openshift
diff --git a/‎_topic_maps/_topic_map.yml‎
Lines changed: 2 additions & 0 deletions b/‎_topic_maps/_topic_map.yml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎modules/zero-trust-manager-config-vault-oidc.adoc‎
Lines changed: 19 additions & 0 deletions b/‎modules/zero-trust-manager-config-vault-oidc.adoc‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎modules/zero-trust-manager-configure-azure.adoc‎
Lines changed: 331 additions & 0 deletions b/‎modules/zero-trust-manager-configure-azure.adoc‎
Lines changed: 331 additions & 0 deletions
@@ -1231,6 +1231,8 @@ Topics:
     File: zero-trust-manager-install
   - Name: Deploying Zero Trust Workload Identity Manager operands
     File: zero-trust-manager-configuration
+  - Name: Configuring Zero Trust Workload Identity Manager OIDC Federation
+    File: zero-trust-manager-oidc-federation
   - Name: Monitoring Zero Trust Workload Identity Manager
     File: zero-trust-manager-monitoring
   - Name: Enabling create-only mode for the Zero Trust Workload Identity Manager
 
@@ -0,0 +1,19 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-oidc-federation.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-config-vault-oidc_{context}"]
+= How to configure the Vault OpenID Connect
+
+The Vault OpenID Connect (OIDC) allows a SPIRE-identified workload to authenticate against a federated Vault server. The SPIRE Server issues JSON Web Token SPIFFE Verifiable Identity Documents (JWT-SVIDs) to workloads and the workloads then present the JWT-SVID to Vault to authenticate and retrieve the secrets it is authorized to access.
+
+The steps to configure Vault OIDC are:
+
+* Install Vault
+
+* Initialize Vault
+
+
+
+
@@ -0,0 +1,331 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-oidc-federation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-configure-aws_{context}"]
+= Using Entra ID with {azure-first}
+
+After the Entra ID configuration is complete, you can set up Entra ID to work with {azure-short}.
+
+.Prerequisites
+
+* You have configured the SPIRE OIDC Discovery Provider Route to serve the TLS certificates from a publicly trusted CA.
+
+== Configuring an {azure-short} account
+
+.Procedure
+
+. Log in to Azure by running the following command:
++
+[source,terminal]
+----
+$ az login
+----
+
+. Configure variables for your Azure subscription and tenant:
++
+[source,terminal]
+----
+$ export SUBSCRIPTION_ID=$(az account list --query "[?isDefault].id" -o tsv) <1>
+$ export TENANT_ID=$(az account list --query "[?isDefault].tenantId" -o tsv) <2>
+$ export LOCATION=centralus <3>
+----
++
+<1> Your unique subscription identifier.
+<2> The ID for your Azure Active Directory instance.
+<3> The Azure region where your resource is created.
+
+. Define resource variable names.
++
+[source,terminal]
+----
+$ export NAME=ztwim <1>
+$ export RESOURCE_GROUP="${NAME}-rg" <2>
+$ export STORAGE_ACCOUNT="${NAME}storage" <3>
+$ export STORAGE_CONTAINER="${NAME}storagecontainer" <4>
+$ export USER_ASSIGNED_IDENTITY_NAME="${NAME}-identity" <5>
+----
++
+<1> A base name for all resources.
+<2> The name of the resource group.
+<3> The name for the storage account.
+<4> The name for the storage container.
+<5> The name for a managed identity.
+
+. Create the resource group.
++
+[source,terminal]
+----
+$ az group create \
+  --name "${RESOURCE_GROUP}" \
+  --location "${LOCATION}"
+----
+
+== Configuring Azure blob storage
+
+.Procedure
+
+. Create a new storage account that is used to store content.
++
+[source,terminal]
+----
+$ az storage account create \
+  --name ${STORAGE_ACCOUNT} \
+  --resource-group ${RESOURCE_GROUP} \
+  --location ${LOCATION} \
+  --encryption-services blob
+----
+
+. Obtain the storage ID for the newly created storage account.
++
+[source,terminal]
+----
+$ export STORAGE_ACCOUNT_ID=$(az storage account show -n ${STORAGE_ACCOUNT} -g ${RESOURCE_GROUP} --query id --out tsv)
+----
+
+. Create a storage container inside the newly created Storage Account to provide a location to support the storage of blobs.
++
+[source,terminal]
+----
+$ az storage container create \
+  --account-name ${STORAGE_ACCOUNT} \
+  --name ${STORAGE_CONTAINER} \
+  --auth-mode login
+----
+
+== Configuring an Azure user managed identity
+
+.Procedure
+
+. Create a new User Managed Identity and then obtain the Client ID of the related Service Principal associated with the User Managed Identity.
++
+[source,terminal]
+----
+$ az identity create \
+  --name ${USER_ASSIGNED_IDENTITY_NAME} \
+  --resource-group ${RESOURCE_GROUP}
+
+$ export IDENTITY_CLIENT_ID=$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)
+----
+
+. Associate a role with the Service Principal associated with the User Managed Identity.
++
+[source,terminal]
+----
+$ az role assignment create \
+  --role "Storage Blob Data Contributor" \
+  --assignee "${IDENTITY_CLIENT_ID}" \
+  --scope ${STORAGE_ACCOUNT_ID}
+----
+
+== Creating the demonstration application
+
+.Procedure
+
+. Set the application name and namespace.
++
+[source,terminal]
+----
+$ export APP_NAME=workload-app
+$ export APP_NAMESPACE=demo
+----
+
+. Create the namespace.
++
+[source,terminal]
+----
+$ oc create namespace $APP_NAMESPACE
+----
+
+. Create the application Secret.
++
+[source,terminal]
+----
+$ oc apply -f - << EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: $APP_NAME
+  namespace: $APP_NAMESPACE
+stringData:
+  AAD_AUTHORITY: https://login.microsoftonline.com/
+  AZURE_AUDIENCE: "api://AzureADTokenExchange"
+  AZURE_TENANT_ID: "${TENANT_ID}"
+  AZURE_CLIENT_ID: "${IDENTITY_CLIENT_ID}"
+  BLOB_STORE_ACCOUNT: "${STORAGE_ACCOUNT}"
+  BLOB_STORE_CONTAINER: "${STORAGE_CONTAINER}"
+EOF
+----
+
+== Deploying the workload application
+
+.Procedure
+
+. To deploy the application, copy the entire command block provided and paste it directly into your terminal. Press *Enter*.
++
+[source,terminal]
+----
+$ oc apply -f - << EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: $APP_NAME
+  namespace: $APP_NAMESPACE
+---
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: $APP_NAME
+  namespace: $APP_NAMESPACE
+spec:
+  selector:
+    matchLabels:
+      app: $APP_NAME
+  template:
+    metadata:
+      labels:
+        app: $APP_NAME
+        deployment: $APP_NAME
+    spec:
+      serviceAccountName: $APP_NAME
+      containers:
+        - name: $APP_NAME
+          image: "registry.redhat.io/ubi9/python-311:latest"
+          command:
+            - /bin/bash
+            - "-c"
+            - |
+              #!/bin/bash
+              pip install spiffe azure-cli
+
+              cat << EOF > /opt/app-root/src/get-spiffe-token.py
+              #!/opt/app-root/bin/python
+              from spiffe import JwtSource
+              import argparse
+              parser = argparse.ArgumentParser(description='Retrieve SPIFFE Token.')
+              parser.add_argument("-a", "--audience", help="The audience to include in the token", required=True)
+              args = parser.parse_args()
+              with JwtSource() as source:
+                jwt_svid = source.fetch_svid(audience={args.audience})
+                print(jwt_svid.token)
+              EOF
+
+              chmod +x /opt/app-root/src/get-spiffe-token.py
+              while true; do sleep 10; done
+          envFrom:
+          - secretRef:
+              name: $APP_NAME
+          env:
+            - name: SPIFFE_ENDPOINT_SOCKET
+              value: unix:///run/spire/sockets/spire-agent.sock
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: false
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+          volumeMounts:
+            - name: spiffe-workload-api
+              mountPath: /run/spire/sockets
+              readOnly: true
+      volumes:
+        - name: spiffe-workload-api
+          csi:
+            driver: csi.spiffe.io
+            readOnly: true
+EOF
+----
+
+.Verification
+. Ensure that the `workload-app` pod is running successfully.
++
+[source,terminal]
+----
+$ oc get pods -n $APP_NAMESPACE
+----
++
+.Example output
+[source, terminal]
+----
+NAME                             READY     STATUS      RESTARTS      AGE
+workload-app-5f8b9d685b-abcde    1/1       Running     0             60s
+----
+
+. Retrieve the SPIFFE JWT Token (SVID-JWT)
++
+[source,terminal]
+----
+# Get the pod name dynamically
+$ POD_NAME=$(oc get pods -n $APP_NAMESPACE -l app=$APP_NAME -o jsonpath='{.items[0].metadata.name}')
+
+# Execute the script inside the pod
+$ oc exec -it $POD_NAME -n $APP_NAMESPACE -- \
+  /opt/app-root/src/get-spiffe-token.py -a "api://AzureADTokenExchange"
+----
+
+== Configuring Azure with the SPIFFE identity federation
+
+.Procedure
+
+* Federate the identities between the User Managed Identity and the SPIFFE identity associated with the workload application.
++
+[source,terminal]
+----
+$ az identity federated-credential create \
+  --name ${NAME} \
+  --identity-name ${USER_ASSIGNED_IDENTITY_NAME} \
+  --resource-group ${RESOURCE_GROUP} \
+  --issuer https://$JWT_ISSUER_ENDPOINT \
+  --subject spiffe://$APP_DOMAIN/ns/$APP_NAMESPACE/sa/$APP_NAME \
+  --audience api://AzureADTokenExchange
+----
+
+== Verifying that the application workload can access the content in the Azure Blob Storage
+
+.Procedure
+
+. Retrieve a JWT token from the SPIFFE Workload API and login to the Azure CLI included within the pod.
++
+[source,terminal]
+----
+$ oc rsh -n $APP_NAMESPACE deployment/$APP_NAME
+
+$ export TOKEN=$(/opt/app-root/src/get-spiffe-token.py --audience=$AZURE_AUDIENCE)
+$ az login --service-principal \
+  -t ${AZURE_TENANT_ID} \
+  -u ${AZURE_CLIENT_ID} \
+  --federated-token ${TOKEN}
+----
+
+. Create a new file with the application workload pod and upload the file to the Blob Storage.
++
+[source,terminal]
+----
+$ echo “Hello from OpenShift” > openshift-spire-federated-identities.txt
+$ az storage blob upload \
+  --account-name ${BLOB_STORE_ACCOUNT} \
+  --container-name ${BLOB_STORE_CONTAINER} \
+  --name openshift-spire-federated-identities.txt \
+  --file openshift-spire-federated-identities.txt \
+  --auth-mode login
+----
+
+.Verification
+* Confirm the file uploaded successfully by listing the files contained.
++
+[source,terminal]
+----
+$ az storage blob list \
+  --account-name ${BLOB_STORE_ACCOUNT} \
+  --container-name ${BLOB_STORE_CONTAINER} \
+  --auth-mode login \
+  -o table
+----
+