Commit 001040c

Update docs for Scanner V4 installed by default
1 parent 0bd6e9d commit 001040c

36 files changed

+112
-151
lines changed

cloud_service/upgrading-cloud/upgrade-cloudsvc-roxctl.adoc

Lines changed: 2 additions & 0 deletions
@@ -57,3 +57,5 @@ include::modules/rhcos-enable-node-scan.adoc[leveloffset=+1]
5757
.Additional resources
5858
* xref:../../operating/manage-vulnerabilities/scan-rhcos-node-host.adoc#scan-rhcos-node-host[Scanning {op-system} node hosts]
5959

60+
* xref:../../operating/examine-images-for-vulnerabilities.adoc#enabling_scanner_v4_examine-images-for-vulnerabilities[Enabling Scanner V4]
61+

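Review bot: the new xref at line 60 points at a section titled "Enabling Scanner V4" (anchor `enabling_scanner_v4_examine-images-for-vulnerabilities`), but the premise of this commit is that Scanner V4 is installed by default, so an "enabling" procedure in the upgrade resources reads as stale. Confirm that the target section still exists under that id after this change and that a reader upgrading the cloud service with roxctl still needs it; otherwise drop or retitle the link.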
integration/integrate-with-image-vulnerability-scanners.adoc

Lines changed: 8 additions & 11 deletions
@@ -35,30 +35,27 @@ You can set up {product-title-short} to obtain image vulnerability data from the
3535
[discrete]
3636
=== Scanners included in {product-title-short}
3737

38-
* Scanner V4: Beginning with {product-title-short} version 4.4, a new scanner is introduced that is built on link:https://github.com/quay/claircore[ClairCore], which also powers the link:https://github.com/quay/clair[Clair] scanner. Scanner V4 supports scanning of language and OS-specific image components. You do not have to create an integration to use this scanner, but you must enable it during or after installation. For version 4.4, if you enable this scanner, you must also enable the StackRox Scanner. For more information about Scanner V4, including links to the installation documentation, see xref:../operating/examine-images-for-vulnerabilities.adoc#about-scanner-v4_examine-images-for-vulnerabilities[About {product-title-short} Scanner V4].
39-
* StackRox Scanner: This scanner is the default scanner in {product-title-short}. It originates from a fork of the Clair v2 open source scanner.
40-
+
41-
[IMPORTANT]
42-
====
43-
Even if you have Scanner V4 enabled, at this time, the StackRox Scanner must still be enabled to provide scanning of RHCOS nodes and platform vulnerabilities such as {osp}, Kubernetes, and Istio. Support for that functionality in Scanner V4 is planned for a future release. Do not disable the StackRox Scanner.
44-
====
38+
* Scanner V4: Beginning with {product-title-short} version 4.4, a new scanner is introduced that is built on link:https://github.com/quay/claircore[ClairCore], which also powers the link:https://github.com/quay/clair[Clair] scanner. Scanner V4 supports scanning of language and OS-specific image components. Scanner V4 is enabled by default during installation beginning in release 4.8. For more information about Scanner V4, including links to the installation documentation, see xref:../operating/examine-images-for-vulnerabilities.adoc#about-scanner-v4_examine-images-for-vulnerabilities[About {product-title-short} Scanner V4].
39+
* StackRox Scanner: This scanner was the default scanner in {product-title-short} before being replaced by Scanner V4. It originates from a fork of the Clair v2 open source scanner.
40+
//Do we need to tell users to disable the StackRox scanner or should they keep it enabled for the time being until it is removed?
4541

4642
[discrete]
4743
=== Alternative scanners
4844

49-
* link:https://github.com/quay/clair[Clair]: As of version 4.4, you can enable Scanner V4 in {product-title-short} to provide functionality provided by ClairCore, which also powers the Clair V4 scanner. However, you can configure Clair V4 as the scanner by configuring an integration.
45+
* link:https://github.com/quay/clair[Clair]: Scanner V4 in {product-title-short} provides functionality provided by ClairCore, which also powers the Clair V4 scanner. You can configure Clair V4 instead as the scanner by configuring an integration. However, for full functionality, use the included default scanner in {product-title-short}, which is Scanner V4.
5046
* link:https://cloud.google.com/container-registry/docs/container-analysis[Google Container Analysis]
5147
* link:https://quay.io[Red{nbsp}Hat Quay]
5248

5349
[IMPORTANT]
5450
====
55-
The StackRox Scanner, in conjunction with Scanner V4 (optional), is the preferred image vulnerability scanner to use with {product-title-short}.
56-
For more information about scanning container images with the StackRox Scanner and Scanner V4, see xref:../operating/examine-images-for-vulnerabilities.adoc#scanning-images_examine-images-for-vulnerabilities[Scanning images].
51+
Scanner V4 is the preferred image vulnerability scanner to use with {product-title-short}.
5752
====
53+
//removed link in above paragraph because it repeated the link that is in "Scanners included in RHACS"
5854

5955
If you use one of these alternative scanners in your DevOps workflow, you can use the {product-title-short} portal to configure an integration with your vulnerability scanner. After the integration, the {product-title-short} portal shows the image vulnerabilities and you can triage them easily.
6056

61-
If multiple scanners are configured, {product-title-short} tries to use the non-StackRox/{product-title-short} and Clair scanners. If those scanners fail, {product-title-short} tries to use a configured Clair scanner. If that fails, {product-title-short} tries to use Scanner V4, if configured. If Scanner V4 is not configured, {product-title-short} tries to use the StackRox Scanner.
57+
If multiple scanners are configured, {product-title-short} tries to use the non-StackRox/{product-title-short} and Clair scanners. If those scanners fail, {product-title-short} tries to use a configured Clair scanner. If that fails, {product-title-short} tries to use Scanner V4. If Scanner V4 is not enabled, {product-title-short} tries to use the StackRox Scanner.
58+
//any changes needed here?
6259

6360
include::modules/integrate-with-clair.adoc[leveloffset=+1]
6461

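Review bot: three open author questions are committed as `//` comments at new lines 40, 53 and 58 (for example `//Do we need to tell users to disable the StackRox scanner ...`) and should be resolved before merge. The first one matters to readers: the deleted IMPORTANT block at old lines 41-44 was the only place stating that the StackRox Scanner is still required for RHCOS node and platform ({osp}, Kubernetes, Istio) vulnerability scanning, and nothing in the new text replaces it. If that requirement still holds in 4.8, keep a shortened admonition; if it no longer holds, say so explicitly so users do not keep an unneeded scanner running. Minor wording at line 45: `provides functionality provided by ClairCore` repeats itself; `is built on ClairCore` reads better.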
modules/acs-architecture-overview.adoc

Lines changed: 6 additions & 6 deletions
@@ -9,19 +9,19 @@
99

1010
.{product-title-short} architecture
1111

12-
The following graphic shows the architecture with the StackRox Scanner and Scanner V4 components. Installation of Scanner V4 is optional, but provides additional benefits.
12+
The following graphic shows the product architecture, including the scanner components.
1313

1414
image::acs-architecture-scannerv4.png[{product-title} architecture for Kubernetes]
1515

16+
//Needs changes:
17+
// Change lines around Scanner V4 parts from dotted to solid in Cluster 1
18+
// ^^^ Cluster N
19+
1620
You install {product-title-short} as a set of containers in your {ocp} or Kubernetes cluster. {product-title-short} includes the following services:
1721

1822
* Central services you install on one cluster
1923
* Secured cluster services you install on each cluster you want to secure by {product-title-short}
2024
2125
In addition to these primary services, {product-title-short} also interacts with other external components to enhance your clusters' security.
2226

23-
[discrete]
24-
[id="installation-differences-architecture_{context}"]
25-
== Installation differences
26-
27-
When you install {product-title-short} on {ocp} by using the Operator, {product-title-short} installs a lightweight version of Scanner on every secured cluster. The lightweight Scanner enables the scanning of images in the integrated OpenShift image registry. When you install {product-title-short} on {ocp} or Kubernetes by using the Helm install method with the _default_ values, the lightweight version of Scanner is not installed. To install the lightweight Scanner on the secured cluster by using Helm, you must set the `scanner.disable=false` parameter. You cannot install the lightweight Scanner by using the `roxctl` installation method.
27+
When you install {product-title-short} on {ocp} by using the Operator, or on {ocp} or Kubernetes by using Helm with the `secured-cluster-services` Helm chart, {product-title-short} installs Scanner V4 components on every secured cluster. This enables the scanning of images in the integrated OpenShift image registry or in registries known to the secured cluster on non-OCP systems.

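Review bot: deleting the `[id="installation-differences-architecture_{context}"]` anchor and its heading at old lines 23-26 breaks any xref elsewhere in the repository that targets that id; grep for it before merge. The replacement paragraph at line 27 also drops the Helm-specific instruction (`scanner.disable=false`) and the roxctl limitation without saying what the equivalent is now, so a reader installing with Helm default values or with roxctl no longer learns whether Scanner V4 lands on the secured cluster. The `//Needs changes` comments at lines 16-18 are a TODO for `acs-architecture-scannerv4.png`; either update the graphic in this commit or track the TODO in an issue rather than in the source.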
modules/acs-central-services-overview.adoc

Lines changed: 1 addition & 13 deletions
@@ -9,16 +9,4 @@
99
You install Central services on a single cluster.
1010
These services include the following components:
1111

12-
* *Central*: Central is the {product-title-short} application management interface and services.
13-
It handles API interactions and user interface ({product-title-short} Portal) access.
14-
You can use the same Central instance to secure multiple {ocp} or Kubernetes clusters.
15-
* *Central DB*: Central DB is the database for {product-title-short} and handles all data persistence. It is currently based on PostgreSQL 15.
16-
* *Scanner V4*: Beginning with version 4.4, {product-title-short} contains the Scanner V4 vulnerability scanner for scanning container images. Scanner V4 is built on link:https://github.com/quay/claircore[ClairCore], which also powers the link:https://github.com/quay/clair[Clair] scanner. Scanner V4 supports scanning of language and OS-specific image components. For version 4.4, you must use this scanner in conjunction with the StackRox Scanner to provide node and platform scanning capabilities until Scanner V4 support those capabilities. Scanner V4 contains the Indexer, Matcher, and DB components.
17-
** *Scanner V4 Indexer*: The Scanner V4 Indexer performs image indexing, previously known as image analysis. Given an image and registry credentials, the Indexer pulls the image from the registry. It finds the base operating system, if it exists, and looks for packages. It stores and outputs an index report, which contains the findings for the given image.
18-
** *Scanner V4 Matcher*: The Scanner V4 Matcher performs vulnerability matching. If the Central services Scanner V4 Indexer indexed the image, then the Matcher fetches the index report from the Indexer and matches the report with the vulnerabilities stored in the Scanner V4 database. If a Secured Cluster services Scanner V4 Indexer performed the indexing, then the Matcher uses the index report that was sent from that Indexer, and then matches against vulnerabilities. The Matcher also fetches vulnerability data and updates the Scanner V4 database with the latest vulnerability data. The Scanner V4 Matcher outputs a vulnerability report, which contains the final results of an image.
19-
** *Scanner V4 DB*: This database stores information for Scanner V4, including all vulnerability data and index reports. A persistent volume claim (PVC) is required for Scanner V4 DB on the cluster where Central is installed.
20-
* *StackRox Scanner*: The StackRox Scanner is the default scanner in {product-title-short}. Version 4.4 adds a new scanner, Scanner V4. The StackRox Scanner originates from a fork of the Clair v2 open source scanner. You must continue using this scanner for RHCOS node scanning and platform scanning.
21-
* *Scanner-DB*: This database contains data for the StackRox Scanner.
22-
23-
{product-title-short} scanners analyze each image layer to determine the base operating system and identify programming language packages and packages that were installed by the operating system package manager. They match the findings against known vulnerabilities from various vulnerability sources. In addition, the StackRox Scanner identifies vulnerabilities in the node's operating system and platform. These capabilities are planned for Scanner V4 in a future release.
24-
//moved vulnerability source info to its own module - con-vuln-sources.adoc
12+
include::snippets/central-components.adoc[]

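Review bot: `include::snippets/central-components.adoc[]` at line 12 resolves relative to this file's directory (modules/snippets/...) unless the build sets a base directory; confirm the snippet is added in this commit at the path that actually resolves. Also check that the snippet preserves the facts that existed only here: that Scanner V4 DB requires a PVC on the cluster where Central is installed, and that one Central instance can secure multiple clusters. Both were removed from this file and neither appears elsewhere in the visible diff.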
modules/acs-cloud-requirements.adoc

Lines changed: 3 additions & 1 deletion
@@ -43,7 +43,9 @@ Memory:: 6 GiB of RAM is required.
4343
See the default memory and CPU requirements for each component and ensure that the node size can support them.
4444
====
4545

46-
Storage:: For {product-title-managed-short}, a persistent volume claim (PVC) is not required. However, a PVC is strongly recommended if you have secured clusters with Scanner V4 enabled. Use Solid-State Drives (SSDs) for best performance. However, you can use another storage type if you do not have SSDs available.
46+
Storage:: For {product-title-managed-short}, a persistent volume claim (PVC) is not required. However, a PVC is strongly recommended if you have secured clusters with Scanner V4 enabled.
47+
//Do we want to change this advice since Scanner V4 is now installed by default?
48+
Use Solid-State Drives (SSDs) for best performance. However, you can use another storage type if you do not have SSDs available.
4749
+
4850
[IMPORTANT]
4951
====
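Review bot: the storage advice at line 46 is left unchanged while the open question is committed as the `//` comment at line 47. Since the rest of this commit makes Scanner V4 the default on secured clusters, the condition `if you have secured clusters with Scanner V4 enabled` now applies to every secured cluster; simplify it to recommend a PVC for all secured clusters (or state when one is not needed) and remove the comment rather than merging it.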

modules/acs-requirements.adoc

Lines changed: 3 additions & 1 deletion
@@ -43,7 +43,9 @@ Memory:: 6 GiB of RAM is required.
4343
See the default memory and CPU requirements for each component and ensure that the node size can support them.
4444
====
4545

46-
Storage:: A persistent volume claim (PVC) is required on the cluster where Central is installed. It is strongly recommended on the secured clusters where Scanner V4 is enabled. Use Solid-State Drives (SSDs) for best performance. However, you can use another storage type if you do not have SSDs available.
46+
Storage:: A persistent volume claim (PVC) is required on the cluster where Central is installed. It is strongly recommended on the secured clusters where Scanner V4 is enabled.
47+
//Do we want to change this advice since Scanner V4 is now installed by default?
48+
Use Solid-State Drives (SSDs) for best performance. However, you can use another storage type if you do not have SSDs available.
4749
+
4850
[IMPORTANT]
4951
====
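Review bot: same issue as in modules/acs-cloud-requirements.adoc: line 46 still conditions the PVC recommendation on `secured clusters where Scanner V4 is enabled`, which is now the default, and line 47 ships an unresolved `//Do we want to change this advice ...` question. Update the sentence and drop the comment before merge.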

modules/acs-secured-cluster-services-overview.adoc

Lines changed: 5 additions & 3 deletions
@@ -24,11 +24,13 @@ In addition, Sensor is responsible for all cluster interactions, such as applyin
2424
* *Admission controller*: The Admission controller prevents users from creating workloads that violate security policies in {short-title}.
2525
* *Collector*: Collector analyzes and monitors container activity on cluster nodes.
2626
It collects container runtime and network activity information and sends the collected data to Sensor.
27+
* *Scanner V4*: Scanner V4 components are installed on the secured cluster by default.
28+
** *Scanner V4 Indexer*: The Scanner V4 Indexer performs image indexing, previously known as image analysis. Given an image and registry credentials, the Indexer pulls the image from the registry. It finds the base operating system, if it exists, and looks for packages. It stores and outputs an index report, which contains the findings for the given image.
29+
** *Scanner V4 DB*: This database stores information for Scanner V4, including index reports. For best performance, configure a persistent volume claim (PVC) for Scanner V4 DB.
2730
* *StackRox Scanner*: In Kubernetes, the secured cluster services include Scanner-slim as an optional component. However, on {ocp}, {short-title} installs a Scanner-slim version on each secured cluster to scan images in the {ocp} integrated registry and optionally other registries.
31+
//Is this still true or does it now just install Scanner V4?
2832
* *Scanner-DB*: This database contains data for the StackRox Scanner.
29-
* *Scanner V4*: Scanner V4 components are installed on the secured cluster if enabled.
30-
** *Scanner V4 Indexer*: The Scanner V4 Indexer performs image indexing, previously known as image analysis. Given an image and registry credentials, the Indexer pulls the image from the registry. It finds the base operating system, if it exists, and looks for packages. It stores and outputs an index report, which contains the findings for the given image.
31-
** *Scanner V4 DB*: This component is installed if Scanner V4 is enabled. This database stores information for Scanner V4, including index reports. For best performance, configure a persistent volume claim (PVC) for Scanner V4 DB.
33+
//changes needed - should this be required?
3234
+
3335
[NOTE]
3436
====
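Review bot: the StackRox Scanner bullet at line 30 still states that {short-title} installs Scanner-slim on each {ocp} secured cluster, which contradicts the updated modules/acs-architecture-overview.adoc in this same commit, where the Operator and the `secured-cluster-services` Helm chart install Scanner V4 components on every secured cluster; the `//Is this still true` comment at line 31 shows this was noticed but not resolved. Either correct the bullet or, if both scanners are installed, say so. The Scanner V4 DB entry at line 29 also says a PVC is configured "for best performance", while modules/acs-requirements.adoc calls it strongly recommended; align the wording, and replace the `//changes needed - should this be required?` comment at line 33 with the decision.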

modules/acscs-architecture-overview.adoc

Lines changed: 2 additions & 1 deletion
@@ -13,7 +13,8 @@ You can also integrate it with your existing DevOps tools and workflows to impro
1313

1414
.{product-title-managed-short} architecture
1515

16-
The following graphic shows the architecture with the StackRox Scanner and Scanner V4. Installation of Scanner V4 is optional, but provides additional benefits.
16+
The following graphic shows the architecture with the StackRox Scanner and Scanner V4.
17+
//Does this graphic need updates to change Scanner V4 components to non-dotted lines since they are now not optional?
1718

1819
image::acscs-architecture-scannerv4.png[{product-title-managed-short}]
1920
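Review bot: line 16 still describes the graphic as showing "the StackRox Scanner and Scanner V4", while the equivalent sentence in modules/acs-architecture-overview.adoc was changed in this commit to "including the scanner components"; use the same wording in both. The `//Does this graphic need updates` comment at line 17 is the same graphic TODO as in that file; resolve it with an updated `acscs-architecture-scannerv4.png` or an issue rather than merging the question.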

modules/acscs-central-overview.adoc

Lines changed: 1 addition & 9 deletions
@@ -8,12 +8,4 @@
88
Red{nbsp}Hat manages Central, the control plane for {product-title-managed-short}.
99
These services include the following components:
1010

11-
* *Central*: Central is the {product-title-short} application management interface and services.
12-
It handles API interactions and user interface ({product-title-short} Portal) access.
13-
* *Central DB*: Central DB is the database for {product-title-short} and handles all data persistence. It is currently based on PostgreSQL 15.
14-
* *Scanner V4*: Beginning with version 4.4, {product-title-short} contains the Scanner V4 vulnerability scanner for scanning container images. Scanner V4 is built on link:https://github.com/quay/claircore[ClairCore], which also powers the link:https://github.com/quay/clair[Clair] scanner. Scanner V4 includes the Indexer, Matcher, and Scanner V4 DB components, which are used in scanning.
15-
* *StackRox Scanner*: The StackRox Scanner is the default scanner in {product-title-short}. The StackRox Scanner originates from a fork of the Clair v2 open source scanner.
16-
* *Scanner-DB*: This database contains data for the StackRox Scanner.
17-
18-
{product-title-short} scanners analyze each image layer to determine the base operating system and identify programming language packages and packages that were installed by the operating system package manager. They match the findings against known vulnerabilities from various vulnerability sources. In addition, the StackRox Scanner identifies vulnerabilities in the node's operating system and platform. These capabilities are planned for Scanner V4 in a future release.
19-
//moved vulnerability source info to its own module - con-vuln-sources.adoc
11+
include::snippets/central-components.adoc[]

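Review bot: replacing this list with `include::snippets/central-components.adoc[]` at line 11 shares one snippet between the managed Central and the self-managed Central (modules/acs-central-services-overview.adoc). The removed managed-service text deliberately omitted self-managed details, such as the PVC requirement for Scanner V4 DB and the "same Central instance to secure multiple clusters" sentence; verify that the snippet does not pull those into the {product-title-managed-short} page, or guard them with an attribute condition.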
modules/automatically-generated-ca.adoc

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@
66
[id="automatically-generated-ca_{context}"]
77
= Retrieving the automatically generated certificate authority
88

9-
When installing {product-title-short}, a certificate authority (CA) is automatically generated and stored in a Kubernetes secret on the cluster. If you later change your installation by using Helm, you might need to supply this CA. For example, enabling Scanner V4 requires that you provide this CA.
9+
When installing {product-title-short}, a certificate authority (CA) is automatically generated and stored in a Kubernetes secret on the cluster. If you later change your installation by using Helm, you might need to supply this CA. For example, enabling an {product-title-short} component that was initially disabled at installation time requires that you provide this CA.
1010

1111
The automatically generated CA is stored in a secret that is usually named similar to `stackrox-generated-_suffix_`, where _suffix_ is a randomly generated string.
1212

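Review bot: the new example at line 9, "enabling an {product-title-short} component that was initially disabled at installation time", is generic enough that the reader no longer learns which Helm changes need the CA; if Scanner V4 is the only such component, keeping it as the concrete example ("enabling Scanner V4 if it was disabled at installation") is clearer. Minor: the article "an" is correct only if `{product-title-short}` expands to a name that starts with a vowel sound (such as "RHACS").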
modules/central-configuration-options-operator.adoc

Lines changed: 3 additions & 2 deletions
@@ -193,7 +193,7 @@ Ensure that this value does not exceed the maximum number of connections support
193193
|Use `Enabled` to enable monitoring for the StackRox Scanner. When you enable monitoring, {product-title-short} creates a new monitoring service on port number `9090`. The default value is `Disabled`.
194194

195195
| `scanner.scannerComponent`
196-
| If you do not want to deploy the StackRox Scanner, you can disable it by using this parameter. If you disable the StackRox Scanner, all other settings in this section have no effect. Red{nbsp}Hat does not recommend disabling {product-title} the StackRox Scanner. Do not disable the StackRox Scanner if you have enabled Scanner V4. Scanner V4 requires that the StackRox Scanner is also enabled to provide the necessary scanning capabilities.
196+
| If you do not want to deploy the StackRox Scanner, you can disable it by using this parameter. If you disable the StackRox Scanner, all other settings in this section have no effect.
197197

198198
|===
199199

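Review bot: the shortened `scanner.scannerComponent` description at line 196 removes the warning against disabling the StackRox Scanner, but nothing in this commit establishes that Scanner V4 now covers the RHCOS node and platform scanning that the deleted admonition in integration/integrate-with-image-vulnerability-scanners.adoc attributed to the StackRox Scanner. If the StackRox Scanner is still required for those, keep a one-sentence caution here; if not, state that disabling it is supported. The row also never names the accepted values, unlike the other rows in this table (for example `Enabled`/`Disabled`); list them.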
@@ -287,7 +287,8 @@ The default value is `scanner-v4-db`.
287287
| Configures a monitoring endpoint for Scanner V4. The monitoring endpoint allows other services to collect metrics from Scanner V4, provided in a Prometheus-compatible format. Use `Enabled` to expose the monitoring endpoint. When you enable monitoring, {product-title-short} creates a new service, `monitoring`, with port 9090, and a network policy allowing inbound connections to the port. By default, this is not enabled.
288288

289289
| `scannerV4.scannerComponent`
290-
| Enables Scanner V4. The default value is `default`, which is disabled. To enable Scanner V4, set this parameter to `Enabled`.
290+
| If this setting is not specified, by default during installation, Scanner V4 is enabled.
291+
//Is there a way to disable Scanner V4 with this parameter? If so, should we point out the danger of disabling Scanner V4? Does disabling Scanner V4 mean that then only the StackRox Scanner will be used and they won't have capabilities of Scanner V4? I assume that StackRox Scanner will still work until it is removed, but is that a valid assumption?
291292

292293
|===
293294

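Review bot: the `scannerV4.scannerComponent` row at line 290 no longer lists the accepted values or what the default resolves to; the old text showed `default` and `Enabled`, so the new text should say which values are accepted, that an unset or `default` value now means enabled, and whether disabling is supported and what it implies (fallback to the StackRox Scanner, per the integration page in this commit). The four-question `//` comment at line 291 asks exactly this and should be answered in the row text, not committed.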