- OpenShift 4.18+
- OpenShift command-line tool (`oc`) installed and authenticated to the target cluster
- Git
- Helm
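# Create the operator namespace, its OperatorGroup and the Subscription in one
# apply. The heredoc runs to the EOF line that follows; the three manifests are
# separated by "---".
oc apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    openshift.io/display-name: Zero Trust Workload Identity Manager
  labels:
    # Quoted on purpose: a bare true would be parsed as a boolean, and label
    # values must be strings.
    openshift.io/cluster-monitoring: "true"
  name: zero-trust-workload-identity-manager
---
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: zero-trust-workload-identity-manager
  namespace: zero-trust-workload-identity-manager
spec:
  # Scope the operator to its own namespace only.
  targetNamespaces:
    - zero-trust-workload-identity-manager
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: openshift-zero-trust-workload-identity-manager
  namespace: zero-trust-workload-identity-manager
spec:
  channel: tech-preview-v0.1
  # Automatic: the initial install plan and later upgrades on this channel are
  # approved without review. Use Manual if upgrades should be gated.
  installPlanApproval: Automatic
  name: openshift-zero-trust-workload-identity-manager
  source: redhat-operators
  sourceNamespace: openshift-marketplace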
EOF
- Clone the Zero Trust Validated Pattern
# Clone the pattern repository; the Helm chart installed next is read from its
# charts/ directory, so the following steps run from inside the clone.
git clone https://github.com/validatedpatterns/layered-zero-trust
cd layered-zero-trust
- Install the Helm Chart
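# Render the chart with the values below and apply the result. The heredoc
# delimiter is deliberately unquoted so that $(oc get dns ...) expands to the
# cluster's base domain before helm reads the values.
helm template zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager charts/zero-trust-workload-identity-manager --values - <<EOF | oc apply -f-
global:
  localClusterDomain: apps.$(oc get dns cluster -o jsonpath='{ .spec.baseDomain }')
spire:
  oidcDiscoveryProvider:
    ingress:
      enabled: true
      annotations:
        # Re-encrypt route: TLS is terminated at the router and re-established
        # to the backend, which is verified against the CA in the spire-bundle
        # Secret (generated by the Kyverno policy later in this guide).
        route.openshift.io/termination: reencrypt
        route.openshift.io/destination-ca-certificate-secret: spire-bundle
EOF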
Wait until all pods in the `zero-trust-workload-identity-manager` namespace are running before continuing.
- Deploy Kyverno
# Install Kyverno from a remote kustomization. No ref is pinned, so whatever the
# repository's default branch holds at run time is applied; pin a ref and review
# the rendered manifests before running this on a production cluster.
oc create -k https://github.com/redhat-cop/gitops-catalog/kyverno/base
- Create the `ClusterPolicy`
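# Kyverno policy that mirrors the spire-bundle ConfigMap into a Secret of the
# same name, which is what the route annotation above references. bundle.crt
# holds the trust bundle (CA certificates, not private key material). The
# heredoc runs to the EOF line that follows.
oc apply -f - <<EOF
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: spire-bundle
spec:
  # Also act on a matching ConfigMap that already exists when the policy is
  # created, not only on future create/update events.
  generateExisting: true
  background: false
  rules:
    - name: spire-bundle
      match:
        any:
          - resources:
              kinds:
                - ConfigMap
              namespaces:
                - zero-trust-workload-identity-manager
              names:
                - spire-bundle
      generate:
        kind: Secret
        apiVersion: v1
        name: "{{request.object.metadata.name}}"
        namespace: "{{request.namespace}}"
        # Keep the Secret in step with the ConfigMap as the bundle rotates.
        synchronize: true
        data:
          metadata:
            # Owner reference so the Secret is garbage-collected with its
            # source ConfigMap.
            ownerReferences:
              - apiVersion: v1
                kind: ConfigMap
                name: "{{request.object.metadata.name}}"
                uid: "{{request.object.metadata.uid}}"
          data:
            tls.crt: "{{ base64_encode(request.object.data.\"bundle.crt\") }}"
EOF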
- Confirm the `spire-bundle` Secret has been created
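# Poll until Kyverno has generated the spire-bundle Secret. Redirection is
# written in POSIX form (not the bash-only &>) so the loop also works in sh.
# There is no timeout: interrupt it and inspect the ClusterPolicy status if the
# Secret never appears.
until oc get secret -n zero-trust-workload-identity-manager spire-bundle >/dev/null 2>&1; do sleep 5; done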
- Confirm the OIDC Discovery Document can be retrieved
curl -L https://$(oc get ingress -n zero-trust-workload-identity-manager spire-spiffe-oidc-discovery-provider -o jsonpath='{ .spec.rules[0].host }')/.well-known/openid-configuration
ZTWIM TP1 has limitations in how the OIDC Discovery Provider is configured, which cause errors when JWTs are verified. Perform the following steps to correct the configuration manually.
- Scale down the ZTWIM Operator
oc patch csv -n zero-trust-workload-identity-manager zero-trust-workload-identity-manager.v0.1.0 --type='json' -p='[{"op": "replace", "path": "/spec/install/spec/deployments/0/spec/replicas", "value": 0}]'
- Extract and update the `server.conf` ConfigMap
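# Requires jq. Rewrites server.conf so that jwt_issuer matches the host of the
# OIDC discovery route. Assumes the ConfigMap's server.conf is JSON (jq cannot
# parse HCL) -- confirm against the live ConfigMap first. Because the operator
# was scaled to zero in the previous step, this manual edit is not reconciled
# away.
oc get cm spire-server -n zero-trust-workload-identity-manager -o jsonpath='{ .data.server\.conf }' | jq --arg jwt_issuer "https://$(oc get ingress -n zero-trust-workload-identity-manager spire-spiffe-oidc-discovery-provider -o jsonpath='{ .spec.rules[0].host }')" -r '.server.jwt_issuer = $jwt_issuer' > ztwim-server.conf
# Guard: if the pipeline above failed, ztwim-server.conf is empty and must not
# be applied. --force-conflicts makes this client take ownership of any
# conflicting fields from their current server-side-apply manager (presumably
# the operator), so only apply a file that actually has content.
[ -s ztwim-server.conf ] && oc create cm -n zero-trust-workload-identity-manager spire-server --from-file=server.conf=ztwim-server.conf -o yaml --dry-run=client | oc apply --server-side=true --force-conflicts -f-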
rm ztwim-server.conf
- Delete all pods in the `zero-trust-workload-identity-manager` namespace
oc delete pod --all -n zero-trust-workload-identity-manager
Enjoy using ZTWIM TP1