A step-by-step guide to integrating Red Hat's zero trust workload identity manager (SPIFFE/SPIRE) with OpenShift GitOps (Argo CD) to enable short-lived, token-free authentication between a management OpenShift cluster and remote spoke clusters. The setup involves deploying the zero trust workload identity manager operator, configuring an Argo CD instance in a custom namespace to receive SPIFFE identities via the CSI driver, enabling external OIDC authentication on the spoke cluster, and creating RBAC bindings for SPIFFE-based identities. The result is that Argo CD can manage remote clusters using cryptographically attested workload identities instead of long-lived static tokens, improving the security posture. A current limitation is that enabling external authentication restricts the spoke cluster to SPIFFE-only authentication until multi-provider support arrives in a future OpenShift release.
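The last step in the summary, binding privileges on the spoke cluster to a SPIFFE identity, is the piece that decides how much a compromised or misconfigured Argo CD controller could do. The manifest below is an added example and not from the article or Red Hat's own configuration. It assumes a trust domain of example.org, an Argo CD namespace of openshift-gitops-custom on the management cluster, and that the spoke's external OIDC authentication maps the JWT-SVID sub claim to a Kubernetes username with no prefix, so the username is the bare SPIFFE ID; all of those values are placeholders to replace with your own.

```yaml
# Added example (not the article's code): spoke-cluster RBAC for an Argo CD
# controller that authenticates with a SPIFFE JWT-SVID via external OIDC.
# Assumed values: trust domain "example.org", Argo CD namespace
# "openshift-gitops-custom", username = sub claim with no prefix.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: argocd-spiffe-manager
rules:
  # Deliberately narrower than cluster-admin; extend only to the API groups
  # and resources the applications managed by this Argo CD instance need.
  - apiGroups: [""]
    resources: ["namespaces", "services", "configmaps", "serviceaccounts"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps", "batch"]
    resources: ["deployments", "statefulsets", "daemonsets", "jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods", "pods/log", "events"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argocd-spiffe-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: argocd-spiffe-manager
subjects:
  # The subject is the SPIFFE ID carried in the controller's JWT-SVID.
  # No static token or service account on the spoke is involved: if the
  # identity cannot be attested on the management cluster, this binding
  # grants nothing.
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: spiffe://example.org/ns/openshift-gitops-custom/sa/argocd-application-controller
```

To confirm the binding is scoped as intended before pointing Argo CD at the spoke, impersonate the SPIFFE identity from an admin session, for example `oc auth can-i create deployments --as 'spiffe://example.org/ns/openshift-gitops-custom/sa/argocd-application-controller'` should answer yes, while the same check for `clusterrolebindings` should answer no. Because this identity is the only one the spoke will accept once external authentication is enabled, keeping the role minimal matters more than it would with a mixed-provider setup.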

Table of contents

Architectural overview
Prerequisites
Management cluster configuration
    Deploy zero trust workload identity manager
    OpenShift GitOps deployment
Spoke cluster configuration
    External authentication
        Enable external authentication
        Verify external authentication using SPIFFE identities
    Assigning privileges to SPIFFE identities
OpenShift GitOps remote cluster management
Conclusion