OSDOCS-15489 updated vault module

wgabor0427 · wgabor0427 · commit 9c33bb43555e · 2025-08-07T09:03:04.000-04:00
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -1239,6 +1239,8 @@ Topics:
     File: zero-trust-manager-install
   - Name: Deploying Zero Trust Workload Identity Manager operands
     File: zero-trust-manager-configuration
+  - Name: Zero Trust Workload Identity Manager upstream authority plugins
+    File: zero-trust-manager-upstream-authority
   - Name: Monitoring Zero Trust Workload Identity Manager
     File: zero-trust-manager-monitoring
   - Name: Uninstalling Zero Trust Workload Identity Manager
diff --git a/modules/zero-trust-manager-cert-manager-crd.adoc b/modules/zero-trust-manager-cert-manager-crd.adoc
@@ -0,0 +1,61 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zero-trust-manager-upstream-authority plugins.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-cert-manager-crd_{context}"]
+= Configuring cert-manager plugin using the SPIRE server CRD
+
+To configure the cert-manager plugin using the SPIRE server Custom Resource Defnition (CRD), perform the following steps:
+
+.Procedure
+
+. Create a YAML file containing the configuration for the `SpireServer` resource, for example `spireserver.yaml`. The file includes the `spec` block and the `upstreamAuthority` block configured to use the `cert-manager` plugin.
++
+.Example `spireserver.yaml`
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: SpireServer
+metadata:
+  name: cluster
+spec:
+  trustDomain: "example.org"
+  upstreamAuthority:
+    type: "cert-manager"
+    upstreamAuthorityCertManager:
+      issuerName: "ca-issuer" <1>
+      issuerKind: "ClusterIssuer" <2>
+      issuerGroup: "cert-manager.io" <3>
+      namespace: "zero-trust-workload-identity-manager" <4>
+      kubeConfigSecretName: "external-cluster-kubeconfig" <5>
+----
+<1> The name of the `cert-manager` Issuer or ClusterIssuer that signs the `certificateRequest`.
+<2> Set to `ClusterIssuer` if issuer is cluster-scoped. The default is `Issuer`.
+<3> The API group of the issuer. The default is `cert-manager.io`.
+<4> The namespace where the `CertificateRequest` is created. The default is `zero-trust-workload-identity-manager`.
+<5> The name of a Secret containing the `kubeconfig` to connect to the clsuter where `cert-manager` is running. If empy, an in-cluster configuration is used.
+
+. Apply the configuration by running the following command:
++
+[source, terminal]
+----
+$ oc apply -f spireserver.yaml
+----
+
+.Verification
+
+. Run the following command to list the `CertificateRequest` resources in the namespace where the SPIRE server creates them.
++
+[source, terminal]
+----
+$ oc get certificaterequests -n <namespace>
+----
+
+. Run the following command ot inspect a specific `CertificateRequest`. Review the `Status` section to confirm the certificate has been signed and that  the certificate data is present.
++
+[source, terminal]
+----
+$ oc describe certificaterequest <name-of-cert-request> -n <namespace>
+----
diff --git a/modules/zero-trust-manager-cert-manager-upstream-authority.adoc b/modules/zero-trust-manager-cert-manager-upstream-authority.adoc
@@ -0,0 +1,11 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-overview.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-cert-manager-upstream-authority_{context}"]
+= About the cert-manager upstream authority plugin
+
+The cert-manager plugin for the SPIRE server is designed to automate the management of the SPIRE server's intermediate signing certificates by integrating with cert-manager in a Kubernetes environment. The cert-manager plugin enables the SPIRE server to dynamically request and receive intermediate signing certificates from cert-manager.
+
+When a SPIRE server needs a new certificate, the cert-manager plugin creates a `CertificateRequest` custom resource in the configured Kubernetes namespace which contains the Certificate Signing Request (CSR) generated by the SPIRE server. The cert-manager plugin processes the `CertificateRequest` and an associated `Issuer` signs the CSR. The signed intermediate certificate and the full Certificate Authority (CA) bundle are made available in the `CertificateRequest` status. These signed credentials are made available to the SPIRE server to be used as its upstream signing authority.
diff --git a/modules/zero-trust-manager-configure-cert-manager.adoc b/modules/zero-trust-manager-configure-cert-manager.adoc
@@ -0,0 +1,18 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zero-trust-manager-upstream-authority plugins.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-configure-cert-manager_{context}"]
+= Configuring the cert-manager plugin
+
+The cert-manager plugin for the SPIRE server is designed to automate the management of the SPIRE server intermediate signing certificates by integrating with cert-manager. The cert-manager plugin enables the SPIRE server to dynamically request and receive intermediate signing certificates from cert-manager.
+
+.Prerequisites
+
+* Access to a Kubernetes cluster where the SPIRE server runs.
+
+* cert-manager must be installed and running within the Kubernetes cluster. For more information about installing cert-manager, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html-single/security_and_compliance/index#cert-manager-operator-install[Installing the cert-manager Operator for Red{nbsp}Hat OpenShift].
+
+* A pre-configured cert-manager `Issuer` capable of signing intermediate Certificate Authority (CA) certificates.
+
diff --git a/modules/zero-trust-manager-configure-issuer.adoc b/modules/zero-trust-manager-configure-issuer.adoc
@@ -0,0 +1,45 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zero-trust-manager-upstream-authority plugins.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-configure-issuer_{context}"]
+= Configuring the cert-manager issuer
+
+Before the cert-manager plugin can be configured, an `Issuer` needs to be created since the `Issuer` represents the CA and defines how certificates are issued. You create a cert-manager `Issuer` by performing the following steps:
+
+.Procedure
+
+. Generate the Transport Layer Security (TLS) secret by running the following command:
++
+[source,terminal]
+----
+$ oc create secret tls my-ca-key-pair-secret \
+  --cert=path/to/your/ca.crt \
+  --key=path/to/your/ca.key \
+  --namespace=my-namespace
+----
+
+. Create a YAML file that defines the `Issuer`, for example `ca-issuer.yaml`:
++
+.Example `ca-issuer.yaml`
++
+[source,yaml]
+----
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: my-ca-issuer
+  namespace: my-namespace
+spec:
+  ca:
+    secretName: my-ca-key-pair-secret <1>
+----
+<1> The name of the Kubernetes Secret that holds the `tls.cert` and `tls.key` files. This secret must exist before you create the `Issuer`.
+
+. Apply the configuration by running the following command:
++
+[source, terminal]
+----
+$ oc apply -f ca-issuer.yaml
+----
diff --git a/modules/zero-trust-manager-configure-vault.adoc b/modules/zero-trust-manager-configure-vault.adoc
@@ -0,0 +1,77 @@
+// Module included in the following assemblies:
+//
+// * security/zer_trust_workload_identity_manager/zero-trust-manager.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-configure-cert-vault_{context}"]
+= Configuring the Vault plugin
+
+This procedure outlines the steps required to configure a SPIRE server to obtain its intermediate signing certificates from Vault. The plugin supports the following methodes for authenticating to Vault:
+
+* Client Certificate Authentication
+
+* Token Authentication
+
+* AppRole Authentication
+
+* Kubernetes Authentication
+
+.Prerequisites
+
+* A running and accessible HashiCorp Vault server is available.
+
+* A PKI secret engine must be enabled and configured in Vault at the specified `pki_mount_point`.
+
+* A role within the Vault PKI engine must be configured to allow issuing of intermediate CA certificates.
+
+* The Vault token or authentication method used by the plugin must have the necessary permissions.
+
+* The `ca_ttl` configured in your SPIRE Server configuration must be less than or equal to the cofigured `max_lease_ttl` of the Vault PKI secret engine role that the plugin uses.
+
+
+
+.Procedure
+
+. Create a YAML file containing the configuration for the `SpireServer` resource, for example `spireserver.yaml`. The file includes the `spec` block and the `upstreamAuthority` block configured to use the `vault` plugin.
++
+.Example `spireserver.yaml`
++
+[source,yaml]
+----
+apiVersion: spire.spiffe.io/v1alpha1
+kind: SpireServer
+metadata:
+  name: spire-server
+  namespace: spire
+spec:
+  replicas: 1
+  # ... other SpireServer configuration ...
+  upstreamAuthority:
+    vault:
+      address: "https://vault.example.com" <1>
+      tokenPath: "/var/run/secrets/kubernetes.io/serviceaccount/token" <2>
+      mtls:
+        spireTrustDomain: "spiffe://example.org" <3>
+        serverName: "vault.example.com" <4>
+      pkcs11: <5>
+        # ... PKCS11 configuration if needed ...
+      jwt: <5>
+        # ... JWT configuration if needed ...
+----
+
+<1> The URL of your Vault server.
+<2> The path to the Kubernetes service account token used for authentication with Vault.
+<3> The trust domain of your Spire Server.
+<4> The name used for the Mutual Transport Layer Security (mTLS) authentication with the Vault server.
+<5> Alternative authentication methods with Vault.
+
+. Configure one of the authentication methods:
+
+
+
+. Apply the configuration by running the following command:
++
+[source, terminal]
+----
+$ oc apply -f spireserver.yaml
+----
diff --git a/modules/zero-trust-manager-vault-upstream-authority.adoc b/modules/zero-trust-manager-vault-upstream-authority.adoc
@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-overview.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-vault-upstream-authority_{context}"]
+= About the vault upstream authority plugin
+
+The vault plugin integrates the SPIRE server with the HashiCorp Vault Public Key Infrastructure (PKI) engine to manage the lifecycle of intermediate CA certificates that the SPIRE server uses to sign the workload {svid-full}. The plugin enables the SPIRE server to use the PKI for issuing and renewing intermediate signing certificates.
+
+The plugin interacts with the PKI secret engine to request intermediate CA certificates, signs the requests, and then provides the certificates to the SPIRE server.
+
+[NOTE]
+====
+The vault plugin does not support the `PublishJWTKey` remote procedure call (RPC) and should not be used in SPIRE configurations where JSON Web Tokens-SPIFFE Verifiable Identity Documents (JWT-SVIDs) are used.
+====
diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-upstream-authority.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-upstream-authority.adoc
@@ -0,0 +1,19 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="zero-trust-manager-upstream-authority-plugins"]
+= Zero Trust Workload Identity Manager upstream authority plugins
+
+include::_attributes/common-attributes.adoc[]
+:context: zero-trust-manager-overview
+
+toc::[]
+
+:FeatureName: Zero Trust Workload Identity Manager
+include::snippets/technology-preview.adoc[]
+
+Upstream authority plugins are components that allow the SPIRE server to integrate with an existing Public Key Infrastructure (PKI) to obtain intermediate signing certificates. The SPIRE server then uses these intermediate certificates to cryptographically sign the {svid-full} that it issues to workloads. The plugins also allow the SPIRE server to use a pre-existing root of trust, rather than establishing a new, isolated one.
+
+The following upstream authority plugins are available:
+
+* cert-manager
+
+* vault
