Skip to content

Configuring the egress proxy for the {zero-trust-full}

Operator Lifecycle Manager (OLM) automatically configures managed Operators with proxy settings when you use a cluster-wide egress proxy. To support proxying HTTPS connections, you can inject certificate authority (CA) certificates into the Zero Trust Workload Identity Manager.

Injecting a custom CA certificate for the Zero Trust Workload Identity Manager

Inject certificate authority (CA) certificates into the Zero Trust Workload Identity Manager to support proxying HTTPS connections. This configuration helps ensure that the Identity Manager can communicate securely when you enable a cluster-wide proxy.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

  • You have enabled the cluster-wide proxy for OpenShift Container Platform.

  • You have installed Zero Trust Workload Identity Manager 1.0.0 or later.

  • You have deployed the SPIRE Server, SPIRE Agent, SPIFFEE CSI Driver, and the SPIRE OIDC Discovery Provider operands in the cluster.

Procedure

  1. Create a config map in the zero-trust-workload-identity-manager namespace by running the following command:

    $ oc create configmap trusted-ca -n zero-trust-workload-identity-manager

  2. Inject the CA bundle that is trusted by OpenShift Container Platform into the config map by running the following command:

    $ oc label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true -n zero-trust-workload-identity-manager

  3. Update the subscription for the Zero Trust Workload Identity Manager to use the config map by running the following command:

    $ oc -n zero-trust-workload-identity-manager patch subscription openshift-zero-trust-workload-identity-manager --type='merge' -p '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_BUNDLE_CONFIGMAP","value":"trusted-ca"}]}}}'
Verification

  1. Verify that the operands have finished rolling out by running the following command:

    $ oc rollout status deployment/zero-trust-workload-identity-manager-controller-manager -n zero-trust-workload-identity-manager && \
$ oc rollout status statefulset/spireserver -n zero-trust-workload-identity-manager && \
$ oc rollout status daemonset/spire-agent -n zero-trust-workload-identity-manager && \
$ oc rollout status deployment/spire-spiffe-oidc-discovery-provider -n zero-trust-workload-identity-manager
    Example output
    deployment "zero-trust-workload-identity-manager-controller-manager" successfully rolled out
statefulset "spire-server" successfully rolled out
daemonset "spire-agent" successfully rolled out
deployment "spire-spiffe-oidc-discovery-provider" successfully rolled out

  2. Verify that the CA bundle was mounted as a volume by running the following command:

    $ oc get deployment zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager -o=jsonpath={.spec.template.spec.'containers[0].volumeMounts'}
    $ oc get statefulset spire-server -n zero-trust-workload-identity-manager -o jsonpath='{.spec.template.spec.containers[*].volumeMounts[?(@.name=="trusted-ca-bundle")]}'
    $ oc get daemonset spire-agent -n zero-trust-workload-identity-manager -o jsonpath='{.spec.template.spec.containers[*].volumeMounts[?(@.name=="trusted-ca-bundle")]}'
    $ oc get daemonset spire-spiffe-csi-driver -n zero-trust-workload-identity-manager -o jsonpath='{.spec.template.spec.containers[*].volumeMounts[?(@.name=="trusted-ca-bundle")]}'
    Example output
    [{{"mountPath":"/etc/pki/ca-trust/extracted/pem","name":"trusted-ca-bundle","readOnly":true}]

  3. Verify that the source of the CA bundle is the trusted-ca config map by running the following command:

    $ oc get deployment zero-trust-workload-identity-manager -n zero-trust-workload-identity-manager -o=jsonpath={.spec.template.spec.volumes}
    $ oc get statefulset spire-server -n zero-trust-workload-identity-manager -o=jsonpath='{.spec.template.spec.volumes}' | jq '.[] | select(.name=="trusted-ca-bundle")'
    $ oc get daemonset spire-agent -n zero-trust-workload-identity-manager -o=jsonpath='{.spec.template.spec.volumes}' | jq '.[] | select(.name=="trusted-ca-bundle")'
    $ oc get deployment spire-spiffe-oidc-discovery-provider -n zero-trust-workload-identity-manager -o=jsonpath='{.spec.template.spec.volumes}' | jq '.[] | select(.name=="trusted-ca-bundle")'
    Example output
    {
  "configMap": {
    "defaultMode": 420,
    "items": [
      {
        "key": "ca-bundle.crt",
        "path": "tls-ca-bundle.pem"
      }
    ],
    "name": "trusted-ca"
  },
  "name": "trusted-ca-bundle"
}

Additional resources