openshift · wgabor0427 · May 6, 2025
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -1264,6 +1264,10 @@ Topics:
   Topics:
   - Name: zero trust workload identity manager for Red Hat OpenShift overview
     File: zero-trust-manager-overview
+  - Name: zero trust workload identity manager for Red Hat OpenShift release notes
+    File: zero-trust-manager-release-notes
+  - Name: Using zero trust workload identity manager for Red Hat OpenShift plugins
+    File: zero-trust-manager-plugins
 ---
 Name: Authentication and authorization
 Dir: authentication

diff --git a/modules/zero-trust-manager-server-plugins.adoc b/modules/zero-trust-manager-server-plugins.adoc
@@ -0,0 +1,197 @@
+// Module included in the following assemblies:
+//
+// * security/zero_trust_workload_identity_manager/zero-trust-manager-plugins.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="zero-trust-manager-server-plugins_{context}"]
+= Using the {zero-trust-full} server plugins
+
+The SPIRE server's behavior and capabilities can be extended and customized through the use of plugins. The plugins allow SPIRE to interact with different types of systems for node attestation, workload attestation, key management, and more.
+
+The following table lists the SPIRE server plugin types:
+
+.Server plugin types
+[cols="1,2", options="header"]
+|===
+|Type
+|Description
+
+|DataStore
+|Provides persistent storage and HA features. Note: Pluggability for the DataStore is no longer supported. Only the built-in SQL plugin can be used.
+
+|KeyManager
+|Implements both signing and key storage logic for the server's signing operations. Useful for leveraging hardware-based key operations.
+
+|CredentialComposer
+|Allows customization of SVID and CA attributes.
+
+|NodeAttestor
+|Implements validation logic for nodes attempting to assert their identity. Generally paired with an agent plugin of the same type.
+
+|UpstreamAuthority
+|Allows SPIRE server to integrate with existing PKI systems.
+
+|Notifier
+|Notified by SPIRE server for certain events that are happening or have happened. For events that are happening, the notifier can advise SPIRE server on the outcome.
+
+|BundlePublisher
+|Publishes the local trust bundle to a store.
+|===
+
+The following table lists the SPIRE server built-in plugins:
+
+.Server built-in plugins
+[cols="1,1,2", options="header"]
+|===
+|Type
+|Name
+|Description
+
+|DataStore
+|sql
+|An SQL database storage for SQLite, PostgreSQL and MySQL databases for the SPIRE datastore
+
+|KeyManager
+|aws_kms
+|A key manager which manages keys in AWS KMS
+
+|KeyManager
+|disk
+|A key manager which manages keys persisted on disk
+
+|KeyManager
+|Memory
+|A key manager which manages unpersisted keys in memory
+
+|CredentialComposer
+|uniqueid
+|A key manager which manages unpersisted keys in memory
+
+|NodeAttestor
+|aws_iid
+|A node attestor which attests agent identity using an AWS Instance Identity Document
+
+|NodeAttestor
+|azure_msi
+|A node attestor which attests agent identity using an Azure MSI token
+
+|NodeAttestor
+|gcp_iit
+|A node attestor which attests agent identity using a GCP Instance Identity Token
+
+|NodeAttestor
+|join_token
+|A node attestor which validates agents attesting with server-generated join tokens
+
+|NodeAttestor
+|k8s_psat
+|A node attestor which attests agent identity using a Kubernetes Projected Service Account token
+
+|NodeAttestor
+|sshpop
+|A node attestor which attests agent identity using an existing ssh certificate
+
+|NodeAttestor
+|tpm_devid
+|A node attestor which attests agent identity using a TPM that has been provisioned with a DevID certificate
+
+|NodeAttestor
+|x509pop
+|A node attestor which attests agent identity using an existing X.509 certificate
+
+|UpstreamAuthority
+|disk
+|Uses a CA loaded from disk to sign SPIRE server intermediate certificates
+
+|UpstreamAuthority
+|aws_pca
+|Uses a Private Certificate Authority from AWS Certificate Manager to sign SPIRE server intermediate certificates
+
+|UpstreamAuthority
+|awssecret
+|Uses a CA loaded from AWS SecretsManager to sign SPIRE server intermediate certificates
+
+|UpstreamAuthority
+|gcp_cas
+|Uses a Private Certificate Authority from GCP Certificate Authority Service to sign SPIRE Server intermediate certificates
+
+|UpstreamAuthority
+|vault
+|Uses a PKI Secret Engine from HashiCorp Vault to sign SPIRE server intermediate certificates
+
+|UpstreamAuthority
+|spire
+|Uses an upstream SPIRE server in the same trust domain to obtain intermediate signing certificates for SPIRE server
+
+|UpstreamAuthority
+|cert-manager
+|Uses a referenced cert-manager Issuer to request intermediate signing certificates
+
+|Notifier
+|gcs_bundle
+|A notifier that pushes the latest trust bundle contents into an object in Google Cloud Storage
+
+|Notifier
+|k8sbundle
+|A notifier that pushes the latest trust bundle contents into a Kubernetes ConfigMap
+
+|BundlePublisher
+|aws_s3
+|Publishes the trust bundle to an Amazon S3 bucket
+
+|BundlePublisher
+|gcp_cloudstorage
+|Publishes the trust bundle to a Google Cloud Storage bucket
+
+|BundlePublisher
+|aws_rolesanywhere_trustanchor
+|Publishes the trust bundle to an AWS IAM Roles Anywhere trust anchor
+
+|===
+
+[id="plugin-configuration_{context}"]
+== How to configure plugins
+
+The server configuration file contains a configuration section for the various SPIRE server plugins. Plugins can be configured in the `plugins { ...}` section, which has the following format:
+
+[source,go]
+----
+plugins {
+    pluginType "pluginName" {
+        ...
+        plugin configuration options here
+        ...
+    }
+}
+----
+
+The following configuration options are available when configuring a plugin:
+
+.Plugin configuration options
+[cols="1,2", options="header"]
+|===
+|Configuration
+|Description
+
+|plug_cmd
+|Path to the plugin implementation binary (optional, not needed for built-ins)
+
+|plugin_checksum
+|An optional sha256 of the plugin binary (optional, not needed for built-ins)
+
+|enabled
+|Enable or disable the plugin (enabled by default)
+
+|plugin_data
+|Plugin-specific data (mutually exclusive with `plugin_data_file`)
+
+|plugin_data_file
+|Path to a file containing plugin-specific data (mutually exclusive with `plugin_data`)
+|===
+
+
+
+
+
+
+
diff --git a/security/zero_trust_workload_identity_manager/zero-trust-manager-plugins.adoc b/security/zero_trust_workload_identity_manager/zero-trust-manager-plugins.adoc
@@ -0,0 +1,14 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="zero-trust-manager-plugins"]
+= Configuring the {zero-trust-full} plugins
+
+include::_attributes/common-attributes.adoc[]
+:context: zero-trust-manager-plugins
+
+toc::[]
+
+{zero-trust-full} has a set of plugins that extend the functionality of the SPIFFE Runtime Environment (SPIRE) server and the SPIRE agent.
+
+// Using the server plugins
+include::modules/zero-trust-manager-server-plugins.adoc[leveloffset=+1]
+
diff --git a/...rity/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc b/...rity/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc
@@ -0,0 +1,11 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="zero-trust-workload-identity-manager-release-notes"]
+= {zero-trust-full} release notes
+include::_attributes/common-attributes.adoc[]
+:context: zero-trust-manager-release-notes
+
+toc::[]
+
+The {cert-manager-operator} is a cluster-wide service that provides application certificate lifecycle management.
+
+These release notes track the development of {zero-trust-full}.