ZTWIM deploying operands

Author: snarayan-redhat

_topic_maps/_topic_map.yml

@@ -1263,10 +1263,14 @@ Topics:
   Topics:
   - Name: Zero Trust Workload Identity Manager overview
     File: zero-trust-manager-overview
+  - Name: Zero Trust Workload Identity Manager features
+    File: zero-trust-manager-features
   - Name: Installing Zero Trust Workload Identity Manager
     File: zero-trust-manager-install
   - Name: Uninstalling Zero Trust Workload Identity Manager
     File: zero-trust-manager-uninstall
+  - Name: Deploying Zero Trust Workload Identity Manager operands
+    File: zero-trust-manager-configuration
 ---
 Name: Authentication and authorization
 Dir: authentication

modules/zero-trust-manager-about-components.adoc

@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-about-features_{context}"]
+= {zero-trust-full} components
+
+The following components are available as part of the initial release of {zero-trust-full}.
+
+[id="spiffe-csi-driver_{context}"]
+== SPIFFE CSI Driver
+
+The SPIFFE Container Storage Interface (CSI) is a plugin that helps pods securely obtain their {svid-full} by delivering the Workload API socket into the pod. The SPIFFE CSI driver is deployed as a daemonset on the cluster ensuring that a driver instance runs on each node. The driver uses the ephemeral inline volume capability of Kubernetes allowing pods to request volumes directly provided by the SPIFFE CSI driver. This simplifies their use by applications that need temporary storage.
+
+When the pod starts, the Kubelet calls the SPIFFE CSI driver to provision and mount a volume into the pod's containers. The SPIFFE CSI driver mounts a directory that contains the SPIFFE Workload API into the pod. Applications in the pod then communicate with the Workload API to obtain their SVIDs. The driver guarantees that each SVID is unique.
+
+[id="spire-oidc-federation_{context}"]
+== SPIRE OpenID Connect Discovery Provider
+
+The SPIRE OpenID Connect Discovery Provider is a standalone component that makes SPIRE-issued JWT-SVIDs compatible with standard OpenID Connect (OIDC) users by exposing a open ID configuration endpoint and a JWKS URI for token verification. It is essential for integrating SPIRE-based workload identity with systems that require OIDC-compliant tokens, especially, external APIs. While SPIRE primarily issues identities for workloads, additional workload-related claims can be embedded into JWT-SVIDs through the configuration of SPIRE, which these claims to be included in the token and verified by OIDC-compliant clients.
+
+[id="spire-controller-manager_{context}"]
+== SPIRE Controller Manager
+
+The SPIRE Controller Manager uses custom resource definitions (CRDs) to facilitate the registration of workloads. To facilitate workload registration, the SPIRE Controller Manager registers controllers against pods and CRDs. When changes are detected on these resources, a workload reconciliation process is triggered. This process determines which SPIRE entries should exist based on the existing pods and CRDs. The reconciliation process creates, updates, and deletes entries on the SPIRE server as appropriate.
+
+The SPIRE Controller Manager is designed to be deployed on the same pod as the SPIRE server. The manager communicates with the SPIRE server API using a private UNIX Domain Socket within a shared volume.
+
+

modules/zero-trust-manager-about-features.adoc

@@ -0,0 +1,12 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="ztwim_features_{context}"]
+= {zero-trust-full} features
+
+[id="spire-telemetry_{context}"]
+== SPIRE server and agent telemetry
+
+SPIRE server and agent telemetry provide insight into the health of the SPIRE deployment. The metrics are in the format provided by the Prometheus Operator. The metrics exposed help in understanding server health & lifecycle, spire component performance, attestation and SVID issuance and plugin statistics.

modules/zero-trust-manager-oidc-config.adoc

@@ -0,0 +1,75 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-configuration.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-oidc-config_{context}"]
+= Deploying the SPIRE OpenID Connect Discovery Provider
+
+You can configure the `SpireOIDCDiscoveryProvider` custom resource (CR) to deploy and configure the SPIRE OpenID Connect (OIDC) Discovery Provider.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+* You have installed {zero-trust-full} in the cluster.
+
+.Procedure
+
+. Create the `SpireOIDCDiscoveryProvider` CR:
+
+.. Create a YAML file that defines the `SpireOIDCDiscoveryProvider` CR, for example, `SpireOIDCDiscoveryProvider.yaml`:
++
+.Example `SpireOIDCDiscoveryProvider.yaml`
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: SpireOIDCDiscoveryProvider
+metadata:
+  name: cluster
+spec:
+  trustDomain: <trust_domain> #<1>
+  agentSocketPath: 'spire-agent.sock' #<2>
+  jwtIssuer: <jwt_issuer_domain> #<3>
+----
+<1> The trust domain to be used for the SPIFFE identifiers.
+<2> The name of the SPIRE agent unix socket.
+<3> The JSON Web Token (JWT) issuer domain. The default value is set to the value specified in `oidc-discovery.$trustDomain`.
+
+.. Apply the configuration by running the following command:
++
+[source, terminal]
+----
+$ oc apply -f SpireOIDCDiscoveryProvider.yaml
+----
+
+.Verification
+
+. Verify that the deployment of OIDC Discovery Provider is ready and available by running the following command:
++
+[source,terminal]
+----
+$ oc get deployment -l app.kubernetes.io/name=spiffe-oidc-discovery-provider -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                    READY  UP-TO-DATE  AVAILABLE  AGE
+spire-spiffe-oidc-discovery-provider    1/1    1           1          2m58s
+----
+
+. Verify that the status of OIDC Discovery Provider pods is `Running` by running the following command:
++
+[source,terminal]
+----
+$ oc get po -l app.kubernetes.io/name=spiffe-oidc-discovery-provider -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                                    READY   STATUS    RESTARTS   AGE
+spire-spiffe-oidc-discovery-provider-64586d599f-lcc94   2/2     Running   0          7m15s
+----

modules/zero-trust-manager-spiffe-csidriver-config.adoc

@@ -0,0 +1,73 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-configuration.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-spire-csidriver-config_{context}"]
+= Deploying the SPIFFE Container Storage Interface driver
+
+You can configure the `SpiffeCSIDriver` custom resource (CR) to deploy and configure a SPIRE agent.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+* You have installed {zero-trust-full} in the cluster.
+
+.Procedure
+
+. Create the `SpiffeCSIDriver` CR:
+
+.. Create a YAML file that defines the `SpiffeCSIDriver` CR object, for example, `SpiffeCSIDriver.yaml`:
++
+.Example `SpiffeCSIDriver.yaml`
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: SpiffeCSIDriver
+metadata:
+  name: cluster
+spec:
+  agentSocketPath: '/run/spire/agent-sockets/spire-agent.sock' #<1>
+----
+<1> The UNIX socket path to the SPIRE agent.
+
+.. Apply the configuration by running the following command:
++
+[source, terminal]
+----
+$ oc apply -f SpiffeCSIDriver.yaml
+----
+
+.Verification
+
+. Verify that the daemon set of the SPIFFE CSI driver is ready and available by running the following command:
++
+[source,terminal]
+----
+$ oc get daemonset -l app.kubernetes.io/name=spiffe-csi-driver -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME                      DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
+spire-spiffe-csi-driver   3         3         3       3            3           <none>          114s
+----
+
+. Verify that the status of SPIFFE Container Storage Interface (CSI) Driver pods is `Running` by running the following command:
++
+[source,terminal]
+----
+$ oc get po -l app.kubernetes.io/name=spiffe-csi-driver -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME                            READY   STATUS    RESTARTS   AGE
+spire-spiffe-csi-driver-gpwcp   2/2     Running   0          2m37s
+spire-spiffe-csi-driver-rrbrd   2/2     Running   0          2m37s
+spire-spiffe-csi-driver-w6s6q   2/2     Running   0          2m37s
+----

modules/zero-trust-manager-spire-agent-config.adoc

@@ -0,0 +1,84 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-configuration.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-spire-agent-config_{context}"]
+= Deploying the SPIRE agent
+
+You can configure the `SpireAgent` custom resource (CR) to deploy and configure a SPIRE agent.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+* You have installed {zero-trust-full} in the cluster.
+
+.Procedure
+
+. Create the `SpireAgent` CR:
+
+.. Create a YAML file that defines the `SpireAgent` CR, for example, `SpireAgent.yaml`:
++
+.Example `SpireAgent.yaml`
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: SpireAgent
+metadata:
+  name: cluster
+spec:
+  trustDomain: <trust_domain> #<1>
+  clusterName: <cluster_name> #<2>
+  nodeAttestor:
+    k8sPSATEnabled: "true" #<3>
+  workloadAttestors:
+    k8sEnabled: "true" #<4>
+    workloadAttestorsVerification:
+      type: "auto" #<5>
+----
+<1> The trust domain to be used for the SPIFFE identifiers.
+<2> The name of your cluster.
+<3> Enable or disable the projected service account token (PSAT) Kubernetes node attestor. The valid options are `true` and `false`.
+<4> Enable or disable the Kubernetes workload attestor. The valid options are `true` and `false`.
+<5> The type of verification to be done against kubelet. Valid options are `auto`, `hostCert`, `apiServerCA`, `skip`. The `auto` option initially attempts to use `hostCert`, and then falls back to `apiServerCA`.
+
+.. Apply the configuration by running the following command:
++
+[source, terminal]
+----
+$ oc apply -f SpireAgent.yaml
+----
+
+.Verification
+
+. Verify that the daemon set of the SPIRE agent is ready and available by running the following command
++
+[source,terminal]
+----
+$ oc get daemonset -l app.kubernetes.io/name=agent -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME          DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
+spire-agent   3         3         3       3            3           <none>          10m
+----
+
+. Verify that the status of SPIRE agent pods is `Running` by running the following command:
++
+[source,terminal]
+----
+$ oc get po -l app.kubernetes.io/name=agent -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME                READY   STATUS    RESTARTS   AGE
+spire-agent-dp4jb   1/1     Running   0          12m
+spire-agent-nvwjm   1/1     Running   0          12m
+spire-agent-vtvlk   1/1     Running   0          12m
+----