Skip to content

Zero Trust Workload Identity Manager release notes

The Zero Trust Workload Identity Manager leverages Secure Production Identity Framework for Everyone (SPIFFE) and the SPIFFE Runtime Environment (SPIRE) to provide a comprehensive identity management solution for distributed systems.

These release notes track the development of Zero Trust Workload Identity Manager.

Zero Trust Workload Identity Manager 1.0.0 (General Availability)

Issued: 2025-12-17

This release introduces capabilities for enterprise readiness, security, and operational flexibility. It includes SPIRE federation for cross-cluster identity, PostgreSQL support for production persistence, and enhanced security through stricter constraints and API validation.

The following advisories are available for the Zero Trust Workload Identity Manager.

Zero Trust Workload Identity Manager supports the following components and versions:

Component Version

SPIRE Server

1.13.3

SPIRE Agent

1.13.3

SPIRE Controller Manager

0.6.3

SPIRE OIDC Discovery Provider

1.13.3

SPIFFE CSI Driver

0.2.8

New features and enhancements

SPIRE federation support

The Operator now includes support for SPIRE federation, enabling workloads across distinct trust domains to securely communicate and authenticate with each other.

  • Key capabilities:

    • Configuration of bundle endpoints using https_spiffe (TLS) or https_web (Web PKI) profiles.

    • Automatic certificate management via the ACME protocol (e.g., Let’s Encrypt).

    • Automatic OpenShift Container Platform route creation for federation endpoints.

    • Ability to configure relationships with multiple federated trust domains.

  • Customer action required:

    • Review the federation configuration within the SpireServer Custom Resource (CR).

    • Ensure proper DNS resolution and network connectivity to federated trust domains.

PostgreSQL database support

SPIRE Server now supports PostgreSQL as an external database backend, accommodating production deployments that necessitate enterprise-grade data persistence and high availability.

  • Supported Types: sqlite3 (default), postgres, mysql.

  • Customer action required:

    • For production, evaluation of migration from SQLite to PostgreSQL is recommended.

    • Creation and configuration of Kubernetes Secrets for database TLS certificates and credentials are required.

Configurable agent socket path and Container Storage Interface (CSI) plugin name

The SPIRE Agent socket path and the SPIFFE CSI Driver plugin name are now configurable, providing operational flexibility for environments with specific directory requirements or co-existence with multiple SPIFFE deployments.

  • Key configuration points:

    • SpireAgent.spec.socketPath

    • SpiffeCSIDriver.spec.agentSocketPath

    • SpiffeCSIDriver.spec.pluginName

  • Customer action required:

    • Ensure consistency between socketPath in the SpireAgent CR and agentSocketPath in the SpiffeCSIDriver CR.

Workload attestors verification API

A new API has been introduced to configure kubelet certificate verification for workload attestation, enhancing security and supporting various OpenShift configurations.

  • Verification types:

    • auto (default): Verification utilizes OpenShift defaults (/etc/kubernetes/kubelet-ca.crt).

    • hostCert: Uses a custom CA certificate path.

    • skip: Skips TLS verification (not recommended for production use).

Configurable Certificate Authority and JSON Web Token key types

Administrators can now configure the cryptographic key types used for the SPIRE Server Certificate Authority (CA) and JSON Web Token (JWT) signing, ensuring compliance with organizational security policies.

  • Supported Key Types: rsa-2048 (default), rsa-4096, ec-p256, ec-p384.

  • Customer action required:

    • Review organizational security policies to determine required key types.

Custom namespace deployment

  • The Operator and all associated operands can now be deployed within a custom namespace, providing flexibility for organizations with specific namespace governance requirements.

Proxy-aware Operator and operands

  • The Operator and all managed operands are now proxy-aware and automatically inherit cluster-wide proxy settings when configured.

Enhanced Security Context Constraints

  • SPIRE Agent and SPIFFE CSI Driver now run with Security Context Constraints (SCC) that prevent root user execution, though privileged container mode remains enabled for necessary host-level operations.

  • The Operator and all operand containers are configured with the ReadOnlyRootFilesystem set to true.

Enhanced API validation

Comprehensive Common Expression Language (CEL) validation has been integrated into all Custom Resource Definitions (CRDs) to prevent configuration errors during admission control.

  • Key validations:

    • All Operator CRDs are enforced as singletons (must be named cluster).

    • Immutable Fields: Fields including trustDomain, clusterName, bundleConfigMap, federation, bundleEndpoint profile, and all Persistence settings (size, accessMode, and storageClass) are now immutable after initial creation.

  • Customer action required:

    • Review existing CR configurations to ensure compliance with the new validation rules.

Common configuration consolidation

  • Standard configuration options (labels, resources, affinity, tolerations, nodeSelector) are now standardized across all operand CRs via a shared CommonConfig structure.

Configuring log level and log format for the operands

This release introduces flexible logging controls to improve observability and debugging across the platform:

  • SPIRE Components: Users can now configure the logLevel (debug, info, warn, error) and logFormat (text, JSON) independently for SpireServer, SpireAgent, and SpireOIDCDiscoveryProvider directly within their CR specifications. The defaults are set to "info" for the logLevel and "text" for the logFormat.

  • Operator: The operator’s log verbosity is now configurable via the OPERATOR_LOG_LEVEL environment variable using klog’s textlogger.

Refactor for create-only mode

By setting the CREATE_ONLY_MODE environment variable, users can prevent the operator from reconciling updates. This allows for manual resource modification without interference. If this mode is disabled, the Operator resumes enforcing the state and overwrites any manual changes.

Status and observability improvements

Enhanced status reporting

  • The main CR now aggregates status information from all operand CRs.

  • New status conditions include Upgradeable (indicating a safe upgrade path) and Progressing (detailing deployment progress).

Operator metrics

  • Operator metrics are now exposed and secured with appropriate RBAC configuration.

  • Integration is supported with the OpenShift monitoring stack.

Fixed issues

Enhanced Security Context Constraints for SPIRE Agent

Before this update, the SPIRE Agent and SPIFFE CSI Driver containers were running as root user, leading to potential security violations. With this release, Security Context Constraints (SCC) have been configured to ensure these components no longer run as root. While privileged container mode is still required for necessary capabilities, this change reduces potential security risks for the end user.

(SPIRE-60)

SpireServer updates now propagate without operator restart

  • Before this update, the operator failed to trigger reconciliation after updating the operand CR spec. As a consequence, user updates to SpireServer CR resources were not propagated to the StatefulSet, causing reconciliation to fail and changes to be ignored, leading to inconsistent resource allocation. With this release, the race condition between the manager and reconciler’s cache to trigger reconciliation after CR updates has been fixed. As a result, day2 patch operations on SpireServer CRs will reliably trigger reconciliation, ensuring updated values are applied to the StatefulSet without manual operator restart.

    (SPIRE-68)

Removed unnecessary security context constraint for OpenID Connect discovery provider

  • Before this update, the system unnecessarily created a custom security context constraint (SCC) for the OpenID Connect (OIDC) discovery provider, which increased the security footprint and configuration complexity even though the deployment did not require it. With this release, the custom SCC creation logic has been removed, resulting in a configuration where the OIDC discovery provider operates successfully without the extra security constraints.

    (SPIRE-190)

Fixed ConfigMap Reconciliation for SPIRE Controller Manager

Before this update, Spire-controller manager ConfigMap reconciliation failed due to an unhandled edge case in the previous implementation. As a consequence, users experienced configuration inconsistencies. With this release, the Spire-controller manager ConfigMap reconciliation issue has been resolved. As a result, end users now experience seamless Spire-controller manager configuration.

(SPIRE-195)

OIDC discovery provider now restarts automatically on configuration changes

  • Before this update, the SPIRE OIDC discovery provider failed to automatically restart following configmap changes, leading to persistent authentication failures. With this release, updates to the CR now trigger an automatic pod restart, ensuring that configmap changes are applied immediately, providing a seamless experience for end users.

    (SPIRE-225)

Corrected update rollback for DaemonSets, Deployments, and StatefulSets

  • Before this update, daemonset, deployment, and statefulsets were not properly reverted to their original form in all valid scenarios due to an oversight in the update logic. As a consequence, user data loss or inconsistency occurred in valid scenarios. With this release, the update logic has been corrected, ensuring all valid scenarios revert to their original form.

    (SPIRE-248)

  • Other bug fixes included:

    • Fixed issues related to continuous reconciliation and unnecessary updates.

    • Eliminated requeue logic for user input validation errors.

Zero Trust Workload Identity Manager 0.2.0 (Technology Preview)

Issued: 2025-09-08

The following advisories are available for the Zero Trust Workload Identity Manager.

This release of Zero Trust Workload Identity Manager is a Technology Preview.

New features and enhancements

Support for the managed OIDC Discovery Provider Route

  • The Operator exposes the SPIREOIDCDiscoveryProvider spec through OpenShift Routes under the domain *.apps.<cluster_domain> for the selected default installation.

  • The managedRoute and externalSecretRef fields have been added to the spireOidcDiscoveryProvider spec.

  • The managedRoute field is boolean and is set to true by default. If set to false, the Operator stops managing the route and the existing route will not be deleted automatically. If set back to true, the Operator resumes managing the route. If a route does not exist, the Operator creates a new one. If a route already exists, the Operator will override the user configuration if a conflict exists.

  • The externalSecretRef references an externally managed Secret that has the TLS certificate for the oidc-discovery-provider Route host. When provided, this populates the route’s .Spec.TLS.ExternalCertificate field. For more information, see Creating a route with externally managed certificate

Enabling the custom Certificate Authority Time-To-Live for the SPIRE bundle

  • The following Time-To-Live (TTL) fields have been added to the SpireServer custom resource definition (CRD) API for SPIRE Server certificate management:

    • CAValidity (default: 24h)

    • DefaultX509Validity (default: 1h)

    • DefaultJWTValidity (default: 5m)

  • The default values can be replaced in the server configuration with user-configurable options that give users the flexibility to customize certificate and SPIFFE Verifiable Identity Document (SVID) lifetimes based on their security requirements.

Enabling Manual User Configurations

  • The Operator controller switches to create-only mode once the ztwim.openshift.io/create-only=true annotation is present on the Operator’s APIs. This allows resource creation while skipping the updates. A user can update the resources manually to test their configuration. This annotation supports APIs such as SpireServer, SpireAgents, SpiffeCSIDriver, SpireOIDCDiscoveryProvider, and ZeroTrustWorkloadIdentityManager.

  • When the annotation is applied, all derived resources including resources created and managed by the Operator.

  • Once the annotation is removed and the pod restarts, the operator tries to come back to the required state. The annotation is applied only once during start or a restart.

Fixed issues

JSON Web Token Issuer field now requires a valid URL

  • Before this update, the JwtIssuer field for both the SpireServer and the SpireOidcDiscoveryProvider did not need to be a URL causing an error in configurations. With this release, the user must manually enter an issuer URL in the JwtIssuer field in both custom resources.

    (SPIRE-117)

Zero Trust Workload Identity Manager 0.1.0 (Technology Preview)

Important

The Zero Trust Workload Identity Manager is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Issued: 2025-06-16

The following advisories are available for the Zero Trust Workload Identity Manager:

This initial release of Zero Trust Workload Identity Manager is a Technology Preview. This version has the following known limitations:

  • Support for SPIRE federation is not enabled.

  • Key manager supports only the disk storage type.

  • Telemetry is supported only through Prometheus.

  • High availability (HA) configuration for SPIRE Servers or the OpenID Connect (OIDC) Discovery provider is not supported.

  • External datastore is not supported. This version uses the internal sqlite datastore deployed by SPIRE.

  • This version operates using a fixed configuration. User-defined configurations are not allowed.

  • The log level of operands are not configurable. The default value is DEBUG.