Add the NBDE Tang Server Operator docs

Incorporate the peer-review feedback

Update nbde-tang-server-operator-release-notes.adoc

Update the link to the released erratum

Apply suggestions from code review

Co-authored-by: Michael Burke <mburke@redhat.com>

Unify the admin prerequisites

Split commands and outputs

_topic_maps/_topic_map.yml

@@ -1021,6 +1021,22 @@ Topics:
     File: spo-troubleshooting
   - Name: Uninstalling the Security Profiles Operator
     File: spo-uninstalling
+- Name: NBDE Tang Server Operator
+  Dir: nbde_tang_server_operator
+  Distros: openshift-enterprise
+  Topics:
+  - Name: NBDE Tang Server Operator overview
+    File: nbde-tang-server-operator-overview
+  - Name: NBDE Tang Server Operator release notes
+    File: nbde-tang-server-operator-release-notes
+  - Name: Understanding the NBDE Tang Server Operator
+    File: nbde-tang-server-operator-understanding
+  - Name: Installing the NBDE Tang Server Operator
+    File: nbde-tang-server-operator-installing
+  - Name: Configuring and managing Tang servers using the NBDE Tang Server Operator
+    File: nbde-tang-server-operator-configuring-managing
+  - Name: Identifying URL of a Tang server deployed with the NBDE Tang Server Operator
+    File: nbde-tang-server-operator-identifying-url    
 - Name: cert-manager Operator for Red Hat OpenShift
   Dir: cert_manager_operator
   Distros: openshift-enterprise

modules/nbde-installing-a-tang-server.adoc

@@ -1,30 +0,0 @@
-// Module included in the following assemblies:
-//
-// security/nbde-implementation-guide.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="nbde-installing-a-tang-server_{context}"]
-= Installing a Tang server
-
-.Procedure
-
-* You can install a Tang server on a {op-system-base-full} machine using either of the following commands:
-
-** Install the Tang server by using the `yum` command:
-+
-[source,terminal]
-----
-$ sudo yum install tang
-----
-
-** Install the Tang server by using the `dnf` command:
-+
-[source,terminal]
-----
-$ sudo dnf install tang
-----
-
-[NOTE]
-====
-Installation can also be containerized and is very lightweight.
-====

modules/nbde-openshift-installation-with-nbde.adoc

@@ -1,8 +0,0 @@
-// Module included in the following assemblies:
-//
-// security/nbde-implementation-guide.adoc
-
-[id="nbde-openshift-installation-with-nbde_{context}"]
-= Installation considerations with Network-Bound Disk Encryption
-
-Network-Bound Disk Encryption (NBDE) must be enabled when a cluster node is installed. However, you can change the disk encryption policy at any time after it was initialized at installation.

modules/nbde-tang-server-operator-deploying.adoc

@@ -0,0 +1,41 @@
+// Module included in the following assemblies:
+//
+// * security/nbde_tang_server_operator/nbde-tang-server-operator-configuring-managing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="deploying-nbde-tang-server_{context}"]
+= Deploying a Tang server using the NBDE Tang Server Operator
+
+You can deploy and quickly configure one or more Tang servers using the NBDE Tang Server Operator in the web console.
+
+.Prerequisites
+
+* You must have `cluster-admin` privileges on an {product-title} cluster.
+* You have installed the NBDE Tang Server Operator on your OCP cluster.
+
+.Procedure
+
+. In the {product-title} web console, navigate to *Operators* -> *OperatorHub*.
+. Select *Project*, and click *Create Project*:
++
+image::nbde-tang-server-operator-07-create-project.png[Create Project in the web console]
+. On the `Create Project` page, fill in the required information, for example:
++
+image::nbde-tang-server-operator-09-project-values.png[Example values on the Create Project page]
+. Click *Create*.
+. NBDE Tang Server replicas require a Persistent Volume Claim (PVC) for storing encryption keys. In the web console, navigate to *Storage* -> *PersistentVolumeClaims*:
++
+image::nbde-tang-server-operator-11-pvc.png[PersistentVolumeClaims in the Storage menu]
+. On the following `PersistentVolumeClaims` screen, click *Create PersistentVolumeClaim*.
+. On the `Create PersistentVolumeClaim` page, select a storage that fits your deployment scenario. Consider how often you want to rotate the encryption keys. Name your PVC and choose the claimed storage capacity, for example:
++
+image::nbde-tang-server-operator-13-create-pvc.png[Create PersistentVolumeClaims page]
+. Navigate to *Operators* -> *Installed Operators*, and click *NBDE Tang Server*.
+. Click *Create instance*.
++
+image::nbde-tang-server-operator-15-create-instance.png[Create NBDE Tang Server instance]
+. On the `Create TangServer` page, choose the name of the Tang Server instance, amount of replicas, and specify the name of the previously created Persistent Volume Claim, for example:
++
+image::nbde-tang-server-operator-17-create-tangserver.png[Create TangServer page]
+. After you enter the required values a change settings that differ from the default values in your scenario, click *Create*.
+

modules/nbde-tang-server-operator-identifying-url-cli.adoc

@@ -0,0 +1,60 @@
+// Module included in the following assemblies:
+//
+// * security/nbde_tang_server_operator/nbde-tang-server-operator-identifying-url.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="identifying-url-nbde-tang-server-operator-using-cli_{context}"]
+= Identifying URL of the NBDE Tang Server Operator using CLI
+
+You can identify the URLs of Tang servers deployed with the NBDE Tang Server Operator from the OperatorHub by using the CLI. After you identify the URLs, you use the `clevis luks bind` command on your clients containing LUKS-encrypted volumes that you want to unlock automatically by using keys advertised by the Tang servers. See the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#configuring-manual-enrollment-of-volumes-using-clevis_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption[Configuring manual enrollment of LUKS-encrypted volumes] section in the RHEL 9 Security hardening document for detailed steps describing the configuration of clients with Clevis.
+
+.Prerequisites
+
+* You must have `cluster-admin` privileges on an {product-title} cluster.
+* You have installed the OpenShift CLI (`oc`).
+* You deployed a Tang server by using the NBDE Tang Server Operator on your OpenShift cluster.
+
+.Procedure
+
+. List details about your Tang server, for example:
++
+[source,terminal]
+----
+$ oc -n nbde describe tangserver
+----
++
+.Example output
+[source,terminal]
+----
+…
+Spec:
+…
+Status:
+  Ready:                 1
+  Running:               1
+  Service External URL:  http://34.28.173.205:7500/adv
+  Tang Server Error:     No
+Events:
+…
+----
+
+. Use the value of the `Service External URL:` item without the `/adv` part. In this example, the URL of the Tang server is `\http://34.28.173.205:7500`.
+
+.Verification
+
+* You can check that the Tang server is advertising by using `curl`, `wget`, or similar tools, for example:
++
+[source,terminal]
+----
+$ curl 2> /dev/null http://34.28.173.205:7500/adv  | jq
+----
++
+.Example output
+[source,terminal]
+----
+{
+  "payload": "eyJrZXlzIj…eSJdfV19",
+  "protected": "eyJhbGciOiJFUzUxMiIsImN0eSI6Imp3ay1zZXQranNvbiJ9",
+  "signature": "AUB0qSFx0FJLeTU…aV_GYWlDx50vCXKNyMMCRx"
+}
+----

modules/nbde-tang-server-operator-identifying-url-web-console.adoc

@@ -0,0 +1,49 @@
+// Module included in the following assemblies:
+//
+// * security/nbde_tang_server_operator/nbde-tang-server-operator-identifying-url.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="identifying-url-nbde-tang-server-operator-using-web-console_{context}"]
+= Identifying URL of the NBDE Tang Server Operator using the web console
+
+You can identify the URLs of Tang servers deployed with the NBDE Tang Server Operator from the OperatorHub by using the {product-title} web console. After you identify the URLs, you use the `clevis luks bind` command on your clients containing LUKS-encrypted volumes that you want to unlock automatically by using keys advertised by the Tang servers. See the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#configuring-manual-enrollment-of-volumes-using-clevis_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption[Configuring manual enrollment of LUKS-encrypted volumes] section in the RHEL 9 Security hardening document for detailed steps describing the configuration of clients with Clevis.
+
+.Prerequisites
+
+* You must have `cluster-admin` privileges on an {product-title} cluster.
+* You deployed a Tang server by using the NBDE Tang Server Operator on your OpenShift cluster.
+
+.Procedure
+
+. In the {product-title} web console, navigate to *Operators* -> *Installed Operators* -> *Tang Server*.
+
+. On the NBDE Tang Server Operator details page, select *Tang Server*.
++
+image::nbde-tang-server-operator-19-tangserver-details.png[NBDE Tang Server Operator details]
+
+. The list of Tang servers deployed and available for your cluster appears. Click the name of the Tang server you want to bind with a Clevis client.
+
+. The web console displays an overview of the selected Tang server. You can find the URL of your Tang server in the `Tang Server External Url` section of the screen:
++
+image::nbde-tang-server-operator-21-tangserver-overview.png[NBDE Tang Server Operator overview of a Tang server]
++
+In this example, the URL of the Tang server is `\http://34.28.173.205:7500`.
+
+.Verification
+
+* You can check that the Tang server is advertising by using `curl`, `wget`, or similar tools, for example:
++
+[source,terminal]
+----
+$ curl 2> /dev/null http://34.28.173.205:7500/adv  | jq
+----
++
+.Example output
+[source,terminal]
+----
+{
+  "payload": "eyJrZXlzIj…eSJdfV19",
+  "protected": "eyJhbGciOiJFUzUxMiIsImN0eSI6Imp3ay1zZXQranNvbiJ9",
+  "signature": "AUB0qSFx0FJLeTU…aV_GYWlDx50vCXKNyMMCRx"
+}
+----

modules/nbde-tang-server-operator-installing-cli.adoc

@@ -0,0 +1,77 @@
+// Module included in the following assemblies:
+//
+// * security/nbde_tang_server_operator/nbde-tang-server-operator-installing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installing-nbde-tang-server-operator-using-cli_{context}"]
+= Installing the NBDE Tang Server Operator using CLI
+
+You can install the NBDE Tang Server Operator from the OperatorHub using the CLI.
+
+.Prerequisites
+
+* You must have `cluster-admin` privileges on an {product-title} cluster.
+* You have installed the OpenShift CLI (`oc`).
+
+.Procedure
+
+. Use the following command to list available Operators on OperatorHub, and limit the output to Tang-related results:
++
+[source,terminal]
+----
+$ oc get packagemanifests -n openshift-marketplace | grep tang
+----
++
+.Example output
+[source,terminal]
+----
+tang-operator           Red Hat
+----
++
+In this case, the corresponding packagemanifest name is `tang-operator`.
+
+. Create a `Subscription` object YAML file to subscribe a namespace to the NBDE Tang Server Operator, for example, `tang-operator.yaml`:
++
+.Example subscription YAML for tang-operator
+[source,yaml]
+----
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+  name: tang-operator
+  namespace: openshift-operators
+spec:
+  channel: latest <1>
+  installPlanApproval: Automatic
+  name: tang-operator <2>
+  source: redhat-operators <3>
+  sourceNamespace: openshift-marketplace <4> 
+----
+<1> Specify the channel name from where you want to subscribe the Operator.
+<2> Specify the name of the Operator to subscribe to.
+<3> Specify the name of the CatalogSource that provides the Operator.
+<4> The namespace of the CatalogSource. Use `openshift-marketplace` for the default OperatorHub CatalogSources.
+
+. Apply the `Subscription` to the cluster:
++
+[source,terminal]
+----
+$ oc apply -f tang-operator.yaml
+----
+
+
+.Verification
+
+* Check that the NBDE Tang Server Operator controller runs in the `openshift-operators` namespace:
++
+[source,terminal]
+----
+$ oc -n openshift-operators get pods
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                                READY   STATUS    RESTARTS   AGE
+tang-operator-controller-manager-694b754bd6-4zk7x   2/2     Running   0          12s
+----

modules/nbde-tang-server-operator-installing-web-console.adoc

@@ -0,0 +1,33 @@
+// Module included in the following assemblies:
+//
+// * security/nbde_tang_server_operator/nbde-tang-server-operator-installing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="installing-nbde-tang-server-operator-using-web-console_{context}"]
+= Installing the NBDE Tang Server Operator using the web console
+
+You can install the NBDE Tang Server Operator from the OperatorHub using the web console.
+
+.Prerequisites
+
+* You must have `cluster-admin` privileges on an {product-title} cluster.
+
+.Procedure
+
+. In the {product-title} web console, navigate to *Operators* -> *OperatorHub*.
+. Search for the NBDE Tang Server Operator:
++
+image::nbde-tang-server-operator-01-operatorhub.png[NBDE Tang Server Operator in OperatorHub]
+. Click *Install*.
+. On the *Operator Installation* screen, keep the *Update channel*, *Version*, *Installation mode*, *Installed Namespace*, and *Update approval* fields on the default values. 
+. After you confirm the installation options by clicking *Install*, the console displays the installation confirmation.
++
+image::nbde-tang-server-operator-03-confirmation.png[Confirmation of a NBDE Tang Server Operator installation]
+
+.Verification
+
+. Navigate to the *Operators* -> *Installed Operators* page.
+. Check that the NBDE Tang Server Operator is installed and its status is `Succeeded`.
++
+image::nbde-tang-server-operator-05-succeeded.png[NBDE Tang Server Operator status]
+

modules/nbde-tang-server-operator-removing-hidden-keys.adoc

@@ -0,0 +1,95 @@
+// Module included in the following assemblies:
+//
+// * security/nbde_tang_server_operator/nbde-tang-server-operator-configuring-managing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="deleting-hidden-keys-with-nbde-tang-server-operator_{context}"]
+= Deleting hidden keys with the NBDE Tang Server Operator
+
+After you rotate your Tang server keys, the previously active keys become hidden and are no longer advertised by the Tang instance. You can use the NBDE Tang Server Operator to remove encryption keys no longer used.
+
+WARNING:: Do not remove any hidden keys unless you are sure that all bound Clevis clients already use new keys.
+
+.Prerequisites
+
+* You must have `cluster-admin` privileges on an {product-title} cluster.
+* You deployed a Tang server using the NBDE Tang Server Operator on your OpenShift cluster.
+* You have installed the OpenShift CLI (`oc`).
+
+.Procedure
+
+. List the existing keys on your Tang server, for example:
++
+[source,terminal]
+----
+$ oc -n nbde describe tangserver
+----
++
+.Example output
+[source,terminal]
+----
+…
+Status:
+  Active Keys:
+	File Name:  	PvYQKtrTuYsMV2AomUeHrUWkCGg.jwk
+	Generated:  	2022-02-08 15:44:17.030090484 +0000
+	sha1:	    	PvYQKtrTuYsMV2AomUeHrUWkCGg
+	sha256:	    	QS82aXnPKA4XpfHr3umbA0r2iTbRcpWQ0VI2Qdhi6xg
+…
+----
+. Create a YAML file for removing all hidden keys, for example, `hidden-keys-deletion-tangserver.yaml`:
++
+.Example hidden-keys-deletion YAML for tang-operator
+[source,yaml]
+----
+apiVersion: daemons.redhat.com/v1alpha1
+kind: TangServer
+metadata:
+  name: tangserver
+  namespace: nbde
+  finalizers:
+    - finalizer.daemons.tangserver.redhat.com
+spec:
+  replicas: 1
+  hiddenKeys: [] <1>
+----
+<1> The empty array as the value of the `hiddenKeys` entry indicates you want to preserve no hidden keys on your Tang server.
+
+. Apply the YAML file:
++
+[source,terminal]
+----
+$ oc apply -f hidden-keys-deletion-tangserver.yaml
+----
+
+.Verification
+
+. After a certain amount of time depending on your configuration, check that the previous active key still exists, but no hidden key is available, for example:
++
+[source,terminal]
+----
+$ oc -n nbde describe tangserver
+----
++
+.Example output
+[source,terminal]
+----
+…
+Spec:
+  Hidden Keys:
+    sha1:    PvYQKtrTuYsMV2AomUeHrUWkCGg
+  Replicas:  1
+Status:
+  Active Keys:
+    File Name:  T-0wx1HusMeWx4WMOk4eK97Q5u4dY5tamdDs7_ughnY.jwk
+    Generated:  2023-10-25 15:38:18.134939752 +0000
+    sha1:       vVxkNCNq7gygeeA9zrHrbc3_NZ4
+    sha256:     T-0wx1HusMeWx4WMOk4eK97Q5u4dY5tamdDs7_ughnY
+Status:
+  Ready:                 1
+  Running:               1
+  Service External URL:  http://35.222.247.84:7500/adv
+  Tang Server Error:     No
+Events:
+…
+----

modules/nbde-tang-server-operator-rotating-keys.adoc

@@ -0,0 +1,94 @@
+// Module included in the following assemblies:
+//
+// * security/nbde_tang_server_operator/nbde-tang-server-operator-configuring-managing.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="rotating-keys-using-nbde-tang-server-operator_{context}"]
+= Rotating keys using the NBDE Tang Server Operator
+
+With the NBDE Tang Server Operator, you also can rotate your Tang server keys. The precise interval at which you should rotate them depends on your application, key sizes, and institutional policy.
+
+.Prerequisites
+
+* You must have `cluster-admin` privileges on an {product-title} cluster.
+* You deployed a Tang server using the NBDE Tang Server Operator on your OpenShift cluster.
+* You have installed the OpenShift CLI (`oc`).
+
+.Procedure
+
+. List the existing keys on your Tang server, for example:
++
+[source,terminal]
+----
+$ oc -n nbde describe tangserver
+----
++
+.Example output
+[source,terminal]
+----
+…
+Status:
+  Active Keys:
+	File Name:  	QS82aXnPKA4XpfHr3umbA0r2iTbRcpWQ0VI2Qdhi6xg
+	Generated:  	2022-02-08 15:44:17.030090484 +0000
+	sha1:       	PvYQKtrTuYsMV2AomUeHrUWkCGg
+	sha256:     	QS82aXnPKA4XpfHr3umbA0r2iTbRcpWQ0VI2Qdhi6xg
+…	
+----
+. Create a YAML file for moving your active keys to hidden keys, for example, `minimal-keyretrieve-rotate-tangserver.yaml`:
++
+.Example key-rotation YAML for tang-operator
+[source,yaml]
+----
+apiVersion: daemons.redhat.com/v1alpha1
+kind: TangServer
+metadata:
+  name: tangserver
+  namespace: nbde
+  finalizers:
+    - finalizer.daemons.tangserver.redhat.com
+spec:
+  replicas: 1
+  hiddenKeys:
+    - sha1: "PvYQKtrTuYsMV2AomUeHrUWkCGg" <1>
+----
+<1> Specify the SHA-1 thumbprint of your active key to rotate it.
+
+. Apply the YAML file:
++
+[source,terminal]
+----
+$ oc apply -f minimal-keyretrieve-rotate-tangserver.yaml
+----
+
+.Verification
+
+. After a certain amount of time depending on your configuration, check that the previous `activeKey` value is the new `hiddenKey` value and the `activeKey` key file is newly generated, for example:
++
+[source,terminal]
+----
+$ oc -n nbde describe tangserver
+----
++
+.Example output
+[source,terminal]
+----
+…
+Spec:
+  Hidden Keys:
+    sha1:    PvYQKtrTuYsMV2AomUeHrUWkCGg
+  Replicas:  1
+Status:
+  Active Keys:
+    File Name:  T-0wx1HusMeWx4WMOk4eK97Q5u4dY5tamdDs7_ughnY.jwk
+    Generated:  2023-10-25 15:38:18.134939752 +0000
+    sha1:       vVxkNCNq7gygeeA9zrHrbc3_NZ4
+    sha256:     T-0wx1HusMeWx4WMOk4eK97Q5u4dY5tamdDs7_ughnY
+  Hidden Keys:
+    File Name:           .QS82aXnPKA4XpfHr3umbA0r2iTbRcpWQ0VI2Qdhi6xg.jwk
+    Generated:           2023-10-25 15:37:29.126928965 +0000
+    Hidden:              2023-10-25 15:38:13.515467436 +0000
+    sha1:                PvYQKtrTuYsMV2AomUeHrUWkCGg
+    sha256:              QS82aXnPKA4XpfHr3umbA0r2iTbRcpWQ0VI2Qdhi6xg
+…
+----

modules/nbde-using-tang-servers-for-disk-encryption.adoc

@@ -7,6 +7,8 @@
 
 The following components and technologies implement Network-Bound Disk Encryption (NBDE).
 
+[[fig-NBDE-Clevis-Tang]]
+.NBDE scheme when using a LUKS1-encrypted volume. The luksmeta package is not used for LUKS2 volumes.
 image::179_OpenShift_NBDE_implementation_0821_3.png[Network-Bound Disk Encryption (NBDE), Clevis framework, Tang server]
 
 _Tang_ is a server for binding data to network presence. It makes a node containing the data available when the node is bound to a certain secure network. Tang is stateless and does not require Transport Layer Security (TLS) or authentication. Unlike escrow-based solutions, where the key server stores all encryption keys and has knowledge of every encryption key, Tang never interacts with any node keys, so it never gains any identifying information from the node.

security/nbde_tang_server_operator/_attributes

@@ -0,0 +1 @@
+../../_attributes/

security/nbde_tang_server_operator/images

@@ -0,0 +1 @@
+../../images/

security/nbde_tang_server_operator/modules

@@ -0,0 +1 @@
+../../modules/

security/nbde_tang_server_operator/nbde-tang-server-operator-configuring-managing.adoc

@@ -0,0 +1,18 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="configuring-and-managing-nbde-tang-server-operator"]
+= Configuring and managing Tang servers using the NBDE Tang Server Operator
+include::_attributes/common-attributes.adoc[]
+:context: configuring-and-managing-nbde-tang-server-operator
+
+toc::[]
+
+With the NBDE Tang Server Operator, you can deploy and quickly configure Tang servers. On the deployed Tang servers, you can list existing keys and rotate them.
+
+include::modules/nbde-tang-server-operator-deploying.adoc[leveloffset=+1]
+
+include::modules/nbde-tang-server-operator-rotating-keys.adoc[leveloffset=+1]
+
+include::modules/nbde-tang-server-operator-removing-hidden-keys.adoc[leveloffset=+1]
+
+
+

security/nbde_tang_server_operator/nbde-tang-server-operator-identifying-url.adoc

@@ -0,0 +1,19 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="identifying-url-nbde-tang-server-operator"]
+= Identifying URL of a Tang server deployed with the NBDE Tang Server Operator
+include::_attributes/common-attributes.adoc[]
+:context: identifying-url-nbde-tang-server-operator
+
+toc::[]
+
+Before you can configure your Clevis clients to use encryption keys advertised by your Tang servers, you must identify the URLs of the servers.
+
+include::modules/nbde-tang-server-operator-identifying-url-web-console.adoc[leveloffset=+1]
+
+include::modules/nbde-tang-server-operator-identifying-url-cli.adoc[leveloffset=+1]
+
+[id="additional-resources-identifying-url-nbde-tang-server-operator"]
+[role="_additional-resources"]
+== Additional resources
+
+* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#configuring-manual-enrollment-of-volumes-using-clevis_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption[Configuring manual enrollment of LUKS-encrypted volumes] section in the RHEL 9 Security hardening document.

security/nbde_tang_server_operator/nbde-tang-server-operator-installing.adoc

@@ -0,0 +1,17 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="installing-nbde-tang-server-operator"]
+= Installing the NBDE Tang Server Operator
+include::_attributes/common-attributes.adoc[]
+:context: installing-nbde-tang-server-operator
+
+toc::[]
+
+You can install the NBDE Tang Operator either by using the web console or through the `oc` command from CLI.
+
+include::modules/nbde-tang-server-operator-installing-web-console.adoc[leveloffset=+1]
+
+include::modules/nbde-tang-server-operator-installing-cli.adoc[leveloffset=+1]
+
+
+
+

security/nbde_tang_server_operator/nbde-tang-server-operator-overview.adoc

@@ -0,0 +1,12 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="nbde-tang-server-operator-overview"]
+= NBDE Tang Server Operator overview
+include::_attributes/common-attributes.adoc[]
+:context: nbde-tang-server-operator-overview
+
+toc::[]
+
+Network-bound Disk Encryption (NBDE) provides an automated unlocking of LUKS-encrypted volumes using one or more dedicated network-binding servers. The client side of NBDE is called the Clevis decryption policy framework and the server side is represented by Tang.
+
+The NBDE Tang Server Operator allows the automation of deployments of one or several Tang servers in the OpenShift Container Platform (OCP) environment.
+

security/nbde_tang_server_operator/nbde-tang-server-operator-release-notes.adoc

@@ -0,0 +1,42 @@
+//NBDE Tang Server Operator Release Notes
+:_mod-docs-content-type: ASSEMBLY
+[id="nbde-tang-server-operator-release-notes"]
+= NBDE Tang Server Operator release notes
+:context: nbde-tang-server-operator-release-notes
+include::_attributes/common-attributes.adoc[]
+
+toc::[]
+
+The following release notes track the development of the Security Profiles Operator in the OpenShift Container Platform.
+
+* link:https://access.redhat.com/errata/RHEA-2023:7491[RHEA-2023:7491 - Release of the NBDE Tang Server Operator 1.0]
+
+////
+A template for a future use
+
+[id="nbde-tang-server-operator-release-notes-1-0-0"]
+== NBDE Tang Server Operator 1.0.0
+
+The following advisory is available for the NBDE Tang Server Operator 1.0.0:
+
+* link:https://access.redhat.com/errata/RHBA-2023:XXXX[RHBA-2023:XXXX NBDE Tang Server Operator bug fix update]
+
+[id="nbde-tang-server-operator-1-0-0-new-features-and-enhancements"]
+=== New features and enhancements
+
+* Lorem ipsum. (link:https://issues.redhat.com/browse/OCPBUGS-XXXXX[*OCPBUGS-XXXXX*])
+
+
+[id="nbde-tang-server-operator-1-0-0-bug-fixes"]
+=== Bug fixes
+
+* Lorem ipsum. (link:https://issues.redhat.com/browse/OCPBUGS-XXXXX[*OCPBUGS-XXXXX*])
+
+////
+
+////
+[id="nbde-tang-server-operator-release-notes_additional-resources"]
+[role="_additional-resources"]
+== Additional resources
+xref:../../security/nbde_tang_server_operator/nbde-tang-server-operator-understanding.adoc#understanding-nbde-tang-server-operator[Understanding the NBDE Tang Server Operator]
+////

security/nbde_tang_server_operator/nbde-tang-server-operator-understanding.adoc

@@ -0,0 +1,26 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="understanding-nbde-tang-server-operator"]
+= Understanding the NBDE Tang Server Operator
+include::_attributes/common-attributes.adoc[]
+:context: understanding-nbde-tang-server-operator
+
+toc::[]
+
+You can use the NBDE Tang Server Operator to automate the deployment of a Tang server in an {product-title} cluster that requires Network Bound Disk Encryption (NBDE) internally, leveraging the tools that {product-title} provides to achieve this automation.
+
+The NBDE Tang Server Operator simplifies the installation process and uses native features provided by the {product-title} environment, such as multi-replica deployment, scaling, traffic load balancing, and so on. The Operator also provides automation of certain operations that are error-prone when you perform them manually, for example:
+
+* server deployment and configuration
+* key rotation
+* hidden keys deletion
+
+The NBDE Tang Server Operator is implemented using the Operator SDK and allows the deployment of one or more Tang servers in OpenShift through custom resource definitions (CRDs).
+
+
+[id="understanding-nbde-tang-server-operator_additional-resources"]
+[role="_additional-resources"]
+== Additional resources
+* link:https://cloud.redhat.com/blog/tang-operator-providing-nbde-in-openshift[Tang-Operator: Providing NBDE in OpenShift] Red Hat Hybrid Cloud blog article
+* link:https://github.com/latchset/tang-operator[tang-operator] Github project
+* link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening[Configuring automated unlocking of encrypted volumes using policy-based decryption] chapter in the RHEL 9 Security hardening document
+

security/nbde_tang_server_operator/snippets

@@ -0,0 +1 @@
+../../snippets/

security/network_bound_disk_encryption/nbde-tang-server-installation-considerations.adoc

@@ -7,9 +7,20 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
+Network-Bound Disk Encryption (NBDE) must be enabled when a cluster node is installed. However, you can change the disk encryption policy at any time after it was initialized at installation.
+
 include::modules/nbde-installation-scenarios.adoc[leveloffset=+1]
 
-include::modules/nbde-installing-a-tang-server.adoc[leveloffset=+1]
+[id="nbde-installing-a-tang-server_{context}"]
+== Installing a Tang server
+
+To deploy one or more Tang servers, you can choose from the following options depending on your scenario:
+
+. xref:../../security/nbde_tang_server_operator/nbde-tang-server-operator-configuring-managing.adoc#deploying-nbde-tang-server_configuring-and-managing-nbde-tang-server-operator[Deploying a Tang server using the NBDE Tang Server Operator]
+. link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#deploying-a-tang-server-with-selinux-in-enforcing-mode_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption[Deploying a Tang server with SELinux in enforcing mode on RHEL systems]
+. link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#configuring-automated-unlocking-using-a-tang-key-in-the-web-console_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption[Configuring a Tang server in the RHEL web console]
+. link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#proc_deploying-tang-as-a-container_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption[Deploying Tang as a container]
+. link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening#using-the-nbde_server-system-role-for-setting-up-multiple-tang-servers_configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption[Using the nbde_server System Role for setting up multiple Tang servers]
 
 include::modules/nbde-compute-requirements.adoc[leveloffset=+2]
 
@@ -17,10 +28,8 @@ include::modules/nbde-automatic-start-at-boot.adoc[leveloffset=+2]
 
 include::modules/nbde-http-versus-https.adoc[leveloffset=+2]
 
-include::modules/nbde-openshift-installation-with-nbde.adoc[leveloffset=+1]
-
 [role="_additional-resources"]
 .Additional resources
-* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening[Configuring automated unlocking of encrypted volumes using policy-based decryption]
+* https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/configuring-automated-unlocking-of-encrypted-volumes-using-policy-based-decryption_security-hardening[Configuring automated unlocking of encrypted volumes using policy-based decryption] in the link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/index[RHEL 8 Security hardening] document
 * https://catalog.redhat.com/software/containers/detail/5fbc405674aa0cc23b445f8f?container-tabs=overview&gti-tabs=registry-tokens[Official Tang server container]
 * xref:../../installing/install_config/installing-customizing.adoc#installation-special-config-storage_installing-customizing[Encrypting and mirroring disks during installation]