cert-manager/infrastructure

cert-manager Infrastructure

All infrastructure required by the cert-manager project. This includes:

  • infrastructure-as-code (Terraform)
  • details of services used by the project

Important Note: Credentials

Currently, where this document states that credentials are stored in 1password, this means Venafi's private 1password org.

This is for legacy reasons, but it is convenient since these credentials are currently mostly used by cert-manager maintainers who work at Venafi.

It's the policy of the cert-manager project that these credentials should live in a place where they can be accessed by any maintainer, no matter where they work. In time, all credentials stored in Venafi's 1password org will be moved to an open-source friendly location.

Services We Use

As a project, cert-manager relies on several external services for different tasks. Some require access controls, which should ideally be open to any recognised cert-manager maintainer.

Here, we list any services we know about and the method by which we change / configure / interact with those services.

Google Groups: cert-manager-maintainers

cert-manager-maintainers is the ultimate decider of who's a recognised maintainer. All other memberships should be based off this group, and if a maintainer retires from the project, they should be removed from this group.

There should be automation added to ensure that members of this group are:

  • able to access any secrets they need (e.g. login credentials)
  • listed in the CNCF Maintainers list (see details below)
  • admins of the cert-manager GitHub org.
  • owners of other cert-manager Google Groups

This group is managed by existing group owners.

Google Groups: cert-manager-security

cert-manager-security is the single point of contact for people wanting to report security vulnerabilities, as documented in the Vulnerability Reporting Process.

Members of this group should also be maintainers, and thus this group should be a subset of cert-manager-maintainers.

This group is managed by existing group owners.

Google Groups: cert-manager-dev

cert-manager-dev is the open-to-the-public group encompassing anyone who's interested in cert-manager development. It's a place for people to ask questions and get updates about the project, outside of Slack.

Owners should be those in the cert-manager-maintainers group, but anyone is free to join the group.

Mailing Lists: cncf-cert-manager-maintainers

There's a CNCF-hosted mailing list for cert-manager maintainers which uses groups.io

It contains a mixture of CNCF people and cert-manager people. In the future it might be good to sync this mailing list with the cert-manager-maintainers Google group.

Quay

Currently, cert-manager container images are hosted on quay.io under the Jetstack organization which is controlled by Venafi. Admin credentials are available on Venafi's 1password.

It's a goal of the cert-manager project to migrate images to be hosted under a cert-manager organization, but this introduces non-trivial operational challenges which we'd have to face to perform a migration.

cert-manager container images are pushed to Quay via a robot account which is configured in Google Cloud Build.

Other projects (e.g. trust-manager, csi-driver, etc) tend to be built locally and pushed using local credentials. It's a long-term ambition to change this in all instances.

Zoom

We are using Zoom for the dev biweekly meetings. The CNCF pays for a Zoom pro account. The email is cncf-certmanager-project@cncf.io, and the password is in the Venafi 1Password in the vault team-cert-manager.

CNCF Calendar

The dev biweekly meetings show on the CNCF calendar. This calendar is manually managed by the CNCF through the CNCF service desk. Changes to the invitations sent to cert-manager-dev@googlegroups.com need to be manually propagated by opening a ticket on the CNCF service desk.

Slack

We have 2 Slack channels on Kubernetes slack:

Administration of both is done by Kubernetes slack admins.

Maintainers should also have access to the CNCF slack, although this isn't used much.

We also have the Slack user group @cert-manager-maintainers defined in kubernetes/community#7360. The list of Slack usernames in this file was extracted from the GitHub usernames and might need some adjustments, since Slack usernames are private to each Slack user.

Netlify

We currently have two Netlify sites, both on different accounts.

cert-manager.netlify.app is the main Netlify site and is tied to Jetstack's organizational account, owned by Venafi. The cert-manager maintainers at Venafi can get access but this isn't available to other maintainers because the same org account is used for some Jetstack-internal sites.

We will migrate away from the old org when possible.

This account is used to publish the website at https://cert-manager.io. It also creates a preview site for PRs opened against the master branch; the preview link is shown in the GitHub checks at the bottom of the PR UI. It is configured both through the Netlify console UI and through the website repository (the _redirects file).

Our secondary account is cert-manager-website.netlify.app, which will be the destination for the site after it's moved away from the old org. This account's credentials are stored in Venafi's 1password org.

ArtifactHub

We distribute our built helm charts on ArtifactHub.

Login details are stored in Venafi 1password.

Algolia

Algolia provides an API for searching the cert-manager website. We're on DocSearch, which is Algolia's free tool for open-source projects.

The cert-manager maintainers have access to configure Algolia. Access is managed manually and can be granted by another maintainer.

Configured here: https://crawler.algolia.com/admin/crawlers

The Algolia app (Team, API Keys) can be configured here: https://www.algolia.com/apps/01YP6XYAE7/dashboard

The Algolia API Key must be configured as an environment variable in Netlify.

The other Algolia settings can be configured here: https://github.com/cert-manager/website/blob/master/netlify.toml

Google Cloud Platform

Hosts test infrastructure, release infrastructure, past releases, and DNS for our domains.

  • The infrastructure is managed by Terraform/Tofu, in the ./gcp directory of this repository (see its README for more details).
  • Some resources are still running in the Jetstack org, but we are actively moving them to the Terraform in this repository.

GitHub Org

The cert-manager GitHub org holds all project repos. Configuration is done by admins, and the list of admins should match the membership of the cert-manager-maintainers Google group.

We also have a bot - jetstack-bot - with high levels of access to the cert-manager org. It may have been manually set up and might require further documentation to detail what it does, what it requires and why we have it.

CNCF Maintainers

At the very least, all recognised cert-manager maintainers should be listed in the CNCF project-maintainers.csv.

This can be added to by existing maintainers, such as in this PR.

There are also CNCF mailing lists, although we don't currently have an exhaustive list of which ones are relevant.

Social Media

Credentials for all social media accounts are stored in Venafi's 1password.

Twitter / X

@CertManager is used by maintainers to tweet about important releases or community updates.

Mastodon / infosec.exchange

@CertManager@infosec.exchange is used by maintainers to toot about important releases or community updates.

cert-manager YouTube Account

All cert-manager maintainers should be able to access the cert-manager brand YouTube account if desired. Access is managed by existing maintainers who can administer that account by visiting the Brand Accounts page.

Note that to upload videos or do other actions, you need to click on your profile in the top right of YouTube and "switch account" to the cert-manager brand account.

Currently, videos from biweekly meetings are being manually uploaded to YouTube by maintainers.

TestGrid

Testgrid is hosted here with dashboards for all supported releases.

Configuration is updated with PRs like this one, which are generated by this prow job.

There's also testgrid config in the testing repo.

Open Collective

On 4 May 2022 we opened an Open Collective account for the cert-manager organization in order to manage the funds for our Google Season of Docs 2022 project.

We set up the account as an Open Source Collective, with Open Collective as our fiscal host. This means they hold funds on our behalf. No fees from Open Source Collective will apply to our GSoD grant payment. You can read more at GSoD: Grants for organizations.

At time of writing Richard Wall and Mael Valais are administrators.