{"id":19039903,"url":"https://github.com/cert-manager/infrastructure","last_synced_at":"2025-07-27T01:03:49.737Z","repository":{"id":39584677,"uuid":"374966235","full_name":"cert-manager/infrastructure","owner":"cert-manager","description":"cert-manager infrastructure","archived":false,"fork":false,"pushed_at":"2025-06-12T08:02:07.000Z","size":131,"stargazers_count":5,"open_issues_count":0,"forks_count":9,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-07-03T02:27:58.294Z","etag":null,"topics":["infrastructure","infrastructure-as-code"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cert-manager.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-06-08T10:09:42.000Z","updated_at":"2025-06-12T08:02:11.000Z","dependencies_parsed_at":"2024-01-17T23:30:42.111Z","dependency_job_id":"47079b11-e83e-498e-ac2c-99bde3558aad","html_url":"https://github.com/cert-manager/infrastructure","commit_stats":{"total_commits":54,"total_committers":8,"mean_commits":6.75,"dds":0.7962962962962963,"last_synced_commit":"edf011a86155ce6a34e0006b2455534f4e1ece0b"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/cert-manager/infrastructure","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cert-manager%2Finfrastructure","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cert-manager%2Finfrastructure/tags","releases_url":"https://repos.ecosyste.ms
/api/v1/hosts/GitHub/repositories/cert-manager%2Finfrastructure/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cert-manager%2Finfrastructure/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cert-manager","download_url":"https://codeload.github.com/cert-manager/infrastructure/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cert-manager%2Finfrastructure/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264083999,"owners_count":23554925,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["infrastructure","infrastructure-as-code"],"created_at":"2024-11-08T22:19:26.744Z","updated_at":"2025-07-27T01:03:49.656Z","avatar_url":"https://github.com/cert-manager.png","language":"HCL","funding_links":["https://opencollective.com/cert-manager"],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png\" height=\"256\" width=\"256\" alt=\"cert-manager project logo\" /\u003e\n\u003c/p\u003e\n\n# cert-manager Infrastructure\n\nAll infrastructure required by the cert-manager project. This includes:\n\n- infrastructure-as-code (Terraform)\n- details of services used by the project\n\n## Services We Use\n\nAs a project, cert-manager relies on several external services for different tasks. 
Some require\naccess controls, which should ideally be open to any recognised cert-manager maintainer.\n\nHere, we list any services we know about and the method by which we change / configure / interact with those services.\n\n### Google Groups: cert-manager-maintainers\n\n[`cert-manager-maintainers`](https://groups.google.com/g/cert-manager-maintainers) is the ultimate decider of who's a recognised maintainer.\nAll other memberships should be based off this group, and if a maintainer retires from the project, they should be removed from this group.\n\nThere should be automation added to ensure that members of this group are:\n\n- able to access any secrets they need (e.g. login credentials)\n- listed in the CNCF Maintainers list (see details below)\n- admins of the cert-manager GitHub org.\n- owners of other cert-manager Google Groups\n\nThis group is managed by existing group owners.\n\n### Google Groups: cert-manager-security\n\n[`cert-manager-security`](https://groups.google.com/g/cert-manager-security) is the single point of contact for people wanting to report\nsecurity vulnerabilities, as documented in the [Vulnerability Reporting Process](https://github.com/jetstack/cert-manager/blob/master/SECURITY.md).\n\nMembers of this group should also be maintainers, and thus this group should be a subset of `cert-manager-maintainers`.\n\nManaged by existing group owners.\n\n### Google Groups: cert-manager-dev\n\n[`cert-manager-dev`](https://groups.google.com/g/cert-manager-dev) is the open-to-the-public group encompassing anyone who's interested\nin cert-manager development. 
It's a place for people to ask questions and get updates about the project, outside of Slack.\n\nOwners should be those in the `cert-manager-maintainers` group, but anyone is free to join the group.\n\n### Mailing Lists: cncf-cert-manager-maintainers\n\nThere's a [CNCF-hosted mailing list](https://lists.cncf.io/g/cncf-cert-manager-maintainers/directory) for cert-manager maintainers\nwhich uses groups.io\n\nIt contains a mixture of CNCF people and cert-manager people. In the future it might be good to sync this mailing list with\nthe cert-manager-maintainers Google group.\n\n## 1Password\n\nMaintainers get access to the cert-manager team on 1Password and are equally given the \"Owner\" role.\n1Password offers a free team plan for open-source projects. The team URL is https://cert-manager.1password.com.\n\n### Quay\n\nCurrently, cert-manager container images are hosted on quay.io under the Jetstack organization which is controlled by Venafi. Admin\ncredentials are available on the cert-manager 1Password team.\n\nIt's a goal of the cert-manager project to migrate images to be hosted under a `cert-manager` organization, but this introduces\nnon-trivial operational challenges which we'd have to face to perform a migration.\n\ncert-manager container images are pushed to Quay via a robot account which is configured in Google Cloud Build.\n\nOther projects (e.g. trust-manager, csi-driver, etc) use GitHub actions to automatically build their OCI images and push them to quay.io (using scoped quay.io robot credentials available as GH action secrets).\n\n### Zoom\n\nWe are using Zoom for the dev biweekly meetings. The CNCF pays for a Zoom pro account. The email is `cncf-certmanager-project@cncf.io`,\nand the password is in the cert-manager 1Password team.\n\n### CNCF Calendar\n\nThe dev biweekly meetings show on the [CNCF calendar]([https://www.cncf.io/calendar/](https://tockify.com/cncf.public.events/monthly?search=cert-manager)). 
This calendar is manually managed by the CNCF through the CNCF service desk. Changes to the invitations sent to `cert-manager-dev@googlegroups.com` need to be manually propagated by opening a ticket on the CNCF service desk.\n\n### Slack\n\nWe have 2 Slack channels on Kubernetes Slack:\n\n- [`cert-manager`](https://kubernetes.slack.com/archives/C4NV3DWUC) for user questions, chat and support\n- [`cert-manager-dev`](https://kubernetes.slack.com/archives/CDEQJ0Q8M) for discussion on cert-manager development.\n\nAdministration of both is done by Kubernetes Slack admins.\n\nMaintainers should also have access to the [CNCF Slack](https://cloud-native.slack.com/archives/C08PSKWQL), although this isn't used much.\n\nWe also have the Slack user group `@cert-manager-maintainers` defined in [kubernetes/community#7360](https://github.com/kubernetes/community/issues/7360).\nThe list of Slack usernames in this file was extracted from the GitHub usernames and it\nmight need some adjustments since the Slack usernames are private to each Slack user.\n\n### Netlify\n\nThe main site `cert-manager.io` is served through Netlify and lives in the CNCF-owned \"CNCF Projects 2\" Netlify organisation. An account with Developer permissions for this website is stored in the cert-manager 1Password team.\n\n### ArtifactHub\n\nWe distribute our built Helm charts [on ArtifactHub](https://artifacthub.io/packages/helm/cert-manager/cert-manager).\n\nLogin details are stored in the cert-manager 1Password team.\n\n### Algolia\n\nProvides an API for searching the cert-manager website. 
We're in [DocSearch](https://docsearch.algolia.com/docs/what-is-docsearch/)\nwhich is Algolia's free tool provided to open-source projects.\n\nThe cert-manager maintainers have access to configure Algolia through a login stored in the cert-manager 1Password team.\n\nCrawlers can be configured here: [https://crawler.algolia.com/admin/crawlers](https://crawler.algolia.com/admin/crawlers)\n\nThe Algolia app (Team, API Keys) can be configured here: [https://www.algolia.com/apps/01YP6XYAE7/dashboard](https://www.algolia.com/apps/01YP6XYAE7/dashboard)\n\nThe Algolia API Key must be configured as an environment variable in Netlify.\n\nThe other Algolia settings can be configured here: [https://github.com/cert-manager/website/blob/master/netlify.toml](https://github.com/cert-manager/website/blob/master/netlify.toml)\n\n### Google Cloud Platform\n\nHosts test infrastructure, release infrastructure, past releases, and DNS for our domains.\n\n- The infrastructure is managed by Terraform/Tofu, in the `./gcp` directory of this repository (see [README](./gcp/README.md) for more details).\n- Some resources are still running in the Jetstack org, but we are actively moving them to the Terraform in this repository.\n\n### GitHub Org\n\nThe [cert-manager GitHub org](https://github.com/cert-manager/) holds all project repos. Configuration is done by admins, and the list of admins should\nmatch the membership of the cert-manager-maintainers Google group.\n\nWe also have a bot - `cert-manager-bot` - with high levels of access to the cert-manager org. It is used by prow (e.g. [the mounted bot PAT](https://github.com/cert-manager/testing/blob/091d46e46d154f8d77401b108b61383080a80777/prow/cluster/cherrypicker_deployment.yaml#L74-L76)) in combination with the cert-manager-prow GitHub app (e.g. 
[the mounted GH app token](https://github.com/cert-manager/testing/blob/091d46e46d154f8d77401b108b61383080a80777/prow/cluster/tide_deployment.yaml#L58-L60)).\n\n### CNCF Maintainers\n\nAt the very least, all recognised cert-manager maintainers should be listed in the CNCF [`project-maintainers.csv`](https://github.com/cncf/foundation/blob/main/project-maintainers.csv).\n\nThis can be added to by existing maintainers, such as in [this PR](https://github.com/cncf/foundation/pull/213).\n\nThere are also CNCF mailing lists, although we don't currently have an exhaustive list of which ones are relevant.\n\n### Social Media\n\nCredentials for all social media accounts are stored in the cert-manager 1Password team.\n\n#### Twitter / X\n\n[`@CertManager`](https://twitter.com/CertManager/) is used by maintainers to tweet about\nimportant releases or community updates. The password for the account is available in the\ncert-manager 1Password team.\n\n#### Mastodon / infosec.exchange\n\n[`@CertManager@infosec.exchange`](https://infosec.exchange/@CertManager) is used by maintainers\nto toot about important releases or community updates. The password for the account is available\nin the cert-manager 1Password team.\n\n### cert-manager YouTube Account\n\nAll cert-manager maintainers should be able to access the cert-manager [brand YouTube account](https://www.youtube.com/channel/UCNPMkzGrAsQxVUFMPn7n88Q)\nif desired. 
Access is managed by existing maintainers who can administer that account by visiting the\n[Brand Accounts](https://myaccount.google.com/brandaccounts) page.\n\nNote that to upload videos or do other actions, you need to click on your profile in the top right of YouTube\nand \"switch account\" to the cert-manager brand account.\n\nCurrently, videos from biweekly meetings are being manually uploaded to YouTube by maintainers.\n\n### TestGrid\n\nTestgrid is hosted [here](https://testgrid.k8s.io/cert-manager) with dashboards for all supported releases.\n\nThe testgrid config lives in the [testing repo](https://github.com/cert-manager/testing/blob/091d46e46d154f8d77401b108b61383080a80777/config/testgrid/dashboards.yaml).\n\nTestgrid loads the data from a GCS bucket `gs://cert-manager-prow-testgrid/`. A reference to this bucket is configured here: [canary.yaml](https://github.com/kubernetes/test-infra/blob/f866c8dd811c9ed6339d9b3e353a4205a8aa8bbf/config/mergelists/canary.yaml#L13-L14) and [prod.yaml](https://github.com/kubernetes/test-infra/blob/f866c8dd811c9ed6339d9b3e353a4205a8aa8bbf/config/mergelists/prod.yaml#L13-L14).\n\n### Open Collective\n\nOn 4 May 2022 we opened an [Open Collective account for the cert-manager organization][Open Collective cert-manager page]\nin order to [manage the funds][GSoD: Grants for organizations] for our [Google Season of Docs 2022 project][].\n\nWe set up the account as an _Open Source Collective_,  with Open Collective as our fiscal host.\nThis means they hold funds on our behalf.\nNo fees from Open Source Collective will apply to our GSoD grant payment.\nYou can read more at [GSoD: Grants for organizations][].\n\nAt time of writing [Richard Wall](https://github.com/wallrj) and [Mael Valais](https://github.com/maelvls) are administrators.\n\n[Open Collective cert-manager page]: https://opencollective.com/cert-manager\n[Google Season of Docs 2022 project]: 
https://cert-manager.io/docs/contributing/google-season-of-docs/2022/improve-navigation-and-structure/index\n[GSoD: Grants for organizations]: https://developers.google.com/season-of-docs/docs/org-payments\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcert-manager%2Finfrastructure","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcert-manager%2Finfrastructure","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcert-manager%2Finfrastructure/lists"}