From 6c49598c1d19fe8d6f671a837a766e0afc55226e Mon Sep 17 00:00:00 2001
From: William Gabor
Date: Wed, 10 Dec 2025 10:30:58 -0500
Subject: [PATCH] OSDOCS-17644 updated module
---
 _topic_maps/_topic_map.yml | 2 +
 modules/zero-trust-manager-proxy-support.adoc | 144 ++++++++++++++++++
 .../zero-trust-manager-proxy.adoc | 17 +++
 3 files changed, 163 insertions(+)
 create mode 100644 modules/zero-trust-manager-proxy-support.adoc
 create mode 100644 security/zero_trust_workload_identity_manager/zero-trust-manager-proxy.adoc
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
index 5146cc9811bd..9b45b682eebd 100644
--- a/_topic_maps/_topic_map.yml
+++ b/_topic_maps/_topic_map.yml
@@ -1238,6 +1238,8 @@ Topics:
 File: zero-trust-manager-release-notes
 - Name: Installing Zero Trust Workload Identity Manager
 File: zero-trust-manager-install
+ - Name: Configuring the egress proxy
+ File: zero-trust-manager-proxy
 - Name: Deploying Zero Trust Workload Identity Manager operands
 File: zero-trust-manager-configuration
 - Name: Configuring Zero Trust Workload Identity Manager OIDC Federation
diff --git a/modules/zero-trust-manager-proxy-support.adoc b/modules/zero-trust-manager-proxy-support.adoc
new file mode 100644
index 000000000000..2d1bf8a5dfb2
--- /dev/null
+++ b/modules/zero-trust-manager-proxy-support.adoc
@@ -0,0 +1,144 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-operator-proxy.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-proxy-support_{context}"]
+= Injecting a custom CA certificate for the {zero-trust-full}
+
+[role="_abstract"]
+Inject certificate authority (CA) certificates into the {zero-trust-full} to support proxying HTTPS connections. This configuration helps ensure that the Identity Manager can communicate securely when you enable a cluster-wide proxy.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+* You have enabled the cluster-wide proxy for {product-title}.
+
+* You have installed {zero-trust-full} 1.0.0 or later.
+
+* You have deployed the SPIRE Server, SPIRE Agent, SPIFFEE CSI Driver, and the SPIRE OIDC Discovery Provider operands in the cluster.
+
+.Procedure
+
+. Create a config map in the `zero-trust-workload-identity-manager` namespace by running the following command:
++
+[source,terminal]
+----
+$ oc create configmap trusted-ca -n zero-trust-workload-identity-manager
+----
+
+. Inject the CA bundle that is trusted by {product-title} into the config map by running the following command:
++
+[source,terminal]
+----
+$ oc label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true -n zero-trust-workload-identity-manager
+----
+
+. Update the subscription for the {zero-trust-full} to use the config map by running the following command:
++
+[source,terminal]
+----
+$ oc -n zero-trust-workload-identity-manager patch subscription openshift-zero-trust-workload-identity-manager --type='merge' -p '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_BUNDLE_CONFIGMAP","value":"trusted-ca"}]}}}'
+----
+
+.Verification
+
+. Verify that the operands have finished rolling out by running the following command:
++
+[source,terminal]
+----
+$ oc rollout status deployment/zero-trust-workload-identity-manager-controller-manager -n zero-trust-workload-identity-manager && \
+----
++
+[source,terminal]
+----
+$ oc rollout status statefulset/spireserver -n zero-trust-workload-identity-manager && \
+----
++
+[source,terminal]
+----
+$ oc rollout status daemonset/spire-agent -n zero-trust-workload-identity-manager && \
+----
++
+[source,terminal]
+----
+$ oc rollout status deployment/spire-spiffe-oidc-discovery-provider -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+deployment "zero-trust-workload-identity-manager-controller-manager" successfully rolled out
+statefulset "spire-server" successfully rolled out
+daemonset "spire-agent" successfully rolled out
+deployment "spire-spiffe-oidc-discovery-provider" successfully rolled out
+----
+
+. Verify that the CA bundle was mounted as a volume by running the following command:
++
+[source,terminal]
+----
+$ oc get deployment zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager -o=jsonpath={.spec.template.spec.'containers[0].volumeMounts'}
+----
++
+[source,terminal]
+----
+$ oc get statefulset spire-server -n zero-trust-workload-identity-manager -o jsonpath='{.spec.template.spec.containers[*].volumeMounts[?(@.name=="trusted-ca-bundle")]}'
+----
++
+[source,terminal]
+----
+$ oc get daemonset spire-agent -n zero-trust-workload-identity-manager -o jsonpath='{.spec.template.spec.containers[*].volumeMounts[?(@.name=="trusted-ca-bundle")]}'
+----
++
+[source,terminal]
+----
+$ oc get daemonset spire-spiffe-csi-driver -n zero-trust-workload-identity-manager -o jsonpath='{.spec.template.spec.containers[*].volumeMounts[?(@.name=="trusted-ca-bundle")]}'
+----
++
+.Example output
+[source,terminal]
+----
+[{{"mountPath":"/etc/pki/ca-trust/extracted/pem","name":"trusted-ca-bundle","readOnly":true}}]
+----
+
+. Verify that the source of the CA bundle is the `trusted-ca` config map by running the following command:
++
+[source,terminal]
+----
+$ oc get deployment zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager -o=jsonpath={.spec.template.spec.volumes}
+----
++
+[source,terminal]
+----
+$ oc get statefulset spire-server -n zero-trust-workload-identity-manager -o=jsonpath='{.spec.template.spec.volumes}' | jq '.[] | select(.name=="trusted-ca-bundle")'
+----
++
+[source,terminal]
+----
+$ oc get daemonset spire-agent -n zero-trust-workload-identity-manager -o=jsonpath='{.spec.template.spec.volumes}' | jq '.[] | select(.name=="trusted-ca-bundle")'
+----
++
+[source,terminal]
+----
+$ oc get deployment spire-spiffe-oidc-discovery-provider -n zero-trust-workload-identity-manager -o=jsonpath='{.spec.template.spec.volumes}' | jq '.[] | select(.name=="trusted-ca-bundle")'
+----
++
+.Example output
+[source,terminal]
+----
+{
+ "configMap": {
+ "defaultMode": 420,
+ "items": [
+ {
+ "key": "ca-bundle.crt",
+ "path": "tls-ca-bundle.pem"
+ }
+ ],
+ "name": "trusted-ca"
+ },
+ "name": "trusted-ca-bundle"
+}
+----
diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-proxy.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-proxy.adoc
new file mode 100644
index 000000000000..003e03f81ac4
--- /dev/null
+++ b/security/zero_trust_workload_identity_manager/zero-trust-manager-proxy.adoc
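Review bot: The rollout verification splits one chained command across four `[source,terminal]` blocks, and the first three each end with `&& \`, so a reader who runs any of those blocks on its own leaves the shell waiting for a continuation line; either merge them into a single block with the `$` prompt only on the first line, or drop the trailing `&& \` from each. The resource names are also inconsistent within the module: the rollout uses `statefulset/spireserver` while the example output and the later `oc get statefulset spire-server` use `spire-server`, and verification steps 2 and 3 query `deployment zero-trust-workload-identity-manager` while the rollout command and its output name the deployment `zero-trust-workload-identity-manager-controller-manager`, so one name in each pair cannot resolve. The volumeMounts check covers `spire-spiffe-csi-driver` but not `spire-spiffe-oidc-discovery-provider`, and the volumes check does the reverse, so neither operand is confirmed on both the read-only mount at `/etc/pki/ca-trust/extracted/pem` and the `trusted-ca` source; a reviewer would want both checks for every operand the proxy CA applies to. Minor: the header comment lists `security/cert_manager_operator/cert-manager-operator-proxy.adoc` as the including assembly instead of the `security/zero_trust_workload_identity_manager/zero-trust-manager-proxy.adoc` file this patch adds, and the prerequisite spells `SPIFFEE CSI Driver` where the rest of the page uses `SPIFFE`.
```asciidoc
[source,terminal]
----
$ oc rollout status deployment/zero-trust-workload-identity-manager-controller-manager -n zero-trust-workload-identity-manager && \
  oc rollout status statefulset/spire-server -n zero-trust-workload-identity-manager && \
  oc rollout status daemonset/spire-agent -n zero-trust-workload-identity-manager && \
  oc rollout status deployment/spire-spiffe-oidc-discovery-provider -n zero-trust-workload-identity-manager
----
// … unchanged: example output and the volumeMounts / volumes checks …
```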
@@ -0,0 +1,17 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="zero-trust-manager-proxy"]
+= Configuring the egress proxy for the {zero-trust-full}
+include::_attributes/common-attributes.adoc[]
+:context: zero-trust-manager-proxy
+
+[role="_abstract"]
+Operator Lifecycle Manager (OLM) automatically configures managed Operators with proxy settings when you use a cluster-wide egress proxy. To support proxying HTTPS connections, you can inject certificate authority (CA) certificates into the {zero-trust-full}.
+
+// Injecting a custom CA certificate for the {cert-manager-operator}
+include::modules/zero-trust-manager-proxy-support.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="zero-trust-manager-proxy_additional-resources"]
+== Additional resources
+
+* xref:../../operators/admin/olm-configuring-proxy-support.adoc#olm-configuring-proxy-support[Configuring proxy support in Operator Lifecycle Manager]
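Review bot: The comment above the include, `// Injecting a custom CA certificate for the {cert-manager-operator}`, names the wrong Operator; the included module's title is "Injecting a custom CA certificate for the {zero-trust-full}", so the comment should read `// Injecting a custom CA certificate for the {zero-trust-full}`. This looks like a leftover from the cert-manager assembly the module was copied from, and the same stale reference appears in the module's own header comment in the previous file of this patch.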