Installing the Zero Trust Workload Identity Manager

Install Zero Trust Workload Identity Manager to help ensure secure communication between your workloads. You can install the Zero Trust Workload Identity Manager by using either the web console or CLI.

If you install the Operator into a custom namespace (for example, my-custom-namespace), all managed operand resources are deployed within that same namespace. All secrets and ConfigMaps referenced by the Custom Resources (CRs) must also exist in that custom namespace.

Important

The Operator installation is not supported in the openshift-* namespaces and the default namespace.

Installing the Zero Trust Workload Identity Manager by using the web console

Use the OperatorHub in the OpenShift Container Platform web console to install the Zero Trust Workload Identity Manager. This process streamlines deployment and helps ensure the Operator is installed in the correct namespace with the appropriate installation mode.

Note

A minimum of 1Gi persistent volume is required to install the SPIRE Server.

Prerequisites
  • You have access to the cluster with cluster-admin privileges.

  • You have access to the OpenShift Container Platform web console.

Procedure
  1. Log in to the OpenShift Container Platform web console.

  2. Go to Ecosystem → Software Catalog.

  3. Search for Zero Trust Workload Identity Manager.

  4. On the Install Operator page:

    1. Update the Update channel, if necessary. The channel defaults to stable-v1, which installs the latest stable-v1 release of the Zero Trust Workload Identity Manager.

    2. Choose the Installed Namespace for the Operator. The default Operator namespace is zero-trust-workload-identity-manager.

      If the zero-trust-workload-identity-manager namespace does not exist, it is created for you.

      Note

      The Operator and operands are deployed in the same namespace.

    3. Select an Update Approval strategy:

      • The Automatic strategy allows Operator Lifecycle Manager (OLM) to automatically update the Operator when a new version is available.

      • The Manual strategy requires a user with appropriate credentials to approve the Operator update.

  5. Click Install.

Verification
  1. Navigate to Ecosystem → Installed Operators.

    1. Verify that Zero Trust Workload Identity Manager is listed with a Status of Succeeded in the zero-trust-workload-identity-manager namespace.

    2. Verify that the Zero Trust Workload Identity Manager controller manager deployment is ready and available by running the following command:

      $ oc get deployment -l name=zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager
      Example output
      NAME                                                           READY UP-TO-DATE AVAILABLE AGE
      zero-trust-workload-identity-manager-controller-manager-6c4djb 1/1   1          1         43m
  2. To check the Operator logs, run the following command:

    $ oc logs -f deployment/zero-trust-workload-identity-manager-controller-manager -n zero-trust-workload-identity-manager

Installing the Zero Trust Workload Identity Manager by using the CLI

Prerequisites
  • You have access to the cluster with cluster-admin privileges.

Note

A minimum of 1Gi persistent volume is required to install the SPIRE Server.

Procedure
  1. Create a new project named zero-trust-workload-identity-manager by running the following command:

    $ oc new-project zero-trust-workload-identity-manager
  2. Create an OperatorGroup object:

    1. Create a YAML file, for example, operatorGroup.yaml, with the following content:

      Example operatorGroup.yaml
      apiVersion: operators.coreos.com/v1
      kind: OperatorGroup
      metadata:
        name: openshift-zero-trust-workload-identity-manager
        namespace: zero-trust-workload-identity-manager
      spec:
        upgradeStrategy:
          name: Default
    2. Create the OperatorGroup object by running the following command:

      $ oc create -f operatorGroup.yaml
  3. Create a Subscription object:

    1. Create a YAML file, for example, subscription.yaml, that defines the Subscription object:

      Example subscription.yaml
      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: openshift-zero-trust-workload-identity-manager
        namespace: zero-trust-workload-identity-manager
      spec:
        channel: stable-v1
        name: openshift-zero-trust-workload-identity-manager
        source: redhat-operators
        sourceNamespace: openshift-marketplace
        installPlanApproval: Automatic
    2. Create the Subscription object by running the following command:

      $ oc create -f subscription.yaml
Verification
  • Verify that the OLM subscription is created by running the following command:

    $ oc get subscription -n zero-trust-workload-identity-manager
    Example output
    NAME                                             PACKAGE                                SOURCE             CHANNEL
    openshift-zero-trust-workload-identity-manager   zero-trust-workload-identity-manager   redhat-operators   stable-v1
  • Verify whether the Operator is successfully installed by running the following command:

    $ oc get csv -n zero-trust-workload-identity-manager
    Example output
    NAME                                         DISPLAY                                VERSION  PHASE
    zero-trust-workload-identity-manager.v1.0.0   Zero Trust Workload Identity Manager   1.0.0    Succeeded
  • Verify that the Zero Trust Workload Identity Manager controller manager is ready by running the following command:

    $ oc get deployment -l name=zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager
    Example output
    NAME                                                      READY   UP-TO-DATE   AVAILABLE   AGE
    zero-trust-workload-identity-manager-controller-manager   1/1     1            1           43m
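
The namespace restriction and the CLI verification steps on this page can be scripted as a pre-flight and post-install check. The following is an added example, not part of the product documentation: the function names are hypothetical and the sample tables are constructed from the example output shown above.

```shell
#!/bin/sh
# Added example: pre-flight and post-install checks for the CLI procedure.
# Function names are hypothetical; the sample tables are constructed.
OPERATOR=zero-trust-workload-identity-manager

# The page lists openshift-* and default as unsupported install namespaces.
namespace_supported() {
  case "$1" in
    ""|default|openshift-*) return 1 ;;
    *) return 0 ;;
  esac
}

# stdin: `oc get csv` table. Pass only if a CSV named "$1..." exists and
# each one is in phase Succeeded. DISPLAY contains spaces, so PHASE is read
# as the last field rather than by column number.
csv_succeeded() {
  awk -v p="$1" 'NR > 1 && index($1, p) == 1 { n++; if ($NF != "Succeeded") bad = 1 }
    END { exit ((n > 0 && !bad) ? 0 : 1) }'
}

# stdin: `oc get deployment` table. Pass only if at least one row exists and
# every row reports READY as n/n with n >= 1.
deployments_ready() {
  awk 'NR > 1 { n++; split($2, r, "/"); if (r[1] != r[2] || r[1] + 0 < 1) bad = 1 }
    END { exit ((n > 0 && !bad) ? 0 : 1) }'
}

# Live check against a cluster; requires a logged-in oc session.
verify_install() {
  namespace_supported "$1" || { echo "unsupported namespace: $1" >&2; return 2; }
  oc get csv -n "$1" | csv_succeeded "$OPERATOR" || return 1
  oc get deployment -l "name=$OPERATOR" -n "$1" | deployments_ready
}

# Constructed sample output, so the parsers can be exercised offline.
SAMPLE_CSV='NAME DISPLAY VERSION PHASE
zero-trust-workload-identity-manager.v1.0.0 Zero Trust Workload Identity Manager 1.0.0 Succeeded'
SAMPLE_DEPLOY='NAME READY UP-TO-DATE AVAILABLE AGE
zero-trust-workload-identity-manager-controller-manager 1/1 1 1 43m'

sample_checks_pass() {
  printf '%s\n' "$SAMPLE_CSV" | csv_succeeded "$OPERATOR" &&
    printf '%s\n' "$SAMPLE_DEPLOY" | deployments_ready
}

# With a namespace argument, check the cluster; without one, run the samples.
if [ "${1:-}" ]; then verify_install "$1"; else sample_checks_pass && echo "sample checks passed"; fi
```

Run the script with the install namespace as its only argument to check a live cluster. An empty deployment list fails the check, so a wrong label selector or namespace is not mistaken for a healthy installation.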