modules/zero-trust-manager-create-route-oidc.adoc

// Module included in the following assemblies:
//
// * security/zero_trust_workload_identity_manageer/zero-trust-manager-oidc-federation.adoc

:_mod-docs-content-type: PROCEDURE
[id="zero-trust-manager-create-route-oidc_{context}"]
= Configuring the external certificate for the managed OIDC discovery provider route

The managed route uses the External Route Certificate feature to set the `tls.externalCertificate` field to an externally managed Transfer Layer Security (TLS) secret's name.

.Prerequisites

* You have installed {zero-trust-full} 0.2.0 or later.

* You have deployed the SPIRE Server, SPIRE Agent, SPIFFEE CSI Driver, and the SPIRE OIDC Discovery Provider operands in the cluster.

* You have installed the {cert-manager-operator}. For more information, link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html-single/security_and_compliance/index#cert-manager-operator-install[Installing the cert-manager Operator for Red{nbsp}Hat OpenShift].

* You have created a `ClusterIssuer` or `Issuer` configured with a publicly trusted CA service. For example, an Automated Certificate Management Environment (ACME) type `Issuer` with the "Let's Encrypt ACME" service. For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html-single/security_and_compliance/index#cert-manager-operator-issuer-acme[Configuring an ACME issuer]

.Procedure

. Create a `Role` to provide the router service account permissions to read the referenced secret by running the following command:
+
[source,terminal]
----
$ oc create role secret-reader \
  --verb=get,list,watch \
  --resource=secrets \
  --resource-name=$TLS_SECRET_NAME \
  -n zero-trust-workload-identity-manager
----

. Create a `RoleBinding` resource to bind the router service account with the newly created Role resource by running the following command:
+
[source,terminal]
----
$ oc create rolebinding secret-reader-binding \
  --role=secret-reader \
  --serviceaccount=openshift-ingress:router \
  -n zero-trust-workload-identity-manager
----

. Configure the `SpireOIDCDIscoveryProvider` Custom Resource (CR) object to reference the Secret generated in the earlier step by running the following command:
+
[source,terminal]
----
$ oc patch SpireOIDCDiscoveryProvider cluster --type=merge -p='
spec:
  externalSecretRef: ${TLS_SECRET_NAME}
'
----

.Verification

. In the `SpireOIDCDiscoveryProvider` CR, check if the `ManageRouteReady` condition is set to `True` by running the following command:
+
[source,terminal]
----
$ oc wait --for=jsonpath='{.status.conditions[?(@.type=="ManagedRouteReady")].status}'=True SpireOIDCDiscoveryProvider/cluster --timeout=120s
----

. Verify that the OIDC endpoint can be accessed securely through HTTPS by running the following command:
+
[source,terminal]
----
$ curl https://$JWT_ISSUER_ENDPOINT/.well-known/openid-configuration

{
  "issuer": "https://$JWT_ISSUER_ENDPOINT",
  "jwks_uri": "https://$JWT_ISSUER_ENDPOINT/keys",
  "authorization_endpoint": "",
  "response_types_supported": [
    "id_token"
  ],
  "subject_types_supported": [],
  "id_token_signing_alg_values_supported": [
    "RS256",
    "ES256",
    "ES384"
  ]
}%
----
OSDOCS-15381 updated modules 2025-08-11 13:24:08 -04:00			`// Module included in the following assemblies:`
			`//`
			`// * security/zero_trust_workload_identity_manageer/zero-trust-manager-oidc-federation.adoc`

			`:_mod-docs-content-type: PROCEDURE`
			`[id="zero-trust-manager-create-route-oidc_{context}"]`
			`= Configuring the external certificate for the managed OIDC discovery provider route`

			The managed route uses the External Route Certificate feature to set the `tls.externalCertificate` field to an externally managed Transfer Layer Security (TLS) secret's name.

			`.Prerequisites`

			`* You have installed {zero-trust-full} 0.2.0 or later.`

			`* You have deployed the SPIRE Server, SPIRE Agent, SPIFFEE CSI Driver, and the SPIRE OIDC Discovery Provider operands in the cluster.`

OSDOCS-15085 Cross-check and update version number references and package names for 4.21 2026-01-26 16:10:54 -05:00			`* You have installed the {cert-manager-operator}. For more information, link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html-single/security_and_compliance/index#cert-manager-operator-install[Installing the cert-manager Operator for Red{nbsp}Hat OpenShift].`
OSDOCS-15381 updated modules 2025-08-11 13:24:08 -04:00
OSDOCS-15085 Cross-check and update version number references and package names for 4.21 2026-01-26 16:10:54 -05:00			* You have created a `ClusterIssuer` or `Issuer` configured with a publicly trusted CA service. For example, an Automated Certificate Management Environment (ACME) type `Issuer` with the "Let's Encrypt ACME" service. For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html-single/security_and_compliance/index#cert-manager-operator-issuer-acme[Configuring an ACME issuer]
OSDOCS-15381 updated modules 2025-08-11 13:24:08 -04:00
			`.Procedure`

			. Create a `Role` to provide the router service account permissions to read the referenced secret by running the following command:
			`+`
			`[source,terminal]`
			`----`
			`$ oc create role secret-reader \`
			`--verb=get,list,watch \`
			`--resource=secrets \`
			`--resource-name=$TLS_SECRET_NAME \`
			`-n zero-trust-workload-identity-manager`
			`----`

			. Create a `RoleBinding` resource to bind the router service account with the newly created Role resource by running the following command:
			`+`
			`[source,terminal]`
			`----`
			`$ oc create rolebinding secret-reader-binding \`
			`--role=secret-reader \`
			`--serviceaccount=openshift-ingress:router \`
			`-n zero-trust-workload-identity-manager`
			`----`

OSDOCS-16120 updated modules 2025-09-10 08:30:43 -04:00			. Configure the `SpireOIDCDIscoveryProvider` Custom Resource (CR) object to reference the Secret generated in the earlier step by running the following command:
OSDOCS-15381 updated modules 2025-08-11 13:24:08 -04:00			`+`
			`[source,terminal]`
			`----`
			`$ oc patch SpireOIDCDiscoveryProvider cluster --type=merge -p='`
			`spec:`
			`externalSecretRef: ${TLS_SECRET_NAME}`
			`'`
			`----`

			`.Verification`

OSDOCS-16120 updated modules 2025-09-10 08:30:43 -04:00			. In the `SpireOIDCDiscoveryProvider` CR, check if the `ManageRouteReady` condition is set to `True` by running the following command:
OSDOCS-15381 updated modules 2025-08-11 13:24:08 -04:00			`+`
			`[source,terminal]`
			`----`
			`$ oc wait --for=jsonpath='{.status.conditions[?(@.type=="ManagedRouteReady")].status}'=True SpireOIDCDiscoveryProvider/cluster --timeout=120s`
			`----`

OSDOCS-16120 updated modules 2025-09-10 08:30:43 -04:00			`. Verify that the OIDC endpoint can be accessed securely through HTTPS by running the following command:`
OSDOCS-15381 updated modules 2025-08-11 13:24:08 -04:00			`+`
			`[source,terminal]`
			`----`
			`$ curl https://$JWT_ISSUER_ENDPOINT/.well-known/openid-configuration`

			`{`
			`"issuer": "https://$JWT_ISSUER_ENDPOINT",`
			`"jwks_uri": "https://$JWT_ISSUER_ENDPOINT/keys",`
			`"authorization_endpoint": "",`
			`"response_types_supported": [`
			`"id_token"`
			`],`
			`"subject_types_supported": [],`
			`"id_token_signing_alg_values_supported": [`
			`"RS256",`
			`"ES256",`
			`"ES384"`
			`]`
			`}%`
			`----`