[WIP] OSDOCS-15575 added a new assembly and updated topic map #96769
base: main
🤖 Tue Oct 21 13:05:55 - Prow CI generated the docs preview:
a2b2407 to 0ee8d81
/label merge-review-needed
Hi @wgabor0427 - Please make sure that QE has approved your PR before you submit it for merge review. Thanks!
/lgtm
0ee8d81 to 7f8b2ad
7f8b2ad to 9c33bb4
09cea55 to dd903e3
58e16f9 to 176910b
9226aef to b6d420a
Good content. Requested a number of improvements
| <2> Set to `ClusterIssuer` if issuer is cluster-scoped. The default is `Issuer`. | ||
| <3> The API group of the issuer. The default is `cert-manager.io`. | ||
| <4> The namespace where the `CertificateRequest` is created. The default is `zero-trust-workload-identity-manager`. | ||
| <5> The name of a Secret containing the `kubeconfig` to connect to the clsuter where `cert-manager` is running. If empy, an in-cluster configuration is used. |
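Review bot: callout <5> introduces a kubeconfig Secret for a remote cluster but never says what that kubeconfig must be allowed to do, and the spelling in the same line is wrong ("clsuter", "empy"). Because this kubeconfig is a credential held by the SPIRE server, state the minimum RBAC it needs: create and get/list/watch on `certificaterequests.cert-manager.io` in the namespace from callout <4> (plus delete, if the plugin removes completed requests), so readers do not hand it an admin kubeconfig. Callout <2> should also say that the value must match the kind of the issuer actually referenced, since a `ClusterIssuer` name with kind `Issuer` will simply not be found.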
| <5> The name of a Secret containing the `kubeconfig` to connect to the clsuter where `cert-manager` is running. If empy, an in-cluster configuration is used. | |
| <5> The name of a Secret containing the `kubeconfig` to connect to the cluster where `cert-manager` is running. If empty, an in-cluster configuration is used. |
| $ oc get certificaterequests -n <namespace> | ||
| ---- | ||
| . Run the following command ot inspect a specific `CertificateRequest`. Review the `Status` section to confirm the certificate has been signed and that the certificate data is present. |
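Review bot: the verification step tells the reader to review the `Status` section but the inspect command itself is not in the hunk, and the fields to look at are not named. Give the command, for example `oc describe certificaterequest <name> -n <namespace>` or `oc get certificaterequest <name> -n <namespace> -o yaml`, and state what success looks like: a `Ready` condition with status `True` and a non-empty `status.certificate` and `status.ca`. A request that stays at `Ready=False` (or `Approved=False`) means the referenced issuer has not signed it, which is the case the reader is trying to rule out. Also "ot" should read "to".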
| . Run the following command ot inspect a specific `CertificateRequest`. Review the `Status` section to confirm the certificate has been signed and that the certificate data is present. | |
| . Run the following command to inspect a specific `CertificateRequest`. Review the `Status` section to confirm the certificate has been signed and that the certificate data is present. |
| The cert-manager plugin enables the SPIRE server to dynamically request and receive intermediate signing certificates from cert-manager. The plugin automates the management of the SPIRE server intermediate signing certificates by integrating with cert-manager. | ||
| When a SPIRE server needs a new certificate, the cert-manager plugin creates a `CertificateRequest` custom resource in the configured Kubernetes namespace. The namespace has the Certificate Signing Request (CSR) generated by the SPIRE server. The cert-manager plugin processes the `CertificateRequest` and an associated `Issuer` signs the CSR. The signed intermediate certificate and the full Certificate Authority (CA) bundle are available in the `CertificateRequest` status. These signed credentials are available to the SPIRE server and used as its upstream signing authority. No newline at end of file |
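Review bot: "The namespace has the Certificate Signing Request (CSR) generated by the SPIRE server" is inaccurate: the CSR is carried by the `CertificateRequest` object itself (its `spec.request` field), not by the namespace. Suggest "The `CertificateRequest` carries the CSR generated by the SPIRE server." The next sentence also reverses the roles: the plugin creates the request, and it is cert-manager, through the referenced `Issuer` (or `ClusterIssuer`), that processes and signs it; the plugin then reads the signed certificate and CA bundle back from the status. Rewording those two sentences makes the trust flow clear, which matters because it tells the reader which component holds the signing key.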
Should OpenShift be used instead of Kubernetes?
I think that's a good idea
| When a SPIRE server needs a new certificate, the cert-manager plugin creates a `CertificateRequest` custom resource in the configured Kubernetes namespace. The namespace has the Certificate Signing Request (CSR) generated by the SPIRE server. The cert-manager plugin processes the `CertificateRequest` and an associated `Issuer` signs the CSR. The signed intermediate certificate and the full Certificate Authority (CA) bundle are available in the `CertificateRequest` status. These signed credentials are available to the SPIRE server and used as its upstream signing authority. | |
| When a SPIRE server needs a new certificate, the cert-manager plugin creates a `CertificateRequest` custom resource in the configured Kubernetes namespace. The namespace includes the Certificate Signing Request (CSR) generated by the SPIRE server. The cert-manager plugin processes the `CertificateRequest` and an associated `Issuer` signs the CSR. The signed intermediate certificate and the full Certificate Authority (CA) bundle are available in the `CertificateRequest` status. These signed credentials are available to the SPIRE server and used as its upstream signing authority. |
| .Prerequisites | ||
| * Access to a Kubernetes cluster where the SPIRE server runs. |
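Review bot: the prerequisites stop at cluster access, but the procedure assumes more: cert-manager must already be installed and an `Issuer` or `ClusterIssuer` must exist that is allowed to sign intermediate CA certificates (a leaf-only issuer will produce an unusable SPIRE signing certificate), and the reader needs permission to edit the SPIRE server configuration. Listing those up front avoids a procedure that fails at the verification step.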
| * Access to a Kubernetes cluster where the SPIRE server runs. | |
| * Access to an OpenShift cluster where the SPIRE server runs. |
| <3> Name of the Kubernetes secret containing the client private key in PEM format. | ||
| <4> The name of the Vault role to authenticate against. | ||
| .. Configure the `tokenAuth` authentication in the `UpstreamAuthority` section of the `spireserver.yaml` file. This method uses a static Vault token. |
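Review bot: the `tokenAuth` step calls this method "a static Vault token" but gives no handling guidance. Say how the token is supplied (a Secret reference, consistent with callout <3> above, rather than a literal in `spireserver.yaml` that ends up committed with the config) and note that a static token does not rotate and grants whatever policy it was minted with, so `k8sAuth`, `certAuth` or AppRole are the methods to recommend for anything beyond a lab. The section key should also be `upstreamAuthority`, matching the other steps.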
| .. Configure the `tokenAuth` authentication in the `UpstreamAuthority` section of the `spireserver.yaml` file. This method uses a static Vault token. | |
| .. Configure the `tokenAuth` authentication in the `upstreamAuthority` section of the `spireserver.yaml` file. This method uses a static Vault token. |
| <2> The `AppRole` ID used for authentication. | ||
| <3> the `AppRole` SecretID used for authentication. | ||
| . Configure the `k8sAuth` authentication in the `UpstreamAuthority` section of the `spireserver.yaml` file. This method uses a Kubernetes ServiceAccount token for authentication. |
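Review bot: callout <3> begins with a lowercase "the" and, more importantly, does not say how the AppRole SecretID is provided; since it is a credential, state whether it is a Secret reference (as the other credential callouts on this page use) or an inline value, and warn against the inline form. The `k8sAuth` sentence should name which ServiceAccount token is used (the SPIRE server's) and say that the Vault Kubernetes auth role must be bound to that ServiceAccount and namespace, otherwise the reader cannot tell what to configure on the Vault side.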
| . Configure the `k8sAuth` authentication in the `UpstreamAuthority` section of the `spireserver.yaml` file. This method uses a Kubernetes ServiceAccount token for authentication. | |
| . Configure the `k8sAuth` authentication in the `upstreamAuthority` section of the `spireserver.yaml` file. This method uses a Kubernetes ServiceAccount token for authentication. |
| <4> The name used for the Mutual Transport Layer Security (mTLS) authentication with the Vault server. | ||
| . Configure one of the authentication methods: | ||
| .. Configure the `certAuth` authentication in the `UpstreamAuthority` section of the `spireserver.yaml` file. This method uses a client certificate and private key for authentication. |
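Review bot: callout <4>, "The name used for the Mutual Transport Layer Security (mTLS) authentication with the Vault server", is ambiguous; say whether this is the Vault cert-auth role name that the client certificate is mapped to, as opposed to the certificate's own subject. The list nesting is also inconsistent across the hunks above: `tokenAuth` and `certAuth` are written as `..` sub-steps under "Configure one of the authentication methods", but `k8sAuth` is written as a top-level `.` step, so it renders as a separate mandatory step rather than one of the alternatives.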
| .. Configure the `certAuth` authentication in the `UpstreamAuthority` section of the `spireserver.yaml` file. This method uses a client certificate and private key for authentication. | |
| .. Configure the `certAuth` authentication in the `upstreamAuthority` section of the `spireserver.yaml` file. This method uses a client certificate and private key for authentication. |
| @@ -0,0 +1,140 @@ | |||
| // Module included in the following assemblies: | |||
| // | |||
| // * security/zero_trust_workload_identity_manager/zero-trust-manager.adoc | |||
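Review bot: the new module's header lists only `zero-trust-manager.adoc` as the including assembly, yet the PR title says a new assembly was added and the docs preview points at `zero-trust-manager-upstream-authority.html`. If the module is included from that new assembly, add it to this comment so the module-to-assembly map stays accurate for the next editor.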
There are a lot of assumptions that the Vault server has been configured a certain way. Is there any other guidance that we will be providing for our customers?
I do not know that. Yuedong would have to confirm
| :FeatureName: Zero Trust Workload Identity Manager | ||
| include::snippets/technology-preview.adoc[] | ||
| Upstream authority plugins are components that allow the SPIRE server to integrate with an existing Public Key Infrastructure (PKI) to obtain intermediate signing certificates. The SPIRE server then uses these intermediate certificates to cryptographically sign the {svid-full} that it issues to workloads. The plugins also allow the SPIRE server to use a pre-existing root of trust, rather than establishing a new, isolated one. |
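Review bot: the intro should spell out the consequence of using an upstream authority, otherwise "pre-existing root of trust" reads as cosmetic. With a plugin configured, the SPIRE server's signing certificate becomes an intermediate under the external PKI, so the trust bundle distributed to workloads includes the upstream CA chain and the lifetime and rotation of the intermediate are governed by the upstream issuer. One sentence to that effect tells the reader why the Vault and cert-manager configuration choices in the following sections matter.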
| Upstream authority plugins are components that allow the SPIRE server to integrate with an existing Public Key Infrastructure (PKI) to obtain intermediate signing certificates. The SPIRE server then uses these intermediate certificates to cryptographically sign the {svid-full} that it issues to workloads. The plugins also allow the SPIRE server to use a pre-existing root of trust, rather than establishing a new, isolated one. | |
| Upstream authority plugins are components that allow the SPIRE server to integrate with an existing Public Key Infrastructure (PKI) to obtain intermediate signing certificates. The SPIRE server then uses these intermediate certificates to cryptographically sign the {svid-full} that it issues to workloads. The plugins also allow the SPIRE server to use a pre-existing root of trust, rather than establishing a new, isolated root of trust. |
36ee519 to 7125277
2a0b127 to 892f2e1
The This is because your PR targets the If the update in your PR does NOT apply to version 4.21 onward, please re-target this PR to go directly into the appropriate version branch or branches (enterprise-4.x) instead of main.
892f2e1 to e90e7d7
/retest
09c5999 to 903b32e
@wgabor0427: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
/lgtm
/retest
Version(s): 4.19+
Issue:
Link to docs preview: https://96769--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-upstream-authority.html
QE review:
Additional information: