OSDOCS-15575 updated module

Author: wgabor0427

_topic_maps/_topic_map.yml

@@ -1239,6 +1239,8 @@ Topics:
     File: zero-trust-manager-install
   - Name: Deploying Zero Trust Workload Identity Manager operands
     File: zero-trust-manager-configuration
+  - Name: Zero Trust Workload Identity Manager upstream authority plugins
+    File: zero-trust-manager-upstream-authority
   - Name: Monitoring Zero Trust Workload Identity Manager
     File: zero-trust-manager-monitoring
   - Name: Uninstalling Zero Trust Workload Identity Manager

modules/zero-trust-manager-cert-manager-crd.adoc

@@ -0,0 +1,61 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zero-trust-manager-upstream-authority plugins.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-cert-manager-crd_{context}"]
+= Configuring cert-manager plugin using the SPIRE server CRD
+
+To configure the cert-manager plugin using the SPIRE server Custom Resource Defnition (CRD), perform the following steps:
+
+.Procedure
+
+. Create a YAML file containing the configuration for the `SpireServer` resource, for example `spireserver.yaml`. The file includes the `spec` block and the `upstreamAuthority` block configured to use the `cert-manager` plugin.
++
+.Example `spireserver.yaml`
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: SpireServer
+metadata:
+  name: cluster
+spec:
+  trustDomain: "example.org"
+  upstreamAuthority:
+    type: "cert-manager"
+    upstreamAuthorityCertManager:
+      issuerName: "ca-issuer" <1>
+      issuerKind: "ClusterIssuer" <2>
+      issuerGroup: "cert-manager.io" <3>
+      namespace: "zero-trust-workload-identity-manager" <4>
+      kubeConfigSecretName: "external-cluster-kubeconfig" <5>
+----
+<1> The name of the `cert-manager` Issuer or ClusterIssuer that signs the `certificateRequest`.
+<2> Set to `ClusterIssuer` if issuer is cluster-scoped. The default is `Issuer`.
+<3> The API group of the issuer. The default is `cert-manager.io`.
+<4> The namespace where the `CertificateRequest` is created. The default is `zero-trust-workload-identity-manager`.
+<5> The name of a Secret containing the `kubeconfig` to connect to the clsuter where `cert-manager` is running. If empy, an in-cluster configuration is used.
+
+. Apply the configuration by running the following command:
++
+[source, terminal]
+----
+$ oc apply -f spireserver.yaml
+----
+
+.Verification
+
+. Run the following command to list the `CertificateRequest` resources in the namespace where the SPIRE server creates them.
++
+[source, terminal]
+----
+$ oc get certificaterequests -n <namespace>
+----
+
+. Run the following command ot inspect a specific `CertificateRequest`. Review the `Status` section to confirm the certificate has been signed and that  the certificate data is present.
++
+[source, terminal]
+----
+$ oc describe certificaterequest <name-of-cert-request> -n <namespace>
+----

modules/zero-trust-manager-cert-manager-upstream-authority.adoc

@@ -0,0 +1,11 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-overview.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-cert-manager-upstream-authority_{context}"]
+= About the cert-manager upstream authority plugin
+
+The cert-manager plugin enables the SPIRE server to dynamically request and receive intermediate signing certificates from cert-manager. The plugin automates the management of the SPIRE server intermediate signing certificates by integrating with cert-manager.
+
+When a SPIRE server needs a new certificate, the cert-manager plugin creates a `CertificateRequest` custom resource in the configured Kubernetes namespace. The namespace has the Certificate Signing Request (CSR) generated by the SPIRE server. The cert-manager plugin processes the `CertificateRequest` and an associated `Issuer` signs the CSR. The signed intermediate certificate and the full Certificate Authority (CA) bundle are available in the `CertificateRequest` status. These signed credentials are available to the SPIRE server and used as its upstream signing authority.

modules/zero-trust-manager-configure-cert-manager.adoc

@@ -0,0 +1,88 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zero-trust-manager-upstream-authority plugins.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-configure-cert-manager_{context}"]
+= Configuring the cert-manager plugin
+
+The cert-manager plugin for the SPIRE server automates the intermediate signing certificates lifecycle of a SPIRE server. The plugin manages the creation, renewal, and rotation of the signing certificates.
+
+.Prerequisites
+
+* Access to a Kubernetes cluster where the SPIRE server runs.
+
+* cert-manager is installed and running within the Kubernetes cluster. For more information about installing cert-manager, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html-single/security_and_compliance/index#cert-manager-operator-install[Installing the cert-manager Operator for Red{nbsp}Hat OpenShift].
+
+* A pre-configured cert-manager `Issuer` capable of signing intermediate Certificate Authority (CA) certificates.
+
+.Procedure
+
+. Create a YAML file that defines the `SpireSever` CR object, for example, `SpireServer.yaml`:
++
+.Example `SpiffeCSIDriver.yaml`
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: SpireServer
+metadata:
+  name: cluster
+spec:
+  trustDomain: example.com
+  upstreamAuthority:
+    type: cert-manager
+    certManager:
+      issuerKind: Issuer #<1>
+      issuerName: my-org-intermediate-ca #<2>
+      namespace: my-namespace #<3>
+----
+
+<1> Specifies the type of cert-manager issuer to use. The value `Issuer` means it is a namespace resource. The other options is `ClusterIssuer`, which is a cluter-wide resource.
+<2> The name of the `Issuer` or `CluserIssuer` resource within cert-manager that signs the certificate request. The issuer should already exist and configured to connect to the PKI.
+<3> Required when 'issuerKind' is 'Issuer'. This field is omitted if using a `ClusterIssuer`.
+
+. Apply the configuration by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f SpireServer.yaml
+----
+
+.Verification
+
+. Ensure that the resulting signed certificate and trust bundle are available in the secret created by the SPIRE operator:
++
+[source,terminal]
+----
+$ kubectl get secret spire-server-server-ca -n spire -o yaml
+----
++
+.Example signed certificate and trust bundle
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+  name: spire-server-server-ca
+  namespace: spire
+  ownerReferences:
+  - apiVersion: spire.spiffe.io/v1alpha1
+    kind: SpireServer
+    name: spire-server
+    # ...
+type: Opaque
+data:
+  # The trust bundle containing the root CA and the intermediate CA
+  bundle.crt:
+   <trust_bundle>
+  # The SPIRE Server's intermediate CA certificate signed by your Issuer
+  ca.crt:
+   <intermediate_CA_certificate>
+
+  # The private key for the SPIRE Server's intermediate CA
+  ca.key:
+   <private_key>
+----
+

modules/zero-trust-manager-configure-issuer.adoc

@@ -0,0 +1,55 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zero-trust-manager-upstream-authority plugins.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-configure-issuer_{context}"]
+= Configuring the cert-manager issuer
+
+Before you can configure the cert-manager plugin, you need to create an `Issuer` since the `Issuer` represents the CA and defines how certificates are issued.
+
+.Prerequisites
+
+* cert-manager is installed and running within the Kubernetes cluster. For more information about installing cert-manager, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html-single/security_and_compliance/index#cert-manager-operator-install[Installing the cert-manager Operator for Red{nbsp}Hat OpenShift].
+
+
+.Procedure
+
+You create a cert-manager `Issuer` by performing the following steps:
+
+. Generate the Transport Layer Security (TLS) secret by running the following command:
++
+[source,terminal]
+----
+$ oc create secret tls my-ca-key-pair-secret \
+  --cert=path/to/your/ca.crt \
+  --key=path/to/your/ca.key \
+  --namespace=my-namespace
+----
+
+. Create a YAML file that defines the `Issuer`, for example `ca-issuer.yaml`:
++
+.Example `ca-issuer.yaml`
++
+[source,yaml]
+----
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: my-ca-issuer
+  namespace: my-namespace
+spec:
+  ca:
+    secretName: my-ca-key-pair-secret <1>
+----
+<1> The name of the Kubernetes Secret that holds the `tls.cert` and `tls.key` files. This secret must exist before you create the `Issuer`.
+
+. Apply the configuration by running the following command:
++
+[source, terminal]
+----
+$ oc apply -f ca-issuer.yaml
+----
+
+.Verification
+How would you verify if the issuer has been created????

modules/zero-trust-manager-configure-vault.adoc

@@ -0,0 +1,140 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zero-trust-manager.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-configure-cert-vault_{context}"]
+= Configuring the Vault plugin
+
+This procedure outlines the steps required to configure a SPIRE server to obtain its intermediate signing certificates from Vault. The plugin supports the following methods for authenticating to Vault:
+
+* Client Certificate Authentication
+
+* Token Authentication
+
+* `AppRole` Authentication
+
+* Kubernetes Authentication
+
+.Prerequisites
+
+* A running and accessible HashiCorp Vault server is available.
+
+* A PKI secret engine is enabled and configured in Vault at the specified `pki_mount_point`.
+
+* A role within the Vault PKI engine must be configured to allow issuing of intermediate CA certificates.
+
+* The Vault token or authentication method used by the plugin must have the necessary permissions.
+
+* The `ca_ttl` configured in your SPIRE Server configuration must be less than or equal to the configured `max_lease_ttl` of the Vault PKI secret engine role that the plugin uses.
+
+.Procedure
+
+. Create a YAML file containing the configuration for the `SpireServer` resource, for example `spireserver.yaml`. The file includes the `spec` block and the `upstreamAuthority` block configured to use the `vault` plugin.
++
+.Example `spireserver.yaml`
++
+[source,yaml]
+----
+apiVersion: spire.spiffe.io/v1alpha1
+kind: SpireServer
+metadata:
+  name: spire-server
+  namespace: spire
+spec:
+  replicas: 1
+  upstreamAuthority:
+    vault:#
+      address: "https://vault.example.com" <1>
+      tokenPath: "/var/run/secrets/kubernetes.io/serviceaccount/token" <2>
+      mtls:
+        spireTrustDomain: "spiffe://example.org" <3>
+        serverName: "vault.example.com" <4>
+      pkcs11:
+      jwt:
+----
++
+<1> The URL of your Vault server.
+<2> The path to the Kubernetes service account token used for authentication with Vault.
+<3> The trust domain of your Spire Server.
+<4> The name used for the Mutual Transport Layer Security (mTLS) authentication with the Vault server.
+
+. Configure one of the authentication methods:
+.. Configure the `certAuth` authentication in the `UpstreamAuthority` section of the `spireserver.yaml` file. This method uses a client certificate and private key for authentication.
++
+.Example `certAuth`
++
+[source,yaml]
+----
+# ...
+upstreamAuthority:
+  vault:
+    certAuth:
+      certAuthMountPoint: "cert" <1>
+      clientCertSecret: "vault-client-cert-secret" <2>
+      clientKeySecret: "vault-client-key-secret" <3>
+      certAuthRoleName: "spire-server-role" <4>
+----
++
+<1> The mount point where the TLS certificate auth method is enabled.
+<2> Name of the Kubernetes secret containing the client certificate in Privacy Enhanced Mail (PEM) format.
+<3> Name of the Kubernetes secret containing the client private key in PEM format.
+<4> The name of the Vault role to authenticate against.
+
+.. Configure the `tokenAuth` authentication in the `UpstreamAuthority` section of the `spireserver.yaml` file. This method uses a static Vault token.
++
+.Example `tokenAuth`
++
+[source,yaml]
+----
+# ...
+upstreamAuthority:
+  vault:
+    tokenAuth:
+      token: "hvs.YOUR_VAULT_TOKEN_HERE"
+----
+
+.. Configure the `appRoleAuth` authentication in the `UpstreamAuthority` section of the `spireserver.yaml` file. This method uses the `AppRole` for Vault.
++
+.Example `tokenAuth`
++
+[source,yaml]
+----
+# ...
+upstreamAuthority:
+  vault:
+    appRoleAuth:
+      appRoleMountPoint: "approle" <1>
+      appRoleID: "your-approle-id" <2>
+      appRoleSecretID: "your-approle-secret-id" <3>
+----
++
+<1> The mount point where the `AppRole` auth method is enabled.
+<2> The `AppRole` ID used for authentication.
+<3> the `AppRole` SecretID used for authentication.
+
+. Configure the `k8sAuth` authentication in the `UpstreamAuthority` section of the `spireserver.yaml` file. This method uses a Kubernetes ServiceAccount token for authentication.
++
+.Example `tokenAuth`
++
+[source,yaml]
+----
+# ...
+upstreamAuthority:
+  vault:
+    k8sAuth:
+      k8sAuthMountPoint: "kubernetes" <1>
+      k8sAuthRoleName: "spire-server-k8s-role" <2>
+      tokenPath: "/var/run/secrets/kubernetes.io/serviceaccount/token" <3>
+----
++
+<1> The mount point where the Kubernetes auth method is enabled.
+<2> The name of the Vault role the plugin authenticates against.
+<3> The path to the Kubernetes `ServiceAccount` token file.
+
+. Apply the configuration by running the following command:
++
+[source, terminal]
+----
+$ oc apply -f spireserver.yaml
+----

modules/zero-trust-manager-vault-upstream-authority.adoc

@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-overview.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-vault-upstream-authority_{context}"]
+= About the Vault upstream authority plugin
+
+The Vault plugin integrates the SPIRE server with the HashiCorp Vault Public Key Infrastructure (PKI) engine to manage the lifecycle of intermediate CA certificates. The SPIRE server uses the CA certificates to sign the workload {svid-full}. The plugin enables the SPIRE server to use the PKI for issuing and renewing intermediate signing certificates.
+
+The plugin interacts with the PKI secret engine to request intermediate CA certificates, signs the requests, and then provides the certificates to the SPIRE server.
+
+[NOTE]
+====
+The Vault plugin does not support the `PublishJWTKey` remote procedure call (RPC) and should not be used in SPIRE configurations where JSON Web Tokens-SPIFFE Verifiable Identity Documents (JWT-SVIDs) are used.
+====