OSDOCS-17626 updated RNs

wgabor0427 · wgabor0427 · commit 7963ff051a14 · 2025-12-10T09:59:02.000-05:00
diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc
@@ -7,12 +7,207 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-The {zero-trust-full} leverages Secure Production Identity Framework for Everyone (SPIFFE) and the SPIFFE Runtime Environment (SPIRE) to provide a comprehensive identity management solution for distributed systems. {zero-trust-full} supports SPIRE version 1.12.4 running as an operand.
+The {zero-trust-full} leverages Secure Production Identity Framework for Everyone (SPIFFE) and the SPIFFE Runtime Environment (SPIRE) to provide a comprehensive identity management solution for distributed systems.
 
 These release notes track the development of {zero-trust-full}.
 
-:FeatureName: Zero Trust Workload Identity Manager
-include::snippets/technology-preview.adoc[]
+[id="zero-trust-manager-release-notes-1-0-0"]
+== {zero-trust-full} 1.0.0 (General Availability)
+
+Issued: 2025-12-17
+
+This release of the {zero-trust-full} introduces new capabilities focused on enterprise readiness, security, and operational flexibility. Key features include SPIRE federation support for cross-cluster identity, PostgreSQL database support for production persistence, and enhanced security controls implemented through stricter Security Context Constraints (SCCs) and comprehensive API validation.
+
+{zero-trust-full} supports the following components and versions:
+
+[cols="1,1",options="header"]
+|===
+| Component
+| Version
+
+| SPIRE Server
+| 1.13.3
+
+| SPIRE Agent
+| 1.13.3
+
+| SPIRE Controller Manager
+| 0.6.3
+
+| SPIRE OIDC Discovery Provider
+| 1.13.3
+
+| SPIFFE CSI Driver
+| 0.2.8
+|===
+
+[id="zero-trust-manager-1-0-0-features-enhancements_{context}"]
+=== New features and enhancements
+
+[id="zero-trust-manager-1-0-0-federation-support_{context}"]
+==== SPIRE federation support
+
+The Operator now includes support for SPIRE federation, enabling workloads across distinct trust domains to securely communicate and authenticate with each other.
+
+* Key capabilities:
+
+** Configuration of bundle endpoints using `https_spiffe` (mTLS) or `https_web` (Web PKI) profiles.
+** Automatic certificate management via the ACME protocol (e.g., Let's Encrypt).
+** Automatic {product-title} route creation for federation endpoints.
+** Ability to configure relationships with multiple federated trust domains.
+
+* Customer Action Required:
+
+** Review the `federation` configuration within the `SpireServer` Custom Resource (CR).
+** Ensure proper DNS resolution and network connectivity to federated trust domains.
+
+[id="zero-trust-manager-1-0-0-postgres-database-support_{context}"]
+==== PostgreSQL database support
+
+SPIRE Server now supports PostgreSQL as an external database backend, accommodating production deployments that necessitate enterprise-grade data persistence and high availability.
+
+* Supported Types: sqlite3 (default), postgres, mysql.
+
+* Customer action required:
+
+** For production, evaluation of migration from SQLite to PostgreSQL is recommended.
+** Creation and configuration of Kubernetes Secrets for database TLS certificates and credentials are required.
+
+[id="zero-trust-manager-1-0-0-configurable-socketpath-plugin-name_{context}"]
+==== Configurable agent socket path and Container Storage Interface (CSI) plugin name
+
+The SPIRE Agent socket path and the SPIFFE CSI Driver plugin name are now configurable, providing operational flexibility for environments with specific directory requirements or co-existence with multiple SPIFFE deployments.
+
+* Key configuration points:
+
+** `SpireAgent.spec.socketPath`
+** `SpiffeCSIDriver.spec.agentSocketPath`
+** `SpiffeCSIDriver.spec.pluginName`
+
+* Customer action required:
+
+** Ensure consistency between `socketPath` in the `SpireAgent` CR and `agentSocketPath` in the `SpiffeCSIDriver` CR.
+
+[id="zero-trust-manager-1-0-0-workload-attestors_{context}"]
+==== Workload attestors verification API
+
+A new API has been introduced to configure kubelet certificate verification for workload attestation, enhancing security and supporting various OpenShift configurations.
+
+* Verification types:
+
+** `auto` (default): Verification utilizes OpenShift defaults (`/etc/kubernetes/kubelet-ca.crt`).
+** `hostCert`: Uses a custom CA certificate path.
+** `skip`: Skips TLS verification (not recommended for production use).
+
+[id="zero-trust-manager-1-0-0-configurable-CA-JWT_{context}"]
+==== Configurable Certificate Authority and JSON Web Token key types
+
+Administrators can now configure the cryptographic key types used for the SPIRE Server Certificate Authority (CA) and JSON Web Token (JWT) signing, ensuring compliance with organizational security policies.
+
+* Supported Key Types: `rsa-2048` (default), `rsa-4096`, `ec-p256`, `ec-p384`.
+
+* Customer action required:
+
+** Review organizational security policies to determine required key types.
+
+[id="zero-trust-manager-1-0-0-custom-namespace-deployment_{context}"]
+==== Custom namespace deployment
+
+* The Operator and all associated operands can now be deployed within a custom namespace, providing flexibility for organizations with specific namespace governance requirements.
+
+[id="zero-trust-manager-1-0-0-proxy-aware-operator-operands_{context}"]
+==== Proxy-aware Operator and operands
+
+* The Operator and all managed operands are now proxy-aware and automatically inherit cluster-wide proxy settings when configured.
+
+[id="zero-trust-manager-1-0-0-enhanced-security-context_{context}"]
+==== Enhanced Security Context Constraints
+
+* SPIRE Agent and SPIFFE CSI Driver now operate under the restricted Security Context Constraints (SCC).
+
+* The Operator and all operand containers are configured with the `ReadOnlyRootFilesystem` set to `true`.
+
+[id="zero-trust-manager-1-0-0-enhanced-api-validation_{context}"]
+==== Enhanced API validation
+
+Comprehensive Common Expression Language (CEL) validation has been integrated into all Custom Resource Definitions (CRDs) to prevent configuration errors during admission control.
+
+* Key validations:
+
+** All Operator CRDs are enforced as singletons (must be named `cluster`).
+** Immutable Fields: Fields including `trustDomain`, `clusterName`, `bundleConfigMap`, federation `bundleEndpoint`, and all `Persistence` settings (`size`, `accessMode`, and `storageClass`) are now immutable after initial creation.
+
+* Customer action required:
+
+** Review existing CR configurations to ensure compliance with the new validation rules.
+
+[id="zero-trust-manager-1-0-0-common-configuration_{context}"]
+==== Common configuration consolidation
+
+* Standard configuration options (`labels`, `resources`, `affinity`, `tolerations`, `nodeSelector`) are now standardized across all operand CRs via a shared `CommonConfig` structure.
+
+[id="zero-trust-manager-1-0-0-configure-loglevel-logformat_{context}"]
+==== Configuring log level and log format for the operands
+
+This release introduces flexible logging controls to improve observability and debugging across the platform:
+
+* SPIRE Components: Users can now configure the `logLevel` (debug, info, warn, error) and `logFormat` (text, JSON) independently for `SpireServer`, `SpireAgent`, and `SpireOIDCDiscoveryProvider` directly within their CR specifications. The defaults are set to "info" for the `logLevel` and "text" for the `logFormat.
+
+* Operator: The operator’s log verbosity is now configurable via the `OPERATOR_LOG_LEVEL` environment variable using klog’s `textlogger`.
+
+[id="zero-trust-manager-1-0-0-create-only-mode_{context}"]
+====  Refactor for create-only mode
+
+By setting the `CREATE_ONLY_MODE` environment variable, users can prevent the operator from reconciling updates. This allows for manual resource modification without interference. If this mode is disabled, the Operator resumes enforcing the state and overwrites any manual changes.
+
+[id="zero-trust-manager-1-0-0-status-observability-improvements_{context}"]
+=== Status and observability improvements
+
+[id="zero-trust-manager-1-0-0-enhanced-status-reporting_{context}"]
+==== Enhanced status reporting
+
+* The main CR now aggregates status information from all operand CRs.
+
+* New status conditions include Upgradeable (indicating a safe upgrade path) and Progressing (detailing deployment progress).
+
+[id="zero-trust-manager-1-0-0-operator-metrics_{context}"]
+==== Operator metrics
+
+* Operator metrics are now exposed and secured with appropriate RBAC configuration.
+
+* Integration is supported with the OpenShift monitoring stack.
+
+[id="zero-trust-manager-1-0-0-bug-fixes_{context}"]
+=== Bug fixes
+
+[cols="1,1",options="header"]
+|===
+| Issue ID
+| Description
+
+| SPIRE-60
+| Agent runs as non-root user.
+
+| SPIRE-68
+| Updating the operands CR spec sometimes does not trigger reconciliation.
+
+| SPIRE-190
+| Updating the operands CR spec sometimes does not trigger reconciliation.
+
+| SPIRE-248
+| Corrected update logic for `StatefulSet`, `Deployment`, and `DaemonSet` to properly handle operand updates.
+
+| SPIRE-225
+| Resolved SPIRE OIDC Discovery Provider restart issue following `ConfigMap`` changes via the CR.
+
+| SPIRE-195
+| Fixed reconciliation issue in the spire-controller-manager `ConfigMap`.
+
+| Other fixed issues
+| Fixed issues related to continuous reconciliation and unnecessary updates.
+
+Eliminated requeue logic for user input validation errors.
+|===
 
 [id="zero-trust-manager-release-notes-0-2-0"]
 == {zero-trust-full} 0.2.0 (Technology Preview)
