diff --git a/content/en/docs/configuration/acme/http01/_index.md b/content/en/docs/configuration/acme/http01/_index.md index 26b4c39ac43..1c9101f8a16 100644 --- a/content/en/docs/configuration/acme/http01/_index.md +++ b/content/en/docs/configuration/acme/http01/_index.md @@ -10,7 +10,7 @@ type: "docs" 📌 This page focuses on solving ACME HTTP-01 challenges. If you are looking for how to automatically create Certificate resources by annotating Ingress or Gateway resources, see [Securing Ingress Resources](/docs/usage/ingress/) and -[Securing Gateway Resources](/docs/usage/gateway/). +[Securing Gateway Resources](../../../usage/gateway/). {{% /pageinfo %}} diff --git a/content/en/docs/contributing/release-process.md b/content/en/docs/contributing/release-process.md index 92749b08e20..32eda3ca016 100644 --- a/content/en/docs/contributing/release-process.md +++ b/content/en/docs/contributing/release-process.md @@ -87,7 +87,7 @@ release: 2. Install our [`cmrel`](https://github.com/cert-manager/release) CLI: ```sh - go install github.com/cert-manager/release/cmd/cmrel@master + go install github.com/cert-manager/release/cmd/cmrel@latest ``` 3. Clone the `cert-manager/release` repo: @@ -302,8 +302,9 @@ page if a step is missing or if it is outdated. ``` This step takes ~10 minutes. It will build all Docker images and create - all the manifest files and upload them to a storage bucket on Google - Cloud. These artifacts will be published and released in the next steps. + all the manifest files, sign Helm charts and upload everything to a storage + bucket on Google Cloud. These artifacts will then be published and released + in the next steps.

🔰 Remember to keep open the terminal where you run cmrel stage. Its output will be used in the next step. @@ -352,7 +353,7 @@ page if a step is missing or if it is outdated. ```sh # Must be run from the "cert-manager/release" repo folder. - cmrel publish --release-name "$CMREL_RELEASE_NAME" + cmrel publish --skip-signing --release-name "$CMREL_RELEASE_NAME" ``` You can view the progress by clicking the Google Cloud Build URL in the @@ -371,7 +372,8 @@ page if a step is missing or if it is outdated. ```bash # Must be run from the "cert-manager/release" repo folder. - cmrel publish --nomock --release-name "$CMREL_RELEASE_NAME" + # Skip signing while quay.io doesn't support cosign signatures + cmrel publish --nomock --skip-signing --release-name "$CMREL_RELEASE_NAME" ```

diff --git a/content/en/docs/installation/code-signing.md b/content/en/docs/installation/code-signing.md index 9bd80f06915..e0e86921efa 100644 --- a/content/en/docs/installation/code-signing.md +++ b/content/en/docs/installation/code-signing.md @@ -16,31 +16,19 @@ Signing keys required for verification are all available on this website, but th on the artifact you're trying to validate in the future. At the time of writing, all signing is done using the same underlying key. -## Container Images / Cosign - -For all cert-manager versions from `v1.6.0` and later, container images are verifiable using [`cosign`](https://docs.sigstore.dev/cosign/overview). - -The simplest way to verify signatures is to download the public key and then pass it to the cosign CLI: - -```console -curl -sSL https://cert-manager.io/public-keys/cert-manager-pubkey-2021-09-20.pem > cert-manager-pubkey-2021-09-20.pem -cosign verify -key cert-manager-pubkey-2021-09-20.pem quay.io/jetstack/cert-manager-controller -# repeat for other images as desired -``` - -For a more fully-featured signature verification process in Kubernetes, check out [`connaisseur`](https://sse-secure-systems.github.io/connaisseur/). - -- PEM-encoded public key: [`cert-manager-pubkey-2021-09-20.pem`](/public-keys/cert-manager-pubkey-2021-09-20.pem) - ## Helm Charts + -For all cert-manager versions from `v1.6.0` and later, helm charts are signed and verifiable through the helm CLI. +For all cert-manager versions from `v1.6.0` and later, Helm charts are signed and verifiable through the Helm CLI. The easiest way to verify is to grab the GPG keyring directly, which can then be passed into `helm verify` like so: 
@@ -49,5 +37,28 @@ curl -sSL https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-10 helm verify --keyring cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg /path/to/cert-manager-vx.y.z.tgz ``` -- ASCII-armored signing key: [`cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc`](/public-keys/cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc) -- GPG keyring: [`cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg`](/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg) +- ASCII-armored signing key: [`cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc`](../../../public-keys/cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc) +- GPG keyring: [`cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg`](../../../public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg) + +## Container Images / Cosign + +Soon, all container images which make up cert-manager will be verifiable using [`cosign`](https://docs.sigstore.dev/cosign/overview). + +Unfortunately, this isn't possible today because the images are hosted on `quay.io` which doesn't have the proper support for cosign signatures yet. When signatures are +added, this section will contain details of how to verify them. + + diff --git a/content/en/docs/installation/helm.md b/content/en/docs/installation/helm.md index dd3354d4da0..8cdeaff3c9f 100644 --- a/content/en/docs/installation/helm.md +++ b/content/en/docs/installation/helm.md 
@@ -82,7 +82,7 @@ $ helm install \ --create-namespace \ --version v1.5.4 \ --set prometheus.enabled=false \ # Example: disabling prometheus using a Helm parameter - --set webhook.timeoutSeconds=4s # Example: changing the wehbook timeout using a Helm parameter + --set webhook.timeoutSeconds=4 # Example: changing the wehbook timeout using a Helm parameter ``` Once you have deployed cert-manager, you can [verify](../verify/) the installation. diff --git a/content/en/docs/usage/certificate.md b/content/en/docs/usage/certificate.md index 9bf50e7043c..b8a3d850e6c 100644 --- a/content/en/docs/usage/certificate.md +++ b/content/en/docs/usage/certificate.md @@ -219,7 +219,7 @@ certificate object is reissued under the following circumstances: kubectl cert-manager renew cert-1 ``` Note that the above command requires the [kubectl - cert-manager](/docs/usage/kubectl-plugin/#renew) plugin. + cert-manager](../kubectl-plugin/#renew) plugin. {{% pageinfo color="warning" %}} @@ -227,7 +227,7 @@ certificate object is reissued under the following circumstances: **not a recommended solution** for manually rotating the private key. The recommended way to manually rotate the private key is to trigger the reissuance of the Certificate resource with the following command (requires the [`kubectl -cert-manager`](/docs/usage/kubectl-plugin/#renew) plugin): +cert-manager`](../kubectl-plugin/#renew) plugin): ```sh kubectl cert-manager renew cert-1 diff --git a/content/en/docs/usage/gateway.md b/content/en/docs/usage/gateway.md index c14dad85665..d171b404154 100644 --- a/content/en/docs/usage/gateway.md +++ b/content/en/docs/usage/gateway.md 
@@ -29,7 +29,7 @@ the Ingress API. The Gateway resource holds the TLS configuration, as illustrated in the following diagram (source: https://gateway-api.sigs.k8s.io): -![Gateway vs. HTTPRoute](/images/gateway-roles.png) +![Gateway vs. HTTPRoute](../../../images/gateway-roles.png) Note that cert-manager only supports setting up the TLS configuration on the Gateway resource when the Gateway is configured to terminate the TLS connection.
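Review bot: in the `http01/_index.md` hunk, the Ingress link in the same sentence (`/docs/usage/ingress/`) stays absolute while only the Gateway link becomes relative; convert both in this hunk or neither so the two cross-references resolve the same way. Note that `../../../usage/gateway/` only lands on `/docs/usage/gateway/` when the page is served at `/docs/configuration/acme/http01/` with a trailing slash, so the change relies on the site's pretty-URL layout.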
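Review bot: in the `release-process.md` hunk at `@@ -87,7`, `go install github.com/cert-manager/release/cmd/cmrel@latest` still installs whatever is newest at the moment it is run, so two release managers can end up with different `cmrel` builds; since this tool stages and publishes the signed release artifacts, consider documenting a pinned tag (`@<tagged-version>`) or asking the release manager to record the installed version with the release. Moving off `@master` is otherwise the right direction, as `@latest` is the standard module-query form.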
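Review bot: in the `release-process.md` hunk at `@@ -302,8`, the staging paragraph now says `cmrel stage` signs the Helm charts but does not say with which key; name the signing key or keyring (the code-signing page in this same PR references the `cert-manager-keyring-2021-09-20-...gpg` keyring) so a release manager can confirm the chart signature matches what users are told to verify against.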
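Review bot: in the `release-process.md` hunk at `@@ -352,7`, `--skip-signing` is added to the mock `cmrel publish` command without the explanatory comment the `--nomock` invocation receives (`# Skip signing while quay.io doesn't support cosign signatures`); copy that comment here, and state in one of the two places that the flag skips container-image (cosign) signing only, because the staging paragraph earlier in the same file now says Helm charts are signed during `cmrel stage`, and a reader could otherwise assume chart signing is skipped as well.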
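Review bot: in the `release-process.md` hunk at `@@ -371,7`, the comment explains why `--skip-signing` is present but not when it should go away; point to the `Container Images / Cosign` section of the code-signing page (also changed in this PR) or to a tracking reference, so the flag is removed as soon as quay.io supports cosign signatures instead of lingering in the release procedure with no owner.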
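Review bot: the `code-signing.md` hunk at `@@ -16,31` deletes the statement that images from `v1.6.0` onwards are cosign-verifiable together with the link to `cert-manager-pubkey-2021-09-20.pem`; if anything was ever signed with that key, keep the key published (or note explicitly that it was never used) so existing verification setups do not break silently, and say plainly that images are currently unsigned rather than relying on the `Soon` wording elsewhere on the page. The surviving intro line `At the time of writing, all signing is done using the same underlying key` now has only Helm chart signing left to refer to; reword it so it is not read as also covering container images.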
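Review bot: the `code-signing.md` hunk at `@@ -49,5` leaves two added blank lines (`+`, `+`) at end of file; drop the trailing ones. The new `Container Images / Cosign` section promises verification `Soon` but gives the reader nothing to follow; link the tracking item (a clearly marked placeholder if none exists yet) and state that no image signature verification is possible today, so nobody assumes the `helm verify` step above also covers the images.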
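Review bot: the `helm.md` hunk keeps the typo `wehbook` in the trailing comment of the line it modifies; fix it to `webhook` while touching the line. The value change from `4s` to `4` itself is correct, since a `timeoutSeconds` field takes an integer count of seconds rather than a duration string.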
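Review bot: in the `gateway.md` hunk, `../../../images/gateway-roles.png` resolves to `/images/gateway-roles.png` only while this page renders at `/docs/usage/gateway/` with a trailing slash; if the page is moved or rendered at a different depth the image 404s silently, so consider keeping references to assets outside `docs/` absolute, or at least confirm the path with a local site build before merging.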