diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index 557126e94692..c3708ac243fa 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -1227,8 +1227,6 @@ Topics: File: zero-trust-manager-overview - Name: Zero Trust Workload Identity Manager release notes File: zero-trust-manager-release-notes - - Name: Zero Trust Workload Identity Manager components and features - File: zero-trust-manager-features - Name: Installing Zero Trust Workload Identity Manager File: zero-trust-manager-install - Name: Deploying Zero Trust Workload Identity Manager operands diff --git a/modules/zero-trust-manager-about-agent.adoc b/modules/zero-trust-manager-about-agent.adoc index df914e7a5819..3b725ae976cc 100644 --- a/modules/zero-trust-manager-about-agent.adoc +++ b/modules/zero-trust-manager-about-agent.adoc @@ -4,9 +4,9 @@ :_mod-docs-content-type: CONCEPT [id="zero-trust-manager-about-agent_{context}"] -= SPIRE agent += SPIRE Agent The SPIRE Agent is responsible for workload attestation, ensuring that workloads receive a verified identity when requesting authentication through the SPIFFE Workload API. It accomplishes this by using configured workload attestor plugins. In Kubernetes environments, the Kubernetes workload attestor plugin is used. -SPIRE and the SPIRE agent perform node attestation via node plugins. The plugins are used to verify the identity of the node on which the agent is running. For more information, see link:https://spiffe.io/docs/latest/spire-about/spire-concepts/#all-about-the-agent[About the SPIRE Agent]. +SPIRE and the SPIRE Agent perform node attestation via node plugins. The plugins are used to verify the identity of the node on which the agent is running. For more information, see link:https://spiffe.io/docs/latest/spire-about/spire-concepts/#all-about-the-agent[About the SPIRE Agent]. 
diff --git a/modules/zero-trust-manager-about-attestation.adoc b/modules/zero-trust-manager-about-attestation.adoc index 58d15f6b6b85..36009998d588 100644 --- a/modules/zero-trust-manager-about-attestation.adoc +++ b/modules/zero-trust-manager-about-attestation.adoc 
@@ -7,9 +7,10 @@ = Attestation -Attestation is the process by which the identity of nodes and workloads are verified before SPIFFE IDs and SVIDs are issued. The SPIRE server gathers attributes of both the workload and node that the SPIRE Agent runs on, and then compares them to a set of selectors defined when the workload was registered. If the comparison is successful, the entities are provided with credentials. This ensures that only legitimate and expected entities within the trust domain receive cryptographic identities. The two main types of attestation in SPIFFE/SPIRE are: +Attestation is the process by which the identity of nodes and workloads are verified before SPIFFE IDs and SVIDs are issued. The SPIRE Server gathers attributes of both the workload and node that the SPIRE Agent runs on, and then compares them to a set of selectors defined when the workload was registered. If the comparison is successful, the entities are provided with credentials. This ensures that only legitimate and expected entities within the trust domain receive cryptographic identities. The two main types of attestation in SPIFFE/SPIRE are: -* Node attestation: verifies the identity of a machine or a node on a system, before a SPIRE agent running on that node can be trusted to request identities for workloads. -* Workload attestation: verifies the identity of an application or service running on an attested node before the SPIRE agent on that node can provide it with a SPIFFE ID and SVID. +* Node attestation: verifies the identity of a machine or a node on a system, before a SPIRE Agent running on that node can be trusted to request identities for workloads. + +* Workload attestation: verifies the identity of an application or service running on an attested node before the SPIRE Agent on that node can provide it with a SPIFFE ID and SVID. For more information, see link:https://spiffe.io/docs/latest/spire-about/spire-concepts/#attestation[Attestation]. \ No newline at end of file 
diff --git a/modules/zero-trust-manager-about-components.adoc b/modules/zero-trust-manager-about-components.adoc index acb583bbb979..bc73512210a7 100644 --- a/modules/zero-trust-manager-about-components.adoc +++ b/modules/zero-trust-manager-about-components.adoc @@ -23,8 +23,8 @@ The SPIRE OpenID Connect Discovery Provider is a standalone component that makes [id="spire-controller-manager_{context}"] == SPIRE Controller Manager -The SPIRE Controller Manager uses custom resource definitions (CRDs) to facilitate the registration of workloads. To facilitate workload registration, the SPIRE Controller Manager registers controllers against pods and CRDs. When changes are detected on these resources, a workload reconciliation process is triggered. This process determines which SPIRE entries should exist based on the existing pods and CRDs. The reconciliation process creates, updates, and deletes entries on the SPIRE server as appropriate. +The SPIRE Controller Manager uses custom resource definitions (CRDs) to facilitate the registration of workloads. To facilitate workload registration, the SPIRE Controller Manager registers controllers against pods and CRDs. When changes are detected on these resources, a workload reconciliation process is triggered. This process determines which SPIRE entries should exist based on the existing pods and CRDs. The reconciliation process creates, updates, and deletes entries on the SPIRE Server as appropriate. -The SPIRE Controller Manager is designed to be deployed on the same pod as the SPIRE server. The manager communicates with the SPIRE server API using a private UNIX Domain Socket within a shared volume. +The SPIRE Controller Manager is designed to be deployed on the same pod as the SPIRE Server. The manager communicates with the SPIRE Server API using a private UNIX Domain Socket within a shared volume. 
diff --git a/modules/zero-trust-manager-about-features.adoc b/modules/zero-trust-manager-about-features.adoc index e1344554f1e2..96c61006ed06 100644 --- a/modules/zero-trust-manager-about-features.adoc +++ b/modules/zero-trust-manager-about-features.adoc @@ -7,6 +7,6 @@ = {zero-trust-full} features [id="spire-telemetry_{context}"] -== SPIRE server and agent telemetry +== SPIRE Server and Agent telemetry -SPIRE server and agent telemetry provide insight into the health of the SPIRE deployment. The metrics are in the format provided by the Prometheus Operator. The metrics exposed help in understanding server health & lifecycle, spire component performance, attestation and SVID issuance and plugin statistics. \ No newline at end of file +SPIRE Server and Agent telemetry provide insight into the health of the SPIRE deployment. The metrics are in the format provided by the Prometheus Operator. The metrics exposed help in understanding server health & lifecycle, SPIRE component performance, attestation and SVID issuance, and plugin statistics. \ No newline at end of file diff --git a/modules/zero-trust-manager-about-spire.adoc b/modules/zero-trust-manager-about-spire.adoc index 029108348382..000be505c055 100644 --- a/modules/zero-trust-manager-about-spire.adoc +++ b/modules/zero-trust-manager-about-spire.adoc 
@@ -4,7 +4,7 @@ :_mod-docs-content-type: CONCEPT [id="zero-trust-manager-about-spire_{context}"] -= SPIRE server += SPIRE Server -A SPIRE server is responsible for managing and issuing SPIFFE identities within a trust domain. It stores registration entries (selectors that determine under what conditions a SPIFFE ID should be issued) and signing keys. The SPIRE server works in conjunction with the SPIRE agent to perform node attestion via node plugins. For more information, see link:https://spiffe.io/docs/latest/spire-about/spire-concepts/#all-about-the-server[About the SPIRE server]. \ No newline at end of file +A SPIRE Server is responsible for managing and issuing SPIFFE identities within a trust domain. It stores registration entries (selectors that determine under what conditions a SPIFFE ID should be issued) and signing keys. The SPIRE Server works in conjunction with the SPIRE Agent to perform node attestion via node plugins. For more information, see link:https://spiffe.io/docs/latest/spire-about/spire-concepts/#all-about-the-server[About the SPIRE Server]. \ No newline at end of file diff --git a/modules/zero-trust-manager-enable-metrics-agent.adoc b/modules/zero-trust-manager-enable-metrics-agent.adoc index 3c6a750a02db..a57d78c1b8da 100644 --- a/modules/zero-trust-manager-enable-metrics-agent.adoc +++ b/modules/zero-trust-manager-enable-metrics-agent.adoc 
@@ -4,22 +4,25 @@ :_mod-docs-content-type: PROCEDURE [id="zero-trust-manager-enable-metrics-agent_{context}"] -= Configuring metrics collection for SPIRE agent by using a Service Monitor += Configuring metrics collection for SPIRE Agent by using a Service Monitor -The SPIRE Agent operand exposes metrics by default on port `9402` at the `/metrics` endpoint. You can configure metrics collection for the SPIRE Agent by creating a `ServiceMonitor` custom resource (CR), which enables Prometheus Operator to collect custom metrics. +The SPIRE Agent operand exposes metrics by default on port `9402` at the `/metrics` endpoint. You can configure metrics collection for the SPIRE Agent by creating a `ServiceMonitor` custom resource (CR), which enables the Prometheus Operator to collect custom metrics. .Prerequisites * You have access to the cluster as a user with the `cluster-admin` cluster role. + * You have installed the {zero-trust-full}. + * You have deployed the SPIRE Agent operand in the cluster. + * You have enabled the user workload monitoring. .Procedure . Create the `ServiceMonitor` CR: -.. Create the YAML file that defines `ServiceMonitor` CR: +.. Create the YAML file that defines the `ServiceMonitor` CR: + .Example `servicemonitor-spire-agent.yaml` file [source,yaml] diff --git a/modules/zero-trust-manager-enable-metrics-server.adoc b/modules/zero-trust-manager-enable-metrics-server.adoc index cf13b96d6894..249c07775733 100644 --- a/modules/zero-trust-manager-enable-metrics-server.adoc +++ b/modules/zero-trust-manager-enable-metrics-server.adoc 
@@ -4,22 +4,25 @@ :_mod-docs-content-type: PROCEDURE [id="zero-trust-manager-enable-metrics-server_{context}"] -= Configuring metrics collection for SPIRE server by using a Service Monitor += Configuring metrics collection for SPIRE Server by using a Service Monitor -The SPIRE Server operand exposes metrics by default on port `9402` at the `/metrics` endpoint. You can configure metrics collection for the SPIRE Server by creating a `ServiceMonitor` custom resource (CR) that enables Prometheus Operator to collect custom metrics. +The SPIRE Server operand exposes metrics by default on port `9402` at the `/metrics` endpoint. You can configure metrics collection for the SPIRE Server by creating a `ServiceMonitor` custom resource (CR) that enables the Prometheus Operator to collect custom metrics. .Prerequisites * You have access to the cluster as a user with the `cluster-admin` cluster role. + * You have installed the {zero-trust-full}. + * You have deployed the SPIRE Server operand in the cluster. + * You have enabled the user workload monitoring. .Procedure . Create the `ServiceMonitor` CR: -.. Create the YAML file that defines `ServiceMonitor` CR: +.. Create the YAML file that defines the `ServiceMonitor` CR: + .Example `servicemonitor-spire-server` file [source,yaml] @@ -68,3 +71,4 @@ $ service=spire-server ---- . Confirm that the *Status* column shows `Up` for the `spire-server-metrics` entry. + diff --git a/modules/zero-trust-manager-how-it-works.adoc b/modules/zero-trust-manager-how-it-works.adoc index 4cb354cacf34..f7b8a0c2f6af 100644 --- a/modules/zero-trust-manager-how-it-works.adoc +++ b/modules/zero-trust-manager-how-it-works.adoc 
@@ -4,40 +4,40 @@ :_mod-docs-content-type: CONCEPT [id="zero-trust-manager-how-it-works_{context}"] -== {zero-trust-full} workflow += About the {zero-trust-full} workflow The following is a high-level workflow of the {zero-trust-full} within the Red{nbsp}Hat OpenShift cluster. -. The SPIRE, SPIRE agent, SPIFFE CSI Driver, and the SPIRE OIDC Discovery Provider operands are deployed and managed by {zero-trust-full} via associated Customer Resource Definitions (CRDs). +. The SPIRE, SPIRE Agent, SPIFFE CSI Driver, and the SPIRE OIDC Discovery Provider operands are deployed and managed by {zero-trust-full} via associated customer resource definitions (CRDs). . Watches are then registered for relevant Kubernetes resources and the necessary SPIRE CRDs are applied to the cluster. . The CR for the ZeroTrustWorkloadIdentityManager resource named `cluster` is deployed and managed by a controller. -. To deploy the SPIRE server, SPIRE agent, SPIFFE CSI Driver, and SPIRE OIDC Discovery Provider, you need to create a custom resource of a each certain type and name it `cluster`. The custom resource types are as follows: +. To deploy the SPIRE Server, SPIRE Agent, SPIFFE CSI Driver, and SPIRE OIDC Discovery Provider, you need to create a custom resource of a each certain type and name it `cluster`. The custom resource types are as follows: -* SPIRE server - `SpireServer` +* SPIRE Server - `SpireServer` -* SPIRE agent - `SpireAgent` +* SPIRE Agent - `SpireAgent` * SPIFFE CSI Driver - `SpiffeCSIDriver` * SPIRE OIDC discovery provider - `SpireOIDCDiscoveryProvider` -. When a node starts, the SPIRE agent initializes, and connects to the SPIRE server. +. When a node starts, the SPIRE Agent initializes, and connects to the SPIRE Server. -. The agent begins the node attestation process. The agent collects information on the node's identity such as label name and namespace. The agent securely provides the information it gathered through the attestation to the SPIRE server. +. 
The SPIRE Agent begins the node attestation process. The agent collects information on the node's identity such as label name and namespace. The agent securely provides the information it gathered through the attestation to the SPIRE Server. -. The SPIRE server then evaluates this information against its configured attestation policies and registration entries. If successful, the server generates an agent SVID and the Trust Bundle (CA Certificate) and securely sends this back to the agent. +. The SPIRE Server then evaluates this information against its configured attestation policies and registration entries. If successful, the server generates an agent SVID and the Trust Bundle (CA Certificate) and securely sends this back to the SPIRE Agent. . A workload starts on the node and needs a secure identity. The workload connects to the agent's Workload API and requests a SVID. -. The agent receives the request and begins a workload attestation to gather information about the workload. +. The SPIRE Agent receives the request and begins a workload attestation to gather information about the workload. -. After the agent gathers the information, the information is sent to the SPIRE server and the server checks its configured registration entries. +. After the SPIRE Agent gathers the information, the information is sent to the SPIRE Server and the server checks its configured registration entries. -. The agent receives the workload SVID and Trust Bundle and passes it on to the workload. The workload can now present their SVIDs to other SPIFFE-aware devices to communicate with them. +. The SPIRE Agent receives the workload SVID and Trust Bundle and passes it on to the workload. The workload can now present their SVIDs to other SPIFFE-aware devices to communicate with them. [role="_additional-resources"] diff --git a/modules/zero-trust-manager-install-cli.adoc b/modules/zero-trust-manager-install-cli.adoc index a094d095f8f5..60baf8737079 100644 
--- a/modules/zero-trust-manager-install-cli.adoc +++ b/modules/zero-trust-manager-install-cli.adoc @@ -73,7 +73,7 @@ $ oc create -f subscription.yaml .Verification -. Verify that the OLM subscription is created by running the following command: +* Verify that the OLM subscription is created by running the following command: + [source, terminal] ---- @@ -87,7 +87,7 @@ NAME PACKAGE openshift-zero-trust-workload-identity-manager zero-trust-workload-identity-manager redhat-operators tech-preview-v0.1 ---- -. Verify whether the Operator is successfully installed by running the following command: +* Verify whether the Operator is successfully installed by running the following command: + [source, terminal] ---- @@ -101,7 +101,7 @@ NAME DISPLAY zero-trust-workload-identity-manager.v0.1.0 Zero Trust Workload Identity Manager 0.1.0 Succeeded ---- -. Verify that the {zero-trust-full} controller manager is ready by running the following command: +* Verify that the {zero-trust-full} controller manager is ready by running the following command: + [source, terminal] ---- diff --git a/modules/zero-trust-manager-install-console.adoc b/modules/zero-trust-manager-install-console.adoc index 0b30606dccc1..fcf272abb984 100644 --- a/modules/zero-trust-manager-install-console.adoc +++ b/modules/zero-trust-manager-install-console.adoc @@ -11,6 +11,7 @@ You can use the web console to install the {zero-trust-full}. .Prerequisites * You have access to the cluster with `cluster-admin` privileges. + * You have access to the {product-title} web console. .Procedure 
@@ -26,7 +27,9 @@ You can use the web console to install the {zero-trust-full}. . Select the {zero-trust-full} version from *Version* drop-down list, and click *Install*. . On the *Install Operator* page: + .. Update the *Update channel*, if necessary. The channel defaults to *tech-preview-v0.1*, which installs the latest Technology Preview v0.1 release of the {zero-trust-full}. + .. Choose the *Installed Namespace* for the Operator. The default Operator namespace is `zero-trust-workload-identity-manager`. + If the `zero-trust-workload-identity-manager` namespace does not exist, it is created for you. @@ -41,9 +44,11 @@ If the `zero-trust-workload-identity-manager` namespace does not exist, it is cr .Verification -. Navigate to *Operators* -> *Installed Operators*. -. Verify that *{zero-trust-full}* is listed with a *Status* of *Succeeded* in the `zero-trust-workload-identity-manager` namespace. -. Verify that {zero-trust-full} controller manager deployment is ready and available by running the following command: +* Navigate to *Operators* -> *Installed Operators*. + +** Verify that *{zero-trust-full}* is listed with a *Status* of *Succeeded* in the `zero-trust-workload-identity-manager` namespace. + +** Verify that {zero-trust-full} controller manager deployment is ready and available by running the following command: + [source,terminal] ---- diff --git a/modules/zero-trust-manager-oidc-config.adoc b/modules/zero-trust-manager-oidc-config.adoc index 99cfb58c8c91..e8f3a15c19b9 100644 --- a/modules/zero-trust-manager-oidc-config.adoc +++ b/modules/zero-trust-manager-oidc-config.adoc @@ -34,7 +34,7 @@ spec: jwtIssuer: #<3> ---- <1> The trust domain to be used for the SPIFFE identifiers. -<2> The name of the SPIRE agent unix socket. +<2> The name of the SPIRE Agent unix socket. <3> The JSON Web Token (JWT) issuer domain. The default value is set to the value specified in `oidc-discovery.$trustDomain`. .. Apply the configuration by running the following command: 
diff --git a/modules/zero-trust-manager-query-metrics.adoc b/modules/zero-trust-manager-query-metrics.adoc index 78d5b177090d..476e57e590df 100644 --- a/modules/zero-trust-manager-query-metrics.adoc +++ b/modules/zero-trust-manager-query-metrics.adoc @@ -11,8 +11,11 @@ As a cluster administrator, or as a user with view access to all namespaces, you .Prerequisites * You have access to the cluster as a user with the `cluster-admin` role. + * You have installed the {zero-trust-full}. + * You have deployed the SPIRE Server and SPIRE Agent operands in the cluster. + * You have enabled monitoring and metrics collection by creating `ServiceMonitor` objects. .Procedure diff --git a/modules/zero-trust-manager-spiffe-csidriver-config.adoc b/modules/zero-trust-manager-spiffe-csidriver-config.adoc index da186bf6f91a..1a1afdc7aa4b 100644 --- a/modules/zero-trust-manager-spiffe-csidriver-config.adoc +++ b/modules/zero-trust-manager-spiffe-csidriver-config.adoc @@ -6,7 +6,7 @@ [id="zero-trust-manager-spire-csidriver-config_{context}"] = Deploying the SPIFFE Container Storage Interface driver -You can configure the `SpiffeCSIDriver` custom resource (CR) to deploy and configure a SPIRE agent. +You can configure the `SpiffeCSIDriver` custom resource (CR) to deploy and configure a SPIFFE Container Storage Interface (CSI) driver. .Prerequisites @@ -31,7 +31,7 @@ metadata: spec: agentSocketPath: '/run/spire/agent-sockets/spire-agent.sock' #<1> ---- -<1> The UNIX socket path to the SPIRE agent. +<1> The UNIX socket path to the SPIRE Agent. .. Apply the configuration by running the following command: + @@ -42,7 +42,7 @@ $ oc apply -f SpiffeCSIDriver.yaml .Verification -. Verify that the daemon set of the SPIFFE CSI driver is ready and available by running the following command: +* Verify that the daemon set of the SPIFFE CSI driver is ready and available by running the following command: + [source,terminal] ---- 
@@ -56,7 +56,7 @@ NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE N spire-spiffe-csi-driver 3 3 3 3 3 114s ---- -. Verify that the status of SPIFFE Container Storage Interface (CSI) Driver pods is `Running` by running the following command: +* Verify that the status of SPIFFE Container Storage Interface (CSI) Driver pods is `Running` by running the following command: + [source,terminal] ---- diff --git a/modules/zero-trust-manager-spire-agent-config.adoc b/modules/zero-trust-manager-spire-agent-config.adoc index dc3e746e362e..663b9bbd17e6 100644 --- a/modules/zero-trust-manager-spire-agent-config.adoc +++ b/modules/zero-trust-manager-spire-agent-config.adoc @@ -4,9 +4,9 @@ :_mod-docs-content-type: PROCEDURE [id="zero-trust-manager-spire-agent-config_{context}"] -= Deploying the SPIRE agent += Deploying the SPIRE Agent -You can configure the `SpireAgent` custom resource (CR) to deploy and configure a SPIRE agent. +You can configure the `SpireAgent` custom resource (CR) to deploy and configure a SPIRE Agent. .Prerequisites @@ -42,7 +42,7 @@ spec: <2> The name of your cluster. <3> Enable or disable the projected service account token (PSAT) Kubernetes node attestor. The valid options are `true` and `false`. <4> Enable or disable the Kubernetes workload attestor. The valid options are `true` and `false`. -<5> The type of verification to be done against kubelet. Valid options are `auto`, `hostCert`, `apiServerCA`, `skip`. The `auto` option initially attempts to use `hostCert`, and then falls back to `apiServerCA`. +<5> The type of verification to be done against the kubelet. Valid options are `auto`, `hostCert`, `apiServerCA`, `skip`. The `auto` option initially attempts to use `hostCert`, and then falls back to `apiServerCA`. .. Apply the configuration by running the following command: + 
@@ -53,7 +53,7 @@ $ oc apply -f SpireAgent.yaml .Verification -. Verify that the daemon set of the SPIRE agent is ready and available by running the following command +* Verify that the daemon set of the SPIRE Agent is ready and available by running the following command: + [source,terminal] ---- @@ -67,7 +67,7 @@ NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR spire-agent 3 3 3 3 3 10m ---- -. Verify that the status of SPIRE agent pods is `Running` by running the following command: +* Verify that the status of SPIRE Agent pods is `Running` by running the following command: + [source,terminal] ---- diff --git a/modules/zero-trust-manager-spire-server-config.adoc b/modules/zero-trust-manager-spire-server-config.adoc index eb1964d03d16..5fa8b8c53f4b 100644 --- a/modules/zero-trust-manager-spire-server-config.adoc +++ b/modules/zero-trust-manager-spire-server-config.adoc @@ -4,9 +4,9 @@ :_mod-docs-content-type: PROCEDURE [id="zero-trust-manager-spire-server-config_{context}"] -= Deploying the SPIRE server += Deploying the SPIRE Server -You can configure the `SpireServer` custom resource (CR) to deploy and configure a SPIRE server. +You can configure the `SpireServer` custom resource (CR) to deploy and configure a SPIRE Server. .Prerequisites 
@@ -49,11 +49,11 @@ spec: ---- <1> The trust domain to be used for the SPIFFE identifiers. <2> The name of your cluster. -<3> The common name for SPIRE server CA. -<4> The country for SPIRE server CA. -<5> The organization for SPIRE server CA. -<6> The type of volume to be used for persistence. The valid options are `pvc` and `hostPath`. -<7> The size of volume to be used for persistence +<3> The common name for SPIRE Server CA. +<4> The country for SPIRE Server CA. +<5> The organization for SPIRE Server CA. +<6> The volume type to be used for persistence. The valid options are `pvc` and `hostPath`. +<7> The volume size to be used for persistence <8> The access mode to be used for persistence. The valid options are `ReadWriteOnce`, `ReadWriteOncePod`, and `ReadWriteMany`. <9> The maximum number of open database connections. <10> The maximum number of idle connections in the pool. @@ -69,7 +69,7 @@ $ oc apply -f SpireServer.yaml .Verification -. Verify that the stateful set of SPIRE server is ready and available by running the following command: +* Verify that the stateful set of SPIRE Server is ready and available by running the following command: + [source,terminal] ---- @@ -83,7 +83,7 @@ NAME READY AGE spire-server 1/1 65s ---- -. Verify that the status of SPIRE server pod is `Running` by running the following command: +* Verify that the status of the SPIRE Server pod is `Running` by running the following command: + [source,terminal] ---- @@ -97,7 +97,7 @@ NAME READY STATUS RESTARTS AGE spire-server-0 2/2 Running 1 (108s ago) 111s ---- -. Verify that the persistent volume claim (PVC) is bound, by running the following command: +* Verify that the persistent volume claim (PVC) is bound, by running the following command: + [source,terminal] ---- diff --git a/modules/zero-trust-manager-uninstall-console.adoc b/modules/zero-trust-manager-uninstall-console.adoc index 13095698aec7..18bd8a29f5e3 100644 --- a/modules/zero-trust-manager-uninstall-console.adoc 
+++ b/modules/zero-trust-manager-uninstall-console.adoc @@ -11,13 +11,19 @@ You can uninstall the {zero-trust-full} by using the web console. .Prerequisites * You have access to the cluster with `cluster-admin` privileges. + * You have access to the {product-title} web console. + * The {zero-trust-full} is installed. .Procedure . Log in to the {product-title} web console. + . Uninstall the {zero-trust-full}. + .. Go to *Operators* -> *Installed Operators*. + .. Click the *Options* menu next to the *{zero-trust-full}* entry, and then click *Uninstall Operator*. + .. In the confirmation dialog, click *Uninstall*. diff --git a/modules/zero-trust-manager-uninstall-resources.adoc b/modules/zero-trust-manager-uninstall-resources.adoc index fd5b202e82dc..3e5e059d2a20 100644 --- a/modules/zero-trust-manager-uninstall-resources.adoc +++ b/modules/zero-trust-manager-uninstall-resources.adoc 
@@ -14,59 +14,147 @@ After you have uninstalled the {zero-trust-full}, you have the option to delete .Procedure -. Uninstall the operand objects by running each of the following commands: +. Uninstall the operands by running each of the following commands: + +.. Delete the `ZeroTrustWorkloadIdentityManager` cluster by running the following command: + [source,terminal] ---- $ oc delete ZeroTrustWorkloadIdentityManager cluster +---- + +.. Delete the `SpireOIDCDiscoveryProvider` cluster by running the following command: ++ +[source,terminal] +---- $ oc delete SpireOIDCDiscoveryProvider cluster +---- + +.. Delete the `SpiffeCSIDriver` cluster by running the following command: ++ +[source,terminal] +---- $ oc delete SpiffeCSIDriver cluster +---- + +.. Delete the `SpireAgent` cluster by running the following command: ++ +[source,terminal] +---- $ oc delete SpireAgent cluster +---- + +.. Delete the `SpireServer` cluster by running the following command: ++ +[source,terminal] +---- $ oc delete SpireServer cluster ---- -. Delete the Persistent Volume Claim (PVC) and services by running each of the following commands: +.. Delete the Persistent Volume Claim (PVC) by running the following command: + [source,terminal] ---- $ oc delete pvc -l=app.kubernetes.io/managed-by=zero-trust-workload-identity-manager +---- + +.. Delete the CSI Driver by running the following command: ++ +[source,terminal] +---- $ oc delete csidriver -l=app.kubernetes.io/managed-by=zero-trust-workload-identity-manager +---- + +.. Delete the service by running the following command: ++ +[source,terminal] +---- $ oc delete service -l=app.kubernetes.io/managed-by=zero-trust-workload-identity-manager ---- -. Delete the namespace by running the following command: +.. Delete the namespace by running the following command: + [source,terminal] ---- $ oc delete ns zero-trust-workload-identity-manager ---- -. Delete the cluster-wide role-based access control (RBAC) by running each of the following commands: +.. 
Delete the cluster role binding by running the following command: + [source,terminal] ---- $ oc delete clusterrolebinding -l=app.kubernetes.io/managed-by=zero-trust-workload-identity-manager +---- + +.. Delete the cluster role by running the following command: ++ +[source,terminal] +---- $ oc delete clusterrole -l=app.kubernetes.io/managed-by=zero-trust-workload-identity-manager ---- -. Delete the admission wehhook configuration by running each of the following command: +.. Delete the admission wehhook configuration by running the following command: + [source,terminal] ---- $ oc delete validatingwebhookconfigurations -l=app.kubernetes.io/managed-by=zero-trust-workload-identity-manager ---- -. Delete the Custom Resource Definitions (CRDs) by running each of the following commands: +. Delete the custom resource definitions (CRDs) by running each of the following commands: + +.. Delete the SPIRE Server CRD by running the following command: + [source,terminal] ---- $ oc delete crd spireservers.operator.openshift.io +---- + +.. Delete the SPIRE Agent CRD by running the following command: ++ +[source,terminal] +---- $ oc delete crd spireagents.operator.openshift.io +---- + +.. Delete the SPIFFEE CSI Drivers CRD by running the following command: ++ +[source,terminal] +---- $ oc delete crd spiffecsidrivers.operator.openshift.io +---- + +.. Delete the SPIRE OIDC Discovery Provider CRD by running the following command: ++ +[source,terminal] +---- $ oc delete crd spireoidcdiscoveryproviders.operator.openshift.io +---- + +.. Delete the SPIRE and SPIFFE cluster federated trust domains CRD by running the following command: ++ +[source,terminal] +---- $ oc delete crd clusterfederatedtrustdomains.spire.spiffe.io +---- + +.. Delete the cluster SPIFFE IDs CRD by running the following command: ++ +[source,terminal] +---- $ oc delete crd clusterspiffeids.spire.spiffe.io +---- + +.. 
Delete the SPIRE and SPIFFE cluster static entries CRD by running the following command: ++ +[source,terminal] +---- $ oc delete crd clusterstaticentries.spire.spiffe.io +---- + +.. Delete the {zero-trust-full} CRD by running the following command: ++ +[source,terminal] +---- $ oc delete crd zerotrustworkloadidentitymanagers.operator.openshift.io ---- diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc index b523cb0428e2..5f9580e8e39b 100644 --- a/security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc +++ b/security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc @@ -20,10 +20,10 @@ You can deploy the following operands by creating the respective custom resource . SPIRE OIDC discovery provider -// Deploying and configuring SPIRE server +// Deploying and configuring SPIRE Server include::modules/zero-trust-manager-spire-server-config.adoc[leveloffset=+1] -// Deploying and configuring SPIRE agent +// Deploying and configuring SPIRE Agent include::modules/zero-trust-manager-spire-agent-config.adoc[leveloffset=+1] // Deploying and configuring SPIFFE CSI Driver diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-overview.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-overview.adoc index 63194f8ef772..976cf2f707cc 100644 --- a/security/zero_trust_workload_identity_manager/zero-trust-manager-overview.adoc +++ b/security/zero_trust_workload_identity_manager/zero-trust-manager-overview.adoc 
@@ -24,13 +24,21 @@ include::modules/zero-trust-manager-about-spiffe.adoc[leveloffset=+1] //SPIRE include::modules/zero-trust-manager-about-spire.adoc[leveloffset=+1] -//SPIRE agent +//SPIRE Agent include::modules/zero-trust-manager-about-agent.adoc[leveloffset=+1] - //Attestation include::modules/zero-trust-manager-about-attestation.adoc[leveloffset=+1] +//== Zero Trust Workload Identity Manager components and features + +// SPIFFE SPIRE components +include::modules/zero-trust-manager-about-components.adoc[leveloffset=+1] + +//SPIRE features +include::modules/zero-trust-manager-about-features.adoc[leveloffset=+1] + +// //How it works include::modules/zero-trust-manager-how-it-works.adoc[leveloffset=+1] diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc index 4aed841812e9..ac0f8ba4459b 100644 --- a/security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc +++ b/security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc @@ -35,7 +35,7 @@ This initial release of {zero-trust-full} is a Technology Preview. This version * Telemetry is supported only through Prometheus. -* High availability (HA) configuration for SPIRE servers or the OpenID Connect (OIDC) Discovery provider is not supported. +* High availability (HA) configuration for SPIRE Servers or the OpenID Connect (OIDC) Discovery provider is not supported. * External datastore is not supported. This version uses the internal `sqlite` datastore deployed by SPIRE.
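Review bot: In the `_topic_map.yml` hunk, the `zero-trust-manager-features` entry is removed from the navigation, but no hunk in this patch deletes the `zero-trust-manager-features.adoc` assembly itself; confirm that file is removed in the same change (or still reachable), otherwise it becomes an orphan page that the build can still render but nothing links to. The content it held (`zero-trust-manager-about-components.adoc` and `zero-trust-manager-about-features.adoc`) is now included from `zero-trust-manager-overview.adoc`, so the assembly has no remaining purpose.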
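Review bot: The `zero-trust-manager-about-spire.adoc` hunk capitalizes "SPIRE Server" but carries the existing typo forward on the `+` line: "perform node attestion via node plugins" should read "perform node attestation via node plugins". The sibling `zero-trust-manager-about-attestation.adoc` hunk has a subject-verb mismatch on its `+` line, "the identity of nodes and workloads are verified", which should be "is verified"; both files also still lack a trailing newline.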
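Review bot: In the `zero-trust-manager-how-it-works.adoc` hunk, the first step's `+` line changes "Customer Resource Definitions (CRDs)" to "customer resource definitions (CRDs)", which keeps the wrong word; it should be "custom resource definitions (CRDs)", matching the wording used in `zero-trust-manager-uninstall-resources.adoc`. The same hunk leaves "create a custom resource of a each certain type" on its `+` line; suggest "create a custom resource of each of the following types and name it `cluster`".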
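Review bot: In the `zero-trust-manager-install-console.adoc` verification hunk, the two `**` items are nested under "Navigate to *Operators* -> *Installed Operators*", but the second one ("Verify that {zero-trust-full} controller manager deployment is ready and available by running the following command") is a CLI check that does not depend on that console navigation, so nesting it there misleads the reader. Suggest keeping it as a top-level `*` item, and add the missing article: "Verify that the {zero-trust-full} controller manager deployment".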
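Review bot: In the `zero-trust-manager-spire-agent-config.adoc` hunk, callout `<5>` lists `skip` as a valid kubelet verification option without saying what it gives up. Since the callout describes "the type of verification to be done against the kubelet", a reader deserves one sentence noting that `skip` performs no verification of the kubelet and should not be used outside of test environments, so that `auto` stays the documented default for production clusters.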
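Review bot: In the `zero-trust-manager-spire-server-config.adoc` hunk, callout `<7>` on the `+` line, "The volume size to be used for persistence", still lacks the terminating period that every other callout in the block has. In the verification steps of the same file, "Verify that the stateful set of SPIRE Server is ready" should read "of the SPIRE Server", matching the article added in the following item ("the SPIRE Server pod").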
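Review bot: In the `zero-trust-manager-uninstall-resources.adoc` hunk, the restructuring nests every step (PVC, CSI driver, service, namespace, RBAC, webhook) as `..` sub-steps under "Uninstall the operands", but deleting the namespace, cluster roles and the validating webhook configuration is not operand removal; suggest promoting those back to top-level `.` steps so the procedure reads as "remove operands", "remove cluster-scoped resources", "remove CRDs". Two typos survive on `+` lines: "admission wehhook configuration" should be "admission webhook configuration", and "SPIFFEE CSI Drivers CRD" should be "SPIFFE CSI Driver CRD". The new sub-step titles "Delete the `SpireServer` cluster" are also ambiguous, since the command deletes the `SpireServer` custom resource named `cluster`, not a cluster; suggest "Delete the `SpireServer` CR named `cluster`" for each of the five operand steps.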
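Review bot: In the `zero-trust-manager-overview.adoc` hunk, the added line `+//` just before `//How it works` is an empty comment left over from editing and should be dropped; the `+//== Zero Trust Workload Identity Manager components and features` line is a commented-out heading that documents the former assembly title, which is fine to keep only if a reader of the source needs that history. The `zero-trust-manager-enable-metrics-server.adoc` hunk `@@ -68,3 +71,4 @@` likewise adds nothing but a trailing blank line at end of file, which is unrelated whitespace churn.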