence of `replicas: 3` in the manifest yaml to `replicas: 1`
+
+For example, this could be done using `sed`
+[source,bash]
+----
+sed -i -e 's/replicas: 3/replicas: 1/g' coherence-operator.yaml
+----
+
+Or on MacOS, where `sed` is slightly different:
+[source,bash]
+----
+sed -i '' -e 's/replicas: 3/replicas: 1/g' coherence-operator.yaml
+----