cert-manager Infrastructure

All infrastructure required by the cert-manager project. This includes:

  • infrastructure-as-code (Terraform)
  • details of services used by the project

Services We Use

As a project, cert-manager relies on several external services for different tasks. Some of them are access-controlled; ideally, any recognised cert-manager maintainer should be able to get access to those.

Here, we list any services we know about and the method by which we change / configure / interact with those services.

Google Groups: cert-manager-maintainers

cert-manager-maintainers is the ultimate decider of who's a recognised maintainer. All other memberships should be based on this group, and if a maintainer retires from the project, they should be removed from this group.

There should be automation added to ensure that members of this group are:

  • able to access any secrets they need (e.g. login credentials)
  • listed in the CNCF Maintainers list (see details below)
  • admins of the cert-manager GitHub org
  • owners of other cert-manager Google Groups

This group is managed by existing group owners.

Google Groups: cert-manager-security

cert-manager-security is the single point of contact for people wanting to report security vulnerabilities, as documented in the Vulnerability Reporting Process.

Members of this group should also be maintainers, and thus this group should be a subset of cert-manager-maintainers.

Managed by existing group owners.

Google Groups: cert-manager-dev

cert-manager-dev is the open-to-the-public group encompassing anyone who's interested in cert-manager development. It's a place for people to ask questions and get updates about the project, outside of Slack.

Owners should be those in the cert-manager-maintainers group, but anyone is free to join the group.

Mailing Lists: cncf-cert-manager-maintainers

There's a CNCF-hosted mailing list for cert-manager maintainers which uses groups.io.

It contains a mixture of CNCF people and cert-manager people. In the future it might be good to sync this mailing list with the cert-manager-maintainers Google group.

1Password

Maintainers get access to the cert-manager team on 1Password and are also given the "Owner" role. 1Password offers a free team plan for open-source projects. The team URL is https://cert-manager.1password.com.

Quay

Currently, cert-manager container images are hosted on quay.io under the Jetstack organization which is controlled by Venafi. Admin credentials are available on the cert-manager 1Password team.

It's a goal of the cert-manager project to migrate the images to be hosted under a cert-manager organization, but doing so introduces non-trivial operational challenges that we would have to address before performing a migration.

cert-manager container images are pushed to Quay via a robot account which is configured in Google Cloud Build.

Other projects (e.g. trust-manager, csi-driver, etc) use GitHub actions to automatically build their OCI images and push them to quay.io (using scoped quay.io robot credentials available as GH action secrets).
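As an added illustration of that pattern, and not a workflow taken from any cert-manager repository, the following GitHub Actions workflow builds an image on a version tag and pushes it to quay.io using a robot account whose credentials live in repository secrets. The repository name `quay.io/example-org/example-project` and the secret names `QUAY_ROBOT_USERNAME` / `QUAY_ROBOT_TOKEN` are placeholders chosen for this example; the robot account is assumed to have write access to that single quay.io repository only.

```yaml
# Added example (not cert-manager's own workflow): build an OCI image on a
# version tag and push it to quay.io with a scoped robot account.
# Assumed names: the quay.io repository "quay.io/example-org/example-project",
# and the GitHub Actions secrets QUAY_ROBOT_USERNAME / QUAY_ROBOT_TOKEN,
# which hold the credentials of a robot account granted write access to
# that single repository only.
name: release-image

on:
  push:
    tags:
      - "v*"

# The job only needs to read the checked-out source; registry credentials
# come from secrets, so GITHUB_TOKEN stays read-only.
permissions:
  contents: read

jobs:
  push-image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      # Authenticate with the robot account, never with a personal quay.io password.
      - uses: docker/login-action@v3
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_ROBOT_USERNAME }}
          password: ${{ secrets.QUAY_ROBOT_TOKEN }}

      # Tag the pushed image with the git tag that triggered the run.
      - uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: quay.io/example-org/example-project:${{ github.ref_name }}
```

The point of the scoping is blast radius: if the token in `QUAY_ROBOT_TOKEN` leaks from this repository, it can only push to the one quay.io repository the robot was granted, and it can be rotated in quay.io without affecting the credentials used by other projects or by the Google Cloud Build pipeline.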

Zoom

We are using Zoom for the dev biweekly meetings. The CNCF pays for a Zoom pro account. The email is cncf-certmanager-project@cncf.io, and the password is in the cert-manager 1Password team.

CNCF Calendar

The dev biweekly meetings show on the CNCF calendar. This calendar is manually managed by the CNCF through the CNCF service desk. Changes to the invitations sent to cert-manager-dev@googlegroups.com need to be manually propagated by opening a ticket on the CNCF service desk.

Slack

We have 2 Slack channels on Kubernetes slack:

Administration of both is done by Kubernetes slack admins.

Maintainers should also have access to the CNCF slack, although this isn't used much.

We also have the Slack user group @cert-manager-maintainers defined in kubernetes/community#7360. The list of Slack usernames in this file was extracted from the GitHub usernames and it might need some adjustments, since Slack usernames are private to each Slack user.

Netlify

The main site cert-manager.io is served through Netlify and lives in the CNCF-owned "CNCF Projects 2" Netlify organisation. An account with Developer permissions for this website is stored in the cert-manager 1Password team.

ArtifactHub

We distribute our built helm charts on ArtifactHub.

Login details are stored in the cert-manager 1Password team.

Algolia

Provides an API for searching the cert-manager website. We're in DocSearch, which is Algolia's free tool provided to open-source projects.

The cert-manager maintainers have access to configure Algolia through a login stored in the cert-manager 1Password team.

Crawlers can be configured here: https://crawler.algolia.com/admin/crawlers

The Algolia app (Team, API Keys) can be configured here: https://www.algolia.com/apps/01YP6XYAE7/dashboard

The Algolia API Key must be configured as an environment variable in Netlify. Only the search-only API key belongs there, since it ends up in the site's client-side search code; the admin API key should stay in the cert-manager 1Password team.

The other Algolia settings can be configured here: https://github.com/cert-manager/website/blob/master/netlify.toml

Google Cloud Platform

Hosts test infrastructure, release infrastructure, past releases, and DNS for our domains.

  • The infrastructure is managed by Terraform/OpenTofu, in the ./gcp directory of this repository (see its README for more details).
  • Some resources are still running in the Jetstack org, but we are actively moving them to the terraform in this repository.

GitHub Org

The cert-manager GitHub org holds all project repos. Configuration is done by admins, and the list of admins should match the membership of the cert-manager-maintainers Google group.

We also have a bot - cert-manager-bot - with high levels of access to the cert-manager org. It is used by prow (e.g. the mounted bot PAT) in combination with the cert-manager-prow GitHub app (e.g. the mounted GH app token).

CNCF Maintainers

At the very least, all recognised cert-manager maintainers should be listed in the CNCF project-maintainers.csv.

This can be added to by existing maintainers, such as in this PR.

There are also CNCF mailing lists, although we don't currently have an exhaustive list of which ones are relevant.

Social Media

Credentials for all social media accounts are stored in the cert-manager 1Password team.

Twitter / X

@CertManager is used by maintainers to tweet about important releases or community updates. The password for the account is available in the cert-manager 1Password team.

Mastodon / infosec.exchange

@CertManager@infosec.exchange is used by maintainers to toot about important releases or community updates. The password for the account is available in the cert-manager 1Password team.

cert-manager YouTube Account

All cert-manager maintainers should be able to access the cert-manager brand YouTube account if desired. Access is managed by existing maintainers who can administer that account by visiting the Brand Accounts page.

Note that to upload videos or do other actions, you need to click on your profile in the top right of YouTube and "switch account" to the cert-manager brand account.

Currently, videos from biweekly meetings are being manually uploaded to YouTube by maintainers.

TestGrid

Testgrid is hosted here with dashboards for all supported releases.

The testgrid config lives in the testing repo.

Testgrid loads the data from a GCS bucket gs://cert-manager-prow-testgrid/. A reference to this bucket is configured here: canary.yaml and prod.yaml.

Open Collective

On 4 May 2022 we opened an Open Collective account for the cert-manager organization in order to manage the funds for our Google Season of Docs 2022 project.

We set up the account as an Open Source Collective, with Open Collective as our fiscal host. This means they hold funds on our behalf. No fees from Open Source Collective will apply to our GSoD grant payment. You can read more at GSoD: Grants for organizations.

At time of writing Richard Wall and Mael Valais are administrators.