mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/security/zero_trust_workload_identity_manager/zero-trust-manager-release-notes.adoc
2025-10-15 18:41:41 +00:00

:_mod-docs-content-type: ASSEMBLY
[id="zero-trust-manager-release-notes"]
= Zero Trust Workload Identity Manager release notes
include::_attributes/common-attributes.adoc[]
:context: zero-trust-manager-release-notes
toc::[]
The {zero-trust-full} leverages Secure Production Identity Framework for Everyone (SPIFFE) and the SPIFFE Runtime Environment (SPIRE) to provide a comprehensive identity management solution for distributed systems. {zero-trust-full} supports SPIRE version 1.12.4 running as an operand.
These release notes track the development of {zero-trust-full}.
:FeatureName: Zero Trust Workload Identity Manager
include::snippets/technology-preview.adoc[]
[id="zero-trust-manager-release-notes-0-2-0"]
== {zero-trust-full} 0.2.0 (Technology Preview)
Issued: 2025-09-08
The following advisories are available for the {zero-trust-full}:
* https://access.redhat.com/errata/RHBA-2025:15425[RHBA-2025:15425]
* https://access.redhat.com/errata/RHBA-2025:15426[RHBA-2025:15426]
* https://access.redhat.com/errata/RHBA-2025:15427[RHBA-2025:15427]
* https://access.redhat.com/errata/RHBA-2025:15428[RHBA-2025:15428]
This release of {zero-trust-full} is a Technology Preview.
[id="zero-trust-manager-0-2-0-features-enhancements_{context}"]
=== New features and enhancements
[id="zero-trust-manager-0-2-0-features-oidc-discovery_{context}"]
==== Support for the managed OIDC Discovery Provider Route
* The Operator exposes the `SPIREOIDCDiscoveryProvider` spec through OpenShift Routes under the domain `*.apps.<cluster_domain>` for the default installation.
* The `managedRoute` and `externalSecretRef` fields have been added to the `spireOidcDiscoveryProvider` spec.
* The `managedRoute` field is a boolean that is set to `true` by default. If set to `false`, the Operator stops managing the route, and the existing route is not deleted automatically. If set back to `true`, the Operator resumes managing the route: if no route exists, the Operator creates one; if a route already exists and its configuration conflicts with the Operator's, the Operator overrides the user configuration.
* The `externalSecretRef` field references an externally managed Secret that holds the TLS certificate for the `oidc-discovery-provider` Route host. When provided, it populates the route's `.Spec.TLS.ExternalCertificate` field. For more information, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/4.20/html-single/ingress_and_load_balancing/index#nw-ingress-route-secret-load-external-cert_secured-routes[Creating a route with externally managed certificate].
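The following manifest set is an added illustration of the two new fields, not an example taken from the OpenShift documentation or from the Operator project. It pairs the provider CR with the Secret and the RBAC grant that a Route with an externally managed certificate needs: the router service account must be allowed to read the Secret, and the grant is scoped to that one Secret with `resourceNames`. The API group and version `operator.openshift.io/v1alpha1`, the CR name `cluster`, the Operator namespace, the lower camel-case YAML key spelling (`managedRoute`, `externalSecretRef`, `jwtIssuer`), and the shape of `externalSecretRef` as a plain Secret name are assumptions; verify them against the installed CRD with `oc explain spireoidcdiscoveryprovider.spec`.

```yaml
# Added example (not from the page or the Operator project). API group/version,
# CR name, namespace and key casing are assumptions; check with `oc explain`.
---
# 1. Externally managed TLS certificate for the discovery provider Route.
#    Must be of type kubernetes.io/tls and live in the Route's namespace.
apiVersion: v1
kind: Secret
metadata:
  name: oidc-discovery-provider-tls                 # assumed name
  namespace: zero-trust-workload-identity-manager   # assumed namespace
type: kubernetes.io/tls
data:
  tls.crt: <base64-encoded PEM certificate chain>   # placeholder
  tls.key: <base64-encoded PEM private key>         # placeholder
---
# 2. The router service account must be able to read that one Secret.
#    Scope the grant with resourceNames instead of granting all secrets.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: oidc-discovery-provider-tls-reader
  namespace: zero-trust-workload-identity-manager
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["oidc-discovery-provider-tls"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: oidc-discovery-provider-tls-reader
  namespace: zero-trust-workload-identity-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: oidc-discovery-provider-tls-reader
subjects:
- kind: ServiceAccount
  name: router
  namespace: openshift-ingress
---
# 3. The provider CR: a managed Route that serves the external certificate.
apiVersion: operator.openshift.io/v1alpha1   # assumed
kind: SpireOIDCDiscoveryProvider
metadata:
  name: cluster                              # assumed singleton name
spec:
  # true (default): the Operator creates the Route and overrides conflicting
  # user edits. false: the Operator stops managing it; the Route is kept.
  managedRoute: true
  # Name of the Secret above; becomes the Route's .spec.tls.externalCertificate.
  externalSecretRef: oidc-discovery-provider-tls
  # Since 0.2.0 this must be a full URL (SPIRE-117). Use the Route host.
  jwtIssuer: https://oidc-discovery.apps.<cluster_domain>   # placeholder host
```

After applying the manifests with `oc apply -f`, confirm that the Route carries the external certificate reference rather than an inline certificate (`oc get route -n <namespace> -o yaml` and look for `spec.tls.externalCertificate`), and that the issuer URL in the CR matches the host the Route serves; a mismatch between the two is exactly the misconfiguration the SPIRE-117 fix makes visible early.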
[id="zero-trust-manager-0-2-0-features-ca-ttl_{context}"]
==== Enabling the custom Certificate Authority Time-To-Live for the SPIRE bundle
* The following Time-To-Live (TTL) fields have been added to the `SpireServer` custom resource definition (CRD) API for SPIRE Server certificate management:
** `CAValidity` (default: 24h)
** `DefaultX509Validity` (default: 1h)
** `DefaultJWTValidity` (default: 5m)
* These defaults can be overridden in the server configuration, giving users the flexibility to customize certificate and {svid-full} lifetimes to match their security requirements.
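The following `SpireServer` manifests are an added example, not content from the page or from the Operator project, showing a weak TTL setting beside a corrected one. The API group and version, the CR name `cluster`, and the lower camel-case key spelling (`caValidity`, `defaultX509Validity`, `defaultJWTValidity`, listed above in Go-style casing) are assumptions to verify with `oc explain spireserver.spec`. The ratio check in the comments comes from upstream SPIRE, which logs a warning when the default X.509 SVID TTL exceeds one-sixth of the CA TTL, because CA rotation must complete before issued SVIDs expire.

```yaml
# Added example (not from the page). API group/version, CR name and key
# casing are assumptions; check with `oc explain spireserver.spec`.
---
# Weak setting: the X.509 SVID lifetime is half the CA lifetime. Workloads
# then hold certificates that overlap the CA rotation window, and upstream
# SPIRE warns when default_x509_svid_ttl exceeds one-sixth of ca_ttl.
apiVersion: operator.openshift.io/v1alpha1   # assumed
kind: SpireServer
metadata:
  name: cluster                              # assumed singleton name
spec:
  caValidity: 24h
  defaultX509Validity: 12h      # too long relative to the CA (12h > 24h / 6)
  defaultJWTValidity: 5m
---
# Corrected setting: short-lived SVIDs with a CA at least 6x the X.509 default.
# Shorter SVIDs shrink the window in which a leaked identity stays usable; the
# cost is more frequent renewal traffic between agents and the server.
apiVersion: operator.openshift.io/v1alpha1   # assumed
kind: SpireServer
metadata:
  name: cluster
spec:
  caValidity: 24h               # page default
  defaultX509Validity: 1h       # page default; 1h <= 24h / 6
  defaultJWTValidity: 5m        # page default; JWT-SVIDs are kept shortest
```

When tuning these values, lower the SVID defaults before lengthening anything, and check the SPIRE server operand logs after the change: a TTL warning there means the ratio above has been violated even if the CR was accepted.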
[id="zero-trust-manager-0-2-0-features-manual-configurations_{context}"]
==== Enabling Manual User Configurations
* The Operator controller switches to `create-only` mode once the `ztwim.openshift.io/create-only=true` annotation is present on the Operator's APIs. In this mode the Operator still creates resources but skips updates to them, so a user can modify the resources manually to test a configuration. This annotation is supported on the `SpireServer`, `SpireAgents`, `SpiffeCSIDriver`, `SpireOIDCDiscoveryProvider`, and `ZeroTrustWorkloadIdentityManager` APIs.
* When the annotation is applied, the `create-only` behavior extends to all derived resources, including resources created and managed by the Operator.
* Once the annotation is removed and the Operator pod restarts, the Operator reconciles the resources back to the required state. The annotation is evaluated only once, at start or restart.
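The following manifest is an added example, not content from the page or the Operator project, of placing the `create-only` annotation on a `SpireServer` CR so that manual edits to the derived resources survive reconciliation during a test. The API group and version, the CR name `cluster`, and the key casing of the TTL fields are assumptions; the annotation key itself is the one named above, written in YAML map form rather than the `key=value` form used with `oc annotate`.

```yaml
# Added example (not from the page). API group/version, CR name and TTL key
# casing are assumptions; the annotation key is the one the release notes name.
apiVersion: operator.openshift.io/v1alpha1   # assumed
kind: SpireServer
metadata:
  name: cluster                              # assumed singleton name
  annotations:
    # While present, the Operator creates missing resources but skips updates,
    # so hand-edited derived resources (ConfigMaps, Deployments, ...) are left
    # alone. It is read once at Operator start/restart: after adding or
    # removing it, restart the Operator pod for the change to take effect.
    ztwim.openshift.io/create-only: "true"
spec:
  caValidity: 24h
  defaultX509Validity: 1h
  defaultJWTValidity: 5m
```

Treat this as a testing aid rather than a steady state: while the annotation is in place, drift in the operand resources is not corrected, so remove it and restart the Operator pod as soon as the experiment is done, then confirm the Operator has re-converged the resources to its required state.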
[id="zero-trust-manager-0-2-0-bug-fixes_{context}"]
=== Bug fixes
* Before this update, the `JwtIssuer` field of both the `SpireServer` and the `SpireOidcDiscoveryProvider` custom resources was not required to be a URL, which caused configuration errors. With this release, the user must manually enter an issuer URL in the `JwtIssuer` field of both custom resources. (link:https://issues.redhat.com/browse/SPIRE-117[SPIRE-117])
[id="zero-trust-manager-release-notes-1"]
== {zero-trust-full} 0.1.0 (Technology Preview)
Issued: 2025-06-16
The following advisories are available for the {zero-trust-full}:
* https://access.redhat.com/errata/RHBA-2025:9088[RHBA-2025:9088]
* https://access.redhat.com/errata/RHBA-2025:9085[RHBA-2025:9085]
* https://access.redhat.com/errata/RHBA-2025:9090[RHBA-2025:9090]
* https://access.redhat.com/errata/RHBA-2025:9084[RHBA-2025:9084]
* https://access.redhat.com/errata/RHBA-2025:9089[RHBA-2025:9089]
* https://access.redhat.com/errata/RHBA-2025:9087[RHBA-2025:9087]
* https://access.redhat.com/errata/RHBA-2025:9101[RHBA-2025:9101]
* https://access.redhat.com/errata/RHBA-2025:9104[RHBA-2025:9104]
This initial release of {zero-trust-full} is a Technology Preview. This version has the following known limitations:
* Support for SPIRE federation is not enabled.
* Key manager supports only the `disk` storage type.
* Telemetry is supported only through Prometheus.
* High availability (HA) configuration for SPIRE Servers or the OpenID Connect (OIDC) Discovery provider is not supported.
* External datastore is not supported. This version uses the internal `sqlite` datastore deployed by SPIRE.
* This version operates using a fixed configuration. User-defined configurations are not allowed.
* The log level of operands is not configurable. The default value is `DEBUG`.