OSDOCS-17626 updated zero-trust release notes for GA

wgabor0427 · wgabor0427 · commit 495feef85c7a · 2025-12-09T11:47:04.000-05:00
diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc
@@ -11,8 +11,190 @@ The {zero-trust-full} leverages Secure Production Identity Framework for Everyon
 
 These release notes track the development of {zero-trust-full}.
 
-:FeatureName: Zero Trust Workload Identity Manager
-include::snippets/technology-preview.adoc[]
+[id="zero-trust-manager-release-notes-1-0-0"]
+== {zero-trust-full} 1.0.0 (General Availability)
+
+Issued: 2025-12-17
+
+This release of the {zero-trust-full} introduces new capabilities focused on enterprise readiness, security, and operational flexibility. Key features include SPIRE federation support for cross-cluster identity, PostgreSQL database support for production persistence, and enhanced security controls implemented through stricter Security Context Constraints (SCCs) and comprehensive API validation.
+
+{zero-trust-full} supports the following components and versions:
+
+[cols="1,1",options="header"]
+|===
+| Component
+| Version
+
+| SPIRE Server
+| 1.13.3
+
+| SPIRE Agent
+| 1.13.3
+
+| SPIRE Controller Manager
+| 0.6.3
+
+| SPIRE OIDC Discovery Provider
+| 1.13.3
+
+| SPIFFE CSI Driver
+| 0.2.8
+|===
+
+[id="zero-trust-manager-1-0-0-features-enhancements_{context}"]
+=== New features and enhancements
+
+[id="zero-trust-manager-1-0-0-federation-support_{context}"]
+==== SPIRE federation support
+
+The Operator now includes support for SPIRE federation, enabling workloads across distinct trust domains to securely communicate and authenticate with each other.
+
+* Key capabilities:
+
+** Configuration of bundle endpoints using `https_spiffe` (mTLS) or `https_web` (Web PKI) profiles.
+** Automatic certificate management via the ACME protocol (e.g., Let's Encrypt).
+** Automatic {product-title} route creation for federation endpoints.
+** Ability to configure relationships with multiple federated trust domains.
+
+* Customer Action Required:
+
+** Review the `federation` configuration within the `SpireServer Custom Resource (CR).
+** Ensure proper DNS resolution and network connectivity to federated trust domains.
+
+[id="zero-trust-manager-1-0-0-configurable-socketpath-plugin-name_{context}"]
+==== Configurable agent socket path and Container Storage Interface (CSI) plugin name
+
+The SPIRE Agent socket path and the SPIFFE CSI Driver plugin name are now configurable, providing operational flexibility for environments with specific directory requirements or co-existence with multiple SPIFFE deployments.
+
+* Key configuration points:
+
+** `SpireAgent.spec.socketPath`
+** `SpiffeCSIDriver.spec.agentSocketPath`
+** `ApiffeCSIDriver.spec.pluginName`
+
+* Customer action required:
+
+** Ensure consistency between `socketPath` in the `SpireAgent` CR and `agentSocketPath` in the `SpiffeCSIDriver` CR.
+
+[id="zero-trust-manager-1-0-0-workload-attestors_{context}"]
+==== Workload attestors verification API
+
+A new API has been introduced to configure kubelet certificate verification for workload attestation, enhancing security and supporting various OpenShift configurations.
+
+* Verification types:
+
+** `auto` (default): Verification utilizes OpenShift defaults (`/etc/kubernetes/kubelet-ca.crt`).
+** `hostCert': Uses a custom CA certificate path.
+** `skip``: Skips TLS verification (not recommended for production use).
+
+[id="zero-trust-manager-1-0-0-configurable-CA-JWT_{context}"]
+==== Configurable Certificate Authority and JSON Web Token key types
+
+Administrators can now configure the cryptographic key types used for the SPIRE Server Certificate Authority (CA) and JSON Web Token (JWT) signing, ensuring compliance with organizational security policies.
+
+* Supported Key Types: `rsa-2048` (default), `rsa-4096`, `ec-p256`, `ec-p384`.
+
+* Customer action required:
+
+** Review organizational security policies to determine required key types.
+
+[id="zero-trust-manager-1-0-0-custom-namespace-deployment_{context}"]
+==== Custom namespace deployment
+
+* The Operator and all associated operands can now be deployed within a custom namespace, providing flexibility for organizations with specific namespace governance requirements.
+
+[id="zero-trust-manager-1-0-0-postgres-database-support_{context}"]
+==== PostgreSQL database support
+
+SPIRE Server now supports PostgreSQL as an external database backend, accommodating production deployments that necessitate enterprise-grade data persistence and high availability.
+
+* Supported Types: sqlite3 (default), postgres, mysql.
+
+* Customer action required:
+
+** For production, evaluation of migration from SQLite to PostgreSQL is recommended.
+** Creation and configuration of Kubernetes Secrets for database TLS certificates and credentials are required.
+
+[id="zero-trust-manager-1-0-0-proxy-aware-operator-operands_{context}"]
+==== Proxy-awared Operator and operands
+
+* The operator and all managed operands are now proxy-aware and automatically inherit cluster-wide proxy settings when configured.
+
+[id="zero-trust-manager-1-0-0-enhanced-security-context_{context}"]
+==== Enhanced Security Context Constraints
+
+* SPIRE Agent and SPIFFE CSI Driver now operate under the restricted Security Context Constraints (SCC).
+
+* All operand containers are configured with the `ReadOnlyRootFilesystem` set to `true`.
+
+[id="zero-trust-manager-1-0-0-enhanced-api-validation_{context}"]
+==== Enhanced API validation
+
+Comprehensive Common Expression Language (CEL) validation has been integrated into all Custom Resource Definitions (CRDs) to prevent configuration errors during admission control.
+
+* Key validations:
+
+** All Operator CRDs are enforced as singletons (must be named `cluster`).
+** Immutable Fields: Fields including `trustDomain`, `clusterName`, `bundleConfigMap`, federation `bundleEndpoint`, and all `Persistence` settings (`size`, `accessMode`, and `storageClass`) are now immutable after initial creation.
+
+* Customer action required:
+
+** Review existing CR configurations to ensure compliance with the new validation rules.
+
+[id="zero-trust-manager-1-0-0-common-configuration_{context}"]
+==== Common configuration consolidation
+
+* Standard configuration options (`labels`, `resources`, `affinity`, `tolerations`, `nodeSelector`) are now standardized across all operand CRs via a shared `CommonConfig` structure.
+
+[id="zero-trust-manager-1-0-0-immutable-fields_{context}"]
+==== Immutable fields
+
+The following fields are now strictly enforced as *immutable* after initial creation:
+
+[cols="1,1,1",options="header"]
+|===
+| Custom resource
+| Field
+| Notes
+
+| ZeroTrustWorkloadIdentityManager
+| `trustDomain`, `clusterName`, `bundleConfigMap`
+| Cannot be modified post-creation.
+
+| SpireServer
+| `persistence.size`, `persistence.accessMode`, `persistence.storageClass`
+| Cannot be modified post-creation.
+
+| SpireServer
+| `federation.bundleEndpoint`
+| Cannot be removed once configured.
+|===
+
+[id="zero-trust-manager-1-0-0-status-observability-improvements_{context}"]
+=== Status and observability improvements
+
+[id="zero-trust-manager-1-0-0-enhanced-status-reporting_{context}"]
+==== Enhanced status reporting
+
+* The main CR now aggregates status information from all operand CRs.
+
+* New status conditions include Upgradeable (indicating a safe upgrade path) and Progressing (detailing deployment progress).
+
+[id="zero-trust-manager-1-0-0-operator-metrics_{context}"]
+==== Operator metrics
+
+* Operator metrics are now exposed and secured with appropriate RBAC configuration.
+
+* Integration is supported with the OpenShift monitoring stack.
+
+[id="zero-trust-manager-1-0-0-bug-fixes_{context}"]
+=== Bug fixes
+
+* Before this update, daemonset, deployment, and `statefulsets`` were not properly reverted to their original form in all valid scenarios due to an oversight in the update logic. As a consequence, user data loss or inconsistency occurred in valid scenarios. With this release, the update logic has been corrected, ensuring all valid scenarios revert to their original form. (link:https://issues.redhat.com/browse/SPIRE-248[SPIRE-248])
+
+* Before this update, the SPIRE OpenID Connect (OIDC) discovery provider pod did not restart after a configuration change due to the lack of an automatic restart. As a consequence, end users experienced persistent authentication issues with the SPIRE OIDC. With this release, the SPIRE OIDC discovery provider restarts automatically after `configmap` changes via the custom resource (CR), improving seamless service updates for end users. (link:https://issues.redhat.com/browse/SPIRE-225[SPIRE-225])
+
+* Before this update, the Spire-controller manager 'ConfigMap' reconciliation failed due to an unhandled edge case in the previous implementation. As a consequence, users experienced configuration inconsistencies. With this release, the Spire-controller manager `ConfigMap` reconciliation issue has been resolved. (link:https://issues.redhat.com/browse/SPIRE-195[SPIRE-195])
 
 [id="zero-trust-manager-release-notes-0-2-0"]
 == {zero-trust-full} 0.2.0 (Technology Preview)
