All infrastructure required by the cert-manager project. This includes:
- infrastructure-as-code (Terraform)
- details of services used by the project
As a project, cert-manager relies on several external services for different tasks. Some of these have access controls; access should ideally be granted to any recognised cert-manager maintainer.
Here, we list any services we know about and the method by which we change / configure / interact with those services.
cert-manager-maintainers is the ultimate decider of who is a recognised maintainer.
All other memberships should be based on this group, and if a maintainer retires from the project, they should be removed from this group.
There should be automation added to ensure that members of this group are:
- able to access any secrets they need (e.g. login credentials)
- listed in the CNCF Maintainers list (see details below)
- admins of the cert-manager GitHub org.
- owners of other cert-manager Google Groups
This group is managed by existing group owners.
cert-manager-security is the single point of contact for people wanting to report security vulnerabilities, as documented in the Vulnerability Reporting Process.
Members of this group should also be maintainers, so this group should be a subset of cert-manager-maintainers.
Managed by existing group owners.
cert-manager-dev is the open-to-the-public group encompassing anyone who is interested in cert-manager development. It's a place for people to ask questions and get updates about the project, outside of Slack.
Owners should be those in the cert-manager-maintainers group, but anyone is free to join the group.
There's a CNCF-hosted mailing list for cert-manager maintainers on groups.io.
It contains a mixture of CNCF people and cert-manager people. In the future it might be good to sync this mailing list with the cert-manager-maintainers Google Group.
Maintainers get access to the cert-manager team on 1Password and are all given the "Owner" role. 1Password offers a free team plan for open-source projects. The team URL is https://cert-manager.1password.com.
Currently, cert-manager container images are hosted on quay.io under the Jetstack organization, which is controlled by Venafi. Admin credentials are available in the cert-manager 1Password team.
It's a goal of the cert-manager project to migrate images to be hosted under a cert-manager organization, but this introduces non-trivial operational challenges which we'd have to face to perform a migration.
cert-manager container images are pushed to Quay via a robot account which is configured in Google Cloud Build.
Other projects (e.g. trust-manager, csi-driver) use GitHub Actions to automatically build their OCI images and push them to quay.io, using scoped quay.io robot credentials stored as GitHub Actions secrets.
We are using Zoom for the dev biweekly meetings. The CNCF pays for a Zoom Pro account. The email is cncf-certmanager-project@cncf.io, and the password is in the cert-manager 1Password team.
The dev biweekly meetings show on the CNCF calendar. This calendar is manually managed by the CNCF through the CNCF service desk. Changes to the invitations sent to cert-manager-dev@googlegroups.com need to be manually propagated by opening a ticket on the CNCF service desk.
We have 2 Slack channels on Kubernetes Slack:
- cert-manager for user questions, chat and support
- cert-manager-dev for discussion on cert-manager development.
Administration of both is done by Kubernetes Slack admins.
Maintainers should also have access to the CNCF Slack, although this isn't used much.
We also have the Slack user group @cert-manager-maintainers defined in kubernetes/community#7360.
The list of Slack usernames in this file was derived from the GitHub usernames and may need some adjustments, since Slack usernames are private to each Slack user.
The main site cert-manager.io is served through Netlify and lives in the CNCF-owned "CNCF Projects 2" Netlify organisation. An account with Developer permissions for this website is stored in the cert-manager 1Password team.
We distribute our built helm charts on ArtifactHub.
Login details are stored in the cert-manager 1Password team.
Algolia provides the API used for searching the cert-manager website. We use DocSearch, Algolia's free tool for open-source projects.
The cert-manager maintainers have access to configure Algolia through a login stored in the cert-manager 1Password team.
Crawlers can be configured here: https://crawler.algolia.com/admin/crawlers
The Algolia app (Team, API Keys) can be configured here: https://www.algolia.com/apps/01YP6XYAE7/dashboard
The Algolia API Key must be configured as an environment variable in Netlify.
The other Algolia settings can be configured here: https://github.com/cert-manager/website/blob/master/netlify.toml
Google Cloud hosts test infrastructure, release infrastructure, past releases, and DNS for our domains.
- The infrastructure is managed by Terraform/OpenTofu, in the ./gcp directory of this repository (see its README for more details).
- Some resources are still running in the Jetstack org, but we are actively moving them to the Terraform in this repository.
The cert-manager GitHub org holds all project repos. Configuration is done by admins, and the list of admins should match the membership of the cert-manager-maintainers Google group.
We also have a bot, cert-manager-bot, with high levels of access to the cert-manager org. It is used by Prow (e.g. the mounted bot PAT) in combination with the cert-manager-prow GitHub App (e.g. the mounted GitHub App token).
At the very least, all recognised cert-manager maintainers should be listed in the CNCF project-maintainers.csv.
This can be added to by existing maintainers, such as in this PR.
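The membership rules above (maintainers group as the source of truth, cert-manager-security a subset of it, GitHub org admins matching it, every maintainer present in the CNCF project-maintainers.csv) are exactly the kind of check the "automation" mentioned earlier would run. The script below is an added example, not tooling from the cert-manager project. It works on constructed sample data embedded inline: the e-mail addresses, GitHub logins, the login-to-e-mail mapping and the CSV column names (`project`, `name`, `email`) are all assumptions for the illustration; in practice the inputs would be exported from Google Groups, the GitHub org and the CNCF repository, and the real CSV header should be checked before relying on it.

```python
"""Membership drift audit with cert-manager-maintainers as the single source of truth.

Added example, not cert-manager project code. All membership data below is
constructed sample data, not real maintainers.
"""
import csv
import io

# --- constructed sample data -------------------------------------------------

# Source of truth: the cert-manager-maintainers Google Group.
MAINTAINERS_GROUP = {"alice@example.com", "bob@example.com", "carol@example.com"}

# Must be a subset of the maintainers group.
SECURITY_GROUP = {"alice@example.com", "erin@example.com"}

# GitHub org admins are identified by login. A mapping from login to the
# e-mail used in the Google Group is assumed to be maintained alongside.
GITHUB_ORG_ADMINS = {"alice-gh", "bob-gh", "dave-gh"}
GITHUB_LOGIN_TO_EMAIL = {
    "alice-gh": "alice@example.com",
    "bob-gh": "bob@example.com",
    "dave-gh": "dave@example.com",  # retired maintainer whose admin access was never removed
}

# Excerpt shaped like the CNCF project-maintainers.csv; the column names are
# an assumption for this example.
CNCF_MAINTAINERS_CSV = """\
project,name,email
cert-manager,Alice,alice@example.com
cert-manager,Bob,bob@example.com
other-project,Zed,zed@example.com
"""


def cncf_listed_emails(csv_text: str, project: str = "cert-manager") -> set[str]:
    """Return the e-mail addresses listed for `project` in the CNCF CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["email"].strip().lower() for row in reader if row["project"] == project}


def audit(maintainers, security, gh_admins, gh_login_to_email, cncf_csv):
    """Compare every downstream access list against the maintainers group.

    Returns a dict of finding-name -> set of identities; empty means no drift.
    """
    findings = {}

    # cert-manager-security members who are not maintainers.
    not_maintainers = security - maintainers
    if not_maintainers:
        findings["security_not_maintainer"] = not_maintainers

    # Admin logins with no e-mail mapping cannot be checked at all; flag them.
    unmapped = {login for login in gh_admins if login not in gh_login_to_email}
    if unmapped:
        findings["github_admin_unmapped"] = unmapped
    admin_emails = {gh_login_to_email[login] for login in gh_admins if login in gh_login_to_email}

    # Admins who are not maintainers: stale privileged access, the direction that matters most.
    extra_admins = admin_emails - maintainers
    if extra_admins:
        findings["github_admin_not_maintainer"] = extra_admins

    # Maintainers who lack org admin.
    missing_admins = maintainers - admin_emails
    if missing_admins:
        findings["maintainer_not_github_admin"] = missing_admins

    # Maintainers absent from the CNCF maintainers list.
    missing_cncf = maintainers - cncf_listed_emails(cncf_csv)
    if missing_cncf:
        findings["maintainer_not_in_cncf_csv"] = missing_cncf

    return findings


def run_sample_audit():
    """Run the audit over the constructed sample data."""
    return audit(MAINTAINERS_GROUP, SECURITY_GROUP, GITHUB_ORG_ADMINS,
                 GITHUB_LOGIN_TO_EMAIL, CNCF_MAINTAINERS_CSV)


if __name__ == "__main__":
    for check, members in sorted(run_sample_audit().items()):
        print(f"{check}: {', '.join(sorted(members))}")
```

On the sample data the audit reports erin as a security-group member who is not a maintainer, dave as an org admin who is not a maintainer, and carol as a maintainer who is neither an org admin nor in the CNCF CSV. The "not a maintainer but still has access" findings are the ones worth alerting on; the "maintainer lacks access" findings are onboarding gaps.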
There are also CNCF mailing lists, although we don't currently have an exhaustive list of which ones are relevant.
Credentials for all social media accounts are stored in the cert-manager 1Password team.
@CertManager is used by maintainers to tweet about important releases or community updates. The password for the account is available in the cert-manager 1Password team.
@CertManager@infosec.exchange is used by maintainers to toot about important releases or community updates. The password for the account is available in the cert-manager 1Password team.
All cert-manager maintainers should be able to access the cert-manager brand YouTube account if desired. Access is managed by existing maintainers who can administer that account by visiting the Brand Accounts page.
Note that to upload videos or do other actions, you need to click on your profile in the top right of YouTube and "switch account" to the cert-manager brand account.
Currently, videos from biweekly meetings are being manually uploaded to YouTube by maintainers.
Testgrid is hosted here with dashboards for all supported releases.
The testgrid config lives in the testing repo.
Testgrid loads the data from a GCS bucket, gs://cert-manager-prow-testgrid/. A reference to this bucket is configured in canary.yaml and prod.yaml.
On 4 May 2022 we opened an Open Collective account for the cert-manager organization in order to manage the funds for our Google Season of Docs 2022 project.
We set up the account as an Open Source Collective, with Open Collective as our fiscal host. This means they hold funds on our behalf. No fees from Open Source Collective will apply to our GSoD grant payment. You can read more at GSoD: Grants for organizations.
At time of writing Richard Wall and Mael Valais are administrators.