OSDOCS-15110 incorporated edits

[wgabor0427]

Version(s):
4.18+

Issue:
https://issues.redhat.com/browse/OSDOCS-15110

Link to docs preview:
https://95399--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.html
https://95399--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-features.html
https://95399--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-install.html
https://95399--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-monitoring.html
https://95399--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-overview.html
https://95399--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-uninstall.html

QE review:

• QE has approved this change.

Additional information:

[ocpdocs-previewbot]

🤖 Thu Sep 04 12:21:02 - Prow CI generated the docs preview:

https://95399--ocpdocs-pr.netlify.app/
https://95399--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.html
https://95399--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-install.html
https://95399--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-monitoring.html
https://95399--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-overview.html
https://95399--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.html
https://95399--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-uninstall.html

[snarayan-redhat]

Left one suggestion. Rest look good.

[snarayan-redhat]

Suggested change

	. Delete the `ZeroTrustWorkloadIdentityManager`` cluster by running the following command:
	. Delete the `ZeroTrustWorkloadIdentityManager` cluster by running the following command:

[wgabor0427]

Done

[snarayan-redhat]

we can have a parent step Uninstall the operand objects... and then have each of these as sub steps.

same applies to all instances below

[wgabor0427]

Done

[snarayan-redhat]

Suggested change

	. Delete the `SpireOIDCDiscoveryProvider`` cluster by running the following command:
	. Delete the `SpireOIDCDiscoveryProvider` cluster by running the following command:

[wgabor0427]

Done

[snarayan-redhat]

Suggested change

	. Delete the SPIRE server Custom Resource Definitions (CRD) by running the following command:
	. Delete the SPIRE server custom resource definitions (CRD) by running the following command:

[wgabor0427]

Done

[wgabor0427]

/merge-review-needed

[lunarwhite]

@snarayan-redhat Any specific reason to use server instead of Server? I think we should keep the consistency - use "server, agent" or "Server, Agent", both capitalized or both not.

[snarayan-redhat]

@wgabor0427 I believe you concluded based on some discussion with an engineer, right?

[wgabor0427]

@lunarwhite When I looked in the file, it was already lowercase, unless Shuba fixed it.

[snarayan-redhat]

@wgabor0427 I think @lunarwhite is suggesting that both agent and server be kept similar. Currently it's Agent and server. Let's keep both lowercase if it wasn't a guideline-driven decision.

[lunarwhite]

Sorry for the frequent changes in requirements. I think it's more appropriate to keep it capitalized Agent Server. This is because "SPIRE Server/Agent" often appears as a proper noun, just like it's used in the upstream documentation https://spiffe.io/docs/latest/spire-about/spire-concepts/

[wgabor0427]

Done

[lunarwhite]

Suggested change

	.. Delete the cluster-wide cluster role by running the following command:
	.. Delete the cluster role by running the following command:

[wgabor0427]

Fixed

[wgabor0427]

Done

[lunarwhite]

Suggested change

	.. Delete the cluster-wide role binding by running the following command:
	.. Delete the cluster role binding by running the following command:

[wgabor0427]

Fixed

[wgabor0427]

@lunarwhite @snarayan-redhat I've changed all instances of server and agent to lowercase. It can be peer-reviewed again

[lunarwhite]

@wgabor0427 Could you please address my legacy comment first before moving forward

For Uninstalling section, could you open a PR to change the "Procedure 1"'s commands order on enterprise-4.18 branch to be the same as main branch?

That's what https://issues.redhat.com/browse/OCPBUGS-57776 is reporting, the fix has been patched to 4.19, 4,20, main branches, but not 4.18 yet. Without fixing it first, this PR's auto cherrypick would still fail on 4.18 branch.

[wgabor0427]

@lunarwhite Since https://issues.redhat.com/browse/OCPBUGS-57776 has been closed, can we move forward with this.

[lunarwhite]

Thanks for your work. Left some suggestions

[lunarwhite]

I think it may not be very user-friendly to have each command in separated blocks. Because for this operator, the uninstallation commands would be quite lengthy. If we keep them separated, users need to do a lot more copy-paste.

We already grouped these commands by resources type, so I think current middle ground is acceptable, for both UX and documentation conventions. What do you think?

[wgabor0427]

@lunarwhite I'm not sure what to do about this. Let me check around and see if there is something similar somewhere

[wgabor0427]

We can only have one command per block so we cannot group the commands.

[lunarwhite]

Sorry for the frequent changes in requirements. I think it's more appropriate to keep it capitalized Agent Server. This is because "SPIRE Server/Agent" often appears as a proper noun, just like it's used in the upstream documentation https://spiffe.io/docs/latest/spire-about/spire-concepts/

[lunarwhite]

Suggested change

	== Zero Trust Workload Identity Manager components and features
	// SPIFFE SPIRE components
	include::modules/zero-trust-manager-about-components.adoc[leveloffset=+1]
	//SPIRE features
	include::modules/zero-trust-manager-about-features.adoc[leveloffset=+1]
	== Zero Trust Workload Identity Manager Workflow
	// SPIFFE SPIRE components
	include::modules/zero-trust-manager-about-components.adoc[leveloffset=+1]
	//SPIRE features
	include::modules/zero-trust-manager-about-features.adoc[leveloffset=+1]

It seems that we don't need "==" headline in this file

[wgabor0427]

I need to have "==" in the title or I get an error that I cannot have level 0 sections

[lunarwhite]

Thanks for your patience. Left minor suggestions otherwise I think it's in good shape now!

[lunarwhite]

Suggested change

A SPIRE Server is responsible for managing and issuing SPIFFE identities within a trust domain. It stores registration entries (selectors that determine under what conditions a SPIFFE ID should be issued) and signing keys. The SPIRE Server works in conjunction with the SPIRE Agent to perform node attestion via node plugins. For more information, see link:https://spiffe.io/docs/latest/spire-about/spire-concepts/#all-about-the-server[About the SPIRE server].

A SPIRE Server is responsible for managing and issuing SPIFFE identities within a trust domain. It stores registration entries (selectors that determine under what conditions a SPIFFE ID should be issued) and signing keys. The SPIRE Server works in conjunction with the SPIRE Agent to perform node attestion via node plugins. For more information, see link:https://spiffe.io/docs/latest/spire-about/spire-concepts/#all-about-the-server[About the SPIRE Server].

[lunarwhite]

Suggested change

The SPIRE Controller Manager uses custom resource definitions (CRDs) to facilitate the registration of workloads. To facilitate workload registration, the SPIRE Controller Manager registers controllers against pods and CRDs. When changes are detected on these resources, a workload reconciliation process is triggered. This process determines which SPIRE entries should exist based on the existing pods and CRDs. The reconciliation process creates, updates, and deletes entries on the SPIRE server as appropriate.

The SPIRE Controller Manager uses custom resource definitions (CRDs) to facilitate the registration of workloads. To facilitate workload registration, the SPIRE Controller Manager registers controllers against pods and CRDs. When changes are detected on these resources, a workload reconciliation process is triggered. This process determines which SPIRE entries should exist based on the existing pods and CRDs. The reconciliation process creates, updates, and deletes entries on the SPIRE Server as appropriate.

[lunarwhite]

Suggested change

== Zero Trust Workload Identity Manager components and features

[wgabor0427]

I need to have "==" in the title or I get an error that I cannot have level 0 sections

[ShaunaDiaz]

@wgabor0427 these two comments are to remove the headings; do you want to update before merge?

[lunarwhite]

Suggested change

== Zero Trust Workload Identity Manager workflow

[lunarwhite]

This line of change is still helpful. Apart from that, could we keep them in this file as-is for now? As I said https://github.com/openshift/openshift-docs/pull/95399/files#r2214848484, maybe separate each single command would not be a user-friendly idea.

cc @anirudhAgniRedhat @ldhananj in case you have any suggestions

[wgabor0427]

We can only have one command per step. We cannot combine commands.

[lunarwhite]

Hi @wgabor0427, any updates on this PR? I think we could proceed with merge once my last group of comments are addressed. This can go as part of 0.2.0 release

[lunarwhite]

/lgtm

[lunarwhite]

/label peer-review-needed

[openshift-ci]

@lunarwhite: The label(s) /label peer-review-needed cannot be applied. These labels are supported: acknowledge-critical-fixes-only, platform/aws, platform/azure, platform/baremetal, platform/google, platform/libvirt, platform/openstack, ga, tide/merge-method-merge, tide/merge-method-rebase, tide/merge-method-squash, px-approved, docs-approved, qe-approved, ux-approved, no-qe, downstream-change-needed, rebase/manual, cluster-config-api-changed, run-integration-tests, approved, backport-risk-assessed, bugzilla/valid-bug, cherry-pick-approved, cloud-experts, cnv, dev-tools, distributed-tracing, ims, jira/valid-bug, merge-review-in-progress, merge-review-needed, mtc, multi-arch, oadp, ok-to-test, rhacs, rhv, sd-docs, serverless, service-mesh, sme-review-done, sme-review-needed, stability-fix-approved, staff-eng-approved, telco. Is this label configured under labels -> additional_labels or labels -> restricted_labels in plugin.yaml?

In response to this:

/label peer-review-needed

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[lunarwhite]

/label merge-review-needed

[wgabor0427]

/label merge-review-needed

[wgabor0427]

/label merge-review-needed

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

@wgabor0427: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[ShaunaDiaz]

/cherrypick enterprise-4.20

[ShaunaDiaz]

/cherrypick enterprise-4.19

[ShaunaDiaz]

/cherrypick enterprise-4.18

[openshift-cherrypick-robot]

@ShaunaDiaz: new pull request created: #98501

In response to this:

/cherrypick enterprise-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-cherrypick-robot]

@ShaunaDiaz: new pull request created: #98502

In response to this:

/cherrypick enterprise-4.19

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-cherrypick-robot]

@ShaunaDiaz: #95399 failed to apply on top of branch "enterprise-4.18":

Applying: OSDOCS_15110 deleted headings in assembly
.git/rebase-apply/patch:186: new blank line at EOF.
+
warning: 1 line adds whitespace errors.
Using index info to reconstruct a base tree...
M	_topic_maps/_topic_map.yml
M	modules/zero-trust-manager-about-agent.adoc
M	modules/zero-trust-manager-about-attestation.adoc
M	modules/zero-trust-manager-about-components.adoc
M	modules/zero-trust-manager-about-spire.adoc
M	modules/zero-trust-manager-how-it-works.adoc
M	modules/zero-trust-manager-install-cli.adoc
M	modules/zero-trust-manager-install-console.adoc
M	modules/zero-trust-manager-oidc-config.adoc
M	modules/zero-trust-manager-spiffe-csidriver-config.adoc
M	modules/zero-trust-manager-spire-agent-config.adoc
M	modules/zero-trust-manager-spire-server-config.adoc
M	modules/zero-trust-manager-uninstall-console.adoc
M	modules/zero-trust-manager-uninstall-resources.adoc
M	security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc
M	security/zero_trust_workload_identity_manager/zero-trust-manager-overview.adoc
M	security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc
Falling back to patching base and 3-way merge...
Auto-merging security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc
Auto-merging security/zero_trust_workload_identity_manager/zero-trust-manager-overview.adoc
Auto-merging security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc
Auto-merging modules/zero-trust-manager-uninstall-resources.adoc
Auto-merging modules/zero-trust-manager-uninstall-console.adoc
CONFLICT (content): Merge conflict in modules/zero-trust-manager-uninstall-console.adoc
Auto-merging modules/zero-trust-manager-spire-server-config.adoc
Auto-merging modules/zero-trust-manager-spire-agent-config.adoc
Auto-merging modules/zero-trust-manager-spiffe-csidriver-config.adoc
Auto-merging modules/zero-trust-manager-oidc-config.adoc
Auto-merging modules/zero-trust-manager-install-console.adoc
CONFLICT (content): Merge conflict in modules/zero-trust-manager-install-console.adoc
Auto-merging modules/zero-trust-manager-install-cli.adoc
Auto-merging modules/zero-trust-manager-how-it-works.adoc
CONFLICT (content): Merge conflict in modules/zero-trust-manager-how-it-works.adoc
Auto-merging modules/zero-trust-manager-about-spire.adoc
CONFLICT (content): Merge conflict in modules/zero-trust-manager-about-spire.adoc
Auto-merging modules/zero-trust-manager-about-components.adoc
CONFLICT (content): Merge conflict in modules/zero-trust-manager-about-components.adoc
Auto-merging modules/zero-trust-manager-about-attestation.adoc
CONFLICT (content): Merge conflict in modules/zero-trust-manager-about-attestation.adoc
Auto-merging modules/zero-trust-manager-about-agent.adoc
CONFLICT (content): Merge conflict in modules/zero-trust-manager-about-agent.adoc
Auto-merging _topic_maps/_topic_map.yml
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 OSDOCS_15110 deleted headings in assembly

In response to this:

/cherrypick enterprise-4.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.