ZTWIM components and features

Author: wgabor0427

_attributes/common-attributes.adoc

@@ -384,8 +384,7 @@ endif::openshift-origin[]
 :ai-first: artificial intelligence (AI)
 //RHEL AI attribute listed with RHEL family
 //zero trust workload identity manager
-:zero-trust-full: Zero Trust Workload Identity Manager for Red{nbsp}Hat OpenShift
-:zero-trust-short: Zero Trust Workload Identity Manager
+:zero-trust-full: Zero Trust Workload Identity Manager
 :spiffe-full: Secure Production Identity Framework for Everyone (SPIFFE)
 :svid-full: SPIFFE Verifiable Identity Document (SVID)
 :spire-full: SPIFFE Runtime Environment

_topic_maps/_topic_map.yml

@@ -1266,12 +1266,14 @@ Topics:
   - Name: Disaster recovery considerations
     File: nbde-disaster-recovery-considerations
     Distros: openshift-enterprise,openshift-origin
-- Name: zero trust workload identity manager for Red Hat OpenShift
+- Name: Zero Trust Workload Identity Manager
   Dir: zero_trust_workload_identity_manager
   Distros: openshift-enterprise
   Topics:
-  - Name: zero trust workload identity manager for Red Hat OpenShift overview
+  - Name: Zero Trust Workload Identity Manager overview
     File: zero-trust-manager-overview
+  - Name: Zero Trust Workload Identity Manager features
+    File: zero-trust-manager-features
 ---
 Name: Authentication and authorization
 Dir: authentication

modules/zero-trust-manager-about-components.adoc

@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-about-features_{context}"]
+= {zero-trust-full} components
+
+The following components are available as part of the initial release of {zero-trust-full}.
+
+[id="spiffe-csi-driver_{context}"]
+== SPIFFE CSI Driver
+
+The SPIFFE Container Storage Interface (CSI) is a plugin that helps pods securely obtain their {svid-full} by delivering the Workload API socket into the pod. The SPIFFE CSI driver is deployed as a daemonset on the cluster ensuring that a driver instance runs on each node. The driver uses the ephemeral inline volume capability of Kubernetes allowing pods to request volumes directly provided by the SPIFFE CSI driver. This simplifies their use by applications that need temporary storage.
+
+When the pod starts, the Kubelet calls the SPIFFE CSI driver to provision and mount a volume into the pod's containers. The SPIFFE CSI driver mounts a directory that contains the SPIFFE Workload API into the pod. Applications in the pod then communicate with the Workload API to obtain their SVIDs. The driver guarantees that each SVID is unique.
+
+[id="spire-oidc-federation_{context}"]
+== SPIRE OpenID Connect Discovery Provider
+
+The SPIRE OpenID Connect Discovery Provider is a standalone component that makes SPIRE-issued JWT-SVIDs compatible with standard OpenID Connect (OIDC) users by exposing a open ID configuration endpoint and a JWKS URI for token verification. It is essential for integrating SPIRE-based workload identity with systems that require OIDC-compliant tokens, especially, external APIs. While SPIRE primarily issues identities for workloads, additional workload-related claims can be embedded into JWT-SVIDs through the configuration of SPIRE, which these claims to be included in the token and verified by OIDC-compliant clients.
+
+[id="spire-controller-manager_{context}"]
+== SPIRE Controller Manager
+
+The SPIRE Controller Manager uses custom resource definitions (CRDs) to facilitate the registration of workloads. To facilitate workload registration, the SPIRE Controller Manager registers controllers against pods and CRDs. When changes are detected on these resources, a workload reconciliation process is triggered. This process determines which SPIRE entries should exist based on the existing pods and CRDs. The reconciliation process creates, updates, and deletes entries on the SPIRE server as appropriate.
+
+The SPIRE Controller Manager is designed to be deployed on the same pod as the SPIRE server. The manager communicates with the SPIRE server API using a private UNIX Domain Socket within a shared volume.
+
+

modules/zero-trust-manager-about-features.adoc

@@ -0,0 +1,12 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="ztwim_features_{context}"]
+= {zero-trust-full} features
+
+[id="spire-telemetry_{context}"]
+== SPIRE server and agent telemetry
+
+SPIRE server and agent telemetry provide insight into the health of the SPIRE deployment. The metrics are in the format provided by the Prometheus Operator. The metrics exposed help in understanding server health & lifecycle, spire component performance, attestation and SVID issuance and plugin statistics.

security/zero_trust_workload_identity_manager/zero-trust-manager-features.adoc

@@ -0,0 +1,18 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="zero-trust-manager-features"]
+= Zero Trust Workload Identity Manager components and features
+
+include::_attributes/common-attributes.adoc[]
+:context: zero-trust-manager-features
+
+// SPIFFE SPIRE components
+include::modules/zero-trust-manager-about-components.adoc[leveloffset=+1]
+
+//SPIRE features
+include::modules/zero-trust-manager-about-features.adoc[leveloffset=+1]
+
+
+
+
+
+

security/zero_trust_workload_identity_manager/zero-trust-manager-overview.adoc

@@ -1,13 +1,13 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="zero-trust-manager-overview"]
-= zero trust workload identity manager for Red{nbsp}Hat OpenShift overview
+= Zero Trust Workload Identity Manager overview
 
 include::_attributes/common-attributes.adoc[]
 :context: zero-trust-manager-overview
 
 toc::[]
 
-:FeatureName: zero trust workload identity manager for Red{nbsp}Hat OpenShift
+:FeatureName: zero trust workload identity manager
 
 include::snippets/technology-preview.adoc[]