diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index 9b45b682eebd..c88d909ac2b9 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -1234,6 +1234,8 @@ Topics: Topics: - Name: Zero Trust Workload Identity Manager overview File: zero-trust-manager-overview + - Name: Zero Trust Workload Identity Manager components + File: zero-trust-manager-components - Name: Zero Trust Workload Identity Manager release notes File: zero-trust-manager-release-notes - Name: Installing Zero Trust Workload Identity Manager diff --git a/modules/zero-trust-manager-about-components.adoc b/modules/zero-trust-manager-about-components.adoc deleted file mode 100644 index bc73512210a7..000000000000 --- a/modules/zero-trust-manager-about-components.adoc +++ /dev/null 
@@ -1,30 +0,0 @@ -// Module included in the following assemblies: -// -// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc - -:_mod-docs-content-type: CONCEPT -[id="zero-trust-manager-about-features_{context}"] -= {zero-trust-full} components - -The following components are available as part of the initial release of {zero-trust-full}. - -[id="spiffe-csi-driver_{context}"] -== SPIFFE CSI Driver - -The SPIFFE Container Storage Interface (CSI) is a plugin that helps pods securely obtain their {svid-full} by delivering the Workload API socket into the pod. The SPIFFE CSI driver is deployed as a daemonset on the cluster ensuring that a driver instance runs on each node. The driver uses the ephemeral inline volume capability of Kubernetes allowing pods to request volumes directly provided by the SPIFFE CSI driver. This simplifies their use by applications that need temporary storage. - -When the pod starts, the Kubelet calls the SPIFFE CSI driver to provision and mount a volume into the pod's containers. The SPIFFE CSI driver mounts a directory that contains the SPIFFE Workload API into the pod. Applications in the pod then communicate with the Workload API to obtain their SVIDs. The driver guarantees that each SVID is unique. - -[id="spire-oidc-federation_{context}"] -== SPIRE OpenID Connect Discovery Provider - -The SPIRE OpenID Connect Discovery Provider is a standalone component that makes SPIRE-issued JWT-SVIDs compatible with standard OpenID Connect (OIDC) users by exposing a open ID configuration endpoint and a JWKS URI for token verification. It is essential for integrating SPIRE-based workload identity with systems that require OIDC-compliant tokens, especially, external APIs. While SPIRE primarily issues identities for workloads, additional workload-related claims can be embedded into JWT-SVIDs through the configuration of SPIRE, which these claims to be included in the token and verified by OIDC-compliant clients. 
- -[id="spire-controller-manager_{context}"] -== SPIRE Controller Manager - -The SPIRE Controller Manager uses custom resource definitions (CRDs) to facilitate the registration of workloads. To facilitate workload registration, the SPIRE Controller Manager registers controllers against pods and CRDs. When changes are detected on these resources, a workload reconciliation process is triggered. This process determines which SPIRE entries should exist based on the existing pods and CRDs. The reconciliation process creates, updates, and deletes entries on the SPIRE Server as appropriate. - -The SPIRE Controller Manager is designed to be deployed on the same pod as the SPIRE Server. The manager communicates with the SPIRE Server API using a private UNIX Domain Socket within a shared volume. - - diff --git a/modules/zero-trust-manager-about-controller-manager.adoc b/modules/zero-trust-manager-about-controller-manager.adoc new file mode 100644 index 000000000000..9880a2e8cc34 --- /dev/null +++ b/modules/zero-trust-manager-about-controller-manager.adoc @@ -0,0 +1,13 @@ +// Module included in the following assemblies: +// +// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc + +:_mod-docs-content-type: CONCEPT +[id="zero-trust-manager-about-controller-manager_{context}"] += SPIRE Controller Manager + +[role="_abstract"] +Use the SPIRE Controller Manager to automate workload registration with custom resource definitions (CRDs). The manager monitors pods and CRDs to create, update, or delete entries on the SPIRE Server. This process helps ensure that your SPIRE entries accurately reflect your active resources. + +The SPIRE Controller Manager is designed to be deployed on the same pod as the SPIRE Server. The manager communicates with the SPIRE Server API using a private UNIX Domain Socket within a shared volume. + 
diff --git a/modules/zero-trust-manager-about-csi-driver.adoc b/modules/zero-trust-manager-about-csi-driver.adoc new file mode 100644 index 000000000000..3dcfdb3fbb1c --- /dev/null +++ b/modules/zero-trust-manager-about-csi-driver.adoc @@ -0,0 +1,13 @@ +// Module included in the following assemblies: +// +// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc + +:_mod-docs-content-type: CONCEPT +[id="zero-trust-manager-about-csi-driver_{context}"] += SPIFFE CSI Driver + +[role="_abstract"] +The SPIFFE Container Storage Interface (CSI) driver helps pods securely obtain their {svid-full} by delivering the Workload API socket. By using Kubernetes ephemeral inline volumes, the driver simplifies how applications request temporary storage for identity management. + +When the pod starts, the Kubelet calls the SPIFFE CSI driver to provision and mount a volume into the pod's containers. The SPIFFE CSI driver mounts a directory that contains the SPIFFE Workload API into the pod. Applications in the pod then communicate with the Workload API to obtain their SVIDs. The driver guarantees that each SVID is unique. + diff --git a/modules/zero-trust-manager-about-oidc-provider.adoc b/modules/zero-trust-manager-about-oidc-provider.adoc new file mode 100644 index 000000000000..a51b29026e50 --- /dev/null +++ b/modules/zero-trust-manager-about-oidc-provider.adoc 
@@ -0,0 +1,12 @@ +// Module included in the following assemblies: +// +// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc + +:_mod-docs-content-type: CONCEPT +[id="zero-trust-manager-about-oidc-provider_{context}"] += SPIRE OpenID Connect Discovery Provider + +[role="_abstract"] +Use the SPIRE OpenID Connect (OIDC) Discovery Provider to integrate SPIRE workload identities with OIDC-compliant systems. This component exposes endpoints for token verification. It helps ensure compatibility between SPIRE-issued credentials and external APIs requiring standard OIDC tokens. + +While SPIRE primarily issues identities for workloads, additional workload-related claims can be embedded into JWT-SVIDs through the configuration of SPIRE, which these claims to be included in the token and verified by OIDC-compliant clients. \ No newline at end of file diff --git a/modules/zero-trust-manager-available-metrics.adoc b/modules/zero-trust-manager-available-metrics.adoc new file mode 100644 index 000000000000..fc18c95c1835 --- /dev/null +++ b/modules/zero-trust-manager-available-metrics.adoc 
@@ -0,0 +1,60 @@ +// Module included in the following assemblies: +// +// * security/zer_trust_workload_identity_manager/zero-trust-manager-monitoring.adoc + +:_mod-docs-content-type: REFERENCE +[id="zero-trust-manager-available-metrics_{context}"] += {zero-trust-full} monitoring available metrics + +[role="_abstract"] +Monitor the health and performance of {zero-trust-full} components by reviewing exposed metrics. This reference describes controller, certificate, and runtime metrics that help you maintain system health and troubleshoot errors. + +The {zero-trust-full} exposes the following metrics: + +Controller runtime metrics:: + +* `controller_runtime_active_workers`: Number of currently used workers per controller + +* `controller_runtime_max_concurrent_reconciles`: Maximum number of concurrent reconciles per controller + +* `controller_runtime_reconcile_errors_total`: Total number of reconciliation errors per controller + +* `controller_runtime_reconcile_time_seconds`: Length of time per reconciliation per controller + +* `controller_runtime_reconcile_total`: Total number of reconciliations per controller + +Certificate watcher metrics:: + +* `certwatcher_read_certificate_errors_total`: Total number of certificate read errors + +* `certwatcher_read_certificate_total`: Total number of certificates read + +Go runtime metrics:: + +Standard Go runtime metrics including: + +* `go_gc_duration_seconds`: Garbage collection duration + +* `go_goroutines`: Number of goroutines + +* `go_memstats_*`: Memory statistics + +* `process_*`: Process statistics + + Custom Operator metrics:: + +The operator also exposes custom metrics related to: + +* SPIRE Server status and health + +* SPIRE Agent deployment status + +* SPIFFE CSI Driver status + +* OIDC Discovery Provider status + +* Workload identity management operations + + + + 
diff --git a/modules/zero-trust-manager-enable-metrics-server.adoc b/modules/zero-trust-manager-enable-metrics-server.adoc index 5cd185907534..65eccc51b821 100644 --- a/modules/zero-trust-manager-enable-metrics-server.adoc +++ b/modules/zero-trust-manager-enable-metrics-server.adoc 
@@ -4,63 +4,193 @@ :_mod-docs-content-type: PROCEDURE [id="zero-trust-manager-enable-metrics-server_{context}"] -= Configuring metrics collection for SPIRE Server by using a Service Monitor += Configuring metrics collection for SPIRE Server by using a ServiceMonitor + +[role="_abstract"] +The {zero-trust-full} exposes metrics by default on port 8443 at the `/metrics` service endpoint. You can configure metrics collection for the Operator by creating a `ServiceMonitor` custom resource (CR) that enables the Prometheus Operator to collect custom metrics. For more information, see "Configuring user workload monitoring". + The SPIRE Server operand exposes metrics by default on port `9402` at the `/metrics` endpoint. You can configure metrics collection for the SPIRE Server by creating a `ServiceMonitor` custom resource (CR) that enables the Prometheus Operator to collect custom metrics. + .Prerequisites * You have access to the cluster as a user with the `cluster-admin` cluster role. * You have installed the {zero-trust-full}. -* You have deployed the SPIRE Server operand in the cluster. - * You have enabled the user workload monitoring. .Procedure -. Create the `ServiceMonitor` CR: +. Configure the Operator to use HTTP or HTTPS protocols for the metrics server. + +.. Update the subscription object for {zero-trust-full} to configure the HTTP protocol by running the following command: ++ +[source,terminal] +---- +$ oc -n zero-trust-workload-identity-manager patch subscription zero-trust-workload-identity-manager-subscription --type='merge' -p '{"spec":{"config":{"env":[{"name":"METRICS_BIND_ADDRESS","value":":8080"}, {"name": "METRICS_SECURE", "value": "false"}]}}}' +---- + +.. 
Verify the {zero-trust-full} pod is redeployed and that the configured values for `METRICS_BIND_ADDRESS` and `METRICS_SECURE` is updated by running the following command: ++ +[source,terminal] +---- +$ oc set env --list deployment/zero-trust-workload-identity-manager-controller-manager -n zero-trust-workload-identity-manager | grep -e METRICS_BIND_ADDRESS -e METRICS_SECURE -e container +---- ++ +.Example output +[source,text] +---- +deployments/zero-trust-workload-identity-manager-controller-manager, container manager +METRICS_BIND_ADDRESS=:8080 +METRICS_SECURE=false +---- + +. Create the `Secret` resource with `kubernetes.io/service-account.name` annotation to inject the token required for authenticating with the metrics server. -.. Create the YAML file that defines the `ServiceMonitor` CR: +.. Create the `secret-zero-trust-workload-identity-manager.yaml` YAML file: + -.Example `servicemonitor-spire-server` file [source,yaml] ---- -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor +apiVersion: v1 +kind: Secret metadata: labels: - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - name: spire-server-metrics + name: zero-trust-workload-identity-manager + name: zero-trust-workload-identity-manager-metrics-auth namespace: zero-trust-workload-identity-manager + annotations: + kubernetes.io/service-account.name: zero-trust-workload-identity-manager-controller-manager +type: kubernetes.io/service-account-token +---- + +.. Create the `Secret` resource by running the following command: ++ +[source,terminal] +---- +$ oc apply -f secret-zero-trust-workload-identity-manager.yaml +---- + +. Create the `ClusterRoleBinding` resource required for granting permissions to access the metrics. + +.. 
Create the `clusterrolebinding-zero-trust-workload-identity-manager.yaml` YAML file: ++ +[source,yaml] +---- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + name: zero-trust-workload-identity-manager + name: zero-trust-workload-identity-manager-allow-metrics-access +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: zero-trust-workload-identity-manager-metrics-reader +subjects: +- kind: ServiceAccount + name: zero-trust-workload-identity-manager-controller-manager + namespace: zero-trust-workload-identity-manager +---- + +.. Create the `ClusterRoleBinding` resource by running the following command: ++ +[source,terminal] +---- +$ oc apply -f clusterrolebinding-zero-trust-workload-identity-manager.yaml +---- + +. Create the following `ServiceMonitor` CR if the metrics server is configured to use `http`. + +.. Create the `servicemonitor-zero-trust-workload-identity-manager-http.yaml` YAML file: ++ +[source,yaml] +---- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: +labels: + name: zero-trust-workload-identity-manager +name: zero-trust-workload-identity-manager-metrics-monitor +namespace: zero-trust-workload-identity-manager spec: - endpoints: - - port: metrics - interval: 30s - path: /metrics - selector: - matchLabels: - app.kubernetes.io/name: server - app.kubernetes.io/instance: spire - namespaceSelector: - matchNames: - - zero-trust-workload-identity-manager +endpoints: + - authorization: + credentials: + name: zero-trust-workload-identity-manager-metrics-auth + key: token + type: Bearer + interval: 60s + path: /metrics + port: metrics-http + scheme: http + scrapeTimeout: 30s +namespaceSelector: + matchNames: + - zero-trust-workload-identity-manager +selector: + matchLabels: + name: zero-trust-workload-identity-manager ---- .. 
Create the `ServiceMonitor` CR by running the following command: + [source,terminal] ---- -$ oc create -f servicemonitor-spire-server.yaml +$ oc apply -f servicemonitor-zero-trust-workload-identity-manager-http.yaml ---- +. Create the following `ServiceMonitor` CR if the metrics server is configured to use `https`. + +.. Create the `servicemonitor-zero-trust-workload-identity-manager-https.yaml` YAML file: + -After the `ServiceMonitor` CR is created, the user workload Prometheus instance begins metrics collection from the SPIRE Server. The collected metrics are labeled with `job="spire-server"`. +[source,yaml] +---- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: +labels: + name: zero-trust-workload-identity-manager +name: zero-trust-workload-identity-manager-metrics-monitor +namespace: zero-trust-workload-identity-manager +spec: +endpoints: + - authorization: + credentials: + name: zero-trust-workload-identity-manager-metrics-auth + key: token + type: Bearer + interval: 60s + path: /metrics + port: metrics-https + scheme: https + scrapeTimeout: 30s + tlsConfig: + ca: + configMap: + name: openshift-service-ca.crt + key: service-ca.crt + serverName: zero-trust-workload-identity-manager-metrics-service.zero-trust-workload-identity-manager.svc.cluster.local +namespaceSelector: + matchNames: + - zero-trust-workload-identity-manager +selector: + matchLabels: + name: zero-trust-workload-identity-manager +---- + +.. Create the `ServiceMonitor` CR by running the following command: ++ +[source,terminal] +---- +$ oc apply -f servicemonitor-zero-trust-workload-identity-manager-https.yaml +---- ++ +After the `ServiceMonitor` CR is created, the user workload Prometheus instance begins metrics collection from the SPIRE Server. The collected metrics are labeled with `job="zero-trust-workload-identity-manager-metrics-service"`. .Verification -. In the {product-title} web console, navigate to *Observe* -> *Targets*. +. 
In the {product-title} web console, navigate to *Observe* → *Targets*. . In the *Label* filter field, enter the following label to filter the metrics targets: + @@ -70,3 +200,4 @@ $ service=zero-trust-workload-identity-manager-metrics-service ---- . Confirm that the *Status* column shows `Up` for the `spire-server-metrics` entry. + diff --git a/modules/zero-trust-manager-how-it-works.adoc b/modules/zero-trust-manager-how-it-works.adoc index f7b8a0c2f6af..bd98accc3670 100644 --- a/modules/zero-trust-manager-how-it-works.adoc +++ b/modules/zero-trust-manager-how-it-works.adoc @@ -6,6 +6,8 @@ [id="zero-trust-manager-how-it-works_{context}"] = About the {zero-trust-full} workflow +[role="_abstract"] +Understand the high-level workflow of {zero-trust-full} to help you manage secure identities. This process relies on SPIRE components and custom resource definitions (CRDs) to validate nodes and workloads. The following is a high-level workflow of the {zero-trust-full} within the Red{nbsp}Hat OpenShift cluster. diff --git a/modules/zero-trust-manager-install-cli.adoc b/modules/zero-trust-manager-install-cli.adoc index 60baf8737079..d7eddd8bbabc 100644 --- a/modules/zero-trust-manager-install-cli.adoc +++ b/modules/zero-trust-manager-install-cli.adoc @@ -10,6 +10,11 @@ * You have access to the cluster with `cluster-admin` privileges. +[NOTE] +==== +A minimum of 1Gi persistent volume is required to install the SPIRE Server. +==== + .Procedure . Create a new project named `zero-trust-workload-identity-manager` by running the following command: @@ -57,7 +62,7 @@ metadata: name: openshift-zero-trust-workload-identity-manager namespace: zero-trust-workload-identity-manager spec: - channel: tech-preview-v0.1 + channel: stable-v1 name: openshift-zero-trust-workload-identity-manager source: redhat-operators sourceNamespace: openshift-marketplace 
@@ -84,7 +89,7 @@ $ oc get subscription -n zero-trust-workload-identity-manager [source, terminal] ---- NAME PACKAGE SOURCE CHANNEL -openshift-zero-trust-workload-identity-manager zero-trust-workload-identity-manager redhat-operators tech-preview-v0.1 +openshift-zero-trust-workload-identity-manager zero-trust-workload-identity-manager redhat-operators stable-v1 ---- * Verify whether the Operator is successfully installed by running the following command: @@ -98,7 +103,7 @@ $ oc get csv -n zero-trust-workload-identity-manager [source, terminal] ---- NAME DISPLAY VERSION PHASE -zero-trust-workload-identity-manager.v0.1.0 Zero Trust Workload Identity Manager 0.1.0 Succeeded +zero-trust-workload-identity-manager.v1.0.0 Zero Trust Workload Identity Manager 1.0.0 Succeeded ---- * Verify that the {zero-trust-full} controller manager is ready by running the following command: diff --git a/modules/zero-trust-manager-install-console.adoc b/modules/zero-trust-manager-install-console.adoc index d82754ef46a4..c66f22d16f7f 100644 --- a/modules/zero-trust-manager-install-console.adoc +++ b/modules/zero-trust-manager-install-console.adoc @@ -6,7 +6,12 @@ [id="zero-trust-manager-install-console_{context}"] = Installing the {zero-trust-full} by using the web console -You can use the web console to install the {zero-trust-full}. +Use the OperatorHub in the {product-title} web console to install the {zero-trust-full}. This process streamlines deployment and helps ensure the Operator is installed in the correct namespace with the appropriate installation mode. + +[NOTE] +==== +A minimum of 1Gi persistent volume is required to install the SPIRE Server. +==== .Prerequisites 
@@ -20,35 +25,36 @@ You can use the web console to install the {zero-trust-full}. . Go to *Ecosystem* -> *Software Catalog*. -. Enter *{zero-trust-full}* into the filter box. - -. Select the *{zero-trust-full}* - -. Select the {zero-trust-full} version from *Version* drop-down list, and click *Install*. +. Search for *{zero-trust-full}*. . On the *Install Operator* page: -.. Update the *Update channel*, if necessary. The channel defaults to *tech-preview-v0.1*, which installs the latest Technology Preview v0.1 release of the {zero-trust-full}. +.. Update the *Update channel*, if necessary. The channel defaults to `stable-v1`, which installs the latest `stable-v1` release of the {zero-trust-full}. .. Choose the *Installed Namespace* for the Operator. The default Operator namespace is `zero-trust-workload-identity-manager`. + If the `zero-trust-workload-identity-manager` namespace does not exist, it is created for you. - -.. Select an *Update approval* strategy. + -* The *Automatic* strategy allows Operator Lifecycle Manager (OLM) to automatically update the Operator when a new version is available. -+ -* The *Manual* strategy requires a user with appropriate credentials to approve the Operator update. +[NOTE] +==== +The Operator and operands are deployed in the same namespace. +==== + +.. Select an *Update Approval* strategy + +* The *Automatic strategy* allows Operator Lifecycle Manager (OLM) to automatically update the Operator when a new version is available. -.. Click *Install*. +* The *Manual strategy* requires a user with appropriate credentials to approve the Operator update. + +. Click *Install*. .Verification -* Navigate to *Ecosystem* -> *Installed Operators*. +. Navigate to *Ecosystem* -> *Installed Operators*. -** Verify that *{zero-trust-full}* is listed with a *Status* of *Succeeded* in the `zero-trust-workload-identity-manager` namespace. +.. 
Verify that *Zero Trust Workload Identity Manager* is listed with a *Status* of *Succeeded* in the `zero-trust-workload-identity-manager` namespace. -** Verify that {zero-trust-full} controller manager deployment is ready and available by running the following command: +.. Verify that Zero Trust Workload Identity Manager controller manager deployment is ready and available by running the following command: + [source,terminal] ---- @@ -58,6 +64,13 @@ $ oc get deployment -l name=zero-trust-workload-identity-manager -n zero-trust-w .Example output [source,terminal] ---- -NAME READY UP-TO-DATE AVAILABLE AGE -zero-trust-workload-identity-manager-controller-manager-6c4djb 1/1 1 1 43m +NAME READY UP-TO-DATE AVAILABLE AGE +zero-trust-workload-identity-manager-controller-manager-6c4djb 1/1 1 1 43m +---- + +. To check the Operator logs, run the following command: ++ +[source,terminal] +---- +$ oc logs -f deployment/zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager ---- diff --git a/modules/zero-trust-manager-oidc-config.adoc b/modules/zero-trust-manager-oidc-config.adoc index b3564341a239..128e1ddd764d 100644 --- a/modules/zero-trust-manager-oidc-config.adoc +++ b/modules/zero-trust-manager-oidc-config.adoc @@ -7,7 +7,8 @@ = Deploying the SPIRE OpenID Connect Discovery Provider -You can configure the `SpireOIDCDiscoveryProvider` custom resource (CR) to deploy and configure the SPIRE OpenID Connect (OIDC) Discovery Provider. +[role="_abstract"] +Deploy the SPIRE OpenID Connect (OIDC) Discovery Provider by configuring the `SpireOIDCDiscoveryProvider` CR. This allows you to define the trust domain and JSON web token (JWT) issuer for your cluster. .Prerequisites 
@@ -29,14 +30,34 @@ apiVersion: operator.openshift.io/v1alpha1 kind: SpireOIDCDiscoveryProvider metadata: name: cluster + # ... spec: - trustDomain: #<1> - agentSocketName: 'spire-agent.sock' #<2> - jwtIssuer: #<3> + logLevel: "info" + logFormat: "text" + csiDriverName: "csi.spiffe.io" + jwtIssuer: "https://oidc-discovery.apps.cluster.example.com" + replicaCount: 1 + managedRoute: "true" + externalSecretRef: "" ---- -<1> The trust domain to be used for the SPIFFE identifiers. -<2> The name of the SPIRE Agent UNIX socket. -<3> The JSON Web Token (JWT) issuer domain. The value must be a valid URL. + +where: + +name:: Must be named 'cluster'. + +logLevel:: The logging level for the SPIRE Server. The valid options are `debug`, `info`, `warn`, and `error`. + +logFormat:: The logging format for the SPIRE Server. The valid options are `text` and `json`. + +csiDriverName:: The name of the CSI driver to use for mounting the Workload API socket. This must match the `SpiffeCSIDriver.spec.pluginName` value for the OIDC provider to access SPIFFE identities. Must be a valid DNS subdomain format (for example, `csi.spiffe.io`) with a maximum length of 127 characters. + +jwtIssuer:: The JWT issuer URL. Must be a valid HTTPS or HTTP URL with a maximum length of 512 characters. This value must match the `SpireServer.spec.jwtIssuer` value. + +replicaCount:: The number of replicas for the OIDC Discovery Provider deployment. Must be between 1 and 5. + +managedRoute:: Controls whether the Operator automatically creates an OpenShift route for the OIDC Discovery Provider endpoints. Set to `true` to have the Operator automatically create and maintain an OpenShift route for OIDC discovery endpoints (`*.apps.`). Set to `false` for administrators to manually configure routes or ingress. + +externalSecretRef:: A reference to an externally managed secret that contains the TLS certificate for the OIDC Discovery Provider route host. 
Must be a valid Kubernetes secret reference name with a maximum length of 253 characters. This field is optional. .. Apply the configuration by running the following command: + diff --git a/modules/zero-trust-manager-server-agent-telemetry.adoc b/modules/zero-trust-manager-server-agent-telemetry.adoc new file mode 100644 index 000000000000..07459978e34d --- /dev/null +++ b/modules/zero-trust-manager-server-agent-telemetry.adoc @@ -0,0 +1,11 @@ +// Module included in the following assemblies: +// +// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc + +:_mod-docs-content-type: CONCEPT +[id="zero-trust-manager-server-agent-telemetry_{context}"] += SPIRE Server and Agent telemetry + +[role="_abstract"] +Use the SPIRE Controller Manager to register workloads by using custom resource definitions (CRDs). The manager monitors pods and CRDs for changes and triggers a reconciliation process. This process creates, updates, or deletes SPIRE Server entries to help ensure they match your configuration. + diff --git a/modules/zero-trust-manager-spiffe-csidriver-config.adoc b/modules/zero-trust-manager-spiffe-csidriver-config.adoc index 1a1afdc7aa4b..c1c58803ab43 100644 --- a/modules/zero-trust-manager-spiffe-csidriver-config.adoc +++ b/modules/zero-trust-manager-spiffe-csidriver-config.adoc @@ -6,7 +6,8 @@ [id="zero-trust-manager-spire-csidriver-config_{context}"] = Deploying the SPIFFE Container Storage Interface driver -You can configure the `SpiffeCSIDriver` custom resource (CR) to deploy and configure a SPIFFE Container Storage Interface (CSI) driver. +[role="_abstract"] +Configure the Container Storage Interface (CSI) driver using the `SpiffeCSIDriver` CR. This configuration mounts SPIFFE sockets directly into workload pods, which allows your applications to access the SPIFFE Workload API securely. .Prerequisites 
@@ -24,14 +25,23 @@ You can configure the `SpiffeCSIDriver` custom resource (CR) to deploy and confi + [source,yaml] ---- -apiVersion: operator.openshift.io/v1alpha1 +apiVersion: operator.openshift.io/stable-v1 kind: SpiffeCSIDriver metadata: name: cluster + # ... spec: - agentSocketPath: '/run/spire/agent-sockets/spire-agent.sock' #<1> + agentSocketPath: "/run/spire/agent-sockets" + pluginName: "csi.spiffe.io" ---- -<1> The UNIX socket path to the SPIRE Agent. + +where: + +name:: Must be named 'cluster'. + +agentSocketPath:: The path to the directory containing the SPIRE agent's Workload API socket. This directory is bind-mounted into workload containers by the CSI driver. The directory is shared between the SPIRE agent and CSI driver via a `hostPath` volume. Must be an absolute path with a maximum length of 256 characters. This value must match `SpireAgent.spec.socketPath` for workloads to access the socket. + +pluginName:: The name of the CSI plugin. This sets the CSI driver name that is deployed to the cluster and used in `VolumeMount` configurations. Must match the driver name referenced in the workload pods. Must be a valid domain name format (for example, `csi.spiffe.io`) with a maximum length of 127 characters. .. Apply the configuration by running the following command: + diff --git a/modules/zero-trust-manager-spire-agent-config.adoc b/modules/zero-trust-manager-spire-agent-config.adoc index 663b9bbd17e6..9a63248af065 100644 --- a/modules/zero-trust-manager-spire-agent-config.adoc +++ b/modules/zero-trust-manager-spire-agent-config.adoc 
@@ -6,7 +6,8 @@ [id="zero-trust-manager-spire-agent-config_{context}"] = Deploying the SPIRE Agent -You can configure the `SpireAgent` custom resource (CR) to deploy and configure a SPIRE Agent. +[role="_abstract"] +Use the `SpireAgent` custom resource to configure the SPIRE Agent `DaemonSet` on your nodes. This defines how the agent verifies workloads and manages identity attestation across your {product-title} cluster. .Prerequisites 
@@ -29,20 +30,44 @@ kind: SpireAgent metadata: name: cluster spec: - trustDomain: #<1> - clusterName: #<2> + socketPath: "/run/spire/agent-sockets" + logLevel: "info" + logFormat: "text" nodeAttestor: - k8sPSATEnabled: "true" #<3> + k8sPSATEnabled: "true" workloadAttestors: - k8sEnabled: "true" #<4> + k8sEnabled: "true" workloadAttestorsVerification: - type: "auto" #<5> + type: "auto" + hostCertBasePath: "/etc/kubernetes" + hostCertFileName: "kubelet-ca.crt" + disableContainerSelectors: "false" + useNewContainerLocator: "true" ---- -<1> The trust domain to be used for the SPIFFE identifiers. -<2> The name of your cluster. -<3> Enable or disable the projected service account token (PSAT) Kubernetes node attestor. The valid options are `true` and `false`. -<4> Enable or disable the Kubernetes workload attestor. The valid options are `true` and `false`. -<5> The type of verification to be done against the kubelet. Valid options are `auto`, `hostCert`, `apiServerCA`, `skip`. The `auto` option initially attempts to use `hostCert`, and then falls back to `apiServerCA`. + +where: + +name:: Must be named 'cluster'. + +socketPath:: The directory on the host where the SPIRE agent socket is created. This directory is shared with the SPIFFE CSI driver via the `hostPath` volume. Must match the `SpiffeCSIDriver.spec.agentSocketPath` for workloads to access the socket. Must be an absolute path with a maximum length of 256 characters. + +logLevel:: The logging level for the SPIRE Server. The valid options are `debug`, `info`, `warn`, and `error`. + +logFormat:: The logging format for the SPIRE Server. The valid options are `text` and `json`. + +k8sPSATEnabled:: Specifies whether Kubernetes Projected Service Account Token (PSAT) node attestation is enabled. When enabled, the SPIRE agent uses K8s PSATs to prove its identity to the SPIRE server during node attestation. The valid options are `true` and `false`. 
+ +k8sEnabled:: Specifies whether the Kubernetes workload attestor is enabled. When enabled, the SPIRE agent can verify workload identities using Kubernetes pod information and service account tokens. The valid options are `true` and `false`. + +type:: The kubelet certificate verification mode. The valid options are `auto`, `hostCert`, and `skip`. + +hostCertBasePath:: The directory containing the kubelet CA certificate. Required when type is `hostCert`. Optional when type is `auto` (defaults to /etc/kubernetes if not specified). + +hostCertFileName:: The file name for the kubelet's CA certificate. When combined with `hostCertBasePath`, forms the full path. Required when type is `hostCert`. Optional when type is `auto`. Defaults to `kubelet-ca.crt` if not specified. + +disableContainerSelectors:: Specifies whether to disable container selectors in the Kubernetes workload attestor. Set to `true` if using `holdApplicationUntilProxyStarts` in Istio. The valid options are `true` and `false`. + +useNewContainerLocator:: Enables the new container locator algorithm that has support for cgroups v2. The valid options are `true` and `false`. .. Apply the configuration by running the following command: + diff --git a/modules/zero-trust-manager-spire-server-config.adoc b/modules/zero-trust-manager-spire-server-config.adoc index b0f7bfb1af7e..7cee8f8c53af 100644 --- a/modules/zero-trust-manager-spire-server-config.adoc +++ b/modules/zero-trust-manager-spire-server-config.adoc 
@@ -29,36 +29,89 @@ kind: SpireServer metadata: name: cluster spec: - trustDomain: #<1> - clusterName: #<2> + logLevel: "info" + logFormat: "text" + jwtIssuer: "https://oidc-discovery.apps.cluster.example.com" + caValidity: "24h" + defaultX509Validity: "1h" + defaultJWTValidity: "5m" + jwtKeyType: "rsa-248" caSubject: - commonName: example.org #<3> - country: "US" #<4> - organization: "RH" #<5> + country: "US" + organization: "Example Corporation" + commonName: "SPIRE Server CA" persistence: - type: pvc #<6> - size: "5Gi" #<7> - accessMode: ReadWriteOnce #<8> + size: "5Gi" + accessMode: "ReadWriteOnce" + storageClass: "gp3-csi" datastore: - databaseType: sqlite3 + databaseType: "sqlite3" connectionString: "/run/spire/data/datastore.sqlite3" - maxOpenConns: 100 #<9> - maxIdleConns: 2 #<10> - connMaxLifetime: 3600 #<11> - jwtIssuer: #<12> ----- -<1> The trust domain to be used for the SPIFFE identifiers. -<2> The name of your cluster. -<3> The common name for SPIRE Server CA. -<4> The country for SPIRE Server CA. -<5> The organization for SPIRE Server CA. -<6> The volume type to be used for persistence. The valid options are `pvc` and `hostPath`. -<7> The volume size to be used for persistence -<8> The access mode to be used for persistence. The valid options are `ReadWriteOnce`, `ReadWriteOncePod`, and `ReadWriteMany`. -<9> The maximum number of open database connections. -<10> The maximum number of idle connections in the pool. -<11> The maximum amount of time a connection can be reused. To specify an unlimited time, you can set the value to `0`. -<12> The JSON Web Token (JWT) issuer domain. The value must be a valid URL. + tlsSecretName: "" + maxOpenConns: 100 + maxIdleConns: 10 + connMaxLifetime: 0 + disableMigration: "false" + federation: + bundleEndpoint: + profile: "https_spiffe" + refreshHint: 300 + federatesWith: [] + managedRoute: "true" +---- +where: + +name:: Must be named 'cluster'. + +cluster:: Must be named 'cluster'. 
+ +logLevel:: The logging level for the SPIRE Server. The valid options are `debug`, `info`, `warn`, and `error`. + +logFormat:: The logging format for the SPIRE Server. The valid options are `text` and `json`. + +jwtIssuer:: The JWT issuer URL. Must be a valid HTTPS or HTTP URL with a maximum length of 512 characters. + +caValidity:: The validity period (Time to Live (TTL)) for the SPIRE Server's CA certificate. This determines how long the server's root or intermediate certificate is valid. The format is a duration string (for example, `24h`, `168h`). + +defaultX509Validity:: The default validity period (TTL) for X.509 SVIDs issued to workloads. This value is used if a specific TTL is not configured for a registration entry. + +defaultJWTValidity:: The default validity period (TTL) for JWT SVIDs issued to workloads. This value is used if a specific TTL is not configured for a registration entry. + +jwtKeyType:: The key type used for JWT signing. The valid options are `rsa-2048`, `rsa-4096`, `ec-p256`, and `ec-p384`. This field is optional. + +country:: The country for the SPIRE Server certificate authority (CA). Must be an ISO 3166-1 alpha-2 country code (2 characters). + +organization:: The organization for the SPIRE Server CA. Maximum length is 64 characters. + +commonName:: The common name for the SPIRE Server CA. Maximum length is 255 characters. + +size:: The size of the persistent volume (for example, `1Gi`, `5Gi`). Once set, this field is immutable. + +accessMode:: The access mode for the persistent volume. The valid options are `ReadWriteOnce`, `ReadWriteOncePod`, and `ReadWriteMany`. Once set, this field is immutable. + +storageClass:: The storage class to be used for the PVC. Once set, this field is immutable. + +databaseType:: The type of database to use for the datastore. The valid options are `sql`, `sqlite3`, `postgres`, `mysql`, `aws_postgresql`, and `aws_mysql`. + +connectionString:: The connection string for the database. 
For PostgreSQL with SSL, include `sslmode` and certificate paths (for example, `dbname=spire user=spire host=postgres.example.com sslmode=verify-full`). + +tlsSecretName:: The name of a Kubernetes Secret containing TLS certificates for database connections. The Secret will be mounted at `/run/spire/db/certs`. This field is optional. + +maxOpenConns:: The maximum number of open database connections. Must be between 1 and 10000. + +maxIdleConns:: The maximum number of idle database connections in the pool. Must be between 0 and 10000. + +connMaxLifetime:: The maximum lifetime of a database connection in seconds. A value of 0 means connections are not closed due to age. + +disableMigration:: Specifies whether to disable automatic database migration. The valid options are `true` and `false`. + +profile:: The bundle endpoint authentication profile for federation. The valid options are `https_spiffe` and `https_web`. + +refreshHint:: The hint for bundle refresh interval in seconds. Must be between 60 and 3600. + +federatesWith:: The list of trust domains this cluster federates with. Each entry requires `trustDomain`, `bundleEndpointUrl`, and `bundleEndpointProfile`. + +managedRoute:: Enables or disables automatic route creation for the federation endpoint. Set to `true` to allow automatic exposure through a managed OpenShift Route, or `false` to manually configure routing. .. Apply the configuration by running the following command: + @@ -110,3 +163,4 @@ $ oc get pvc -l app.kubernetes.io/name=server -n zero-trust-workload-identity-ma NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS VOLUMEATTRIBUTECLASS AGE spire-data-spire-server-0 Bound pvc-27a36535-18a1-4fde-ab6d-e7ee7d3c2744 5Gi RW0 gp3-csi 22m ---- + diff --git a/modules/zero-trust-manager-uninstall-resources.adoc b/modules/zero-trust-manager-uninstall-resources.adoc index 3e5e059d2a20..3a82bbd2941f 100644 --- a/modules/zero-trust-manager-uninstall-resources.adoc 
+++ b/modules/zero-trust-manager-uninstall-resources.adoc @@ -16,13 +16,6 @@ After you have uninstalled the {zero-trust-full}, you have the option to delete . Uninstall the operands by running each of the following commands: -.. Delete the `ZeroTrustWorkloadIdentityManager` cluster by running the following command: -+ -[source,terminal] ----- -$ oc delete ZeroTrustWorkloadIdentityManager cluster ----- - .. Delete the `SpireOIDCDiscoveryProvider` cluster by running the following command: + [source,terminal] @@ -30,13 +23,6 @@ $ oc delete ZeroTrustWorkloadIdentityManager cluster $ oc delete SpireOIDCDiscoveryProvider cluster ---- -.. Delete the `SpiffeCSIDriver` cluster by running the following command: -+ -[source,terminal] ----- -$ oc delete SpiffeCSIDriver cluster ----- - .. Delete the `SpireAgent` cluster by running the following command: + [source,terminal] @@ -51,25 +37,25 @@ $ oc delete SpireAgent cluster $ oc delete SpireServer cluster ---- -.. Delete the Persistent Volume Claim (PVC) by running the following command: +.. Delete the `ZeroTrustWorkloadIdentityManager` cluster by running the following command: + [source,terminal] ---- -$ oc delete pvc -l=app.kubernetes.io/managed-by=zero-trust-workload-identity-manager +$ oc delete ZeroTrustWorkloadIdentityManager cluster ---- -.. Delete the CSI Driver by running the following command: +.. Delete the persistent volume claim (PVC) by running the following command: + [source,terminal] ---- -$ oc delete csidriver -l=app.kubernetes.io/managed-by=zero-trust-workload-identity-manager +$ oc delete pvc -l=app.kubernetes.io/name=spire-server ---- .. Delete the service by running the following command: + [source,terminal] ---- -$ oc delete service -l=app.kubernetes.io/managed-by=zero-trust-workload-identity-manager +$ oc delete service -l=app.kubernetes.io/name=zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager ---- .. Delete the namespace by running the following command: 
@@ -83,7 +69,7 @@ $ oc delete ns zero-trust-workload-identity-manager + [source,terminal] ---- -$ oc delete clusterrolebinding -l=app.kubernetes.io/managed-by=zero-trust-workload-identity-manager +$ oc delete clusterrole -l=app.kubernetes.io/name=zero-trust-workload-identity-manager ---- .. Delete the cluster role by running the following command: @@ -93,13 +79,6 @@ $ oc delete clusterrolebinding -l=app.kubernetes.io/managed-by=zero-trust-worklo $ oc delete clusterrole -l=app.kubernetes.io/managed-by=zero-trust-workload-identity-manager ---- -.. Delete the admission wehhook configuration by running the following command: -+ -[source,terminal] ----- -$ oc delete validatingwebhookconfigurations -l=app.kubernetes.io/managed-by=zero-trust-workload-identity-manager ----- - . Delete the custom resource definitions (CRDs) by running each of the following commands: .. Delete the SPIRE Server CRD by running the following command: diff --git a/modules/zero-trust-manager-verify-operands.adoc b/modules/zero-trust-manager-verify-operands.adoc new file mode 100644 index 000000000000..1264bf2281d9 --- /dev/null +++ b/modules/zero-trust-manager-verify-operands.adoc 
@@ -0,0 +1,46 @@ +// Module included in the following assemblies: +// +// * security/zero_trust_workload_identity_manageer/zero-trust-manager-configuration.adoc + +:_mod-docs-content-type: CONCEPT +[id="zero-trust-manager-verify-operands_{context}"] += Verify the health of the operands + +[role="_abstract"] +View the status fields to verify the operational health of managed components. This information helps you confirm that the SPIRE Server, SPIRE Agent, SPIFFE CSI driver, and the SPIRE OIDC discovery provider operands are ready and functioning correctly. + +[source,yaml] +---- +status: + conditions: + - lastTransitionTime: "2025-12-16T10:59:06Z" + message: All components are ready + reason: Ready + status: "True" + type: Ready + - lastTransitionTime: "2025-12-16T10:59:06Z" + message: All operand CRs are ready + reason: Ready + status: "True" + type: OperandsAvailable + operands: + - kind: SpireServer + message: Ready + name: cluster + ready: "true" + - kind: SpireAgent + message: Ready + name: cluster + ready: "true" + - kind: SpiffeCSIDriver + message: Ready + name: cluster + ready: "true" + - kind: SpireOIDCDiscoveryProvider + message: Ready + name: cluster + ready: "true" + # ... +---- + +This status is reflected when all operands are healthy and stable. \ No newline at end of file diff --git a/modules/zero-trust-manager-ztwim-cr.adoc b/modules/zero-trust-manager-ztwim-cr.adoc new file mode 100644 index 000000000000..375b0e64e808 --- /dev/null +++ b/modules/zero-trust-manager-ztwim-cr.adoc 
@@ -0,0 +1,38 @@ +// Module included in the following assemblies: +// +// * security/zero_trust_workload_identity_manageer/zero-trust-manager-configuration.adoc + +:_mod-docs-content-type: CONCEPT +[id="zero-trust-manager-ztwim-cr_{context}"] += About the ZeroTrustWorkloadIdentityManager custom resource + + +[role="_abstract"] +The `ZeroTrustWorkloadIdentityManager` is the primary custom resource that initializes the SPIRE deployments. This primary resource defines the trust domain and cluster name to help ensure secure workload identity management. + +Reference the complete YAML specification to correctly structure the `ZeroTrustWorkloadIdentityManager` CR. This example helps you identify required fields and immutable parameters for your configuration. + +[source,yaml] +---- +apiVersion: operator.openshift.io/v1alpha1 +kind: ZeroTrustWorkloadIdentityManager +metadata: + name: cluster + labels: + app.kubernetes.io/name: zero-trust-workload-identity-manager + app.kubernetes.io/managed-by: zero-trust-workload-identity-manager +spec: + trustDomain: "example.com" + clusterName: "production-cluster" + bundleConfigMap: "spire-bundle" +---- + +where: + +trustDomain:: The trust domain to be used for the SPIFFE identifiers. Must be a valid SPIFFE trust domain (lowercase alphanumeric, hyphens, and dots). Maximum length is 255 characters. Once set, this field is immutable. + +clusterName:: The name that identifies this cluster within the trust domain. Must be a valid DNS-1123 subdomain with a maximum length of 63 characters. Once set, this field is immutable. + +bundleConfigMap:: The name of the ConfigMap that stores the SPIRE trust bundle. This ConfigMap contains the root certificates for the trust domain and is created and maintained by the Operator. Must be a valid Kubernetes name with a maximum length of 253 characters. This field is optional (defaults to `spire-bundle`) and once set, is immutable. + + 
diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-components.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-components.adoc new file mode 100644 index 000000000000..4c1b6470fa3c --- /dev/null +++ b/security/zero_trust_workload_identity_manager/zero-trust-manager-components.adoc @@ -0,0 +1,25 @@ +:_mod-docs-content-type: ASSEMBLY +[id="zero-trust-manager-components"] += Zero Trust Workload Identity Manager components +include::_attributes/common-attributes.adoc[] +:context: zero-trust-manager-components + +toc::[] + +[role="_abstract"] +Review the components available in the initial release of {zero-trust-full} to understand the architecture. These components provide the foundation for identifying and securing your workloads. + +// about csi driver +include::modules/zero-trust-manager-about-csi-driver.adoc[leveloffset=+1] + +// about oidc provider +include::modules/zero-trust-manager-about-oidc-provider.adoc[leveloffset=+1] + +// about controller manager +include::modules/zero-trust-manager-about-controller-manager.adoc[leveloffset=+1] + +// about telemetry +include::modules/zero-trust-manager-server-agent-telemetry.adoc[leveloffset=+1] + +// about the workflow +include::modules/zero-trust-manager-how-it-works.adoc[leveloffset=+1] \ No newline at end of file diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc index fab81985f94e..a6c8abcc58d9 100644 --- a/security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc +++ b/security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc 
@@ -4,22 +4,24 @@ toc::[] -:FeatureName: Zero Trust Workload Identity Manager -include::snippets/technology-preview.adoc[] - You can deploy the following operands by creating the respective custom resources (CRs). You must deploy the operands in the following sequence to ensure successful installation. -. SPIRE Server +* SPIRE Server + +* `ZeroTrustWorkloadIdentityManager` CR -. SPIRE Agent +* SPIRE Agent -. SPIFFE CSI driver +* SPIFFE CSI driver -. SPIRE OIDC discovery provider +* SPIRE OIDC discovery provider // Deploying and configuring SPIRE Server include::modules/zero-trust-manager-spire-server-config.adoc[leveloffset=+1] +// Deploying and configuring ZTWIM custom resource +include::modules/zero-trust-manager-ztwim-cr.adoc[leveloffset=+1] + // Deploying and configuring SPIRE Agent include::modules/zero-trust-manager-spire-agent-config.adoc[leveloffset=+1] @@ -30,3 +32,8 @@ include::modules/zero-trust-manager-spiffe-csidriver-config.adoc[leveloffset=+1] include::modules/zero-trust-manager-oidc-config.adoc[leveloffset=+1] +// Deploying and configuring OIDC Discovery Provider +include::modules/zero-trust-manager-verify-operands.adoc[leveloffset=+1] + + + diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-install.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-install.adoc index edb90fb56974..e1e9e30c0616 100644 --- a/security/zero_trust_workload_identity_manager/zero-trust-manager-install.adoc +++ b/security/zero_trust_workload_identity_manager/zero-trust-manager-install.adoc 
@@ -7,17 +7,19 @@ include::_attributes/common-attributes.adoc[] toc::[] -:FeatureName: Zero Trust Workload Identity Manager for Red{nbsp}Hat OpenShift +[role="_abstract"] +Install {zero-trust-full} to help ensure secure communication between your workloads. You can install the {zero-trust-full} by using either the web console or CLI. -include::snippets/technology-preview.adoc[] +If you install the Operator into a custom namespace (for example, `my-custom-namespace`), all managed operand resources are deployed within that same namespace. All secrets and ConfigMaps referenced by the Custom Resources (CRs) must also exist in that custom namespace. -The {zero-trust-full} is not installed in {product-title} by default. You can install the {zero-trust-full} by using either the web console or CLI. +[IMPORTANT] +==== +The Operator installation is not supported in the `openshift-*` namespaces and the `default` namespace. +==== - -== Installing the {zero-trust-full} // Installing the {zero-trust-full} using the web console -include::modules/zero-trust-manager-install-console.adoc[leveloffset=+2] +include::modules/zero-trust-manager-install-console.adoc[leveloffset=+1] // Installing the {zero-trust-full} using CLI -include::modules/zero-trust-manager-install-cli.adoc[leveloffset=+2] +include::modules/zero-trust-manager-install-cli.adoc[leveloffset=+1] diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-monitoring.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-monitoring.adoc index 3f1d4a767781..804bcd25bf2b 100644 --- a/security/zero_trust_workload_identity_manager/zero-trust-manager-monitoring.adoc +++ b/security/zero_trust_workload_identity_manager/zero-trust-manager-monitoring.adoc 
@@ -37,4 +37,7 @@ include::modules/zero-trust-manager-query-metrics.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources -* xref:../../observability/monitoring/accessing-metrics/accessing-metrics-as-an-administrator.adoc#accessing-metrics[Accessing metrics] \ No newline at end of file +* xref:../../observability/monitoring/accessing-metrics/accessing-metrics-as-an-administrator.adoc#accessing-metrics[Accessing metrics] + +// available metrics +include::modules/zero-trust-manager-available-metrics.adoc[leveloffset=+1] \ No newline at end of file diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-oidc-federation.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-oidc-federation.adoc index aefbc0193d62..93efd6c036f3 100644 --- a/security/zero_trust_workload_identity_manager/zero-trust-manager-oidc-federation.adoc +++ b/security/zero_trust_workload_identity_manager/zero-trust-manager-oidc-federation.adoc @@ -10,10 +10,6 @@ toc::[] {zero-trust-full} integrates with OpenID Connect (OIDC) by allowing a SPIRE server to act as an OIDC provider. This enables workloads to request and receive verifiable JSON Web Tokens - SPIFFE Verifiable Identity Documents (JWT-SVIDs) from the local SPIRE agent. External systems, such as cloud providers, can then use the OIDC discovery endpoint exposed by the SPIRE server to retrieve public keys. -:FeatureName: Zero Trust Workload Identity Manager for Red{nbsp}Hat OpenShift - -include::snippets/technology-preview.adoc[] - The following providers are verified to work with SPIRE OIDC federation: * Azure Entra ID diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-overview.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-overview.adoc index 976cf2f707cc..5525ac8eb4eb 100644 --- a/security/zero_trust_workload_identity_manager/zero-trust-manager-overview.adoc 
+++ b/security/zero_trust_workload_identity_manager/zero-trust-manager-overview.adoc 
@@ -7,38 +7,22 @@ include::_attributes/common-attributes.adoc[] toc::[] -:FeatureName: Zero Trust Workload Identity Manager -include::snippets/technology-preview.adoc[] +[role="_abstract"] +The {zero-trust-full} is an {product-title} Operator that manages the lifecycle of SPIFFE Runtime Environment (SPIRE) components. It enables workload identity management based on the Secure Production Identity Framework for Everyone (SPIFFE) standard, providing cryptographically verifiable identities (SVIDs) to workloads running in {product-title} clusters. -The {zero-trust-full} leverages {spiffe-full} and the SPIFFE Runtime Environment (SPIRE) to provide a comprehensive identity management solution for distributed systems. SPIFFE and SPIRE provide a standardized approach to workload identity, allowing workloads to communicate with other services whether on the same cluster, or in another environment. +The following are components of the {zero-trust-full} architecture: -{zero-trust-full} replaces long-lived, manually managed secrets with cryptographically verifiable identities. It provides strong authentication ensuring workloads that are communicating with each other are who they claim to be. SPIRE automates the issuing, rotating, and revoking of a {svid-full}, reducing the workload of developers and administrators managing secrets. - -SPIFFE can work across diverse infrastructures including on-premise, cloud, and hybrid environments. SPIFFE identities are cryptographically enabled providing a basis for auditing and compliance. 
- -The following are components of the {zero-trust-full} architecture: - -//SPIFFE +// about spiffe include::modules/zero-trust-manager-about-spiffe.adoc[leveloffset=+1] -//SPIRE -include::modules/zero-trust-manager-about-spire.adoc[leveloffset=+1] - -//SPIRE Agent -include::modules/zero-trust-manager-about-agent.adoc[leveloffset=+1] -//Attestation -include::modules/zero-trust-manager-about-attestation.adoc[leveloffset=+1] - -//== Zero Trust Workload Identity Manager components and features +// about spire +include::modules/zero-trust-manager-about-spire.adoc[leveloffset=+1] -// SPIFFE SPIRE components -include::modules/zero-trust-manager-about-components.adoc[leveloffset=+1] -//SPIRE features -include::modules/zero-trust-manager-about-features.adoc[leveloffset=+1] +// about agent +include::modules/zero-trust-manager-about-agent.adoc[leveloffset=+1] -// -//How it works -include::modules/zero-trust-manager-how-it-works.adoc[leveloffset=+1] +// about attestation +include::modules/zero-trust-manager-about-attestation.adoc[leveloffset=+1] diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-uninstall.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-uninstall.adoc index 0c2f2987daa6..4f9bba8a1713 100644 --- a/security/zero_trust_workload_identity_manager/zero-trust-manager-uninstall.adoc +++ b/security/zero_trust_workload_identity_manager/zero-trust-manager-uninstall.adoc @@ -6,10 +6,6 @@ include::_attributes/common-attributes.adoc[] toc::[] -:FeatureName: Zero Trust Workload Identity Manager - -include::snippets/technology-preview.adoc[] - You can remove the {zero-trust-full} from {product-title} by uninstalling the Operator and removing its related resources. // Uninstalling the {zero-trust-full}
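Review bot: In the `modules/zero-trust-manager-spire-agent-config.adoc` hunk (`@@ -29,20 +30,44 @@`), the new `logLevel::` and `logFormat::` entries describe "the SPIRE Server" although this is the `SpireAgent` spec; change both to "the SPIRE Agent". In the same where-list, `type::` now lists only `auto`, `hostCert`, and `skip`, while the removed callout `<5>` also listed `apiServerCA` and explained that `auto` tries `hostCert` first and then falls back to `apiServerCA`; either restore `apiServerCA` with that fallback sentence or, if the value was intentionally dropped, say what `auto` falls back to now, because the reader can no longer tell which verification is actually performed. Minor style: `name:: Must be named 'cluster'.` uses single quotes where the rest of the module uses backticks, and `/etc/kubernetes` in `hostCertBasePath::` should be monospaced like the other paths.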
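Review bot: In the `modules/zero-trust-manager-spire-server-config.adoc` hunk (`@@ -29,36 +29,89 @@`), the example sets `jwtKeyType: "rsa-248"`, which is not among the values the `jwtKeyType::` entry documents (`rsa-2048`, `rsa-4096`, `ec-p256`, `ec-p384`); a reader copying the example would get a rejected CR, so change it to `"rsa-2048"`. In the where-list, `cluster:: Must be named 'cluster'.` duplicates the `name::` entry and there is no `cluster` field in the spec; drop it. `jwtIssuer::` says the value may be an HTTP or HTTPS URL, but the example uses `https://` and the OIDC federation assembly in this same patch says external systems retrieve keys from the discovery endpoint; add a sentence that HTTPS is what OIDC verifiers expect, so that an `http://` issuer is not taken as a supported production setting. `federatesWith::` says each entry requires `trustDomain`, `bundleEndpointUrl`, and `bundleEndpointProfile`, but the example only shows `federatesWith: []`; a one-entry example would show the shape. Finally, `databaseType::` lists `sql` alongside `sqlite3`, `postgres`, `mysql`, `aws_postgresql`, and `aws_mysql`; please confirm `sql` is an accepted value of this field, since the upstream SPIRE datastore plugin accepts only the latter five as database types.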
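Review bot: In the `modules/zero-trust-manager-uninstall-resources.adoc` hunk `@@ -30,13 +23,6 @@`, the step that deletes the `SpiffeCSIDriver` CR is removed, and the later hunk also removes the `oc delete csidriver` step, so nothing in the procedure now removes the CSI driver resources. If deleting the `ZeroTrustWorkloadIdentityManager` CR (now the last operand step) is what cleans them up through owner references, say so in that step; otherwise a cluster-scoped `CSIDriver` object will be left behind after uninstall.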
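Review bot: In the `modules/zero-trust-manager-uninstall-resources.adoc` hunk `@@ -51,25 +37,25 @@`, the PVC is now deleted with `-l=app.kubernetes.io/name=spire-server`, but the verification in `zero-trust-manager-spire-server-config.adoc` in this same patch lists the PVC with `oc get pvc -l app.kubernetes.io/name=server` and shows it as `spire-data-spire-server-0`; one of the two selectors matches nothing, so align them. The `oc delete pvc` command also has no `-n` flag while the `oc delete service` command right after it is scoped to `-n zero-trust-workload-identity-manager`; both should be namespaced the same way. Since the install assembly in this patch now documents installing the Operator into a custom namespace, the hard-coded `zero-trust-workload-identity-manager` namespace in these commands (and in the later `oc delete ns` step) should be called out as needing to be replaced with the namespace that was actually used.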
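Review bot: In the `modules/zero-trust-manager-uninstall-resources.adoc` hunk `@@ -83,7 +69,7 @@`, the command under the cluster role binding step is changed from `oc delete clusterrolebinding ...` to `oc delete clusterrole -l=app.kubernetes.io/name=...`, and the very next step is already "Delete the cluster role" with `oc delete clusterrole -l=app.kubernetes.io/managed-by=...`. As written, the procedure deletes cluster roles twice with different labels and never deletes the cluster role binding; the intended line is almost certainly `$ oc delete clusterrolebinding -l=app.kubernetes.io/name=zero-trust-workload-identity-manager`, and the two label selectors should agree.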
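Review bot: In the `modules/zero-trust-manager-uninstall-resources.adoc` hunk `@@ -93,13 +79,6 @@`, the step deleting the `validatingwebhookconfigurations` is removed without a replacement. Confirm the Operator no longer registers a validating webhook; if it still does, a `ValidatingWebhookConfiguration` left behind after the Operator pods are gone will fail admission for the resources it matches (when its failure policy is `Fail`), which is exactly the kind of leftover an uninstall procedure should remove. The removed text also fixes nothing here, but note the original step had a typo ("wehhook") in case it is restored.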
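Review bot: In the new `modules/zero-trust-manager-verify-operands.adoc` file (`@@ -0,0 +1,46 @@`), the module never says which resource carries the shown `status` block or how to retrieve it; since the `operands` list names `SpireServer`, `SpireAgent`, `SpiffeCSIDriver`, and `SpireOIDCDiscoveryProvider`, it appears to be the `ZeroTrustWorkloadIdentityManager` status, so add the command (for example `oc get zerotrustworkloadidentitymanager cluster -o yaml`, adjusted to whatever resource actually owns it). The assembly path in the header comment is misspelled (`zero_trust_workload_identity_manageer`), the content type is `CONCEPT` although the title "Verify the health of the operands" reads as a procedure, and the file is missing its trailing newline.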
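Review bot: In the new `modules/zero-trust-manager-ztwim-cr.adoc` file (`@@ -0,0 +1,38 @@`), the header comment has the same `zero_trust_workload_identity_manageer` misspelling, and the file ends with extra blank lines. The abstract calls the CR "the primary custom resource that initializes the SPIRE deployments" and the sole owner of `trustDomain` and `clusterName` (both removed from the `SpireServer` and `SpireAgent` specs in this patch), which conflicts with the deployment order in the configuration assembly, where the SPIRE Server is listed before this CR; one of the two should change, see the note on that assembly.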
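Review bot: In the new `security/zero_trust_workload_identity_manager/zero-trust-manager-components.adoc` assembly (`@@ -0,0 +1,25 @@`), the four included modules `zero-trust-manager-about-csi-driver.adoc`, `zero-trust-manager-about-oidc-provider.adoc`, `zero-trust-manager-about-controller-manager.adoc`, and `zero-trust-manager-server-agent-telemetry.adoc` are not added anywhere in this diff, while the only existing components module, `zero-trust-manager-about-components.adoc`, is deleted; confirm those files exist in the tree or the build will break. The file also lacks a trailing newline.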
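Review bot: In the `security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc` hunk (`@@ -4,22 +4,24 @@`), the intro still says "You must deploy the operands in the following sequence", but the list is changed from a numbered `.` list to a bulleted `*` list, which drops the ordering the sentence relies on; keep it numbered. The new order places `SPIRE Server` before the `ZeroTrustWorkloadIdentityManager` CR even though the new ztwim-cr module describes that CR as the one that initializes the SPIRE deployments and now holds `trustDomain` and `clusterName`; either the list or the module needs to change. In the second hunk, the comment above `include::modules/zero-trust-manager-verify-operands.adoc[...]` reads "Deploying and configuring OIDC Discovery Provider" (copied from the line above) and should describe the verify-operands module; the three trailing blank lines can go.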
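Review bot: In the `security/zero_trust_workload_identity_manager/zero-trust-manager-monitoring.adoc` hunk (`@@ -37,4 +37,7 @@`), the new `include::modules/zero-trust-manager-available-metrics.adoc[leveloffset=+1]` is placed after the `[role="_additional-resources"]` section, so the metrics reference will render below "Additional resources" instead of as part of the body; move the include above that section. The file also still lacks a trailing newline.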