openshift
diff --git a/‎_topic_maps/_topic_map.yml‎
Lines changed: 4 additions & 2 deletions b/‎_topic_maps/_topic_map.yml‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎modules/zero-trust-manager-about-components.adoc‎
Lines changed: 0 additions & 30 deletions b/‎modules/zero-trust-manager-about-components.adoc‎
Lines changed: 0 additions & 30 deletions
diff --git a/‎modules/zero-trust-manager-about-controller-manager.adoc‎
Lines changed: 13 additions & 0 deletions b/‎modules/zero-trust-manager-about-controller-manager.adoc‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎modules/zero-trust-manager-about-csi-driver.adoc‎
Lines changed: 13 additions & 0 deletions b/‎modules/zero-trust-manager-about-csi-driver.adoc‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎modules/zero-trust-manager-about-oidc-provider.adoc‎
Lines changed: 12 additions & 0 deletions b/‎modules/zero-trust-manager-about-oidc-provider.adoc‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎modules/zero-trust-manager-available-metrics.adoc‎
Lines changed: 60 additions & 0 deletions b/‎modules/zero-trust-manager-available-metrics.adoc‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎modules/zero-trust-manager-enable-metrics-operator.adoc‎
Lines changed: 203 additions & 0 deletions b/‎modules/zero-trust-manager-enable-metrics-operator.adoc‎
Lines changed: 203 additions & 0 deletions
diff --git a/‎modules/zero-trust-manager-enable-metrics-server.adoc‎
Lines changed: 7 additions & 3 deletions b/‎modules/zero-trust-manager-enable-metrics-server.adoc‎
Lines changed: 7 additions & 3 deletions
diff --git a/‎modules/zero-trust-manager-how-it-works.adoc‎
Lines changed: 2 additions & 0 deletions b/‎modules/zero-trust-manager-how-it-works.adoc‎
Lines changed: 2 additions & 0 deletions
@@ -1233,14 +1233,16 @@ Topics:
   Topics:
   - Name: Zero Trust Workload Identity Manager overview
     File: zero-trust-manager-overview
+  - Name: Zero Trust Workload Identity Manager components
+    File: zero-trust-manager-components
   - Name: Zero Trust Workload Identity Manager release notes
     File: zero-trust-manager-release-notes
   - Name: Installing Zero Trust Workload Identity Manager
     File: zero-trust-manager-install
-  - Name: Configuring the egress proxy
-    File: zero-trust-manager-proxy
   - Name: Deploying Zero Trust Workload Identity Manager operands
     File: zero-trust-manager-configuration
+  - Name: Configuring the egress proxy
+    File: zero-trust-manager-proxy
   - Name: Configuring Zero Trust Workload Identity Manager OIDC Federation
     File: zero-trust-manager-oidc-federation
   - Name: Configuring Zero Trust Workload Identity Manager SPIRE Federation
 
@@ -0,0 +1,13 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-about-controller-manager_{context}"]
+= SPIRE Controller Manager
+
+[role="_abstract"]
+Use the SPIRE Controller Manager to automate workload registration with custom resource definitions (CRDs). The manager monitors pods and CRDs to create, update, or delete entries on the SPIRE Server. This process helps ensure that your SPIRE entries accurately reflect your active resources.
+
+The SPIRE Controller Manager is designed to be deployed on the same pod as the SPIRE Server. The manager communicates with the SPIRE Server API using a private UNIX Domain Socket within a shared volume.
+
@@ -0,0 +1,13 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-about-csi-driver_{context}"]
+= SPIFFE CSI Driver
+
+[role="_abstract"]
+The SPIFFE Container Storage Interface (CSI) driver helps pods securely obtain their {svid-full} by delivering the Workload API socket. By using Kubernetes ephemeral inline volumes, the driver simplifies how applications request temporary storage for identity management.
+
+When the pod starts, the Kubelet calls the SPIFFE CSI driver to provision and mount a volume into the pod's containers. The SPIFFE CSI driver mounts a directory that contains the SPIFFE Workload API into the pod. Applications in the pod then communicate with the Workload API to obtain their SVIDs. The driver guarantees that each SVID is unique.
+
@@ -0,0 +1,12 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zer-trust-manager-features.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-about-oidc-provider_{context}"]
+= SPIRE OpenID Connect Discovery Provider
+
+[role="_abstract"]
+Use the SPIRE OpenID Connect (OIDC) Discovery Provider to integrate SPIRE workload identities with OIDC-compliant systems. This component exposes endpoints for token verification. It helps ensure compatibility between SPIRE-issued credentials and external APIs requiring standard OIDC tokens.
+
+While SPIRE primarily issues identities for workloads, additional workload-related claims can be embedded into JWT-SVIDs through the configuration of SPIRE, which these claims to be included in the token and verified by OIDC-compliant clients.
@@ -0,0 +1,60 @@
+// Module included in the following assemblies:
+//
+// * security/zer_trust_workload_identity_manager/zero-trust-manager-monitoring.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="zero-trust-manager-available-metrics_{context}"]
+= {zero-trust-full} monitoring available metrics
+
+[role="_abstract"]
+Monitor the health and performance of {zero-trust-full} components by reviewing exposed metrics. This reference describes controller, certificate, and runtime metrics that help you maintain system health and troubleshoot errors.
+
+The {zero-trust-full} exposes the following metrics:
+
+Controller runtime metrics::
+
+* `controller_runtime_active_workers`: Number of currently used workers per controller
+
+* `controller_runtime_max_concurrent_reconciles`: Maximum number of concurrent reconciles per controller
+
+* `controller_runtime_reconcile_errors_total`: Total number of reconciliation errors per controller
+
+* `controller_runtime_reconcile_time_seconds`: Length of time per reconciliation per controller
+
+* `controller_runtime_reconcile_total`: Total number of reconciliations per controller
+
+Certificate watcher metrics::
+
+* `certwatcher_read_certificate_errors_total`: Total number of certificate read errors
+
+* `certwatcher_read_certificate_total`: Total number of certificates read
+
+Go runtime metrics::
+
+Standard Go runtime metrics including:
+
+* `go_gc_duration_seconds`: Garbage collection duration
+
+* `go_goroutines`: Number of goroutines
+
+* `go_memstats_*`: Memory statistics
+
+* `process_*`: Process statistics
+
+ Custom Operator metrics::
+
+The operator also exposes custom metrics related to:
+
+* SPIRE Server status and health
+
+* SPIRE Agent deployment status
+
+* SPIFFE CSI Driver status
+
+* OIDC Discovery Provider status
+
+* Workload identity management operations
+
+
+
+
@@ -0,0 +1,203 @@
+// Module included in the following assemblies:
+//
+// * security/zer_trust_workload_identity_manager/zero-trust-manager-monitoring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-enable-metrics-operator_{context}"]
+= Configuring metrics collection for the Operator by using a ServiceMonitor
+
+[role="_abstract"]
+The {zero-trust-full} exposes metrics by default on port 8443 at the `/metrics` service endpoint. You can configure metrics collection for the Operator by creating a `ServiceMonitor` custom resource (CR) that enables the Prometheus Operator to collect custom metrics. For more information, see "Configuring user workload monitoring".
+
+
+The SPIRE Server operand exposes metrics by default on port `9402` at the `/metrics` endpoint. You can configure metrics collection for the SPIRE Server by creating a `ServiceMonitor` custom resource (CR) that enables the Prometheus Operator to collect custom metrics.
+
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` cluster role.
+
+* You have installed the {zero-trust-full}.
+
+* You have enabled the user workload monitoring.
+
+.Procedure
+
+. Configure the Operator to use HTTP or HTTPS protocols for the metrics server.
+
+.. Update the subscription object for {zero-trust-full} to configure the HTTP protocol by running the following command:
++
+[source,terminal]
+----
+$ oc -n zero-trust-workload-identity-manager patch subscription zero-trust-workload-identity-manager-subscription --type='merge' -p '{"spec":{"config":{"env":[{"name":"METRICS_BIND_ADDRESS","value":":8080"}, {"name": "METRICS_SECURE", "value": "false"}]}}}'
+----
+
+.. Verify the {zero-trust-full} pod is redeployed and that the configured values for `METRICS_BIND_ADDRESS` and `METRICS_SECURE` is updated by running the following command:
++
+[source,terminal]
+----
+$ oc set env --list deployment/zero-trust-workload-identity-manager-controller-manager -n zero-trust-workload-identity-manager | grep -e METRICS_BIND_ADDRESS -e METRICS_SECURE -e container
+----
++
+.Example output
+[source,text]
+----
+deployments/zero-trust-workload-identity-manager-controller-manager, container manager
+METRICS_BIND_ADDRESS=:8080
+METRICS_SECURE=false
+----
+
+. Create the `Secret` resource with `kubernetes.io/service-account.name` annotation to inject the token required for authenticating with the metrics server.
+
+..  Create the `secret-zero-trust-workload-identity-manager.yaml` YAML file:
++
+[source,yaml]
+----
+apiVersion: v1
+kind: Secret
+metadata:
+ labels:
+   name: zero-trust-workload-identity-manager
+ name: zero-trust-workload-identity-manager-metrics-auth
+ namespace: zero-trust-workload-identity-manager
+ annotations:
+   kubernetes.io/service-account.name: zero-trust-workload-identity-manager-controller-manager
+type: kubernetes.io/service-account-token
+----
+
+.. Create the `Secret` resource by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f secret-zero-trust-workload-identity-manager.yaml
+----
+
+. Create the `ClusterRoleBinding` resource required for granting permissions to access the metrics.
+
+.. Create the `clusterrolebinding-zero-trust-workload-identity-manager.yaml` YAML file:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+   name: zero-trust-workload-identity-manager
+ name: zero-trust-workload-identity-manager-allow-metrics-access
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: zero-trust-workload-identity-manager-metrics-reader
+subjects:
+- kind: ServiceAccount
+  name: zero-trust-workload-identity-manager-controller-manager
+  namespace: zero-trust-workload-identity-manager
+----
+
+.. Create the `ClusterRoleBinding` resource by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f clusterrolebinding-zero-trust-workload-identity-manager.yaml
+----
+
+. Create the following `ServiceMonitor` CR if the metrics server is configured to use `http`.
+
+.. Create the `servicemonitor-zero-trust-workload-identity-manager-http.yaml` YAML file:
++
+[source,yaml]
+----
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    name: zero-trust-workload-identity-manager
+  name: zero-trust-workload-identity-manager-metrics-monitor
+  namespace: zero-trust-workload-identity-manager
+spec:
+  endpoints:
+    - authorization:
+        credentials:
+          name: zero-trust-workload-identity-manager-metrics-auth
+          key: token
+        type: Bearer
+      interval: 60s
+      path: /metrics
+      port: metrics-http
+      scheme: http
+      scrapeTimeout: 30s
+  namespaceSelector:
+    matchNames:
+      - zero-trust-workload-identity-manager
+  selector:
+    matchLabels:
+      name: zero-trust-workload-identity-manager
+----
+
+.. Create the `ServiceMonitor` CR by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f servicemonitor-zero-trust-workload-identity-manager-http.yaml
+----
+. Create the following `ServiceMonitor` CR if the metrics server is configured to use `https`.
+
+.. Create the `servicemonitor-zero-trust-workload-identity-manager-https.yaml` YAML file:
++
+[source,yaml]
+----
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  labels:
+    name: zero-trust-workload-identity-manager
+  name: zero-trust-workload-identity-manager-metrics-monitor
+  namespace: zero-trust-workload-identity-manager
+spec:
+  endpoints:
+    - authorization:
+        credentials:
+          name: zero-trust-workload-identity-manager-metrics-auth
+          key: token
+        type: Bearer
+      interval: 60s
+      path: /metrics
+      port: metrics-https
+      scheme: https
+      scrapeTimeout: 30s
+      tlsConfig:
+        ca:
+          configMap:
+            name: openshift-service-ca.crt
+            key: service-ca.crt
+        serverName: zero-trust-workload-identity-manager-metrics-service.zero-trust-workload-identity-manager.svc.cluster.local
+  namespaceSelector:
+    matchNames:
+      - zero-trust-workload-identity-manager
+  selector:
+    matchLabels:
+      name: zero-trust-workload-identity-manager
+----
+
+.. Create the `ServiceMonitor` CR by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f servicemonitor-zero-trust-workload-identity-manager-https.yaml
+----
++
+After the `ServiceMonitor` CR is created, the user workload Prometheus instance begins metrics collection from the SPIRE Server. The collected metrics are labeled with `job="zero-trust-workload-identity-manager-metrics-service"`.
+
+.Verification
+
+. In the {product-title} web console, navigate to *Observe* → *Targets*.
+
+. In the *Label* filter field, enter the following label to filter the metrics targets:
++
+[source,terminal]
+----
+$ service=zero-trust-workload-identity-manager-metrics-service
+----
+
+. Confirm that the *Status* column shows `Up` for the `zero-trust-workload-identity-manager` entry.
+
@@ -4,7 +4,10 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="zero-trust-manager-enable-metrics-server_{context}"]
-= Configuring metrics collection for SPIRE Server by using a Service Monitor
+= Configuring metrics collection for SPIRE Server by using a ServiceMonitor
+
+[role="_abstract"]
+To collect custom metrics from the SPIRE Server, create a ServiceMonitor custom resource (CR). This configuration enables the Prometheus Operator to scrape metrics from the default endpoint, which helps you monitor your SPIRE deployment.
 
 The SPIRE Server operand exposes metrics by default on port `9402` at the `/metrics` endpoint. You can configure metrics collection for the SPIRE Server by creating a `ServiceMonitor` custom resource (CR) that enables the Prometheus Operator to collect custom metrics.
 
@@ -31,8 +34,8 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
 labels:
- app.kubernetes.io/name: server
- app.kubernetes.io/instance: spire
+  app.kubernetes.io/name: server
+  app.kubernetes.io/instance: spire
 name: spire-server-metrics
 namespace: zero-trust-workload-identity-manager
 spec:
@@ -70,3 +73,4 @@ $ service=zero-trust-workload-identity-manager-metrics-service
 ----
 
 . Confirm that the *Status* column shows `Up` for the `spire-server-metrics` entry.
+
@@ -6,6 +6,8 @@
 [id="zero-trust-manager-how-it-works_{context}"]
 = About the {zero-trust-full} workflow
 
+[role="_abstract"]
+Understand the high-level workflow of {zero-trust-full} to help you manage secure identities. This process relies on SPIRE components and custom resource definitions (CRDs) to validate nodes and workloads.
 
 The following is a high-level workflow of the {zero-trust-full} within the Red{nbsp}Hat OpenShift cluster.