Merge pull request #103738 from wgabor0427/OSDOCS-17644

OSDOCS-17644 created docs for egress proxy

Author: stevsmit

_topic_maps/_topic_map.yml

@@ -1238,6 +1238,8 @@ Topics:
     File: zero-trust-manager-release-notes
   - Name: Installing Zero Trust Workload Identity Manager
     File: zero-trust-manager-install
+  - Name: Configuring the egress proxy
+    File: zero-trust-manager-proxy
   - Name: Deploying Zero Trust Workload Identity Manager operands
     File: zero-trust-manager-configuration
   - Name: Configuring Zero Trust Workload Identity Manager OIDC Federation

modules/zero-trust-manager-enable-metrics-server.adoc

@@ -30,23 +30,23 @@ The SPIRE Server operand exposes metrics by default on port `9402` at the `/metr
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
-  labels:
-    app.kubernetes.io/name: server
-    app.kubernetes.io/instance: spire
-  name: spire-server-metrics
-  namespace: zero-trust-workload-identity-manager
+ labels:
+   app.kubernetes.io/name: server
+   app.kubernetes.io/instance: spire
+ name: spire-server-metrics
+ namespace: zero-trust-workload-identity-manager
 spec:
-  endpoints:
-  - port: metrics
-    interval: 30s
-    path: /metrics
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: server
-      app.kubernetes.io/instance: spire
-  namespaceSelector:
-    matchNames:
-    - zero-trust-workload-identity-manager
+ endpoints:
+ - port: metrics
+   interval: 30s
+   path: /metrics
+ selector:
+   matchLabels:
+     app.kubernetes.io/name: server
+     app.kubernetes.io/instance: spire
+ namespaceSelector:
+   matchNames:
+   - zero-trust-workload-identity-manager
 ----
 
 .. Create the `ServiceMonitor` CR by running the following command:
@@ -60,15 +60,13 @@ After the `ServiceMonitor` CR is created, the user workload Prometheus instance
 
 .Verification
 
-. In the {product-title} web console, navigate to *Observe* → *Targets*.
-
+. In the {product-title} web console, navigate to *Observe* -> *Targets*.
 
 . In the *Label* filter field, enter the following label to filter the metrics targets:
 +
 [source,terminal]
 ----
-$ service=spire-server
+$ service=zero-trust-workload-identity-manager-metrics-service
 ----
 
 . Confirm that the *Status* column shows `Up` for the `spire-server-metrics` entry.
-

modules/zero-trust-manager-proxy-support.adoc

@@ -0,0 +1,132 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-operator-proxy.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-proxy-support_{context}"]
+= Injecting a custom CA certificate for the {zero-trust-full}
+
+[role="_abstract"]
+Inject certificate authority (CA) certificates into the {zero-trust-full} to support proxying HTTPS connections. This configuration helps ensure that the Identity Manager can communicate securely when you enable a cluster-wide proxy.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+
+* You have enabled the cluster-wide proxy for {product-title}.
+
+* You have installed {zero-trust-full} 1.0.0 or later.
+
+* You have deployed the SPIRE Server, SPIRE Agent, SPIFFEE CSI Driver, and the SPIRE OIDC Discovery Provider operands in the cluster.
+
+.Procedure
+
+. Create a config map in the `zero-trust-workload-identity-manager` namespace by running the following command:
++
+[source,terminal]
+----
+$ oc create configmap trusted-ca -n zero-trust-workload-identity-manager
+----
+
+. Inject the CA bundle that is trusted by {product-title} into the config map by running the following command:
++
+[source,terminal]
+----
+$ oc label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true -n zero-trust-workload-identity-manager
+----
+
+. Update the subscription for the {zero-trust-full} to use the config map by running the following command:
++
+[source,terminal]
+----
+$ oc -n zero-trust-workload-identity-manager patch subscription openshift-zero-trust-workload-identity-manager --type='merge' -p '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_BUNDLE_CONFIGMAP","value":"trusted-ca"}]}}}'
+----
+
+.Verification
+
+. Verify that the operands have finished rolling out by running the following command:
++
+[source,terminal]
+----
+$ oc rollout status deployment/zero-trust-workload-identity-manager-controller-manager -n zero-trust-workload-identity-manager && \
+$ oc rollout status statefulset/spireserver -n zero-trust-workload-identity-manager && \
+$ oc rollout status daemonset/spire-agent -n zero-trust-workload-identity-manager && \
+$ oc rollout status deployment/spire-spiffe-oidc-discovery-provider -n zero-trust-workload-identity-manager
+----
++
+.Example output
+[source,terminal]
+----
+deployment "zero-trust-workload-identity-manager-controller-manager" successfully rolled out
+statefulset "spire-server" successfully rolled out
+daemonset "spire-agent" successfully rolled out
+deployment "spire-spiffe-oidc-discovery-provider" successfully rolled out
+----
+
+. Verify that the CA bundle was mounted as a volume by running the following command:
++
+[source,terminal]
+----
+$ oc get deployment zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager -o=jsonpath={.spec.template.spec.'containers[0].volumeMounts'}
+----
++
+[source,terminal]
+----
+$ oc get statefulset spire-server -n zero-trust-workload-identity-manager -o jsonpath='{.spec.template.spec.containers[*].volumeMounts[?(@.name=="trusted-ca-bundle")]}'
+----
++
+[source,terminal]
+----
+$ oc get daemonset spire-agent -n zero-trust-workload-identity-manager -o jsonpath='{.spec.template.spec.containers[*].volumeMounts[?(@.name=="trusted-ca-bundle")]}'
+----
++
+[source,terminal]
+----
+$ oc get daemonset spire-spiffe-csi-driver -n zero-trust-workload-identity-manager -o jsonpath='{.spec.template.spec.containers[*].volumeMounts[?(@.name=="trusted-ca-bundle")]}'
+----
++
+.Example output
+[source,terminal]
+----
+[{{"mountPath":"/etc/pki/ca-trust/extracted/pem","name":"trusted-ca-bundle","readOnly":true}]
+----
+
+. Verify that the source of the CA bundle is the `trusted-ca` config map by running the following command:
++
+[source,terminal]
+----
+$ oc get deployment zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager -o=jsonpath={.spec.template.spec.volumes}
+----
++
+[source,terminal]
+----
+$ oc get statefulset spire-server -n zero-trust-workload-identity-manager -o=jsonpath='{.spec.template.spec.volumes}' | jq '.[] | select(.name=="trusted-ca-bundle")'
+----
++
+[source,terminal]
+----
+$ oc get daemonset spire-agent -n zero-trust-workload-identity-manager -o=jsonpath='{.spec.template.spec.volumes}' | jq '.[] | select(.name=="trusted-ca-bundle")'
+----
++
+[source,terminal]
+----
+$ oc get deployment spire-spiffe-oidc-discovery-provider -n zero-trust-workload-identity-manager -o=jsonpath='{.spec.template.spec.volumes}' | jq '.[] | select(.name=="trusted-ca-bundle")'
+----
++
+.Example output
+[source,terminal]
+----
+{
+  "configMap": {
+    "defaultMode": 420,
+    "items": [
+      {
+        "key": "ca-bundle.crt",
+        "path": "tls-ca-bundle.pem"
+      }
+    ],
+    "name": "trusted-ca"
+  },
+  "name": "trusted-ca-bundle"
+}
+----

security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc

@@ -2,9 +2,6 @@
 [id="zero-trust-manager-configuration"]
 = Deploying Zero Trust Workload Identity Manager operands
 
-include::_attributes/common-attributes.adoc[]
-:context: zero-trust-manager-configuration
-
 toc::[]
 
 :FeatureName: Zero Trust Workload Identity Manager

security/zero_trust_workload_identity_manager/zero-trust-manager-proxy.adoc

@@ -0,0 +1,17 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="zero-trust-manager-proxy"]
+= Configuring the egress proxy for the {zero-trust-full}
+include::_attributes/common-attributes.adoc[]
+:context: zero-trust-manager-proxy
+
+[role="_abstract"]
+Operator Lifecycle Manager (OLM) automatically configures managed Operators with proxy settings when you use a cluster-wide egress proxy. To support proxying HTTPS connections, you can inject certificate authority (CA) certificates into the {zero-trust-full}.
+
+// Injecting a custom CA certificate for the {cert-manager-operator}
+include::modules/zero-trust-manager-proxy-support.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="zero-trust-manager-proxy_additional-resources"]
+== Additional resources
+
+* xref:../../operators/admin/olm-configuring-proxy-support.adoc#olm-configuring-proxy-support[Configuring proxy support in Operator Lifecycle Manager]