From af35d90b7200458861048b4cb991a29eb8c5b869 Mon Sep 17 00:00:00 2001
From: Shubha Narayanan <snarayan@snarayan-thinkpadp1gen4i.remote.csb>
Date: Tue, 7 Oct 2025 18:34:45 +0530
Subject: [PATCH] Removed zero trust files

---
 .../zero-trust-manager-config-vault-oidc.adoc |  19 -
 .../zero-trust-manager-install-entraid.adoc   | 446 ------------------
 2 files changed, 465 deletions(-)
 delete mode 100644 modules/zero-trust-manager-config-vault-oidc.adoc
 delete mode 100644 modules/zero-trust-manager-install-entraid.adoc

diff --git a/modules/zero-trust-manager-config-vault-oidc.adoc b/modules/zero-trust-manager-config-vault-oidc.adoc
deleted file mode 100644
index 3214a91ca133..000000000000
--- a/modules/zero-trust-manager-config-vault-oidc.adoc
+++ /dev/null
@@ -1,19 +0,0 @@
-// Module included in the following assemblies:
-//
-// * security/zero_trust_workload_identity_manageer/zero-trust-manager-oidc-federation.adoc
-
-:_mod-docs-content-type: CONCEPT
-[id="zero-trust-manager-config-vault-oidc_{context}"]
-= How to configure the Vault OpenID Connect
-
-The Vault OpenID Connect (OIDC) allows a SPIRE-identified workload to authenticate against a federated Vault server. The SPIRE Server issues JSON Web Token SPIFFE Verifiable Identity Documents (JWT-SVIDs) to workloads and the workloads then present the JWT-SVID to Vault to authenticate and retrieve the secrets it is authorized to access.
-
-The steps to configure Vault OIDC are:
-
-* Install Vault
-
-* Initialize Vault
-
-
-
-
diff --git a/modules/zero-trust-manager-install-entraid.adoc b/modules/zero-trust-manager-install-entraid.adoc
deleted file mode 100644
index c145b318abd2..000000000000
--- a/modules/zero-trust-manager-install-entraid.adoc
+++ /dev/null
@@ -1,446 +0,0 @@
-// Module included in the following assemblies:
-//
-// * security/zero_trust_workload_identity_manageer/zero-trust-manager-oidc-federation.adoc
-
-:_mod-docs-content-type: PROCEDURE
-[id="zero-trust-manager-install-entraid_{context}"]
-= Configuring the Entra ID
-
-You need to configure the Entra ID so that the SPIRE server can automatically provide software workloads with short-lived, verifiable identities right within your infrastructure. The steps to do this include:
-
-* Installing an Operator
-
-* Deploying the operands
-
-* Exposing the SPIFFE OIDC Discovery Provider service
-
-* Verifying the OIDC endpoint can be accessed securely via HTTPS
-
-== Installing the Operator
-
-.Prerequisites
-
-* Access to a Kubernetes cluster where the SPIRE server runs.
-
-* cert-manager is installed and running within the Kubernetes cluster. For more information about installing cert-manager, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html-single/security_and_compliance/index#cert-manager-operator-install[Installing the cert-manager Operator for Red{nbsp}Hat OpenShift].
-
-* A pre-configured cert-manager `Issuer` capable of signing intermediate Certificate Authority (CA) certificates.
-
-.Procedure
-
-. Log in to your OpenShift Cluster by running the following command:
-+
-[source,terminal]
-----
-$ oc login --token=<your_token> --server=<your_server_url>
-----
-
-. Apply the Operator manifest. Copy the entire command block provided and paste it directly into your terminal. Press *Enter*.
-+
-[source,yaml]
-----
-oc apply -f - <<EOF
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: zero-trust-workload-identity-manager
----
-apiVersion: operators.coreos.com/v1
-kind: OperatorGroup <1>
-metadata:
-  name: zero-trust-workload-identity-manager-og
-  namespace: zero-trust-workload-identity-manager <2>
-spec:
-  upgradeStrategy: Default
----
-apiVersion: operators.coreos.com/v1alpha1
-kind: Subscription
-metadata:
-  name: openshift-zero-trust-workload-identity-manager
-  namespace: zero-trust-workload-identity-manager
-spec:
-  source: redhat-operators <3>
-  sourceNamespace: openshift-marketplace
-  name: openshift-zero-trust-workload-identity-manager
-  channel: tech-preview-v0.1
-EOF
-----
-+
-<1> Used to manage operator updates.
-<2> Used to isolate the Operator.
-<3> Used by the Operator Lifecycle Manager (OLM) to find the Operator in the  `redhat-operators` catalog and install it.
-
-.Verification
-
-Verify that the subscription is created and is progressing by running the following command:
-+
-[source,terminal]
-----
-$ oc get subscription -n zero-trust-workload-identity-manager
-----
-
-.Example output
-[source, terminal]
-----
-NAME                                              PACKAGE                                           SOURCE               CHANNEL
-openshift-zero-trust-workload-identity-manager    openshift-zero-trust-workload-identity-manager    redhat-operators     tech-preview-v0.2
-----
-
-== Deploying SPIRE operands
-
-The SPIRE Server, Agent, Container Storage Interface (CSI) Driver, and OIDC Discovery Provider operands need to be deployed so that {zero-trust-full} can use SPIFFE IDs.
-
-.Procedure
-
-. Get the application domain by running the following command:
-+
-[source,terminal]
-----
-$ export APP_DOMAIN=apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }')
-----
-
-. Define the JWT issuer endpoint for the OIDC provider, which is used for issuing JWT-SVIDs:
-+
-[source,terminal]
-----
-$ export JWT_ISSUER_ENDPOINT=oidc-discovery.${APP_DOMAIN}
-----
-
-. Define a unique name for your cluster configuration:
-+
-[source,terminal]
-----
-$ export CLUSTER_NAME=test01
-----
-
-. Apply the configuration manifests for the SPIRE components. Copy the entire command block provided and paste it directory into your terminal. Press *Enter* to run.
-+
-[source,yaml]
-----
-oc apply -f - <<EOF
-apiVersion: operator.openshift.io/v1alpha1
-kind: SpireServer
-metadata:
-  name: cluster
-spec:
-  trustDomain: $APP_DOMAIN
-  clusterName: $CLUSTER_NAME
-  caSubject:
-    commonName: $APP_DOMAIN
-    country: "US"
-    organization: "RH"
-  persistence:
-    type: pvc
-    size: "2Gi"
-    accessMode: ReadWriteOncePod
-  datastore:
-    databaseType: sqlite3
-    connectionString: "/run/spire/data/datastore.sqlite3"
-    maxOpenConns: 100
-    maxIdleConns: 2
-    connMaxLifetime: 3600
-  jwtIssuer: https://$JWT_ISSUER_ENDPOINT
----
-apiVersion: operator.openshift.io/v1alpha1
-kind: SpireAgent
-metadata:
-  name: cluster
-spec:
-  trustDomain: $APP_DOMAIN
-  clusterName: $CLUSTER_NAME
-  nodeAttestor:
-    k8sPSATEnabled: "true"
-  workloadAttestors:
-    k8sEnabled: "true"
-    workloadAttestorsVerification:
-      type: "auto"
----
-apiVersion: operator.openshift.io/v1alpha1
-kind: SpiffeCSIDriver
-metadata:
-  name: cluster
-spec: {}
----
-apiVersion: operator.openshift.io/v1alpha1
-kind: SpireOIDCDiscoveryProvider
-metadata:
-  name: cluster
-spec:
-  trustDomain: $APP_DOMAIN
-  jwtIssuer: $JWT_ISSUER_ENDPOINT
-EOF
-----
-
-.Verification
-
-. Check the SPIRE server status by running the following command:
-+
-[source,terminal]
-----
-$ oc rollout status statefulset/spire-server -n zero-trust-workload-identity-manager --timeout=2m
-----
-
-. Check the SPIRE agent status by running the following command:
-+
-[source,terminal]
-----
-$ oc rollout status statefulset/spire-agent -n zero-trust-workload-identity-manager --timeout=2m
-----
-
-. Check the SPIFFE CSI driver status by running the following command:
-+
-[source,terminal]
-----
-$ oc rollout status daemonset/spire-spiffe-csi-driver -n zero-trust-workload-identity-manager --timeout=2m
-----
-
-. Check the OIDC Discovery Provider status by running the following command:
-+
-[source,terminal]
-----
-$ oc wait --for=condition=Available deployment/spire-spiffe-oidc-discovery-provider -n zero-trust-workload-identity-manager --timeout=2m
-----
-
-== Exposing the SPIFFE OIDC Discovery Provider service
-
-.Procedure
-
-. Retrieve the SPIRE Certificate Authority (CA) bundle from the `spire-bundle` ConfigMap and save it to a local file named 'spire-ca-bundle.crt'.
-+
-[source,terminal]
-----
-$ oc get configmap spire-bundle \
-  -n zero-trust-workload-identity-manager \
-  -o jsonpath='{.data.bundle\.crt}' > ./spire-ca-bundle.crt
-----
-
-. Create a Secret from the CA bundle:
-+
-[source,terminal]
-----
-$ oc create secret generic \
-  -n zero-trust-workload-identity-manager \
-  spire-bundle --from-file=tls.crt=spire-ca-bundle.crt
-----
-
-. Set the TLS Secret name:
-+
-[source,terminal]
-----
-$ export TLS_SECRET_NAME=spire-spiffe-oidc-discovery-provider-tls
-----
-
-. Configure one of the options below to expose the SPIFFE OIDC Discovery Provider:
-
-.. Create an Ingress with cert-manager Annotations
-
-... Apply the Ingress manifest. Copy the entire command block provided and paste it directory into your terminal. Press *Enter* to run.
-+
-[source,yaml]
-----
-oc apply -f - <<EOF
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: oidc-discovery-provider-certmanager-anno
-  namespace: zero-trust-workload-identity-manager
-  annotations:
-    route.openshift.io/termination: reencrypt
-    route.openshift.io/destination-ca-certificate-secret: spire-bundle
-    cert-manager.io/issuer: letsencrypt-http01
-    cert-manager.io/common-name: $JWT_ISSUER_ENDPOINT
-spec:
-  rules:
-    - host: $JWT_ISSUER_ENDPOINT
-      http:
-        paths:
-          - pathType: ImplementationSpecific
-            backend:
-              service:
-                name: spire-spiffe-oidc-discovery-provider
-                port:
-                  number: 443
-  tls:
-    - hosts:
-        - $JWT_ISSUER_ENDPOINT
-      secretName: $TLS_SECRET_NAME
-  ingressClassName: openshift-default
-EOF
-----
-
-... Confirm that `cert-manager` has successfully issued the certificate and that the Secret is ready by running the following command:
-+
-[source,terminal]
-----
-$ oc wait --for=condition=Ready certificate/$TLS_SECRET_NAME -n zero-trust-workload-identity-manager --timeout=5m
-----
-
-.. Manually create a Certificate and an Ingress
-
-... Define and apply the `cert-manager` certificate resource. Copy the entire command block provided and paste it directory into your terminal. Press *Enter* to run.
-+
-[source,yaml]
-----
-oc apply -f - <<EOF
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: $TLS_SECRET_NAME
-  namespace: zero-trust-workload-identity-manager
-spec:
-  secretName: $TLS_SECRET_NAME
-  commonName: $JWT_ISSUER_ENDPOINT
-  dnsNames:
-    - $JWT_ISSUER_ENDPOINT
-  usages:
-    - server auth
-  issuerRef:
-    kind: Issuer
-    name: letsencrypt-http01
-EOF
-----
-
-... Run the following command to check if the certificate is provisioned and its status is `Ready`:
-+
-[source,terminal]
-----
-$ oc wait --for=condition=Ready certificate/$TLS_SECRET_NAME -n zero-trust-workload-identity-manager --timeout=5m
-----
-
-... Apply the Ingress manifest. Copy the entire command block provided and paste it directory into your terminal. Press *Enter* to run.
-+
-[source,yaml]
-----
-oc apply -f - <<EOF
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: oidc-discovery-provider-bring-your-own-tls
-  namespace: zero-trust-workload-identity-manager
-  annotations:
-    route.openshift.io/destination-ca-certificate-secret: spire-bundle
-    route.openshift.io/termination: reencrypt
-spec:
-  rules:
-    - host: $JWT_ISSUER_ENDPOINT
-      http:
-        paths:
-          - pathType: ImplementationSpecific
-            backend:
-              service:
-                name: spire-spiffe-oidc-discovery-provider
-                port:
-                  number: 443
-  tls:
-    - hosts:
-        - $JWT_ISSUER_ENDPOINT
-      secretName: $TLS_SECRET_NAME
-EOF
-----
-
-.. Directly create a certificate and a route
-
-... Define and apply the `cert-manager` certificate resource. Copy the entire command block provided and paste it directory into your terminal. Press *Enter* to run.
-+
-[source,yaml]
-----
-oc apply -f - <<EOF
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: $TLS_SECRET_NAME
-  namespace: zero-trust-workload-identity-manager
-spec:
-  secretName: $TLS_SECRET_NAME
-  commonName: $JWT_ISSUER_ENDPOINT
-  dnsNames:
-    - $JWT_ISSUER_ENDPOINT
-  usages:
-    - server auth
-  issuerRef:
-    kind: Issuer
-    name: letsencrypt-http01
-EOF
-----
-
-... Wait for the certificate state to be `Ready`.
-+
-[source,terminal]
-----
-$ c wait --for=condition=Ready certificate/$TLS_SECRET_NAME -n zero-trust-workload-identity-manager --timeout=5m
-----
-
-... Create a `Role` and `RoleBinding` to grant the OpenShift router `ServiceAccount` permission to read the TLS secret created by `cert-manager`.
-+
-[source,terminal]
-----
-# Create the Role
-$ oc create role secret-reader \
-  --verb=get,list,watch \
-  --resource=secrets \
-  --resource-name=$TLS_SECRET_NAME \
-  -n zero-trust-workload-identity-manager
-
-# Bind the Role to the router ServiceAccount
-$ oc create rolebinding secret-reader-binding \
-  --role=secret-reader \
-  --serviceaccount=openshift-ingress:router \
-  -n zero-trust-workload-identity-manager
-----
-
-... Create the route.
-+
-[source,terminal]
-----
-$ oc create route reencrypt spiffe-oidc-discovery \
-  -n zero-trust-workload-identity-manager \
-  --hostname=$JWT_ISSUER_ENDPOINT \
-  --dest-ca-cert=./spire-ca-bundle.crt \
-  --service=spire-spiffe-oidc-discovery-provider \
-  --port https
-----
-
-... Link the external certificate to reference the externally managed TLS secret using the `externalCertificate` field.
-+
-[source,terminal]
-----
-$ oc patch route spiffe-oidc-discovery \
-  -p '{"spec":{"tls":{"externalCertificate":{"name":"'"$TLS_SECRET_NAME"'"}}}}' \
-  -n zero-trust-workload-identity-manager \
-  --type=merge
-----
-
-.Verification
-
-Verify that the OIDC Discovery endpoint is publicly accessible, the TLS certificate is valid, and the OIDC provider is serving its configuration correctly.
-
-. Run the following command and ensure that the `$JWT_ISSUER_ENDPOINT` environment variable has the hostname you configured in the earlier steps.
-+
-[source,terminal]
-----
-$ curl https://$JWT_ISSUER_ENDPOINT/.well-known/openid-configuration
-----
-
-.Example output
-+
-[source,JSON]
-----
-{
-  "issuer": "https://$JWT_ISSUER_ENDPOINT",
-  "jwks_uri": "https://$JWT_ISSUER_ENDPOINT/keys",
-  "authorization_endpoint": "",
-  "response_types_supported": [
-    "id_token"
-  ],
-  "subject_types_supported": [],
-  "id_token_signing_alg_values_supported": [
-    "RS256",
-    "ES256",
-    "ES384"
-  ]
-}
-----
-
-
-
-