OSDOCS-17246 created doc for spire federation #103787

wgabor0427 · 2025-12-10T22:40:23Z

Version(s):
4.20+

Issue:
https://issues.redhat.com/browse/OSDOCS-17246

Link to docs preview:

QE review:

QE has approved this change.

Additional information:

ocpdocs-previewbot · 2025-12-10T22:48:36Z

🤖 Thu Dec 18 19:04:17 - Prow CI generated the docs preview:

https://103787--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.html
https://103787--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-monitoring.html
https://103787--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-overview.html
https://103787--ocpdocs-pr.netlify.app/openshift-enterprise/latest/security/zero_trust_workload_identity_manager/zero-trust-manager-spire-federation.html

ocpdocs-vale-bot · 2025-12-10T22:50:53Z

modules/zero-trust-manager-automatic-management.adoc

+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-spire-federation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-automatic-management{context}"]


🤖 [error] OpenShiftAsciiDoc.IdHasContextVariable: ID is missing the '_{context}' variable at the end of the ID.

ocpdocs-vale-bot · 2025-12-10T22:50:55Z

modules/zero-trust-manager-config-example.adoc

+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-spire-federation.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-config-example{context}"]


🤖 [error] OpenShiftAsciiDoc.IdHasContextVariable: ID is missing the '_{context}' variable at the end of the ID.

ocpdocs-vale-bot · 2025-12-10T22:50:56Z

modules/zero-trust-manager-configure-endpoints.adoc

+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-spire-federation.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-configure-endpoints{context}"]


🤖 [error] OpenShiftAsciiDoc.IdHasContextVariable: ID is missing the '_{context}' variable at the end of the ID.

ocpdocs-vale-bot · 2025-12-10T22:50:57Z

modules/zero-trust-manager-federation-field-reference.adoc

+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-spire-federation.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-federation-field-reference{context}"]


🤖 [error] OpenShiftAsciiDoc.IdHasContextVariable: ID is missing the '_{context}' variable at the end of the ID.

ocpdocs-vale-bot · 2025-12-10T22:50:58Z

modules/zero-trust-manager-federation-field-reference.adoc

+|Description
+
+|`federation.bundleEndpoint.profile`
+|enum


🤖 [error] RedHat.TermsErrors: Use 'data enumeration' rather than 'enum'. For more information, see RedHat.TermsErrors.

enum is correct in this instance

ocpdocs-vale-bot · 2025-12-10T22:51:00Z

modules/zero-trust-manager-manual-management.adoc

+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-spire-federation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-manual-management{context}"]


🤖 [error] OpenShiftAsciiDoc.IdHasContextVariable: ID is missing the '_{context}' variable at the end of the ID.

ocpdocs-vale-bot · 2025-12-10T22:51:00Z

modules/zero-trust-manager-manual-management.adoc

+$ oc --kubeconfig=/path/to/cluster3/kubeconfig apply -f -
+----
+
+The following is example output from running the command:


🤖 [error] AsciiDocDITA.TaskStep: Content other than a single list cannot be mapped to DITA tasks.

anirudhAgniRedhat

In this document , the way to setup the federation is explained via script. the script mentioned in the document is not customer facing and might not be shared with the customers.
Can we please update it and only explain the way to configure federation via spire server CR only

anirudhAgniRedhat · 2025-12-11T10:23:23Z

modules/zero-trust-manager-config-example.adoc

+spec:
+  # ... other configuration ...
+  federation:
+    #########################################################################


remove these comments

anirudhAgniRedhat · 2025-12-11T10:24:25Z

modules/zero-trust-manager-manual-management.adoc

+[source,terminal]
+----
+$ ./setup-3-cluster-federation-serving_cert.sh \
+   -k1 /path/to/cluster1/kubeconfig \
+   -k2 /path/to/cluster2/kubeconfig \
+   -k3 /path/to/cluster3/kubeconfig \
+   -c1 cluster1-name \
+   -c2 cluster2-name \
+   -c3 cluster3-name
+----
+
+The following is an example of a configured script.
+
+[source,terminal]
+----
+$ ./setup-3-cluster-federation-serving_cert.sh \
+   -k1 /home/rausingh/Documents/aws_cluster/08DecCluster1/auth/kubeconfig \
+   -k2 /home/rausingh/Documents/aws_cluster/08DecCluster2/auth/kubeconfig \


please do not refer the script to configure the federation.

anirudhAgniRedhat · 2025-12-11T10:25:38Z

modules/zero-trust-manager-automatic-management.adoc

@@ -0,0 +1,190 @@
+// Module included in the following assemblies:


This file also refers to the script. Can we please remove this??

modules/zero-trust-manager-federation-configuration.adoc

ocpdocs-vale-bot · 2025-12-11T19:58:14Z

modules/zero-trust-manager-federation-configuration.adoc

+
+* You have network connectivity between the clusters you intend to federate.
+
+.Procedures


🤖 [error] AsciiDocDITA.TaskTitle: Unsupported titles cannot be mapped to DITA tasks.

ocpdocs-vale-bot · 2025-12-11T19:58:15Z

modules/zero-trust-manager-federation-configuration.adoc

+
+* You have network connectivity between the clusters you intend to federate.
+
+.Procedures


🤖 [error] AsciiDocDITA.BlockTitle: Block titles can only be assigned to examples, figures, and tables in DITA.

ocpdocs-vale-bot · 2025-12-11T19:58:15Z

modules/zero-trust-manager-federation-configuration.adoc

+
+. Edit your `SpireServer` custom resource to add the `federation` section.
+
+.Example YAML


🤖 [error] AsciiDocDITA.BlockTitle: Block titles can only be assigned to examples, figures, and tables in DITA.

anirudhAgniRedhat · 2025-12-15T16:06:07Z

/cc @rausingh-rh for review

openshift-ci · 2025-12-15T16:06:43Z

@anirudhAgniRedhat: GitHub didn't allow me to request PR reviews from the following users: for, review.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @rausingh-rh for review

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

anirudhAgniRedhat · 2025-12-15T16:07:56Z

/cc @sayak-redhat for docs review as well

openshift-ci · 2025-12-15T16:08:37Z

@anirudhAgniRedhat: GitHub didn't allow me to request PR reviews from the following users: for, docs, review, as, well.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @sayak-redhat for docs review as well

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

rausingh-rh · 2025-12-16T11:40:20Z

modules/zero-trust-manager-automatic-management.adoc

+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-automatic-management_{context}"]
+= Using SPIRE federation with Automatice Certificate Management (ACME)


Suggested change

= Using SPIRE federation with Automatice Certificate Management (ACME)

= Using SPIRE federation with Automatic Certificate Management Environment (ACME)

typo

ocpdocs-vale-bot · 2025-12-16T20:25:05Z

modules/zero-trust-manager-automatic-management.adoc

+
+    managedRoute: "true"  # <7>
+----
+<1> Set a unique trust domain for each cluster (for example, `cluster1.example.com`, `cluster2.example.com`)


🤖 [error] AsciiDocDITA.CalloutList: Callouts are not supported in DITA.

ocpdocs-vale-bot · 2025-12-16T20:25:05Z

modules/zero-trust-manager-automatic-management.adoc

+      "spiffe_sequence": 1
+    }
+----
+<1> Paste the complete trust bundle JSON content you fetched using `curl` in step 5


🤖 [error] AsciiDocDITA.CalloutList: Callouts are not supported in DITA.

ocpdocs-vale-bot · 2025-12-16T20:25:09Z

modules/zero-trust-manager-federation-configuration.adoc

+      "spiffe_sequence": 1
+    }
+----
+<1> The SPIFFE ID of the remote SPIRE server. Required for `https_spiffe` profile to validate the remote server's identity


🤖 [error] AsciiDocDITA.CalloutList: Callouts are not supported in DITA.

ocpdocs-vale-bot · 2025-12-17T19:47:46Z

modules/zero-trust-manager-manual-management.adoc

+
+* You have `cluster-admin` privileges on all participating clusters.
+
+* You have installed the {cert-manager-operator}. For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/security_and_compliance/cert-manager-operator-for-red-hat-openshift[cert-manager Operator for Red Hat OpenShift].


🤖 [error] OpenShiftAsciiDoc.SuggestAttribute: Use the AsciiDoc attribute '{cert-manager-operator}' rather than the plain text product term 'cert-manager Operator for Red Hat OpenShift', unless your use case is an exception.

stevsmit

I've left a lot of feedback on this PR, and really most of it can be resolved in a separate PR. I am not typically a fan of asking people to do remediation work after something's been merged, but you seem to have a lot on your plate across multiple PRs. Normally I would require this stuff to be fixed before merging, but given the nature of how we do reviews now, it seems like it's crunch time for you.

(Keep in mind that if you ever have XXL PRs that are staged and ready for review, you can still send them to merge review and add the do-not-merge label, just so when it's release day you can quickly get someone to merge them without having an actual review done).

What you need to do before merging:

Fix the mod_docs_content_type types where I've called them out. You have concept modules that are really reference modules, and reference modules that are really concept modules. I can honestly see how this can be confusing. So if you'll fix those, I'll merge this PR.

Post migration:

Almost all callouts need formatted according to Andrea's team's guidelines here: https://docs.google.com/document/d/1j78SA8Y-ZRlVATbVe6D8bdYj7mQzzhOJtGt1xH_3qa0/edit?tab=t.0 .
There are some minor nits like adding ". . . by running the following command:."
There are a few instances where I think substep numbering would help
Be sure to run the asciidoctor-dita-vale tool on subsequent PRs.

stevsmit · 2025-12-17T19:24:49Z

modules/zero-trust-manager-automatic-management.adoc

+= Using SPIRE federation with Automatic Certificate Management (ACME)
+
+[role="_abstract"]
+Using SPIRE federation with ACME provides automatic certificate provisioning from Let's Encrypt. ACME also enables automatic certificate renewal before expiration, eliminating manual certificate management overhead.


Suggested change

Using SPIRE federation with ACME provides automatic certificate provisioning from Let's Encrypt. ACME also enables automatic certificate renewal before expiration, eliminating manual certificate management overhead.

Using SPIRE federation with Automatic Certificate Management (ACME) provides automatic certificate provisioning from Let's Encrypt. ACME also enables automatic certificate renewal before expiration, eliminating manual certificate management overhead.

stevsmit · 2025-12-17T19:28:12Z

modules/zero-trust-manager-automatic-management.adoc

+          tosAccepted: "true"
+    managedRoute: "true"
+----
+


Should be like:

Suggested change

+

--

where:

`trustDomain::` Set a unique trust domain for each cluster (for example, `cluster1.example.com`, `cluster2.example.com`)

`<entry 2>`

`<entry 3>`

--

Technically some of these would start with "Specifies." See https://docs.google.com/document/d/1j78SA8Y-ZRlVATbVe6D8bdYj7mQzzhOJtGt1xH_3qa0/edit?tab=t.0#heading=h.vsfnqm21wp0r

Probably all need to end with periods.

I redid all of this in the new format * The <replaceable value> field .. format

stevsmit · 2025-12-17T19:29:28Z

modules/zero-trust-manager-automatic-management.adoc

+trustDomain:: Set a unique trust domain for each cluster (for example, `cluster1.example.com`, `cluster2.example.com`)
+profile:: Use `https_web` profile for ACME-based certificate management
+directoryUrl:: Let's Encrypt production directory URL. For testing, use: `https://acme-staging-v02.api.letsencrypt.org/directory`
+domainName:: The domain name where your federation endpoint will be accessible. This will be automatically set to `federation.<cluster-apps-domain>` if `managedRoute` is set to "true"


Suggested change

domainName:: The domain name where your federation endpoint will be accessible. This will be automatically set to `federation.<cluster-apps-domain>` if `managedRoute` is set to "true"

domainName:: The domain name where your federation endpoint will be accessible. This is automatically set to `federation.<cluster-apps-domain>` if `managedRoute` is set to "true".

stevsmit · 2025-12-17T19:46:02Z

modules/zero-trust-manager-automatic-management.adoc

+tosAccepted:: Accept Let's Encrypt Terms of Service
+managedRoute:: Enable automatic route creation by the operator for the federation bundle endpoint
+
+. Apply the configuration to each cluster:


Suggested change

. Apply the configuration to each cluster:

. Apply the configuration to each cluster by entering the following command:

On all like this

stevsmit · 2025-12-17T19:47:03Z

modules/zero-trust-manager-automatic-management.adoc

+$ oc apply -f spireserver.yaml
+----
+
+. Wait for the SPIRE Server to be ready on each cluster:


Suggested change

. Wait for the SPIRE Server to be ready on each cluster:

. Check the status of the SPIRE Server by entering the following command. Wait for the `Ready` status to be returned before proceeding to the next step.

stevsmit · 2025-12-17T20:36:26Z

modules/zero-trust-manager-configure-endpoints.adoc

+
+[IMPORTANT]
+====
+Once enabled, federation cannot be disabled. The bundle endpoint profile is immutable once configured. Changing the profile or disabling federation requires reinstallation of the system. However, peer configurations (`federatesWith`) remain dynamic and can be added or removed at any time. Plan your profile selection carefully based on your long-term federation requirements.


We only use "once" when it's being used as "one time".

Suggested change

Once enabled, federation cannot be disabled. The bundle endpoint profile is immutable once configured. Changing the profile or disabling federation requires reinstallation of the system. However, peer configurations (`federatesWith`) remain dynamic and can be added or removed at any time. Plan your profile selection carefully based on your long-term federation requirements.

After enablement, federation cannot be disabled. The bundle endpoint profile is immutable once configured. Changing the profile or disabling federation requires reinstallation of the system. However, peer configurations (`federatesWith`) remain dynamic and can be added or removed at any time. Plan your profile selection carefully based on your long-term federation requirements.

stevsmit · 2025-12-17T20:39:54Z

modules/zero-trust-manager-federation-configuration.adoc

+      refreshHint: 300
+    managedRoute: "true"
+----
+


Suggested change

+

--

where:

<entry>

--

stevsmit · 2025-12-17T20:41:48Z

modules/zero-trust-manager-federation-configuration.adoc

+
+[source,terminal]
+----
+$ curl -k https://federation.apps.cluster2.example.com > cluster2-bundle.json


In general we try not to have code blocks in notes. We could just make it another line and move it out of the NOTE box.

Moved code outside of annotation

stevsmit · 2025-12-17T20:41:58Z

modules/zero-trust-manager-federation-configuration.adoc

+
+. Create `ClusterFederatedTrustDomain` resources for each remote trust domain.
+
+On Cluster 1, create a resource to federate with Cluster 2:


Suggested change

On Cluster 1, create a resource to federate with Cluster 2:

.. On Cluster 1, create a resource to federate with Cluster 2:

stevsmit · 2025-12-17T20:45:36Z

modules/zero-trust-manager-federation-field-reference.adoc

+//
+// * security/zero_trust_workload_identity_manager/zero-trust-manager-spire-federation.adoc
+
+:_mod-docs-content-type: CONCEPT


Probably more of a REFERENCE module (even has REFERENCE in the title :D )

ocpdocs-vale-bot · 2025-12-18T00:07:38Z

modules/zero-trust-manager-manual-management.adoc

+
+* You have `cluster-admin` privileges on all participating clusters.
+
+* You have installed the {cert-manager-operator}. For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/security_and_compliance/cert-manager-operator-for-red-hat-openshift[cert-manager Operator for Red Hat OpenShift].


🤖 [error] OpenShiftAsciiDoc.SuggestAttribute: Use the AsciiDoc attribute '{cert-manager-operator}' rather than the plain text product term 'cert-manager Operator for Red Hat OpenShift', unless your use case is an exception.

sayak-redhat · 2025-12-18T11:18:27Z

lgtm

sayak-redhat

lgtm

lunarwhite · 2025-12-18T11:59:21Z

modules/zero-trust-manager-automatic-management.adoc

+metadata:
+  name: cluster
+  namespace: zero-trust-workload-identity-manager


Suggested change

metadata:

name: cluster

namespace: zero-trust-workload-identity-manager

metadata:

name: cluster

lunarwhite · 2025-12-18T12:00:22Z

modules/zero-trust-manager-automatic-management.adoc

+metadata:
+  name: cluster
+  namespace: zero-trust-workload-identity-manager


Suggested change

metadata:

name: cluster

namespace: zero-trust-workload-identity-manager

metadata:

name: cluster

lunarwhite · 2025-12-18T12:02:03Z

modules/zero-trust-manager-config-example.adoc

+metadata:
+  name: cluster
+  namespace: zero-trust-workload-identity-manager


Suggested change

metadata:

name: cluster

namespace: zero-trust-workload-identity-manager

metadata:

name: cluster

lunarwhite · 2025-12-18T12:02:49Z

modules/zero-trust-manager-config-example.adoc

+metadata:
+  name: cluster
+  namespace: zero-trust-workload-identity-manager


Suggested change

metadata:

name: cluster

namespace: zero-trust-workload-identity-manager

metadata:

name: cluster

lunarwhite · 2025-12-18T12:03:40Z

modules/zero-trust-manager-config-example.adoc

+      - trustDomain: partner.example.com
+        bundleEndpointUrl: https://federation.partner.example.com
+        bundleEndpointProfile: https_web
+      #Another external partner using Web PKI


Suggested change

#Another external partner using Web PKI

# Another external partner using Web PKI

lunarwhite · 2025-12-18T12:09:21Z

modules/zero-trust-manager-manual-management.adoc

+metadata:
+  name: cluster
+  namespace: zero-trust-workload-identity-manager


Suggested change

metadata:

name: cluster

namespace: zero-trust-workload-identity-manager

metadata:

name: cluster

lunarwhite · 2025-12-18T12:09:33Z

modules/zero-trust-manager-manual-management.adoc

+metadata:
+  name: cluster
+  namespace: zero-trust-workload-identity-manager


Suggested change

metadata:

name: cluster

namespace: zero-trust-workload-identity-manager

metadata:

name: cluster

lunarwhite · 2025-12-18T12:16:58Z

modules/zero-trust-manager-automatic-management.adoc

+
+[source,terminal]
+----
+$ oc get spireserver cluster -n zero-trust-workload-identity-manager -w


Suggested change

$ oc get spireserver cluster -n zero-trust-workload-identity-manager -w

$ oc get spireserver cluster -w

lunarwhite · 2025-12-18T12:18:11Z

modules/zero-trust-manager-federation-configuration.adoc

+. Wait for the SPIRE Server to be ready:
+
+[source,terminal]
+----
+$ oc get spireserver cluster -n zero-trust-workload-identity-manager -w
+----
+


Suggested change

. Wait for the SPIRE Server to be ready:

+

[source,terminal]

----

$ oc get spireserver cluster -n zero-trust-workload-identity-manager -w

----

+

lunarwhite · 2025-12-18T12:18:19Z

modules/zero-trust-manager-federation-configuration.adoc

+
+[source,terminal]
+----
+$ oc get spireserver cluster -n zero-trust-workload-identity-manager -w


Suggested change

$ oc get spireserver cluster -n zero-trust-workload-identity-manager -w

$ oc get spireserver cluster -w

lunarwhite · 2025-12-18T12:28:45Z

modules/zero-trust-manager-automatic-management.adoc

+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-automatic-management_{context}"]
+= Using SPIRE federation with Automatic Certificate Management


Suggested change

= Using SPIRE federation with Automatic Certificate Management

= Using SPIRE federation with Automatic Certificate Management Environment protocol

lunarwhite · 2025-12-18T12:29:07Z

modules/zero-trust-manager-automatic-management.adoc

+= Using SPIRE federation with Automatic Certificate Management
+
+[role="_abstract"]
+Using SPIRE federation with Automatic Certificate Management (ACME) provides automatic certificate provisioning from Let's Encrypt. ACME also enables automatic certificate renewal before expiration, eliminating manual certificate management overhead.


Suggested change

Using SPIRE federation with Automatic Certificate Management (ACME) provides automatic certificate provisioning from Let's Encrypt. ACME also enables automatic certificate renewal before expiration, eliminating manual certificate management overhead.

Using SPIRE federation with Automatic Certificate Management Environment (ACME) protocol provides automatic certificate provisioning from Let's Encrypt. ACME also enables automatic certificate renewal before expiration, eliminating manual certificate management overhead.

ocpdocs-vale-bot · 2025-12-18T14:06:35Z

modules/zero-trust-manager-manual-management.adoc

+
+* You have `cluster-admin` privileges on all participating clusters.
+
+* You have installed the {cert-manager-operator}. For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/security_and_compliance/cert-manager-operator-for-red-hat-openshift[cert-manager Operator for Red Hat OpenShift].


🤖 [error] OpenShiftAsciiDoc.SuggestAttribute: Use the AsciiDoc attribute '{cert-manager-operator}' rather than the plain text product term 'cert-manager Operator for Red Hat OpenShift', unless your use case is an exception.

ocpdocs-vale-bot · 2025-12-18T15:52:39Z

modules/zero-trust-manager-manual-management.adoc

+
+* You have `cluster-admin` privileges on all participating clusters.
+
+* You have installed the {cert-manager-operator}. For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/security_and_compliance/cert-manager-operator-for-red-hat-openshift[cert-manager Operator for Red Hat OpenShift].


🤖 [error] OpenShiftAsciiDoc.SuggestAttribute: Use the AsciiDoc attribute '{cert-manager-operator}' rather than the plain text product term 'cert-manager Operator for Red Hat OpenShift', unless your use case is an exception.

stevsmit · 2025-12-18T18:41:30Z

modules/zero-trust-manager-federation-configuration.adoc

+$ curl -k https://federation.apps.cluster2.example.com > cluster2-bundle.json
+----
+
+The response contains the trust bundle in JSON Web Key Set (JWKS) format:


This line needs fixed:

ocpdocs-vale-bot · 2025-12-18T19:04:59Z

modules/zero-trust-manager-enable-metrics-server.adoc

🤖 [error] AsciiDocDITA.ShortDescription: Assign [role="_abstract"] to a paragraph to use it as in DITA.

ocpdocs-vale-bot · 2025-12-18T19:05:07Z

modules/zero-trust-manager-manual-management.adoc

+
+* You have `cluster-admin` privileges on all participating clusters.
+
+* You have installed the {cert-manager-operator}. For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/security_and_compliance/cert-manager-operator-for-red-hat-openshift[cert-manager Operator for Red Hat OpenShift].


🤖 [error] OpenShiftAsciiDoc.SuggestAttribute: Use the AsciiDoc attribute '{cert-manager-operator}' rather than the plain text product term 'cert-manager Operator for Red Hat OpenShift', unless your use case is an exception.

ocpdocs-vale-bot · 2025-12-18T19:05:11Z

security/zero_trust_workload_identity_manager/zero-trust-manager-configuration.adoc

🤖 [error] AsciiDocDITA.ShortDescription: Assign [role="_abstract"] to a paragraph to use it as in DITA.

ocpdocs-vale-bot · 2025-12-18T19:05:14Z

security/zero_trust_workload_identity_manager/zero-trust-manager-overview.adoc

🤖 [error] AsciiDocDITA.ShortDescription: Assign [role="_abstract"] to a paragraph to use it as in DITA.

openshift-ci · 2025-12-18T19:05:25Z

@wgabor0427: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

stevsmit · 2025-12-18T19:27:17Z

Merging under the conditions that there are still a few ADV errors that need resolved in a follow up PR.

stevsmit · 2025-12-18T19:27:33Z

/cherry-pick enterprise-4.21

stevsmit · 2025-12-18T19:27:37Z

/cherry-pick enterprise-4.20

openshift-cherrypick-robot · 2025-12-18T19:28:25Z

@stevsmit: new pull request created: #104191

Details

In response to this:

/cherry-pick enterprise-4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-cherrypick-robot · 2025-12-18T19:28:30Z

@stevsmit: new pull request created: #104192

Details

In response to this:

/cherry-pick enterprise-4.20

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci bot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Dec 10, 2025

ocpdocs-vale-bot reviewed Dec 10, 2025

View reviewed changes

wgabor0427 force-pushed the OSDOCS-17246 branch from 8bda82c to c5e1d35 Compare December 10, 2025 22:57

anirudhAgniRedhat reviewed Dec 11, 2025

View reviewed changes

wgabor0427 force-pushed the OSDOCS-17246 branch from c5e1d35 to bc1ed89 Compare December 11, 2025 19:50

ocpdocs-vale-bot reviewed Dec 11, 2025

View reviewed changes

modules/zero-trust-manager-federation-configuration.adoc Show resolved Hide resolved

ocpdocs-vale-bot reviewed Dec 11, 2025

View reviewed changes

wgabor0427 force-pushed the OSDOCS-17246 branch from bc1ed89 to 12e686f Compare December 11, 2025 20:17

openshift-ci bot requested a review from rausingh-rh December 15, 2025 16:06

openshift-ci bot requested a review from sayak-redhat December 15, 2025 16:08

rausingh-rh reviewed Dec 16, 2025

View reviewed changes

wgabor0427 force-pushed the OSDOCS-17246 branch from 12e686f to d91b1d0 Compare December 16, 2025 20:11

openshift-ci bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Dec 16, 2025

ocpdocs-vale-bot reviewed Dec 16, 2025

View reviewed changes

wgabor0427 force-pushed the OSDOCS-17246 branch from 542ef07 to 02e078e Compare December 17, 2025 19:35

ocpdocs-vale-bot reviewed Dec 17, 2025

View reviewed changes

stevsmit reviewed Dec 17, 2025

View reviewed changes

wgabor0427 force-pushed the OSDOCS-17246 branch from 02e078e to fb5c75e Compare December 17, 2025 23:55

ocpdocs-vale-bot reviewed Dec 18, 2025

View reviewed changes

maxwelldb mentioned this pull request Dec 18, 2025

[prow/ci] attempt to use file-level comments for vale's 1:1 errors #104109

Merged

sayak-redhat reviewed Dec 18, 2025

View reviewed changes

lunarwhite reviewed Dec 18, 2025

View reviewed changes

wgabor0427 force-pushed the OSDOCS-17246 branch from fb5c75e to 409a00d Compare December 18, 2025 13:56

ocpdocs-vale-bot reviewed Dec 18, 2025

View reviewed changes

wgabor0427 force-pushed the OSDOCS-17246 branch from 409a00d to 064bd50 Compare December 18, 2025 15:42

ocpdocs-vale-bot reviewed Dec 18, 2025

View reviewed changes

stevsmit reviewed Dec 18, 2025

View reviewed changes

OSDOCS-17246 updated modules

7d67fda

wgabor0427 force-pushed the OSDOCS-17246 branch from 064bd50 to 7d67fda Compare December 18, 2025 18:54

ocpdocs-vale-bot reviewed Dec 18, 2025

View reviewed changes

stevsmit merged commit 43ec5f2 into openshift:main Dec 18, 2025
2 checks passed

openshift-cherrypick-robot mentioned this pull request Dec 18, 2025

[enterprise-4.21] OSDOCS-17246 created doc for spire federation #104191

Merged

openshift-cherrypick-robot mentioned this pull request Dec 18, 2025

[enterprise-4.20] OSDOCS-17246 created doc for spire federation #104192

Merged

		@@ -0,0 +1,190 @@
		// Module included in the following assemblies:


		* You have network connectivity between the clusters you intend to federate.

		.Procedures

	= Using SPIRE federation with Automatice Certificate Management (ACME)
	= Using SPIRE federation with Automatic Certificate Management Environment (ACME)


		* You have `cluster-admin` privileges on all participating clusters.

		* You have installed the {cert-manager-operator}. For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html/security_and_compliance/cert-manager-operator-for-red-hat-openshift[cert-manager Operator for Red Hat OpenShift].

	Using SPIRE federation with ACME provides automatic certificate provisioning from Let's Encrypt. ACME also enables automatic certificate renewal before expiration, eliminating manual certificate management overhead.
	Using SPIRE federation with Automatic Certificate Management (ACME) provides automatic certificate provisioning from Let's Encrypt. ACME also enables automatic certificate renewal before expiration, eliminating manual certificate management overhead.

++
+--
+where:
+`trustDomain::` Set a unique trust domain for each cluster (for example, `cluster1.example.com`, `cluster2.example.com`)
+`<entry 2>`
+`<entry 3>`
+--

	domainName:: The domain name where your federation endpoint will be accessible. This will be automatically set to `federation.<cluster-apps-domain>` if `managedRoute` is set to "true"
	domainName:: The domain name where your federation endpoint will be accessible. This is automatically set to `federation.<cluster-apps-domain>` if `managedRoute` is set to "true".

	. Apply the configuration to each cluster:
	. Apply the configuration to each cluster by entering the following command:

	. Wait for the SPIRE Server to be ready on each cluster:
	. Check the status of the SPIRE Server by entering the following command. Wait for the `Ready` status to be returned before proceeding to the next step.

	Once enabled, federation cannot be disabled. The bundle endpoint profile is immutable once configured. Changing the profile or disabling federation requires reinstallation of the system. However, peer configurations (`federatesWith`) remain dynamic and can be added or removed at any time. Plan your profile selection carefully based on your long-term federation requirements.
	After enablement, federation cannot be disabled. The bundle endpoint profile is immutable once configured. Changing the profile or disabling federation requires reinstallation of the system. However, peer configurations (`federatesWith`) remain dynamic and can be added or removed at any time. Plan your profile selection carefully based on your long-term federation requirements.

++
+--
+where:
+<entry>
+--

	On Cluster 1, create a resource to federate with Cluster 2:
	.. On Cluster 1, create a resource to federate with Cluster 2:

	#Another external partner using Web PKI
	# Another external partner using Web PKI

	$ oc get spireserver cluster -n zero-trust-workload-identity-manager -w
	$ oc get spireserver cluster -w

OSDOCS-17246 created doc for spire federation #103787

OSDOCS-17246 created doc for spire federation #103787

Uh oh!

Conversation

wgabor0427 commented Dec 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

ocpdocs-previewbot commented Dec 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

anirudhAgniRedhat left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

anirudhAgniRedhat commented Dec 15, 2025

Uh oh!

openshift-ci bot commented Dec 15, 2025

Uh oh!

anirudhAgniRedhat commented Dec 15, 2025

Uh oh!

openshift-ci bot commented Dec 15, 2025

Uh oh!

rausingh-rh Dec 16, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

stevsmit left a comment

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

wgabor0427 commented Dec 10, 2025 •

edited

Loading

ocpdocs-previewbot commented Dec 10, 2025 •

edited

Loading

rausingh-rh Dec 16, 2025 •

edited

Loading