[Docs] OSSM with ZTWIM federation #828
[Docs] OSSM with ZTWIM federation #828Dimss wants to merge 1 commit intoopenshift-service-mesh:ossm-spire-federation-docsfrom
Conversation
Adding OSSM with ZTWIM for federation setup docs Signed-off-by: Dmitry Kartsev <dkartsev@redhat.com>
fjglira
left a comment
fjglira
left a comment
There was a problem hiding this comment.
First pass, all the comment are suggestions to make the documentation easier for users
There was a problem hiding this comment.
This file lives upstream. Deleting I think is not the rigth approach, if we need to add something OSSM specific it should be in the ossm folder just with the ossm specific information
There was a problem hiding this comment.
You can leave this one here and create the federation specific in the ossm folder
| Create two OpenShift clusters. | ||
| Create a directory `ossm-ztwim-federation`, cd into directory `ossm-ztwim-federation`. | ||
| To easily access both clusters, | ||
| create two files `cluster-a.kubeconfig` | ||
| and `cluster-b.kubeconfig`. | ||
| Store the kubeconfig content accordingly |
There was a problem hiding this comment.
| Create two OpenShift clusters. | |
| Create a directory `ossm-ztwim-federation`, cd into directory `ossm-ztwim-federation`. | |
| To easily access both clusters, | |
| create two files `cluster-a.kubeconfig` | |
| and `cluster-b.kubeconfig`. | |
| Store the kubeconfig content accordingly | |
| * Create two OpenShift clusters. | |
| * Create a directory `ossm-ztwim-federation`, cd into the directory `ossm-ztwim-federation`. | |
| To easily access both clusters, create two files `cluster-a.kubeconfig` and `cluster-b.kubeconfig`. | |
| * Store the kubeconfig content accordingly |
| export OSSM_NS=istio-system | ||
| export OSSM_CNI=istio-cni |
There was a problem hiding this comment.
| export OSSM_NS=istio-system | |
| export OSSM_CNI=istio-cni | |
| export OSSM_NS=istio-system | |
| export OSSM_CNI_NS=istio-cni |
To keep the same format and be more explicit. This will need to be replaced across the etnire document where the var is used
|
|
||
| ==== [[fed-install-ztwim-operator]]Install ZTWIM Operator on both clusters | ||
|
|
||
| [source,bash] |
There was a problem hiding this comment.
I think it is better explained step by step. But if we already have a section in the main document on How to install the operator, you can mentione and redirect people to that section install of adding a bash with a for for this in both cluster. Mention something like: for each cluster, you will need to install the Operator following the steps mentioned here for each one of the clusters
|
|
||
| ==== [[fed-install-ztwim]]Create `ZeroTrustWorkloadIdentityManager` CR | ||
|
|
||
| [source,bash] |
There was a problem hiding this comment.
Something similar here, for documentation is better to separate the steps and tell users to: create the CR on cluster A and the command annd another step create the CR on cluster B and the command
|
|
||
| ==== [[fed-install-spireserver]]Install `SpireServer` CR | ||
|
|
||
| [source,bash] |
| done | ||
| ---- | ||
|
|
||
| _Note, once the `SpireAgent` deployed we must patch the agent configuration and |
There was a problem hiding this comment.
| _Note, once the `SpireAgent` deployed we must patch the agent configuration and | |
| _Note, once the `SpireAgent` is deployed, we must patch the agent configuration and |
|
|
||
| ==== [[fed-install-cluster-federation]]Install `ClusterFederatedTrustDomain` CR | ||
|
|
||
| [source,bash] |
There was a problem hiding this comment.
Similar here, I think each configuration step should be a bullet point install a huge code block with comments
|
|
||
| ==== [[fed-install-istiod]]Install Istiod | ||
|
|
||
| [source,bash] |
There was a problem hiding this comment.
Same here, separated bullet will make it easier to go over steps
| WORKLOAD_IDENTITY_SOCKET_FILE: "spire-agent.sock" | ||
| trustDomain: $ISTIO_TRUST_DOMAIN_NAME | ||
| trustDomainAliases: | ||
| - $ISTIO_TRUST_DOMAIN_NAME_ALIAS |
There was a problem hiding this comment.
Hi @Dimss ,
using trustDomainAliases will make the spire federation work with Istio but was that the main intention of trustDomainAliases field? I believe it was designed for trust domain migration.
Adding federated trust domains in trustDomainAliases would mean:
- AuthorizationPolicy cannot distinguish between clusters meaning, any policy allowing one trust domain implicitly allows the other
- TLS accepts any identity from any aliased trust domain meaning, inbound connections from aliased domains pass the SAN check
cc: @PillaiManish
3 participants
Removing duplicates and outdated spire docs
Adding OSSM with ZTWIM for federation setup docs
What type of PR is this?