openshift · wgabor0427 · Dec 1, 2025
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -1234,6 +1234,8 @@ Topics:
   Topics:
   - Name: Zero Trust Workload Identity Manager overview
     File: zero-trust-manager-overview
+  - Name: Zero Trust Workload Identity Manager components
+    File: zero-trust-manager-components
   - Name: Zero Trust Workload Identity Manager release notes
     File: zero-trust-manager-release-notes
   - Name: Installing Zero Trust Workload Identity Manager
@@ -3685,8 +3687,6 @@ Topics:
     Topics:
     - Name: OADP 1.5 release notes
       File: oadp-1-5-release-notes
-    - Name: Upgrading OADP 1.4 to 1.5
-      File: oadp-upgrade-notes-1-5
   - Name: OADP performance
     Dir: oadp-performance
     Topics:

diff --git a/modules/zero-trust-manager-about-components.adoc b/modules/zero-trust-manager-about-components.adoc
diff --git a/modules/zero-trust-manager-about-controller-manager.adoc b/modules/zero-trust-manager-about-controller-manager.adoc
@@ -0,0 +1,12 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-about-controller-manager_{context}"]
+= SPIRE Controller Manager
+
+The SPIRE Controller Manager uses custom resource definitions (CRDs) to facilitate the registration of workloads. To facilitate workload registration, the SPIRE Controller Manager registers controllers against pods and CRDs. When changes are detected on these resources, a workload reconciliation process is triggered. This process determines which SPIRE entries should exist based on the existing pods and CRDs. The reconciliation process creates, updates, and deletes entries on the SPIRE Server as appropriate.
+
+The SPIRE Controller Manager is designed to be deployed on the same pod as the SPIRE Server. The manager communicates with the SPIRE Server API using a private UNIX Domain Socket within a shared volume.
+
diff --git a/modules/zero-trust-manager-about-csi-driver.adoc b/modules/zero-trust-manager-about-csi-driver.adoc
@@ -0,0 +1,12 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-about-csi-driver_{context}"]
+= SPIFFE CSI Driver
+
+The SPIFFE Container Storage Interface (CSI) is a plugin that helps pods securely obtain their {svid-full} by delivering the Workload API socket into the pod. The SPIFFE CSI driver is deployed as a daemonset on the cluster ensuring that a driver instance runs on each node. The driver uses the ephemeral inline volume capability of Kubernetes allowing pods to request volumes directly provided by the SPIFFE CSI driver. This simplifies their use by applications that need temporary storage.
+
+When the pod starts, the Kubelet calls the SPIFFE CSI driver to provision and mount a volume into the pod's containers. The SPIFFE CSI driver mounts a directory that contains the SPIFFE Workload API into the pod. Applications in the pod then communicate with the Workload API to obtain their SVIDs. The driver guarantees that each SVID is unique.
+
diff --git a/modules/zero-trust-manager-about-oidc-provider.adoc b/modules/zero-trust-manager-about-oidc-provider.adoc
@@ -0,0 +1,9 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-about-oidc-provider_{context}"]
+= SPIRE OpenID Connect Discovery Provider
+
+The SPIRE OpenID Connect Discovery Provider is a standalone component that makes SPIRE-issued JWT-SVIDs compatible with standard OpenID Connect (OIDC) users by exposing a open ID configuration endpoint and a JWKS URI for token verification. It is essential for integrating SPIRE-based workload identity with systems that require OIDC-compliant tokens, especially, external APIs. While SPIRE primarily issues identities for workloads, additional workload-related claims can be embedded into JWT-SVIDs through the configuration of SPIRE, which these claims to be included in the token and verified by OIDC-compliant clients.
diff --git a/modules/zero-trust-manager-cluster-requirements.adoc b/modules/zero-trust-manager-cluster-requirements.adoc
@@ -0,0 +1,19 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-prepare-environment.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-cluster-requirements_{context}"]
+= Reviewing cluster requirements
+
+[role="_abstract"]
+Prepare your {product-title} cluster by verifying version compatibility and validating that the administrator has access permissions. You must also configure persistent storage and Domain Name Service (DNS) resolution to support SPIRE Server and OIDC discovery endpoints.
+
+* {product-title} 4.14 or later
+
+* Cluster administrator access
+
+* Persistent storage available (for SPIRE Server)
+
+* DNS resolution for OIDC discovery endpoints
+
diff --git a/modules/zero-trust-manager-install-console.adoc b/modules/zero-trust-manager-install-console.adoc
@@ -6,7 +6,7 @@
 [id="zero-trust-manager-install-console_{context}"]
 = Installing the {zero-trust-full} by using the web console
 
-You can use the web console to install the {zero-trust-full}.
+Use the OperatorHub in the {product-title} web console to install the {zero-trust-full}. This process streamlines deployment and helps ensure the Operator is installed in the correct namespace with the appropriate installation mode.
 
 .Prerequisites
 
@@ -18,46 +18,26 @@ You can use the web console to install the {zero-trust-full}.
 
 . Log in to the {product-title} web console.
 
-. Go to *Ecosystem* -> *Software Catalog*.
+. Go to *Operators* -> *OperatorHub*.
 
-. Enter *{zero-trust-full}* into the filter box.
+. Search for *{zero-trust-full}*
 
-. Select the *{zero-trust-full}*
+. Select the installation mode and target namespace.
 
-. Select the {zero-trust-full} version from *Version* drop-down list, and click *Install*.
-
-. On the *Install Operator* page:
-
-.. Update the *Update channel*, if necessary. The channel defaults to *tech-preview-v0.1*, which installs the latest Technology Preview v0.1 release of the {zero-trust-full}.
-
-.. Choose the *Installed Namespace* for the Operator. The default Operator namespace is `zero-trust-workload-identity-manager`.
-+
-If the `zero-trust-workload-identity-manager` namespace does not exist, it is created for you.
-
-.. Select an *Update approval* strategy.
-+
-* The *Automatic* strategy allows Operator Lifecycle Manager (OLM) to automatically update the Operator when a new version is available.
-+
-* The *Manual* strategy requires a user with appropriate credentials to approve the Operator update.
-
-.. Click *Install*.
+. Click *Install*.
 
 .Verification
 
-* Navigate to *Ecosystem* -> *Installed Operators*.
-
-** Verify that *{zero-trust-full}* is listed with a *Status* of *Succeeded* in the `zero-trust-workload-identity-manager` namespace.
-
-** Verify that {zero-trust-full} controller manager deployment is ready and available by running the following command:
+. To check the Operator pod status, run the following command:
 +
 [source,terminal]
 ----
-$ oc get deployment -l name=zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager
+$ oc get pods -n zero-trust-workload-identity-manager
 ----
+
+. To check the Operator logs, run the following command:
 +
-.Example output
 [source,terminal]
 ----
-NAME                                                            READY   UP-TO-DATE    AVAILABLE  AGE
-zero-trust-workload-identity-manager-controller-manager-6c4djb  1/1     1             1          43m
+oc logs -f deployment/zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager
 ----
diff --git a/modules/zero-trust-manager-network-requirements.adoc b/modules/zero-trust-manager-network-requirements.adoc
@@ -0,0 +1,38 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-prepare-environment.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-network-requirements_{context}"]
+= Reviewing network requirements
+
+[role="_abstract"]
+Configure the necessary network ports to enable communication between the SPIRE Server, agents, and the OIDC provider. Opening these ports allows for agent-to-server traffic, webhook server access, and federation bundle endpoint access.
+
+[cols="1,1,1,1", options="header"]
+|====
+|Component
+|Port
+|Protocol
+|Description
+
+|SPIRE Server
+|8081
+|gRPC
+|Agent-to-Server communication
+
+|SPIRE Server
+|8443
+|HTTPS
+|Federation bundle endpoint
+
+|OIDC Provider
+|443
+|HTTPS
+|OIDC discovery endpoint
+
+|SPIRE Controller Manager
+|9443
+|HTTPS
+|Webhook server
+|====
diff --git a/modules/zero-trust-manager-server-agent-telemetry.adoc b/modules/zero-trust-manager-server-agent-telemetry.adoc
@@ -0,0 +1,9 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-server-agent-telemetry_{context}"]
+= SPIRE Server and Agent telemetry
+
+SPIRE Server and Agent telemetry provide insight into the health of the SPIRE deployment. The metrics are in the format provided by the Prometheus Operator. The metrics exposed help in understanding server health & lifecycle, SPIRE component performance, attestation and SVID issuance, and plugin statistics.
diff --git a/modules/zero-trust-manager-storage-requirements.adoc b/modules/zero-trust-manager-storage-requirements.adoc
@@ -0,0 +1,17 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-prepare-environment.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-storage-requirements_{context}"]
+= Provisioning storage requirements
+
+[role="_abstract"]
+Provision persistent storage volumes to support the SPIRE Server data. While a minimum volume size works for testing, production environments usually require larger volumes or an external database to support high availability deployments.
+
+* Minimum 1Gi persistent volume for SPIRE Server
+
+* Recommended 5Gi for production with SQLite
+
+* External database for high availability deployments
+
diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-components.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-components.adoc
@@ -0,0 +1,26 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="zero-trust-manager-components"]
+= Zero Trust Workload Identity Manager components
+
+include::_attributes/common-attributes.adoc[]
+:context: zero-trust-manager-components
+
+toc::[]
+
+[role="_abstract"]
+Review the components available in the initial release of Zero Trust Workload Identity Manager to understand the architecture. These components provide the foundation for identifying and securing your workloads.
+
+// about csi driver
+include::modules/zero-trust-manager-about-csi-driver.adoc[leveloffset=+1]
+
+// about oidc provider
+include::modules/zero-trust-manager-about-oidc-provider.adoc[leveloffset=+1]
+
+// about controller manager
+include::modules/zero-trust-manager-about-controller-manager.adoc[leveloffset=+1]
+
+// about controller manager
+include::modules/zero-trust-manager-server-agent-telemetry.adoc[leveloffset=+1]
+
+// about controller manager
+include::modules/zero-trust-manager-how-it-works.adoc[leveloffset=+1]
diff --git a/...rity/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc b/...rity/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc
@@ -7,9 +7,6 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-:FeatureName: Zero Trust Workload Identity Manager
-include::snippets/technology-preview.adoc[]
-
 You can deploy the following operands by creating the respective custom resources (CRs). You must deploy the operands in the following sequence to ensure successful installation.
 
 . SPIRE Server

diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-install.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-install.adoc
@@ -7,17 +7,24 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-:FeatureName: Zero Trust Workload Identity Manager for Red{nbsp}Hat OpenShift
+[role="_abstract"]
+Install {zero-trust-full} to help ensure secure communication between your workloads. You can install the {zero-trust-full} by using either the web console or CLI.
 
-include::snippets/technology-preview.adoc[]
+If you install the Operator into a custom namespace (for example, `my-custom-namespace`), all managed operand resources are deployed within that same namespace. All secrets and ConfigMaps referenced by the Custom Resources (CRs) must also exist in that custom namespace.
 
-The {zero-trust-full} is not installed in {product-title} by default. You can install the {zero-trust-full} by using either the web console or CLI.
+[IMPORTANT]
+====
+The Operator installation is not supported in the `openshift-*` namespaces and the `default` namespace.
+====
 
+[NOTE]
+====
+A minimum of 1Gi persistent volume is required to install the SPIRE Server.
+====
 
-== Installing the {zero-trust-full}
 // Installing the {zero-trust-full} using the web console
-include::modules/zero-trust-manager-install-console.adoc[leveloffset=+2]
+include::modules/zero-trust-manager-install-console.adoc[leveloffset=+1]
 
 // Installing the {zero-trust-full} using CLI
-include::modules/zero-trust-manager-install-cli.adoc[leveloffset=+2]
+include::modules/zero-trust-manager-install-cli.adoc[leveloffset=+1]
 
diff --git a/...ty/zero_trust_workload_identity_manager/zero-trust-manager-oidc-federation.adoc b/...ty/zero_trust_workload_identity_manager/zero-trust-manager-oidc-federation.adoc
@@ -10,10 +10,6 @@ toc::[]
 
 {zero-trust-full} integrates with OpenID Connect (OIDC) by allowing a SPIRE server to act as an OIDC provider. This enables workloads to request and receive verifiable JSON Web Tokens - SPIFFE Verifiable Identity Documents (JWT-SVIDs) from the local SPIRE agent. External systems, such as cloud providers, can then use the OIDC discovery endpoint exposed by the SPIRE server to retrieve public keys.
 
-:FeatureName: Zero Trust Workload Identity Manager for Red{nbsp}Hat OpenShift
-
-include::snippets/technology-preview.adoc[]
-
 The following providers are verified to work with SPIRE OIDC federation:
 
 * Azure Entra ID

diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-overview.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-overview.adoc
@@ -7,38 +7,22 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-:FeatureName: Zero Trust Workload Identity Manager
-include::snippets/technology-preview.adoc[]
+[role="_abstract"]
+The Zero Trust Workload Identity Manager is an {product-title} Operator that manages the lifecycle of SPIFFE Runtime Environment (SPIRE) components. It enables workload identity management based on the Secure Production Identity Framework for Everyone (SPIFFE) standard, providing cryptographically verifiable identities (SVIDs) to workloads running in {product-title} clusters.
 
-The {zero-trust-full} leverages {spiffe-full} and the SPIFFE Runtime Environment (SPIRE) to provide a comprehensive identity management solution for distributed systems. SPIFFE and SPIRE provide a standardized approach to workload identity, allowing workloads to communicate with other services whether on the same cluster, or in another environment.
+The following are  components of the {zero-trust-full} architecture:
 
-{zero-trust-full} replaces long-lived, manually managed secrets with cryptographically verifiable identities. It provides strong authentication ensuring workloads that are communicating with each other are who they claim to be. SPIRE automates the issuing, rotating, and revoking of a {svid-full}, reducing the workload of developers and administrators managing secrets.
-
-SPIFFE can work across diverse infrastructures including on-premise, cloud, and hybrid environments. SPIFFE identities are cryptographically enabled providing a basis for auditing and compliance.
-
-The following are components of the {zero-trust-full} architecture:
-
-//SPIFFE
+// about spiffe
 include::modules/zero-trust-manager-about-spiffe.adoc[leveloffset=+1]
 
-//SPIRE
-include::modules/zero-trust-manager-about-spire.adoc[leveloffset=+1]
-
-//SPIRE Agent
-include::modules/zero-trust-manager-about-agent.adoc[leveloffset=+1]
 
-//Attestation
-include::modules/zero-trust-manager-about-attestation.adoc[leveloffset=+1]
-
-//== Zero Trust Workload Identity Manager components and features
+// about spire
+include::modules/zero-trust-manager-about-spire.adoc[leveloffset=+1]
 
-// SPIFFE SPIRE components
-include::modules/zero-trust-manager-about-components.adoc[leveloffset=+1]
 
-//SPIRE features
-include::modules/zero-trust-manager-about-features.adoc[leveloffset=+1]
+// about agent
+include::modules/zero-trust-manager-about-agent.adoc[leveloffset=+1]
 
-//
-//How it works
-include::modules/zero-trust-manager-how-it-works.adoc[leveloffset=+1]
 
+// about attestation
+include::modules/zero-trust-manager-about-attestation.adoc[leveloffset=+1]
diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-uninstall.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-uninstall.adoc
@@ -6,10 +6,6 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-:FeatureName: Zero Trust Workload Identity Manager
-
-include::snippets/technology-preview.adoc[]
-
 You can remove the {zero-trust-full} from {product-title} by uninstalling the Operator and removing its related resources.
 
 // Uninstalling the {zero-trust-full}