OSDOCS-17626 updated zero-trust release notes for GA #103679
base: main
Conversation
🤖 Wed Dec 10 15:06:00 - Prow CI generated the docs preview:
495feef to 9eaec7a
| * Integration is supported with the OpenShift monitoring stack. | ||
| [id="zero-trust-manager-1-0-0-bug-fixes_{context}"] | ||
| === Bug fixes |
A few bugs which were resolved:
SPIRE-68: Updating the operands CR spec sometimes does not trigger reconciliation
SPIRE-60: Agent runs as non-root user
SPIRE-190: Remove the SCC for the OIDC Discovery Provider
@lunarwhite please check if I have missed any?
Yes. This list is complete.
Done
| toc::[] | ||
| The {zero-trust-full} leverages Secure Production Identity Framework for Everyone (SPIFFE) and the SPIFFE Runtime Environment (SPIRE) to provide a comprehensive identity management solution for distributed systems. {zero-trust-full} supports SPIRE version 1.12.4 running as an operand. | ||
We could remove this sentence: https://github.com/openshift/openshift-docs/blob/9eaec7a7c25eb2558d4ca9ddaf2070ae9dc43d63/security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc?plain=1#L10C216-L10C286, as the versions are explicitly mentioned in the chart:
openshift-docs/security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc, line 21 in 9eaec7a:
{zero-trust-full} supports the following components and versions:
Done
| * Customer Action Required: | ||
| ** Review the `federation` configuration within the `SpireServer Custom Resource (CR). |
| ** Review the `federation` configuration within the `SpireServer Custom Resource (CR). | |
| ** Review the `federation` configuration within the `SpireServer` Custom Resource (CR). |
Done
| ** `SpireAgent.spec.socketPath` | ||
| ** `SpiffeCSIDriver.spec.agentSocketPath` | ||
| ** `ApiffeCSIDriver.spec.pluginName` |
| ** `ApiffeCSIDriver.spec.pluginName` | |
| ** `SpiffeCSIDriver.spec.pluginName` |
Done
| * Verification types: | ||
| ** `auto` (default): Verification utilizes OpenShift defaults (`/etc/kubernetes/kubelet-ca.crt`). | ||
| ** `hostCert': Uses a custom CA certificate path. |
| ** `hostCert': Uses a custom CA certificate path. | |
| ** `hostCert`: Uses a custom CA certificate path. |
Done
| ** `auto` (default): Verification utilizes OpenShift defaults (`/etc/kubernetes/kubelet-ca.crt`). | ||
| ** `hostCert': Uses a custom CA certificate path. | ||
| ** `skip``: Skips TLS verification (not recommended for production use). |
| ** `skip``: Skips TLS verification (not recommended for production use). | |
| ** `skip`: Skips TLS verification (not recommended for production use). |
Done
| * The Operator and all associated operands can now be deployed within a custom namespace, providing flexibility for organizations with specific namespace governance requirements. | ||
| [id="zero-trust-manager-1-0-0-postgres-database-support_{context}"] |
It's better to move this item (PostgreSQL database support) to the position right after SPIRE federation support.
Done
| * SPIRE Agent and SPIFFE CSI Driver now operate under the restricted Security Context Constraints (SCC). | ||
| * All operand containers are configured with the `ReadOnlyRootFilesystem` set to `true`. |
| * All operand containers are configured with the `ReadOnlyRootFilesystem` set to `true`. | |
| * Operator and all operand containers are configured with the `ReadOnlyRootFilesystem` set to `true`. |
Done
| [id="zero-trust-manager-1-0-0-immutable-fields_{context}"] | ||
| ==== Immutable fields | ||
| The following fields are now strictly enforced as *immutable* after initial creation: | ||
| [cols="1,1,1",options="header"] | ||
| |=== | ||
| | Custom resource | ||
| | Field | ||
| | Notes | ||
| | ZeroTrustWorkloadIdentityManager | ||
| | `trustDomain`, `clusterName`, `bundleConfigMap` | ||
| | Cannot be modified post-creation. | ||
| | SpireServer | ||
| | `persistence.size`, `persistence.accessMode`, `persistence.storageClass` | ||
| | Cannot be modified post-creation. | ||
| | SpireServer | ||
| | `federation.bundleEndpoint` | ||
| | Cannot be removed once configured. | ||
| |=== | ||
Consider removing this table as they have been mentioned at this line already: https://github.com/openshift/openshift-docs/pull/103679/files#diff-cae3550cca1c8918c4da09faef482503a73e4be67ba89e4e2b5259044e9de140R138
Done
9eaec7a to 7963ff0
@wgabor0427: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
lunarwhite
left a comment
/lgtm
except for minor nitpicks
| | Updating the operands CR spec sometimes does not trigger reconciliation. | ||
| | SPIRE-190 | ||
| | Updating the operands CR spec sometimes does not trigger reconciliation. |
| | Updating the operands CR spec sometimes does not trigger reconciliation. | |
| | Remove redundant SCC for the OIDC Discovery Provider. |
| SPIRE Server now supports PostgreSQL as an external database backend, accommodating production deployments that necessitate enterprise-grade data persistence and high availability. | ||
| * Supported Types: sqlite3 (default), postgres, mysql. |
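Review bot: the supported-types bullet lists `mysql` alongside `postgres`, while the introductory sentence above and the postgres-database-support section id present this feature as PostgreSQL support only; the sentence and the list should agree, for example by stating which database backends are supported in this release and which one is newly added.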
| * Supported Types: sqlite3 (default), postgres, mysql. | |
| * Supported Types: `sqlite3` (default), `postgres`, `mysql`. |
| This release introduces flexible logging controls to improve observability and debugging across the platform: | ||
| * SPIRE Components: Users can now configure the `logLevel` (debug, info, warn, error) and `logFormat` (text, JSON) independently for `SpireServer`, `SpireAgent`, and `SpireOIDCDiscoveryProvider` directly within their CR specifications. The defaults are set to "info" for the `logLevel` and "text" for the `logFormat. |
| * SPIRE Components: Users can now configure the `logLevel` (debug, info, warn, error) and `logFormat` (text, JSON) independently for `SpireServer`, `SpireAgent`, and `SpireOIDCDiscoveryProvider` directly within their CR specifications. The defaults are set to "info" for the `logLevel` and "text" for the `logFormat. | |
| * SPIRE Components: Users can now configure the `logLevel` (debug, info, warn, error) and `logFormat` (text, JSON) independently for `SpireServer`, `SpireAgent`, and `SpireOIDCDiscoveryProvider` directly within their CR specifications. The defaults are set to "info" for the `logLevel` and "text" for the `logFormat`. |
Version(s):
4.20+
Issue:
https://issues.redhat.com/browse/OSDOCS-17626
Link to docs preview:
https://103679--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.html
QE review:
Additional information: