All infrastructure required by the cert-manager project. This includes:
As a project, cert-manager relies on several external services for different tasks. Some require access controls, which should ideally be open to any recognised cert-manager maintainer.
Here, we list any services we know about and the method by which we change / configure / interact with those services.
cert-manager-maintainers is the ultimate decider of who's a recognised maintainer. All other memberships should be based off this group, and if a maintainer retires from the project, they should be removed from this group.
There should be automation added to ensure that members of this group are:
This group is managed by existing group owners.
cert-manager-security is the single point of contact for people wanting to report security vulnerabilities, as documented in the Vulnerability Reporting Process. Members of this group should also be maintainers, and thus this group should be a subset of cert-manager-maintainers.
This group is managed by existing group owners.
cert-manager-dev is the open-to-the-public group encompassing anyone who's interested in cert-manager development. It's a place for people to ask questions and get updates about the project, outside of Slack.
Owners should be those in the cert-manager-maintainers group, but anyone is free to join the group.
There's a CNCF-hosted mailing list for cert-manager maintainers which uses groups.io. It contains a mixture of CNCF people and cert-manager people. In the future it might be good to sync this mailing list with the cert-manager-maintainers Google group.
Maintainers get access to the cert-manager team on 1Password and are all given the "Owner" role. 1Password offers a free team plan for open-source projects. The team URL is https://cert-manager.1password.com.
Currently, cert-manager container images are hosted on quay.io under the Jetstack organization which is controlled by Venafi. Admin credentials are available on the cert-manager 1Password team.
It's a goal of the cert-manager project to migrate images to be hosted under a cert-manager organization, but this introduces non-trivial operational challenges which we'd have to face to perform a migration.
cert-manager container images are pushed to Quay via a robot account which is configured in Google Cloud Build.
Other projects (e.g. trust-manager, csi-driver, etc.) tend to be built locally and pushed using local credentials. It's a long-term ambition to change this in all instances so that every image is built and pushed by automation rather than from a maintainer's machine.
We are using Zoom for the dev biweekly meetings. The CNCF pays for a Zoom pro account. The email is cncf-certmanager-project@cncf.io, and the password is in the cert-manager 1Password team.
The dev biweekly meetings show on the CNCF calendar. This calendar is manually managed by the CNCF through the CNCF service desk. Changes to the invitations sent to cert-manager-dev@googlegroups.com need to be manually propagated by opening a ticket on the CNCF service desk.
We have 2 Slack channels on Kubernetes Slack:
- cert-manager, for user questions, chat and support
- cert-manager-dev, for discussion on cert-manager development
Administration of both is done by Kubernetes Slack admins.
Maintainers should also have access to the CNCF slack, although this isn't used much.
We also have the Slack user group @cert-manager-maintainers defined in kubernetes/community#7360. The list of Slack usernames in this file was extracted from the GitHub usernames and might need some adjustments, since the Slack usernames are private to each Slack user.
We currently have two Netlify sites, each on a different organization.
cert-manager.netlify.app (named cert-manager.io) is the main Netlify site and belongs to the organization "Jetstack Platform", which is owned and paid for by Venafi (it has the Pro tier). This organization is used to publish the website on https://cert-manager.io/. It also creates a preview site for PRs that are opened against the master branch; the preview link can be seen in the GitHub checks at the bottom of the PR UI. It is configured through the Netlify console UI and also through the website repository (the _redirects file).
cert-manager-website.netlify.app (named cert-manager-website) belongs to the organization "cert-manager-maintainers" and uses the free Starter plan. This site doesn't serve any purpose at the moment. It will be the destination for the site "cert-manager.io" once we migrate it away from the "Jetstack Platform" organization. This account's credentials are stored in the cert-manager 1Password team.
All cert-manager maintainers can get access to both organizations, "Jetstack Platform" and "cert-manager-maintainers", by using the cert-manager 1Password team.
We will migrate the site cert-manager.io away from the old org ("Jetstack Platform") to the new org ("cert-manager-maintainers") when possible.
We distribute our built helm charts on ArtifactHub.
Login details are stored in the cert-manager 1Password team.
Algolia provides an API for searching the cert-manager website. We use DocSearch, which is Algolia's free tool provided to open-source projects.
The cert-manager maintainers have access to configure Algolia. Access is managed manually and can be granted by another maintainer.
Configured here: https://crawler.algolia.com/admin/crawlers
The Algolia app (Team, API Keys) can be configured here: https://www.algolia.com/apps/01YP6XYAE7/dashboard
The Algolia API Key must be configured as an environment variable in Netlify.
The other Algolia settings can be configured here: https://github.com/cert-manager/website/blob/master/netlify.toml
Google Cloud hosts test infrastructure, release infrastructure, past releases, and DNS for our domains. The ./gcp directory of this repository holds the related configuration (see its README for more details).
The cert-manager GitHub org holds all project repos. Configuration is done by admins, and the list of admins should match the membership of the cert-manager-maintainers Google group.
We also have a bot, jetstack-bot, with high levels of access to the cert-manager org. It may have been manually set up and might require further documentation to detail what it does, what it requires and why we have it.
At the very least, all recognised cert-manager maintainers should be listed in the CNCF project-maintainers.csv. This can be added to by existing maintainers, such as in this PR.
There are also CNCF mailing lists, although we don't currently have an exhaustive list of which ones are relevant.
Credentials for all social media accounts are stored in the cert-manager 1Password team.
@CertManager is used by maintainers to tweet about important releases or community updates. The password for the account is available in the cert-manager 1Password team.
@CertManager@infosec.exchange is used by maintainers to toot about important releases or community updates. The password for the account is available in the cert-manager 1Password team.
All cert-manager maintainers should be able to access the cert-manager brand YouTube account if desired. Access is managed by existing maintainers who can administer that account by visiting the Brand Accounts page.
Note that to upload videos or do other actions, you need to click on your profile in the top right of YouTube and "switch account" to the cert-manager brand account.
Currently, videos from biweekly meetings are being manually uploaded to YouTube by maintainers.
Testgrid is hosted here with dashboards for all supported releases.
Configuration is updated with PRs like this one, which are generated by this prow job.
There's also testgrid config in the testing repo.
On 4 May 2022 we opened an Open Collective account for the cert-manager organization in order to manage the funds for our Google Season of Docs 2022 project.
We set up the account as an Open Source Collective, with Open Collective as our fiscal host. This means they hold funds on our behalf. No fees from Open Source Collective will apply to our GSoD grant payment. You can read more at GSoD: Grants for organizations.
At the time of writing, Richard Wall and Mael Valais are administrators.