Added basic docs for Layered Zero Trust

gaurav-nelson · gaurav-nelson · commit f3626023c896 · 2025-09-12T17:39:15.000+10:00
diff --git a/content/patterns/layered-zero-trust/_index.adoc b/content/patterns/layered-zero-trust/_index.adoc
@@ -2,7 +2,7 @@
 title: Layered Zero Trust
 date: 2025-06-11
 tier: sandbox
-summary: Layered Zero Trust demonstrates how to operationalize Zero Trust security principles when using products in the Red Hat Portfolio
+summary: Layered Zero Trust demonstrates how to operationalize Zero Trust security principles when using products in the Red Hat Portfolio.
 rh_products:
 - Red Hat OpenShift Container Platform
 industries:
@@ -12,23 +12,24 @@ links:
   install: https://github.com/validatedpatterns/layered-zero-trust/?tab=readme-ov-file#getting-started
   bugs: https://github.com/validatedpatterns/layered-zero-trust/issues
   feedback: https://docs.google.com/forms/d/e/1FAIpQLScI76b6tD1WyPu2-d_9CCVDr3Fu5jYERthqLKJDUGwqBg7Vcg/viewform
+ci: layeredzerotrust
 ---
 
 
 :toc:
 :imagesdir: /images
-:_content-type: ASSEMBLY
+:_mod-docs-content-type: ASSEMBLY
 include::modules/comm-attributes.adoc[]
 
 [id="about-lzt-pattern"]
 = About the Layered Zero Trust pattern
 
 link:https://www.redhat.com/en/topics/security/what-is-zero-trust[Zero trust] is an approach to designing security architectures based on the premise that every interaction begins in an untrusted state.
-The Layered Zero Trust pattern describes how to implement a zero trust architecture in a Red Hat OpenShift Container Platform environment.
+The Layered Zero Trust pattern describes how to implement a zero trust architecture in a {rh-ocp} environment.
 The pattern identifies specific transactions between an actor and a resource within the environment.
 For these transactions, you can identify the context and implement policy enforcement.
 
-Because of the breadth and diversity of possible interactions between components in OpenShift Container Platform, this pattern is presented as a set of abstract, stackable layers.
+Because of the breadth and diversity of possible interactions between components in {ocp}, this pattern is presented as a set of abstract, stackable layers.
 These layers provide the prerequisite capabilities that are needed to implement appropriate enforcement points.
 For each instance, this pattern describes the associated actors, transactions, and the zero trust policy that you can implement within the platform. To provide context for users, this pattern uses relevant business use cases and traces them to the associated implementation components.
 
@@ -51,48 +52,48 @@ In contrast, the Zero Trust architecture operates from the assumption that a bre
 It focuses on preventing further compromise by establishing well-defined security boundaries and enforcing a deny-all default access control stance.
 The pattern emphasizes significant automation and grants access dynamically, based on policies, with a least-privilege, as-needed approach.
 Instead of relying on signatures, it explicitly enumerates allowed actors and monitors their behavior, which is a more effective way to contain malicious activity.
-Zero Trust architectures incorporate contextual information and user behavior analytics to inform access decisions, proactively preventing lateral movement in the event of a compromise.
+Zero Trust architectures incorporate contextual information and user behavior analytics to inform access decisions, proactively preventing lateral movement in case of a compromise.
 
 [id="about-solution"]
 == About the solution
 
-The Layered Zero Trust pattern implements a layered zero trust architecture that demonstrates workload identity management, secure communication, and secret management capabilities.
+The Layered Zero Trust pattern implements a layered zero trust architecture that shows workload identity management, secure communication, and secret management capabilities.
 
-The solution integrates multiple Red Hat components to provide:
+The solution integrates many Red{nbsp}Hat components to offer:
 
 * Workload identity using Secure Production Identity Framework for Everyone (SPIFFE) and SPIFFE Runtime Environment (SPIRE) standards.
 * Secure secret management through HashiCorp Vault.
-* Identity and access management by using the Red Hat build of Keycloak (RHBK).
+* Identity and access management by using the Red{nbsp}Hat build of Keycloak (RHBK).
 * Certificate management for secure communications.
 * External secret management integration.
 
 [id="architecture"]
 === Architecture
 
-The Layered Zero Trust pattern architecture consists of multiple components that work together to provide a secure environment for applications and workloads.
+The Layered Zero Trust pattern architecture consists of many components that work together to offer a secure environment for applications and workloads.
 
 The pattern consists of the following key components:
 
 . Zero Trust Workload Identity Manager: Implements workload identity using SPIFFE/SPIRE.
 . HashiCorp Vault: Provides secure secret storage and management.
-. Red Hat build of Keycloak (RHBK): Manages identity and access for users and services.
+. Red{nbsp}Hat build of Keycloak (RHBK): Manages identity and access for users and services.
 . OpenShift Cert Manager: Manages the lifecycle of certificates for secure communication.
 . External Secrets Operator: Synchronizes secrets from external systems into the cluster.
-. QTodo application: Serves as a Quarkus-based application to demonstrate zero trust principles.
+. QTodo application: Serves as a Quarkus-based application to show zero trust principles.
 . PostgreSQL database: Provides the backend database for the demonstration application.
 
 [id="sidecar-pattern"]
 ==== Sidecar pattern
 
 The sidecar pattern is a deployment model where a separate container or process, called a sidecar, runs alongside a main application to handle auxiliary tasks.
-In an OpenShift environment, this is simplified through the use of pods, which ensure the sidecar and main application share the same lifecycle.
+In an {ocp} environment, this is simplified through the use of pods, which ensure the sidecar and main application share the same lifecycle.
 This approach is highly beneficial for Zero Trust architectures because it allows for the centralized enforcement of security policies, such as authentication, authorization, traffic encryption (mTLS), rate limiting, auditing, and logging, without requiring developers to build this logic into every microservice.
 It separates concerns, simplifies development, and allows security policies to be updated independently of the main application.
 
 While sidecars are often criticized for adding complexity and resource usage, the text argues these are often misconceptions:
 
-* *Complexity*: Sidecars simplify the main application by offloading tasks, and modern platforms like OpenShift are designed to manage them efficiently.
-* *Resource Usage*: The resource cost of a sidecar is often minimal compared to the overhead of integrating security logic into every application.
+* *Complexity*: Sidecars simplify the main application by offloading tasks, and modern platforms, such as {ocp}, are designed to manage them efficiently.
+* *Resource Usage*: The resource cost of a sidecar is often minimal compared to the additional CPU and memory required to integrate security logic into every application.
 * *Debugging*: Sidecars can simplify debugging by isolating logs and metrics from the main application, making it easier to pinpoint the source of a policy failure.
 
 The Layered Zero Trust pattern makes extensive use of the sidecar approach to achieve its goals by offloading critical security functions from the main application.
@@ -106,10 +107,10 @@ The following technologies are used in this solution:
 
 * *Zero Trust Workload Identity Manager*: Implements workload identity using SPIFFE/SPIRE.
 * *HashiCorp Vault*: Provides secure secret storage and management.
-* *Red Hat build of Keycloak (RHBK)*: Manages identity and access for users and services.
-* *Red Hat OpenShift GitOps*: a GitOps continuous delivery (CD) solution based on ArgoCD
+* *Red{nbsp}Hat build of Keycloak (RHBK)*: Manages identity and access for users and services.
+* *{rh-gitops}*: A GitOps continuous delivery (CD) solution based on ArgoCD
 * *OpenShift Cert Manager*: Manages the lifecycle of certificates for secure communication.
 * *External Secrets Operator*: Synchronizes secrets from external systems into the cluster.
 * *Compliance Operator*: Provides ability to scan and remediate cluster hardening based on profiles
-* *QTodo application*: Serves as a sample Quarkus-based application to demonstrate zero trust principles.
+* *QTodo application*: Serves as a sample Quarkus-based application to show zero trust principles.
 * *PostgreSQL database*: Provides the backend database for the demonstration application.
diff --git a/content/patterns/layered-zero-trust/lzt-getting-started.adoc b/content/patterns/layered-zero-trust/lzt-getting-started.adoc
@@ -6,19 +6,19 @@ aliases: /layered-zero-trust/lzt-getting-started/
 
 :toc:
 :imagesdir: /images
-:_content-type: ASSEMBLY
+:_mod-docs-content-type: ASSEMBLY
 include::modules/comm-attributes.adoc[]
 
 [id="lzt-deploying-lzt-pattern"]
 = Deploying the Layered Zero Trust pattern
 
-Follow the instructions in this section to configure and deploy the Layered Zero Trust pattern.
+Follow these instructions to configure and deploy the Layered Zero Trust pattern.
 
 .Prerequisites
 
-* An OpenShift cluster with publicly signed certificates for Ingress
+* An {ocp} cluster with publicly signed certificates for Ingress
 * A GitHub account and a token for it with repositories permissions, to read from and write to your forks.
-* Access to podman (or docker) for execution of the container images used by `pattern.sh` script for provisioning.
+* Access to Podman (or Docker) for execution of the container images used by `pattern.sh` script for provisioning.
 * Useful additions:
 
 ** The Helm binary, for instructions, see link:https://helm.sh/docs/intro/install/[Installing Helm]
@@ -29,22 +29,20 @@ Follow the instructions in this section to configure and deploy the Layered Zero
 
 Follow these instructions for setting up the project repository:
 
-. Fork the layered-zero-trust repository from GitHub. You must fork the
-repository because your fork is updated as part of the GitOps and DevOps
-processes.
+. Fork the layered-zero-trust repository from GitHub. You must fork the repository because your fork is updated as part of the GitOps and DevOps processes.
 . Clone your forked repository.
 +
 [source,terminal]
 ----
-$ git clone git@github.com:<your-username>/layered-zero-trust.git
+$ git clone git@github.com:<your_username>/layered-zero-trust.git
 ----
 
 . Go to your repository: Ensure you are in the root directory of your
 Git repository by using the following command:
 +
 [source,terminal]
 ----
-$ cd </path/to/your/repository>
+$ cd </path_to_your_repository>
 ----
 
 . Set up upstream remote repository:
@@ -66,8 +64,8 @@ Example output:
 +
 [source,terminal]
 ----
-origin  git@github.com:<your-username>/layered-zero-trust.git (fetch)
-origin  git@github.com:<your-username>/layered-zero-trust.git (push)
+origin  git@github.com:<your_username>/layered-zero-trust.git (fetch)
+origin  git@github.com:<your_username>/layered-zero-trust.git (push)
 upstream    https://github.com/validatedpatterns/layered-zero-trust.git (fetch)
 upstream    https://github.com/validatedpatterns/layered-zero-trust.git (push)
 ----
@@ -82,12 +80,9 @@ $ cp values-secret.yaml.template ~/values-secret-layered-zero-trust.yaml
 +
 [NOTE]
 ====
-To prevent your secrets from being pushed to your Git repository,
-the command places the `values-secret.yaml` file in your home directory.
-This file is derived from the `values-secrets.yaml.template` file, which
-is located in the pattern’s top-level directory. When creating new
-patterns, you should add your secrets to the `values-secret.yaml` file
-in your home directory.
+To prevent pushing secrets to your Git repository, the command places the `values-secret.yaml` file in your home directory.
+You derive this file from the `values-secrets.yaml.template` file located in the pattern's top-level directory.
+When you create new patterns, add your secrets to the `values-secret.yaml` file in your home directory.
 ====
 
 . Create a new feature branch, for example `my-branch` from the `main`
@@ -103,15 +98,14 @@ the Helm values files and then commit the changes.
 +
 [source,terminal]
 ----
-$ git add <files-you-changed>
+$ git add <files_you_changed>
 $ git commit -m "Pattern customization"
 ----
 +
 [NOTE]
 ====
-The following configuration files define the behavior and settings
-of the various components in the Layered Zero Trust pattern. You can
-customize these files to fit your specific deployment needs.
+The following configuration files define the behavior and settings of the various components in the Layered Zero Trust pattern.
+You can customize these files to fit your specific deployment needs.
 
 * `values-global.yaml`: Global pattern configuration
 * `values-hub.yaml`: Hub cluster specific configuration
@@ -129,17 +123,17 @@ $ git push origin my-branch
 [id="deploying-cluster-using-patternsh-file"]
 == Deploying the pattern by using the pattern.sh file
 
-Deploy the Layered Zero Trust pattern using the `pattern.sh` script.
+Deploy the Layered Zero Trust pattern by using the `pattern.sh` script.
 
-. Login to your OpenShift cluster:
+. Login to your {ocp} cluster:
 
 .. By using the `oc` CLI:
-* Get an API token by visiting `pass:[https://oauth-openshift.apps.<your-cluster>.<domain>/oauth/token/request]`.
+* Get an API token by visiting `pass:[https://oauth-openshift.apps.<your_cluster>.<domain>/oauth/token/request]`.
 * Log in with the retrieved token:
 +
 [source,terminal]
 ----
-$ oc login --token=<retrieved-token> --server=https://api.<your-cluster>.<domain>:6443
+$ oc login --token=<retrieved_token> --server=https://api.<your_cluster>.<domain>:6443
 ----
 
 .. By using KUBECONFIG:
@@ -159,13 +153,9 @@ $ ./pattern.sh make install
 [id="lzt-verify-deployment"]
 === Verify the deployment
 
-You can use the OpenShift console and ArgoCD applications to verify the
-deployment.
+You can use the {ocp} console and ArgoCD applications to verify the deployment.
 
-. In the OpenShift web console, navigate to Operators → Installed
-Operators page.
-. Check that Red Hat OpenShift GitOps Operator is installed in the
-openshift-operators namespace and its status is Succeeded.
-. Use the Application Launcher within the OpenShift console to confirm
-that all applications have synchronized successfully to both Hub and
-Cluster Argo CD instances.
+. In the {ocp} web console, navigate to the *Operators* → *Installed Operators* page.
+. Check that {rh-gitops} Operator is installed in the
+`openshift-operators` namespace and its status is Succeeded.
+. Use the Application Launcher within the {ocp} console to confirm that all applications have synchronized successfully to both Hub and Cluster Argo CD instances.
