Merge pull request #94342 from wgabor0427/OSDOCS-14526

snarayan-redhat · web-flow · commit 1e722de34439 · 2025-06-23T16:37:29.000+05:30
OSDOCS-14526 created configuration section
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -1269,6 +1269,8 @@ Topics:
     File: zero-trust-manager-install
   - Name: Uninstalling Zero Trust Workload Identity Manager
     File: zero-trust-manager-uninstall
+  - Name: Deploying Zero Trust Workload Identity Manager operands
+    File: zero-trust-manager-configuration
 ---
 Name: Authentication and authorization
 Dir: authentication
diff --git a/modules/zero-trust-manager-oidc-config.adoc b/modules/zero-trust-manager-oidc-config.adoc
@@ -0,0 +1,75 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-configuration.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-oidc-config_{context}"]
+= Deploying the SPIRE OpenID Connect Discovery Provider
+
+You can configure the `SpireOIDCDiscoveryProvider` custom resource (CR) to deploy and configure the SPIRE OpenID Connect (OIDC) Discovery Provider.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+* You have installed {zero-trust-full} in the cluster.
+
+.Procedure
+
+. Create the `SpireOIDCDiscoveryProvider` CR:
+
+.. Create a YAML file that defines the `SpireOIDCDiscoveryProvider` CR, for example, `SpireOIDCDiscoveryProvider.yaml`:
++
+.Example `SpireOIDCDiscoveryProvider.yaml`
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: SpireOIDCDiscoveryProvider
+metadata:
+  name: cluster
+spec:
+  trustDomain: <trust_domain> #<1>
+  agentSocketPath: 'spire-agent.sock' #<2>
+  jwtIssuer: <jwt_issuer_domain> #<3>
+----
+<1> The trust domain to be used for the SPIFFE identifiers.
+<2> The name of the SPIRE agent unix socket.
+<3> The JSON Web Token (JWT) issuer domain. The default value is set to the value specified in `oidc-discovery.$trustDomain`.
+
+.. Apply the configuration by running the following command:
++
+[source, terminal]
+----
+$ oc apply -f SpireOIDCDiscoveryProvider.yaml
+----
+
+.Verification
+
+. Verify that the deployment of OIDC Discovery Provider is ready and available by running the following command:
++
+[source,terminal]
+----
+$ oc get deployment -l app.kubernetes.io/name=spiffe-oidc-discovery-provider -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                    READY  UP-TO-DATE  AVAILABLE  AGE
+spire-spiffe-oidc-discovery-provider    1/1    1           1          2m58s
+----
+
+. Verify that the status of OIDC Discovery Provider pods is `Running` by running the following command:
++
+[source,terminal]
+----
+$ oc get po -l app.kubernetes.io/name=spiffe-oidc-discovery-provider -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                                    READY   STATUS    RESTARTS   AGE
+spire-spiffe-oidc-discovery-provider-64586d599f-lcc94   2/2     Running   0          7m15s
+----
diff --git a/modules/zero-trust-manager-spiffe-csidriver-config.adoc b/modules/zero-trust-manager-spiffe-csidriver-config.adoc
@@ -0,0 +1,73 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-configuration.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-spire-csidriver-config_{context}"]
+= Deploying the SPIFFE Container Storage Interface driver
+
+You can configure the `SpiffeCSIDriver` custom resource (CR) to deploy and configure a SPIRE agent.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+* You have installed {zero-trust-full} in the cluster.
+
+.Procedure
+
+. Create the `SpiffeCSIDriver` CR:
+
+.. Create a YAML file that defines the `SpiffeCSIDriver` CR object, for example, `SpiffeCSIDriver.yaml`:
++
+.Example `SpiffeCSIDriver.yaml`
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: SpiffeCSIDriver
+metadata:
+  name: cluster
+spec:
+  agentSocketPath: '/run/spire/agent-sockets/spire-agent.sock' #<1>
+----
+<1> The UNIX socket path to the SPIRE agent.
+
+.. Apply the configuration by running the following command:
++
+[source, terminal]
+----
+$ oc apply -f SpiffeCSIDriver.yaml
+----
+
+.Verification
+
+. Verify that the daemon set of the SPIFFE CSI driver is ready and available by running the following command:
++
+[source,terminal]
+----
+$ oc get daemonset -l app.kubernetes.io/name=spiffe-csi-driver -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME                      DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
+spire-spiffe-csi-driver   3         3         3       3            3           <none>          114s
+----
+
+. Verify that the status of SPIFFE Container Storage Interface (CSI) Driver pods is `Running` by running the following command:
++
+[source,terminal]
+----
+$ oc get po -l app.kubernetes.io/name=spiffe-csi-driver -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME                            READY   STATUS    RESTARTS   AGE
+spire-spiffe-csi-driver-gpwcp   2/2     Running   0          2m37s
+spire-spiffe-csi-driver-rrbrd   2/2     Running   0          2m37s
+spire-spiffe-csi-driver-w6s6q   2/2     Running   0          2m37s
+----
diff --git a/modules/zero-trust-manager-spire-agent-config.adoc b/modules/zero-trust-manager-spire-agent-config.adoc
@@ -0,0 +1,84 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-configuration.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-spire-agent-config_{context}"]
+= Deploying the SPIRE agent
+
+You can configure the `SpireAgent` custom resource (CR) to deploy and configure a SPIRE agent.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+* You have installed {zero-trust-full} in the cluster.
+
+.Procedure
+
+. Create the `SpireAgent` CR:
+
+.. Create a YAML file that defines the `SpireAgent` CR, for example, `SpireAgent.yaml`:
++
+.Example `SpireAgent.yaml`
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: SpireAgent
+metadata:
+  name: cluster
+spec:
+  trustDomain: <trust_domain> #<1>
+  clusterName: <cluster_name> #<2>
+  nodeAttestor:
+    k8sPSATEnabled: "true" #<3>
+  workloadAttestors:
+    k8sEnabled: "true" #<4>
+    workloadAttestorsVerification:
+      type: "auto" #<5>
+----
+<1> The trust domain to be used for the SPIFFE identifiers.
+<2> The name of your cluster.
+<3> Enable or disable the projected service account token (PSAT) Kubernetes node attestor. The valid options are `true` and `false`.
+<4> Enable or disable the Kubernetes workload attestor. The valid options are `true` and `false`.
+<5> The type of verification to be done against kubelet. Valid options are `auto`, `hostCert`, `apiServerCA`, `skip`. The `auto` option initially attempts to use `hostCert`, and then falls back to `apiServerCA`.
+
+.. Apply the configuration by running the following command:
++
+[source, terminal]
+----
+$ oc apply -f SpireAgent.yaml
+----
+
+.Verification
+
+. Verify that the daemon set of the SPIRE agent is ready and available by running the following command
++
+[source,terminal]
+----
+$ oc get daemonset -l app.kubernetes.io/name=agent -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
+spire-agent   3         3         3       3            3           <none>          10m
+----
+
+. Verify that the status of SPIRE agent pods is `Running` by running the following command:
++
+[source,terminal]
+----
+$ oc get po -l app.kubernetes.io/name=agent -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME                READY   STATUS    RESTARTS   AGE
+spire-agent-dp4jb   1/1     Running   0          12m
+spire-agent-nvwjm   1/1     Running   0          12m
+spire-agent-vtvlk   1/1     Running   0          12m
+----
diff --git a/modules/zero-trust-manager-spire-server-config.adoc b/modules/zero-trust-manager-spire-server-config.adoc
@@ -0,0 +1,112 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-configuration.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-spire-server-config_{context}"]
+= Deploying the SPIRE server
+
+You can configure the `SpireServer` custom resource (CR) to deploy and configure a SPIRE server.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+* You have installed {zero-trust-full} in the cluster.
+
+.Procedure
+
+. Create the `SpireServer` CR:
+
+.. Create a YAML file that defines the `SpireServer` CR, for example, `SpireServer.yaml`:
++
+.Example `SpireServer.yaml`
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: SpireServer
+metadata:
+  name: cluster
+spec:
+  trustDomain: <trust_domain> #<1>
+  clusterName: <cluster_name> #<2>
+  caSubject:
+    commonName: example.org #<3>
+    country: "US" #<4>
+    organization: "RH" #<5>
+  persistence:
+    type: pvc #<6>
+    size: "5Gi" #<7>
+    accessMode: ReadWriteOnce #<8>
+  datastore:
+    databaseType: sqlite3
+    connectionString: "/run/spire/data/datastore.sqlite3"
+    maxOpenConns: 100 #<9>
+    maxIdleConns: 2 #<10>
+    connMaxLifetime: 3600 #<11>
+  jwtIssuer: <jwt_issuer_domain> #<12>
+----
+<1> The trust domain to be used for the SPIFFE identifiers.
+<2> The name of your cluster.
+<3> The common name for SPIRE server CA.
+<4> The country for SPIRE server CA.
+<5> The organization for SPIRE server CA.
+<6> The type of volume to be used for persistence. The valid options are `pvc` and `hostPath`.
+<7> The size of volume to be used for persistence
+<8> The access mode to be used for persistence. The valid options are `ReadWriteOnce`, `ReadWriteOncePod`, and `ReadWriteMany`.
+<9> The maximum number of open database connections.
+<10> The maximum number of idle connections in the pool.
+<11> The maximum amount of time a connection can be reused. To specify an unlimited time, you can set the value to `0`.
+<12> The JSON Web Token (JWT) issuer domain. The default value is set to the value specified in `oidc-discovery.$trustDomain`.
+
+.. Apply the configuration by running the following command:
++
+[source, terminal]
+----
+$ oc apply -f SpireServer.yaml
+----
+
+.Verification
+
+. Verify that the stateful set of SPIRE server is ready and available by running the following command:
++
+[source,terminal]
+----
+$ oc get statefulset -l app.kubernetes.io/name=server -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME            READY   AGE
+spire-server    1/1     65s
+----
+
+. Verify that the status of SPIRE server pod is `Running` by running the following command:
++
+[source,terminal]
+----
+$ oc get po -l app.kubernetes.io/name=server -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME               READY   STATUS    RESTARTS        AGE
+spire-server-0     2/2     Running   1 (108s ago)    111s
+----
+
+. Verify that the persistent volume claim (PVC) is bound, by running the following command:
++
+[source,terminal]
+----
+$ oc get pvc -l app.kubernetes.io/name=server -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME                        STATUS    VOLUME                                     CAPACITY   ACCESS MODES  STORAGECLASS  VOLUMEATTRIBUTECLASS  AGE
+spire-data-spire-server-0   Bound     pvc-27a36535-18a1-4fde-ab6d-e7ee7d3c2744   5Gi        RW0           gp3-csi       <unset>               22m
+----
diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc
@@ -0,0 +1,35 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="zero-trust-manager-configuration"]
+= Deploying Zero Trust Workload Identity Manager operands
+
+include::_attributes/common-attributes.adoc[]
+:context: zero-trust-manager-configuration
+
+toc::[]
+
+:FeatureName: Zero Trust Workload Identity Manager
+include::snippets/technology-preview.adoc[]
+
+You can deploy the following operands by creating the respective custom resources (CRs). You must deploy the operands in the following sequence to ensure successful installation.
+
+. SPIRE Server
+
+. SPIRE Agent
+
+. SPIFFE CSI driver
+
+. SPIRE OIDC discovery provider
+
+// Deploying and configuring SPIRE server
+include::modules/zero-trust-manager-spire-server-config.adoc[leveloffset=+1]
+
+// Deploying and configuring SPIRE agent
+include::modules/zero-trust-manager-spire-agent-config.adoc[leveloffset=+1]
+
+// Deploying and configuring SPIFFE CSI Driver
+include::modules/zero-trust-manager-spiffe-csidriver-config.adoc[leveloffset=+1]
+
+// Deploying and configuring OIDC Discovery Provider
+include::modules/zero-trust-manager-oidc-config.adoc[leveloffset=+1]
+
+
