Merge pull request #94572 from snarayan-redhat/features_and_components

snarayan-redhat · web-flow · commit 9b1095e203ef · 2025-06-16T23:12:00.000+05:30
[enterprise-4.18] OSDOCS#14692: About components and features
diff --git a/_attributes/common-attributes.adoc b/_attributes/common-attributes.adoc
@@ -380,4 +380,4 @@ endif::openshift-origin[]
 :zero-trust-full: Zero Trust Workload Identity Manager
 :spiffe-full: Secure Production Identity Framework for Everyone (SPIFFE)
 :svid-full: SPIFFE Verifiable Identity Document (SVID)
-:spire-full: SPIFFE Runtime Environment
+:spire-full: SPIFFE Runtime Environment
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -1243,6 +1243,8 @@ Topics:
     File: zero-trust-manager-install
   - Name: Uninstalling Zero Trust Workload Identity Manager
     File: zero-trust-manager-uninstall
+  - Name: Zero Trust Workload Identity Manager components and features
+    File: zero-trust-manager-features
 - Name: Viewing audit logs
   File: audit-log-view
 - Name: Configuring the audit log policy
diff --git a/modules/zero-trust-manager-about-components.adoc b/modules/zero-trust-manager-about-components.adoc
@@ -0,0 +1,28 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-about-features_{context}"]
+= {zero-trust-full} components
+
+The following components are available as part of the initial release of {zero-trust-full}.
+
+[id="spiffe-csi-driver_{context}"]
+== SPIFFE CSI Driver
+
+The SPIFFE Container Storage Interface (CSI) is a plugin that helps pods securely obtain their {svid-full} by delivering the Workload API socket into the pod. The SPIFFE CSI driver is deployed as a daemonset on the cluster ensuring that a driver instance runs on each node. The driver uses the ephemeral inline volume capability of Kubernetes allowing pods to request volumes directly provided by the SPIFFE CSI driver. This simplifies their use by applications that need temporary storage.
+
+When the pod starts, the Kubelet calls the SPIFFE CSI driver to provision and mount a volume into the pod's containers. The SPIFFE CSI driver mounts a directory that contains the SPIFFE Workload API into the pod. Applications in the pod then communicate with the Workload API to obtain their SVIDs. The driver guarantees that each SVID is unique.
+
+[id="spire-oidc-federation_{context}"]
+== SPIRE OpenID Connect Discovery Provider
+
+The SPIRE OpenID Connect Discovery Provider is a standalone component that makes SPIRE-issued JWT-SVIDs compatible with standard OpenID Connect (OIDC) users by exposing a open ID configuration endpoint and a JWKS URI for token verification. It is essential for integrating SPIRE-based workload identity with systems that require OIDC-compliant tokens, especially, external APIs. While SPIRE primarily issues identities for workloads, additional workload-related claims can be embedded into JWT-SVIDs through the configuration of SPIRE, which these claims to be included in the token and verified by OIDC-compliant clients.
+
+[id="spire-controller-manager_{context}"]
+== SPIRE Controller Manager
+
+The SPIRE Controller Manager uses custom resource definitions (CRDs) to facilitate the registration of workloads. To facilitate workload registration, the SPIRE Controller Manager registers controllers against pods and CRDs. When changes are detected on these resources, a workload reconciliation process is triggered. This process determines which SPIRE entries should exist based on the existing pods and CRDs. The reconciliation process creates, updates, and deletes entries on the SPIRE server as appropriate.
+
+The SPIRE Controller Manager is designed to be deployed on the same pod as the SPIRE server. The manager communicates with the SPIRE server API using a private UNIX Domain Socket within a shared volume.
diff --git a/modules/zero-trust-manager-about-features.adoc b/modules/zero-trust-manager-about-features.adoc
@@ -0,0 +1,12 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="ztwim_features_{context}"]
+= {zero-trust-full} features
+
+[id="spire-telemetry_{context}"]
+== SPIRE server and agent telemetry
+
+SPIRE server and agent telemetry provide insight into the health of the SPIRE deployment. The metrics are in the format provided by the Prometheus Operator. The metrics exposed help in understanding server health & lifecycle, spire component performance, attestation and SVID issuance and plugin statistics.
diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-features.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-features.adoc
@@ -0,0 +1,12 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="zero-trust-manager-features"]
+= Zero Trust Workload Identity Manager components and features
+
+include::_attributes/common-attributes.adoc[]
+:context: zero-trust-manager-features
+
+// SPIFFE SPIRE components
+include::modules/zero-trust-manager-about-components.adoc[leveloffset=+1]
+
+//SPIRE features
+include::modules/zero-trust-manager-about-features.adoc[leveloffset=+1]
