ansible · g-murray · May 9, 2025 · May 8, 2025
diff --git a/downstream/assemblies/platform/assembly-edge-manager-install.adoc b/downstream/assemblies/platform/assembly-edge-manager-install.adoc
@@ -1,12 +1,33 @@
+:_mod-docs-content-type: ASSEMBLY
+
 [id="assembly-edge-manager-install"]
 
-= Enabling the {RedHatEdge}
+= Installing the {RedHatEdge} on {PlatformNameShort}
+
+Install the {RedHatEdge} to manage edge devices and applications at scale. 
+This guide focuses on a standalone deployment of the {RedHatEdge} on {RHEL} alongside {PlatformNameShort}.
+
+// For Tech Preview there is only one option, bootc not yet available:
+
+//You can select one of two methods to install the {RedHatEdge}:
+
+//* RPM Installation (on an existing {RHEL} (RHEL) system)
+//* Bootc image appliance (with the {RedHatEdge} pre-installed)
+
+include::platform/proc-edge-manager-install-rpm-package.adoc[leveloffset=+1]
+
+include::platform/con-edge-manager-set-up-oauth.adoc[leveloffset=+1]
+
+include::platform/proc-edge-manager-oauth-manually.adoc[leveloffset=+2]
+
+include::platform/proc-edge-manager-oauth-auto.adoc[leveloffset=+2]
 
-Enable the {RedHatEdge} to manage edge devices and applications at scale.
+include::platform/proc-edge-manager-integrate-aap.adoc[leveloffset=+1]
 
-ADD ENABLING/INSTALL FOR AAP CONTENT HERE WHEN AVAILABLE
+include::platform/ref-edge-manager-certificates.adoc[leveloffset=+1]
 
+//include::platform/proc-edge-manager-bootc.adoc[leveloffset=+1]
 
-include::platform/con-edge-manager-rbac-auth.adoc[leveloffset=+1]
-include::platform/ref-edge-manager-rbac-roles.adoc[leveloffset=+2]
-include::platform/ref-edge-manager-auth-resources.adoc[leveloffset=+2]
+//include::platform/con-edge-manager-rbac-auth.adoc[leveloffset=+1]
+//include::platform/ref-edge-manager-rbac-roles.adoc[leveloffset=+2]
+//include::platform/ref-edge-manager-auth-resources.adoc[leveloffset=+2]
diff --git a/downstream/attributes/attributes.adoc b/downstream/attributes/attributes.adoc
@@ -466,6 +466,11 @@
 :URLTopologies: {BaseURL}/red_hat_ansible_automation_platform/{PlatformVers}/html/tested_deployment_models
 :LinkTopologies: {URLTopologies}[{TitleTopologies}]
 //
+//titles/edge-manager/edge-manager-user-guide
+:TitleEdgeManager: Managing device fleets with the Red Hat Edge Manager
+:URLEdgeManager: {BaseURL}/red_hat_ansible_automation_platform/{PlatformVers}/html/managing_device_fleets_with_the_red_hat_edge_manager
+:LinkEdgeManager: {URLEdgeManager}[{TitleEdgeManager}]
+//
 // Lightspeed branch titles/lightspeed-user-guide
 :TitleLightspeedUserGuide: Red Hat Ansible Lightspeed with IBM watsonx Code Assistant User Guide
 :URLLightspeedUserGuide: {BaseURL}/red_hat_ansible_lightspeed_with_ibm_watsonx_code_assistant/2.x_latest/html/red_hat_ansible_lightspeed_with_ibm_watsonx_code_assistant_user_guide

diff --git a/downstream/modules/platform/con-edge-manager-agent-service.adoc b/downstream/modules/platform/con-edge-manager-agent-service.adoc
@@ -2,9 +2,7 @@
 
 = {RedHatEdge} agent and service
 
-// The intro mentions ACM, confirm if different for AAP
-
-The {RedHatEdge} agent is a process running on each managed device that periodically communicates the {RedHatEdge} service on the ACM hub cluster.
+The {RedHatEdge} agent is a process running on each managed device that periodically communicates with the {RedHatEdge} service.
 The agent is responsible for the following tasks:
 
 * Enrolling devices into the service

diff --git a/downstream/modules/platform/con-edge-manager-api-server.adoc b/downstream/modules/platform/con-edge-manager-api-server.adoc
@@ -7,7 +7,7 @@ The API server is a core part of the {RedHatEdge} service that gives users and a
 The API server exposes the following endpoints:
 
 User-facing API endpoint:: Users can connect to the user-facing API endpoint from the CLI or the web console.
-Users must authenticate with the configured external authentication service to obtain a JSON Web Token (JWT) to make HTTPS requests.
+Users must authenticate on the {Gateway} to obtain a JSON Web Token (JWT) to make HTTPS requests.
 
 Agent-facing API endpoint:: Agents connect to the agent-facing endpoint, which is mTLS-protected.
 The service authenticates devices by using the X.509 client certificates.

diff --git a/downstream/modules/platform/con-edge-manager-set-up-oauth.adoc b/downstream/modules/platform/con-edge-manager-set-up-oauth.adoc
@@ -0,0 +1,7 @@
+:_mod-docs-content-type: CONCEPT
+
+[id="edge-manager-set-up-oauth"]
+
+= Set up the OAuth application for {PlatformNameShort}
+
+You have two options for setting up the OAuth application in {PlatformNameShort}, either manually or automatically in the {PlatformNameShort} UI.
diff --git a/downstream/modules/platform/proc-edge-manager-bootc.adoc b/downstream/modules/platform/proc-edge-manager-bootc.adoc
@@ -0,0 +1,13 @@
+:_mod-docs-content-type: PROCEDURE
+
+[id="edge-manager-bootc"]
+
+= Deploying the {RedHatEdge} using the bootc image appliance
+
+For environments where you prefer a pre-configured appliance, you can use the bootc image appliance. 
+The deployment of this image provides you with a ready-to-use system that includes {RedHatEdge} pre-installed.
+
+.Procedure
+
+. Provision the bootc image by using your preferred method, such as virtualization platform or cloud service.
+. Once provisioned, follow link:https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/using_image_mode_for_rhel_to_build_deploy_and_manage_operating_systems/managing-rhel-bootc-images[Managing RHEL bootc images] to ensure {RedHatEdge} is running.
diff --git a/downstream/modules/platform/proc-edge-manager-install-rpm-package.adoc b/downstream/modules/platform/proc-edge-manager-install-rpm-package.adoc
@@ -0,0 +1,91 @@
+:_mod-docs-content-type: PROCEDURE
+
+[id="edge-manager-install-rpm-package"]
+
+= Installing the {RedHatEdge} RPM package
+
+.Prerequisites
+
+* An active {PlatformNameShort} subscription with a running instance and the necessary API URLs and OAuth credentials.
+* Podman installed for managing containers.
+* A {RHEL} host with:
+
+** Minimal installation
+** 4 cores and 16GB RAM (minimum recommended)
+** Administrative access (root or sudo-capable user)
+** SSH access
+
+.Procedure
+
+. SSH into your {RHEL} host.
+. Install the necessary repositories and packages:
+** Ensure that the {PlatformNameShort} repositories are enabled by running:
++
+[literal, options="nowrap" subs="+attributes"]
+----
+sudo dnf install -y flightctl-services
+sudo systemctl enable flightctl.target
+----
++
+** Install the {RedHatEdge} service by running the following example command based on the version of {RHEL} and architecture of your host:
++
+[literal, options="nowrap" subs="+attributes"]
+----
+subscription-manager repos --enable ansible-automation-platform-2.5-for-rhel-9-x86_64-rpms
+----
++
+. Update the installed `/etc/flightctl/service-config.yaml` to set the `baseDomain`:
++
+[literal, options="nowrap" subs="+attributes"]
+----
+sudo vi /etc/flightctl/service-config.yaml
+----
++
+[IMPORTANT]
+====
+Ensure that you set the `baseDomain` in the service configuration correctly. 
+By default, the installation process attempts to automatically set this value based on the IP address of your {RHEL} host.
+
+However, if your environment uses a specific domain name to access this host, for example `rhem-example.com`, it is recommended that you manually update the `baseDomain` in `/etc/flightctl/service-config.yaml` to this hostname.
+
+Setting the `baseDomain` correctly ensures that all generated URLs, certificates, and internal configurations within the {RedHatEdge} are accurate for your network setup. 
+This is especially important for integration with {PlatformNameShort} and for ensuring that the UI is accessible through the intended domain name.
+
+You can check the currently configured `baseDomain` using:
+
+----
+cat /etc/flightctl/service-config.yaml | grep baseDomain:
+----
+====
++
+. Start the services:
++
+[literal, options="nowrap" subs="+attributes"]
+----
+sudo systemctl start flightctl.target
+----
++
+. Verify that services are running:
++
+[literal, options="nowrap" subs="+attributes"]
+----
+sudo systemctl list-units flightctl-*.service
+----
++
+You should see these 7 services running:
++
+
+* flightctl-db
+* flightctl-kv
+* flightctl-api
+* flightctl-periodic
+* flightctl-worker
+* flightctl-ui
+* flightctl-cli-artifacts
+
++
+. Go to the UI at the `baseDomain` stored in the service configuration file:
++
+`cat /etc/flightctl/service-config.yaml | grep baseDomain:`
++
+Visit the displayed `baseDomain` in your web browser to access the UI.
diff --git a/downstream/modules/platform/proc-edge-manager-integrate-aap.adoc b/downstream/modules/platform/proc-edge-manager-integrate-aap.adoc
@@ -0,0 +1,56 @@
+:_mod-docs-content-type: PROCEDURE
+
+[id="edge-manager-integrate-aap"]
+
+= Integrating with {PlatformNameShort}
+
+To integrate the {RedHatEdge} with your {PlatformNameShort} instance, follow these additional steps.
+
+.Procedure
+
+. Configure the integration settings by editing the configuration file:
++
+[literal, options="nowrap" subs="+attributes"]
+----
+sudo vi /etc/flightctl/service-config.yaml
+----
++
+. Update the configuration to integrate with {PlatformNameShort}:
++
+[source,yaml]
+----
+global:
+  baseDomain: <your-edge-manager-ip-or-domain> <1>
+  auth:
+    type: aap <2>
+    insecureSkipTlsVerify: false <3>
+    aap:
+      apiUrl: https://your-aap-instance.example.com <4>
+      externalApiUrl: https://your-aap-instance.example.com <5>
+      oAuthApplicationClientId: <client-id-from-oauth-app> <6>
+	    oAuthToken: <your-oauth-token> <7>
+----
++
+<1> The domain name or IP for the host, this is automatically set when the RPM is installed but you can override this. 
+It is the only field that is mandatory.
+<2> Set this to `aap` to enable {PlatformNameShort} authentication.
+<3> Set to `false`.
+Only set this to `true` to skip TLS certificate verification for the {PlatformNameShort} URLs. 
+For production environments, consider configuring a CA certificate (see the Self-signed certificates section).
+<4> The internal facing API URL for the running {PlatformNameShort} instance that makes requests against.
+You can configure this URL to be an internally accessible URL for the running {PlatformNameShort} instance. 
+For example, if there are separate internal or external ingresses.
+<5> The externally accessible URL of your running {PlatformNameShort} instance.
+<6> The Client ID of the OAuth application configured in {PlatformNameShort} for the {RedHatEdge}. 
+If you do not have one yet, you can leave this empty and give an `oAuthToken` to allow the setup to create it.
+<7> An OAuth token with write permissions for the "Default" organization in your {PlatformNameShort} instance. 
+This is only needed if you want the setup process to automatically create the OAuth application. 
+Once created, this token is no longer necessary.
+
++
+. Start the services:
++
+[literal, options="nowrap" subs="+attributes"]
+----
+sudo systemctl start flightctl.target
+----
diff --git a/downstream/modules/platform/proc-edge-manager-oauth-auto.adoc b/downstream/modules/platform/proc-edge-manager-oauth-auto.adoc
@@ -0,0 +1,30 @@
+:_mod-docs-content-type: PROCEDURE
+
+[id="edge-manager-oauth-auto"]
+
+= Setting up the OAuth application automatically
+
+.Procedure
+
+. Generate an OAuth token in {PlatformNameShort}:
+.. From the navigation panel, select menu:{MenuAM}[Users].
+.. Select a user with write permissions to the *Default* organization (admin user recommended).
+.. Click the *Tokens* tab for that user.
+.. Click btn:[Create token] and enter the relevant details.
+. Add the token to *oAuthToken* in your configuration file, for example:
++
+[source,yaml]
+----
+global:
+  baseDomain: <your-edge-manager-ip-or-domain>
+  auth:
+    type: aap
+    insecureSkipTlsVerify: true
+    aap:
+      apiUrl: https://your-aap-instance.example.com
+      externalApiUrl: https://your-aap-instance.example.com
+      oAuthApplicationClientId:  # Leave empty
+      oAuthToken: <your-oauth-token>
+----
+
+When you start the services, the OAuth application is created automatically, and the *oAuthApplicationClientId* is updated in the configuration file.
diff --git a/downstream/modules/platform/proc-edge-manager-oauth-manually.adoc b/downstream/modules/platform/proc-edge-manager-oauth-manually.adoc
@@ -0,0 +1,28 @@
+:_mod-docs-content-type: PROCEDURE
+
+[id="edge-manager-oauth-manually"]
+
+= Setting up the OAuth application manually
+
+.Procedure
+
+. From the navigation panel on your {PlatformNameShort} instance, go to menu:{MenuAM}[OAuth Applications].
+. Click btn:[Create OAuth application].
+. Enter the following details:
+** *Name*: Red Hat Edge Manager
+** *URL*: The `baseDomain` of your {PlatformNameShort} UI.
+** *Authorization grant type*: Select *Authorization code*.
+** *Client*: Select *Public*.
+** *Redirect URIs*: 
+*** The redirect configured for your UI is your `baseDomain` with a /callback route appended, such as `https://your-edge-manager-ip-or-domain/callback`.
+*** To provide a redirect for console usage, configure a redirect URI, such as `http://127.0.0.1/callback`.
+. Copy the *Client ID* and update *oAuthApplicationClientId* in your configuration file with this value when {URLEdgeManager}/assembly-edge-manager-install#edge-manager-integrate-aap[Integrating with {PlatformNameShort}].
+
+[NOTE]
+====
+URIs must be separated by spaces in the *Redirect URIs* field, not commas or other delimiters.
+====
+
+.Additional resources
+
+For more information, see link:{BaseURL}/red_hat_ansible_automation_platform/{PlatformVers}/html/access_management_and_authentication/gw-token-based-authentication[Configuring access to external applications with token-based authentication]. 
diff --git a/downstream/modules/platform/ref-edge-manager-certificates.adoc b/downstream/modules/platform/ref-edge-manager-certificates.adoc
@@ -0,0 +1,29 @@
+:_mod-docs-content-type: REFERENCE
+
+[id="edge-manager-certificates"]
+
+= Self-signed certificates
+
+The {RedHatEdge} services automatically generate and store self-signed certificates in the `/etc/flightctl/pki` directory. 
+These include:
+
+* `/etc/flightctl/pki/ca.crt`
+* `/etc/flightctl/pki/ca.key`
+* `/etc/flightctl/pki/client-enrollment.crt`
+* `/etc/flightctl/pki/client-enrollment.key`
+* `/etc/flightctl/pki/server.crt`
+* `/etc/flightctl/pki/server.key`
+
+
+You can use your own custom certificates by placing them in the following locations:
+
+* Custom Server Certificate/Key Pair:
+** `/etc/flightctl/pki/server.crt`
+** `/etc/flightctl/pki/server.key`
+* Custom CA Certificate for {PlatformNameShort} authentication:
+** `/etc/flightctl/pki/auth/ca.crt`
+
+[NOTE]
+====
+Ensure that you adjust the `insecureSkipTlsVerify` setting in the `service-config.yaml` if you use a custom CA certificate for your {PlatformNameShort} instance.
+====
diff --git a/downstream/modules/platform/ref-edge-manager-config-inline.adoc b/downstream/modules/platform/ref-edge-manager-config-inline.adoc
@@ -26,4 +26,4 @@ If a file already exists in the specified path, the file is overwritten.
 .Additional resources
 
 * For more information about device lifecycle hooks and the default rules used by the {RedHatEdge} agent, see xref:edge-manager-device-lifecycle[Device lifecycle hooks].
-* For more information about granting {RedHatEdge} permissions, see xref:edge-manager-rbac-auth[{RedHatEdge} authorization].
+//* For more information about granting {RedHatEdge} permissions, see xref:edge-manager-rbac-auth[{RedHatEdge} authorization].
diff --git a/downstream/titles/edge-manager/edge-manager-user-guide/master.adoc b/downstream/titles/edge-manager/edge-manager-user-guide/master.adoc
@@ -12,6 +12,12 @@ The {RedHatEdge} aims to give simple, scalable, and secure management of edge de
 You can declare the operating system version, host configuration, and set of applications that you want to run on an individual device or a whole fleet of devices.
 The {RedHatEdge} rolls out the target configuration to devices where a device agent automatically applies them and reports progress and health status back up.
 
+[IMPORTANT]
+====
+The {RedHatEdge} is a Technology Preview feature only.
+include::platform/snippets/technology-preview.adoc[]
+====
+
 include::{Boilerplate}[]
 
 include::platform/assembly-edge-manager-intro.adoc[leveloffset=+1]