From 0f83082d069476d043e01e1132a6fc84e8ae3c8c Mon Sep 17 00:00:00 2001 From: Miguel Frias Mosquea Date: Sat, 16 Oct 2021 18:11:59 +0200 Subject: [PATCH 1/5] Update helm.md Timeout seconds expects an integer, not a string, not "4s" but just a 4. --- content/en/docs/installation/helm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/en/docs/installation/helm.md b/content/en/docs/installation/helm.md index dd3354d4da0..8cdeaff3c9f 100644 --- a/content/en/docs/installation/helm.md +++ b/content/en/docs/installation/helm.md @@ -82,7 +82,7 @@ $ helm install \ --create-namespace \ --version v1.5.4 \ --set prometheus.enabled=false \ # Example: disabling prometheus using a Helm parameter - --set webhook.timeoutSeconds=4s # Example: changing the wehbook timeout using a Helm parameter + --set webhook.timeoutSeconds=4 # Example: changing the wehbook timeout using a Helm parameter ``` Once you have deployed cert-manager, you can [verify](../verify/) the installation. From 38aa8763cf15d731610300573109e494f2a6c07d Mon Sep 17 00:00:00 2001 From: joshvanl Date: Tue, 19 Oct 2021 15:26:21 +0100 Subject: [PATCH 2/5] Change links in usage certificate to kubectl plugin #renew to be relative Signed-off-by: joshvanl --- content/en/docs/usage/certificate.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/content/en/docs/usage/certificate.md b/content/en/docs/usage/certificate.md index 0942eb9be3d..aad8ef65b2d 100644 --- a/content/en/docs/usage/certificate.md +++ b/content/en/docs/usage/certificate.md @@ -200,7 +200,7 @@ certificate object is reissued under the following circumstances: kubectl cert-manager renew cert-1 ``` Note that the above command requires the [kubectl - cert-manager](/docs/usage/kubectl-plugin/#renew) plugin. + cert-manager](../kubectl-plugin/#renew) plugin. {{% pageinfo color="warning" %}} 
@@ -208,7 +208,7 @@ certificate object is reissued under the following circumstances: **not a recommended solution** for manually rotating the private key. The recommended way to manually rotate the private key is to trigger the reissuance of the Certificate resource with the following command (requires the [`kubectl -cert-manager`](/docs/usage/kubectl-plugin/#renew) plugin): +cert-manager`](../kubectl-plugin/#renew) plugin): ```sh kubectl cert-manager renew cert-1 @@ -265,4 +265,4 @@ cert-manager will automatically renew `Certificate`s. It will calculate _when_ t Minimum value for `spec.duration` is 1 hour and minimum value for `spec.renewBefore` is 5 minutes. It is also required that `spec.duration` > `spec.renewBefore`. -Once an X.509 certificate has been issued, cert-manager will calculate the renewal time for the `Certificate`. By default this will be 2/3 through the X.509 certificate's duration. If `spec.renewBefore` has been set, it will be `spec.renewBefore` amount of time before expiry. cert-manager will set `Certificate`'s `status.RenewalTime` to the time when the renewal will be attempted. \ No newline at end of file +Once an X.509 certificate has been issued, cert-manager will calculate the renewal time for the `Certificate`. By default this will be 2/3 through the X.509 certificate's duration. If `spec.renewBefore` has been set, it will be `spec.renewBefore` amount of time before expiry. cert-manager will set `Certificate`'s `status.RenewalTime` to the time when the renewal will be attempted. From 8798fe5701ff55754ea4ca1726983442eeece115 Mon Sep 17 00:00:00 2001 From: Ashley Davis Date: Thu, 14 Oct 2021 12:06:15 +0100 Subject: [PATCH 3/5] updates arising from the signing release process Signed-off-by: Ashley Davis --- .../en/docs/contributing/release-process.md | 5 +- content/en/docs/installation/code-signing.md | 47 ++++++++++++------- 2 files changed, 32 insertions(+), 20 deletions(-) 
diff --git a/content/en/docs/contributing/release-process.md b/content/en/docs/contributing/release-process.md index 92749b08e20..68be13f0cc7 100644 --- a/content/en/docs/contributing/release-process.md +++ b/content/en/docs/contributing/release-process.md @@ -302,8 +302,9 @@ page if a step is missing or if it is outdated. ``` This step takes ~10 minutes. It will build all Docker images and create - all the manifest files and upload them to a storage bucket on Google - Cloud. These artifacts will be published and released in the next steps. + all the manifest files, sign Helm charts and upload everything to a storage + bucket on Google Cloud. These artifacts will then be published and released + in the next steps.

🔰 Remember to keep open the terminal where you run cmrel stage. Its output will be used in the next step. diff --git a/content/en/docs/installation/code-signing.md b/content/en/docs/installation/code-signing.md index 9bd80f06915..c4caf57c04b 100644 --- a/content/en/docs/installation/code-signing.md +++ b/content/en/docs/installation/code-signing.md @@ -16,31 +16,19 @@ Signing keys required for verification are all available on this website, but th on the artifact you're trying to validate in the future. At the time of writing, all signing is done using the same underlying key. -## Container Images / Cosign - -For all cert-manager versions from `v1.6.0` and later, container images are verifiable using [`cosign`](https://docs.sigstore.dev/cosign/overview). - -The simplest way to verify signatures is to download the public key and then pass it to the cosign CLI: - -```console -curl -sSL https://cert-manager.io/public-keys/cert-manager-pubkey-2021-09-20.pem > cert-manager-pubkey-2021-09-20.pem -cosign verify -key cert-manager-pubkey-2021-09-20.pem quay.io/jetstack/cert-manager-controller -# repeat for other images as desired -``` - -For a more fully-featured signature verification process in Kubernetes, check out [`connaisseur`](https://sse-secure-systems.github.io/connaisseur/). - -- PEM-encoded public key: [`cert-manager-pubkey-2021-09-20.pem`](/public-keys/cert-manager-pubkey-2021-09-20.pem) - ## Helm Charts + -For all cert-manager versions from `v1.6.0` and later, helm charts are signed and verifiable through the helm CLI. +For all cert-manager versions from `v1.6.0` and later, Helm charts are signed and verifiable through the Helm CLI. The easiest way to verify is to grab the GPG keyring directly, which can then be passed into `helm verify` like so: 
@@ -51,3 +39,26 @@ helm verify --keyring cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E12 - ASCII-armored signing key: [`cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc`](/public-keys/cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc) - GPG keyring: [`cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg`](/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg) + +## Container Images / Cosign + +Soon, all container images which make up cert-manager will be verifiable using [`cosign`](https://docs.sigstore.dev/cosign/overview). + +Unfortunately, this isn't possible today because the images are hosted on `quay.io` which doesn't have the proper support for cosign signatures yet. When signatures are +added, this section will contain details of how to verify them. + + From 37cfa157a1b28e4286016185a95fdc82a54f1b4c Mon Sep 17 00:00:00 2001 From: joshvanl Date: Tue, 26 Oct 2021 11:41:57 +0100 Subject: [PATCH 4/5] Replace some absolute path with relative paths to not cause issues with versioned pages Signed-off-by: joshvanl --- content/en/docs/configuration/acme/http01/_index.md | 2 +- content/en/docs/installation/code-signing.md | 6 +++--- content/en/docs/usage/gateway.md | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/content/en/docs/configuration/acme/http01/_index.md b/content/en/docs/configuration/acme/http01/_index.md index 26b4c39ac43..1c9101f8a16 100644 --- a/content/en/docs/configuration/acme/http01/_index.md +++ b/content/en/docs/configuration/acme/http01/_index.md 
@@ -10,7 +10,7 @@ type: "docs" 📌 This page focuses on solving ACME HTTP-01 challenges. If you are looking for how to automatically create Certificate resources by annotating Ingress or Gateway resources, see [Securing Ingress Resources](/docs/usage/ingress/) and -[Securing Gateway Resources](/docs/usage/gateway/). +[Securing Gateway Resources](../../../usage/gateway/). {{% /pageinfo %}} diff --git a/content/en/docs/installation/code-signing.md b/content/en/docs/installation/code-signing.md index c4caf57c04b..e0e86921efa 100644 --- a/content/en/docs/installation/code-signing.md +++ b/content/en/docs/installation/code-signing.md @@ -37,8 +37,8 @@ curl -sSL https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-10 helm verify --keyring cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg /path/to/cert-manager-vx.y.z.tgz ``` -- ASCII-armored signing key: [`cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc`](/public-keys/cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc) -- GPG keyring: [`cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg`](/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg) +- ASCII-armored signing key: [`cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc`](../../../public-keys/cert-manager-pgp-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.asc) +- GPG keyring: [`cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg`](../../../public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg) ## Container Images / Cosign 
@@ -60,5 +60,5 @@ cosign verify -key cert-manager-pubkey-2021-09-20.pem quay.io/jetstack/cert-mana For a more fully-featured signature verification process in Kubernetes, check out [`connaisseur`](https://sse-secure-systems.github.io/connaisseur/). -- PEM-encoded public key: [`cert-manager-pubkey-2021-09-20.pem`](/public-keys/cert-manager-pubkey-2021-09-20.pem) +- PEM-encoded public key: [`cert-manager-pubkey-2021-09-20.pem`](../../../public-keys/cert-manager-pubkey-2021-09-20.pem) --> diff --git a/content/en/docs/usage/gateway.md b/content/en/docs/usage/gateway.md index c14dad85665..d171b404154 100644 --- a/content/en/docs/usage/gateway.md +++ b/content/en/docs/usage/gateway.md @@ -29,7 +29,7 @@ the Ingress API. The Gateway resource holds the TLS configuration, as illustrated in the following diagram (source: https://gateway-api.sigs.k8s.io): -![Gateway vs. HTTPRoute](/images/gateway-roles.png) +![Gateway vs. HTTPRoute](../../../images/gateway-roles.png) Note that cert-manager only supports setting up the TLS configuration on the Gateway resource when the Gateway is configured to terminate the TLS connection. From e084967ced1b42cab891272d7f80d971df403551 Mon Sep 17 00:00:00 2001 From: Ashley Davis Date: Tue, 26 Oct 2021 10:59:13 +0100 Subject: [PATCH 5/5] update release notes to account for quay.io also update version for installing cmrel Signed-off-by: Ashley Davis --- content/en/docs/contributing/release-process.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/content/en/docs/contributing/release-process.md b/content/en/docs/contributing/release-process.md index 68be13f0cc7..32eda3ca016 100644 --- a/content/en/docs/contributing/release-process.md +++ b/content/en/docs/contributing/release-process.md 
@@ -87,7 +87,7 @@ release: 2. Install our [`cmrel`](https://github.com/cert-manager/release) CLI: ```sh - go install github.com/cert-manager/release/cmd/cmrel@master + go install github.com/cert-manager/release/cmd/cmrel@latest ``` 3. Clone the `cert-manager/release` repo: @@ -353,7 +353,7 @@ page if a step is missing or if it is outdated. ```sh # Must be run from the "cert-manager/release" repo folder. - cmrel publish --release-name "$CMREL_RELEASE_NAME" + cmrel publish --skip-signing --release-name "$CMREL_RELEASE_NAME" ``` You can view the progress by clicking the Google Cloud Build URL in the @@ -372,7 +372,8 @@ page if a step is missing or if it is outdated. ```bash # Must be run from the "cert-manager/release" repo folder. - cmrel publish --nomock --release-name "$CMREL_RELEASE_NAME" + # Skip signing while quay.io doesn't support cosign signatures + cmrel publish --nomock --skip-signing --release-name "$CMREL_RELEASE_NAME" ```
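Review bot: the `wehbook` typo in the trailing comment survives on the `+` line of the helm.md hunk (PATCH 1/5); since the line is being rewritten anyway, change `# Example: changing the wehbook timeout using a Helm parameter` to `# Example: changing the webhook timeout using a Helm parameter`. A second, pre-existing problem is visible in the unchanged context line `--set prometheus.enabled=false \ # Example: disabling prometheus using a Helm parameter`: the backslash escapes the space that follows it, not the newline, so the comment terminates the `helm install` command and the corrected `--set webhook.timeoutSeconds=4` on the next line runs as a separate command. Suggest moving the two explanatory comments above the command (or into the surrounding prose) so every continued line ends with a bare `\`.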
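Review bot: the first certificate.md hunk (PATCH 2/5, `@@ -200,7 +200,7 @@`) changes the link to `../kubectl-plugin/#renew`, which only resolves to `/docs/usage/kubectl-plugin/#renew` if the page is served at a trailing-slash URL such as `/docs/usage/certificate/`; that matches the existing `../verify/` style used in helm.md in the same series, so it is consistent, but the commit message should say that this assumption is what makes the links survive under versioned prefixes. The link text itself is split across the wrapped lines `[kubectl` / `cert-manager](../kubectl-plugin/#renew)`, which CommonMark accepts; keeping the bracketed text on one line would make the change easier to grep for in later link audits.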
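Review bot: the third certificate.md hunk (`@@ -265,4 +265,4 @@`) is whitespace-only; the `-` and `+` lines are identical apart from the missing trailing newline flagged by `\ No newline at end of file`. That is a fine fix, but since the line is already being touched, wrapping the long paragraph at the same width as the `Minimum value for `spec.duration`...` context line above it would keep the file's formatting uniform and make future diffs of that paragraph readable.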
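Review bot: in the code-signing.md hunk of PATCH 3/5 (`@@ -51,3 +39,26 @@`), the new `## Container Images / Cosign` text uses time-relative wording (`Soon, all container images ... will be verifiable`, `this isn't possible today`) that will go stale silently; suggest stating the concrete blocker and linking the upstream tracking item instead of `Soon`, e.g. "Container image signatures are not yet published because `quay.io` does not currently support cosign signatures; see <tracking issue> for status." Also, the hunk header counts 26 added lines but only a handful are visible here, and the later PATCH 4/5 context (`cosign verify -key ...` followed by `-->`) shows the old section was kept inside an HTML comment; the commit message should mention that the previous instructions were commented out rather than deleted, so reviewers know the `cert-manager-pubkey-2021-09-20.pem` link is intentionally no longer rendered.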
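Review bot: the http01/_index.md hunk of PATCH 4/5 (`@@ -10,7 +10,7 @@`) leaves the two links in one sentence inconsistent: `[Securing Gateway Resources](../../../usage/gateway/)` becomes relative while the adjacent unchanged line keeps `[Securing Ingress Resources](/docs/usage/ingress/)` absolute. The commit message says absolute paths break versioned pages, so the ingress link has the same problem; change it to `[Securing Ingress Resources](../../../usage/ingress/)` in the same hunk.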
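Review bot: the code-signing.md hunk of PATCH 4/5 at `@@ -37,8 +37,8 @@` has a documentation gap in its unchanged context: `helm verify --keyring ... /path/to/cert-manager-vx.y.z.tgz` only succeeds if the chart's provenance file (`cert-manager-vx.y.z.tgz.prov`) sits next to the `.tgz`, since `helm verify` checks the signature in that file, and nothing in the visible text tells the reader to download it alongside the chart. Suggest adding one sentence before the command, e.g. "Download both the chart archive and its `.prov` provenance file into the same directory first." The relative `../../../public-keys/...` links themselves resolve to `/public-keys/...` from `/docs/installation/code-signing/`, which is correct for the unversioned key location.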
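Review bot: the second code-signing.md hunk of PATCH 4/5 (`@@ -60,5 +60,5 @@`) edits a line that sits inside the commented-out cosign section (the trailing context line is `-->`), so it produces no rendered change. Keeping the commented text consistent is reasonable, but the commit message's "to not cause issues with versioned pages" does not apply to this hunk; a short note such as "also updated inside the disabled cosign section for when it is re-enabled" would save the next reader from wondering why an invisible line was changed. When that section is restored, the `cosign verify -key cert-manager-pubkey-2021-09-20.pem quay.io/jetstack/cert-manager-controller` context line should be re-checked against the cosign CLI version current at that time.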
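Review bot: in the release-process.md hunk of PATCH 5/5 at `@@ -87,7 +87,7 @@`, switching `go install github.com/cert-manager/release/cmd/cmrel@master` to `@latest` makes the install follow whatever the newest tagged `cmrel` release is, which is better than tracking a branch head but still not reproducible between two release managers running the steps weeks apart. Suggest pinning an explicit version (`@vX.Y.Z`, filled in at review time) and noting in the text when it should be bumped, so the release tooling that signs and publishes artifacts is itself a known, reviewable version.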
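Review bot: the `@@ -353,7 +353,7 @@` hunk of PATCH 5/5 adds `--skip-signing` to the mock `cmrel publish --skip-signing --release-name "$CMREL_RELEASE_NAME"` without the explanatory comment that the `--nomock` hunk below carries (`# Skip signing while quay.io doesn't support cosign signatures`). Add the same comment here, or better a single sentence in the prose above both commands, so a future release manager knows the flag is a temporary workaround and not part of the permanent procedure.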
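Review bot: the `@@ -372,7 +372,8 @@` hunk of PATCH 5/5 makes `--skip-signing` the documented default for the real (`--nomock`) publish, which means every release cut from these instructions ships unsigned container images until someone remembers to remove the flag. Since the same series edits code-signing.md to say image signatures will be added when `quay.io` supports them, suggest cross-referencing that page from the comment and adding an explicit reminder line, e.g. `# TODO: drop --skip-signing once quay.io supports cosign signatures (see docs/installation/code-signing.md)`, so the two documents are updated together.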