openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/zero-trust-manager-configure-endpoints.adoc
William Gabor 20cd924b26 OSDOCS-17246 updated modules
2025-12-18 19:28:21 +00:00

54 lines
2.1 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * security/zero_trust_workload_identity_manager/zero-trust-manager-spire-federation.adoc
:_mod-docs-content-type: CONCEPT
[id="zero-trust-manager-configure-endpoints_{context}"]
= Understanding bundle endpoint profiles
[role="_abstract"]
The bundle endpoint profile determines how your cluster exposes its trust bundle to other SPIRE deployments and how it authenticates remote clusters accessing the bundle. Choose the profile that best matches your security requirements and infrastructure.
The {zero-trust-full} supports two authentication profiles for federation:
https_spiffe:: Uses SPIFFE-based TLS authentication. The SPIRE server presents its own SVID (SPIFFE Verifiable Identity Document) to authenticate itself to remote SPIRE servers. This profile provides strong cryptographic identity verification and is ideal for federation between SPIRE deployments.
https_web:: Uses standard Web PKI (X.509 certificates from public or private certificate Authorities). This profile supports both automatic certificate management via ACME (Let's Encrypt) and manual certificate management using tools like cert-manager.
The following table summarizes the key differences between the two profiles:
[cols="2,3,3",options="header"]
|===
|Criteria
|https_spiffe
|https_web
|Authentication method
|SPIFFE SVID (TLS)
|X.509 certificate from CA
|Certificate management
|Automatic (SPIRE-managed)
|ACME (automatic) or manual
|Trust model
|SPIFFE trust domain
|Web PKI / CA trust
|Best for
|Internal SPIRE-to-SPIRE federation
|External federation, public endpoints
|Security level
|Very high (cryptographic identity)
|High (CA-based trust)
|Setup complexity
|Medium (requires SPIFFE IDs)
|Low (ACME) to Medium (manual certs)
|===
[IMPORTANT]
====
After enablement, federation cannot be disabled. The bundle endpoint profile is immutable once configured. Changing the profile or disabling federation requires reinstallation of the system. However, peer configurations (`federatesWith`) remain dynamic and can be added or removed at any time. Plan your profile selection carefully based on your long-term federation requirements.
====
View Git Blame Copy Permalink