openshift · wgabor0427 · Apr 28, 2026 · ocpdocs-vale-bot · Apr 28, 2026
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -1301,6 +1301,8 @@ Topics:
     File: zero-trust-manager-install
   - Name: Deploying Zero Trust Workload Identity Manager operands
     File: zero-trust-manager-configuration
+  - Name: Configuring Zero Trust Workload Identity Manager OIDC Federation
+    File: zero-trust-manager-oidc-federation
   - Name: Monitoring Zero Trust Workload Identity Manager
     File: zero-trust-manager-monitoring
   - Name: Uninstalling Zero Trust Workload Identity Manager

diff --git a/modules/zero-trust-manager-config-azure-blob.adoc b/modules/zero-trust-manager-config-azure-blob.adoc
@@ -0,0 +1,40 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-oidc-federation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-configure-azure-blob_{context}"]
+= Configuring Azure blob storage
+
+[role="_abstract"]
+Create and configure an Azure storage account and container to store blob content for your zero trust environment. This procedure includes enabling blob encryption and retrieving the unique storage account identifier for further configuration.
+
+.Procedure
+
+. Create a new storage account that is used to store content by running the following command:
++
+[source,terminal]
+----
+$ az storage account create \
+  --name ${STORAGE_ACCOUNT} \
+  --resource-group ${RESOURCE_GROUP} \
+  --location ${LOCATION} \
+  --encryption-services blob
+----
+
+. Obtain the storage ID for the newly created storage account by running the following command:
++
+[source,terminal]
+----
+$ export STORAGE_ACCOUNT_ID=$(az storage account show -n ${STORAGE_ACCOUNT} -g ${RESOURCE_GROUP} --query id --out tsv)
+----
+
+. Create a storage container inside the newly created storage account to provide a location to support the storage of blobs by running the following command:
++
+[source,terminal]
+----
+$ az storage container create \
+  --account-name ${STORAGE_ACCOUNT} \
+  --name ${STORAGE_CONTAINER} \
+  --auth-mode login
+----
diff --git a/modules/zero-trust-manager-config-azure-identity.adoc b/modules/zero-trust-manager-config-azure-identity.adoc
@@ -0,0 +1,43 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-oidc-federation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-configure-azure-identity_{context}"]
+= Configuring an Azure user managed identity
+
+[role="_abstract"]
+Create an Azure user-assigned managed identity and assign it the Storage Blob Data Contributor role. This procedure includes retrieving the identity client ID to authorize access to your Azure storage resources.
+
+.Procedure
+
+. Create a new User Managed Identity and then obtain the Client ID of the related Service Principal associated with the User Managed Identity by running the following command:
++
+[source,terminal]
+----
+$ az identity create \
+  --name ${USER_ASSIGNED_IDENTITY_NAME} \
+  --resource-group ${RESOURCE_GROUP}
+----
++
+[source,terminal]
+----
+$ export IDENTITY_CLIENT_ID=$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)
+----
+
+. Retrieve the `CLIENT_ID` of an Azure user-assigned managed identity and save it as an environment variable by running the following command:
++
+[source,terminal]
+----
+$ export IDENTITY_CLIENT_ID=$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)
+----
+
+. Associate a role with the Service Principal associated with the User Managed Identity by running the following command:
++
+[source,terminal]
+----
+$ az role assignment create \
+  --role "Storage Blob Data Contributor" \
+  --assignee "${IDENTITY_CLIENT_ID}" \
+  --scope ${STORAGE_ACCOUNT_ID}
+----
diff --git a/modules/zero-trust-manager-configure-azure.adoc b/modules/zero-trust-manager-configure-azure.adoc
@@ -0,0 +1,96 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-oidc-federation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-configure-azure_{context}"]
+= Using Entra ID with {azure-first}
+
+[role="_abstract"]
+Integrate Entra ID with {azure-short} by logging in to the Azure CLI, defining environment variables for your resources, and creating a resource group to manage your workload identity components.
+
+.Prerequisites
+
+* You have configured the SPIRE OIDC Discovery Provider Route to serve the TLS certificates from a publicly trusted CA.
+
+.Procedure
+
+. Log in to Azure by running the following command:
++
+[source,terminal]
+----
+$ az login
+----
+
+. Configure variables for your Azure subscription and tenant by running the following commands:
++
+[source,terminal]
+----
+$ export SUBSCRIPTION_ID=$(az account list --query "[?isDefault].id" -o tsv)
+----
++
+[source,terminal]
+----
+$ export TENANT_ID=$(az account list --query "[?isDefault].tenantId" -o tsv)
+----
++
+[source,terminal]
+----
+$ export LOCATION=centralus
+----
++
+where:
+
+`SUBSCRIPTION_ID`:: Specifies your unique subscription identifier.
+
+`TENANT_ID`:: Specifies the ID for your Azure Active Directory instance.
+
+`LOCATION`:: The Azure region where your resource is created.
+
+. Define resource variable names by running the following commands:
++
+[source,terminal]
+----
+$ export NAME=ztwim
+----
++
+[source,terminal]
+----
+$ export RESOURCE_GROUP="${NAME}-rg"
+----
++
+[source,terminal]
+----
+$ export STORAGE_ACCOUNT="${NAME}storage"
+----
++
+[source,terminal]
+----
+$ export STORAGE_CONTAINER="${NAME}storagecontainer"
+----
++
+[source,terminal]
+----
+$ export USER_ASSIGNED_IDENTITY_NAME="${NAME}-identity"
+----
++
+where:
+
+`NAME`:: Specifies A base name for all resources.
+
+`RESOURCE_GROUP`:: Specifies the name of the resource group.
+
+`STORAGE_ACCOUNT`:: Specifies the name for the storage account.
+
+`STORAGE_CONTAINER`:: Specifies the name for the storage container.
+
+`USER_ASSIGNED_IDENTITY_NAME`:: Specifies the name for a managed identity.
+
+. Create the resource group by running the following command:
++
+[source,terminal]
+----
+$ az group create \
+  --name "${RESOURCE_GROUP}" \
+  --location "${LOCATION}"
+----
diff --git a/modules/zero-trust-manager-create-demo-app.adoc b/modules/zero-trust-manager-create-demo-app.adoc
@@ -0,0 +1,51 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-oidc-federation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-create-demo-app_{context}"]
+= Creating the demonstration application
+
+[role="_abstract"]
+Verify your zero trust configuration by creating a demonstration application. This procedure includes creating a dedicated namespace and a Secret that stores the Azure tenant, client, and storage identifiers required for authentication.
+
+.Procedure
+
+. Set the application name and namespace by running the following commands:
++
+[source,terminal]
+----
+$ export APP_NAME=workload-app
+----
++
+[source,terminal]
+----
+$ export APP_NAMESPACE=demo
+----
+
+. Create the namespace by running the following command:
++
+[source,terminal]
+----
+$ oc create namespace $APP_NAMESPACE
+----
+
+. Create the application Secret by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f - << EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: $APP_NAME
+  namespace: $APP_NAMESPACE
+stringData:
+  AAD_AUTHORITY: https://login.microsoftonline.com/
+  AZURE_AUDIENCE: "api://AzureADTokenExchange"
+  AZURE_TENANT_ID: "${TENANT_ID}"
+  AZURE_CLIENT_ID: "${IDENTITY_CLIENT_ID}"
+  BLOB_STORE_ACCOUNT: "${STORAGE_ACCOUNT}"
+  BLOB_STORE_CONTAINER: "${STORAGE_CONTAINER}"
+EOF
+----
diff --git a/modules/zero-trust-manager-create-route-oidc.adoc b/modules/zero-trust-manager-create-route-oidc.adoc
@@ -0,0 +1,84 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manageer/zero-trust-manager-oidc-federation.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="zero-trust-manager-create-route-oidc_{context}"]
+= Configuring the external certificate for the managed OIDC discovery provider route
+
+[role="_abstract"]
+To secure OIDC federation, configure an external TLS certificate for the SPIRE OIDC Discovery Provider route by setting up necessary role-based access control (RBAC) permissions and updating the discovery provider custom resource.
+
+.Prerequisites
+
+* You have installed {zero-trust-full} 0.2.0 or later.
+
+* You have deployed the SPIRE Server, SPIRE Agent, SPIFFEE CSI Driver, and the SPIRE OIDC Discovery Provider operands in the cluster.
+
+* You have installed the {cert-manager-operator}. For more information, link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html-single/security_and_compliance/index#cert-manager-operator-install[Installing the cert-manager Operator for Red{nbsp}Hat OpenShift].
+
+* You have created a `ClusterIssuer` or `Issuer` configured with a publicly trusted CA service. For example, an Automated Certificate Management Environment (ACME) type `Issuer` with the "Let's Encrypt ACME" service. For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html-single/security_and_compliance/index#cert-manager-operator-issuer-acme[Configuring an ACME issuer]
+
+.Procedure
+
+. Create a `Role` to provide the router service account permissions to read the referenced secret by running the following command:
++
+[source,terminal]
+----
+$ oc create role secret-reader \
+  --verb=get,list,watch \
+  --resource=secrets \
+  --resource-name=$TLS_SECRET_NAME \
+  -n zero-trust-workload-identity-manager
+----
+
+. Create a `RoleBinding` resource to bind the router service account with the newly created Role resource by running the following command:
++
+[source,terminal]
+----
+$ oc create rolebinding secret-reader-binding \
+  --role=secret-reader \
+  --serviceaccount=openshift-ingress:router \
+  -n zero-trust-workload-identity-manager
+----
+
+. Configure the `SpireOIDCDIscoveryProvider` Custom Resource (CR) object to reference the Secret generated in the earlier step by running the following command:
++
+[source,terminal]
+----
+$ oc patch SpireOIDCDiscoveryProvider cluster --type=merge -p='
+spec:
+  externalSecretRef: ${TLS_SECRET_NAME}
+'
+----
+
+.Verification
+
+. In the `SpireOIDCDiscoveryProvider` CR, check if the `ManageRouteReady` condition is set to `True` by running the following command:
++
+[source,terminal]
+----
+$ oc wait --for=jsonpath='{.status.conditions[?(@.type=="ManagedRouteReady")].status}'=True SpireOIDCDiscoveryProvider/cluster --timeout=120s
+----
+
+. Verify that the OIDC endpoint can be accessed securely through HTTPS by running the following command:
++
+[source,terminal]
+----
+$ curl https://$JWT_ISSUER_ENDPOINT/.well-known/openid-configuration
+
+{
+  "issuer": "https://$JWT_ISSUER_ENDPOINT",
+  "jwks_uri": "https://$JWT_ISSUER_ENDPOINT/keys",
+  "authorization_endpoint": "",
+  "response_types_supported": [
+    "id_token"
+  ],
+  "subject_types_supported": [],
+  "id_token_signing_alg_values_supported": [
+    "RS256",
+    "ES256",
+    "ES384"
+  ]
+}%
+----