From ffb7f4846ac111cddec9d602d795b8af3f0c245d Mon Sep 17 00:00:00 2001 From: Tim Ramlot <42113979+inteon@users.noreply.github.com> Date: Thu, 12 Oct 2023 14:26:04 +0200 Subject: [PATCH] replace external issuers page with list of ALL issuers, also add ranks to indicate the quality of issuers and to incentivise issuers to contribute to cert-manager Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com> --- content/docs/configuration/external.md | 52 ---------- content/docs/configuration/issuers.md | 117 +++++++++++++++++++++ content/docs/manifest.json | 137 +++++++++++++------------ public/_redirects | 3 + styles/global.scss | 18 ++++ 5 files changed, 209 insertions(+), 118 deletions(-) delete mode 100644 content/docs/configuration/external.md create mode 100644 content/docs/configuration/issuers.md diff --git a/content/docs/configuration/external.md b/content/docs/configuration/external.md deleted file mode 100644 index cf34b430bfd..00000000000 --- a/content/docs/configuration/external.md +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -title: External -description: 'cert-manager configuration: External Issuers' ---- - -cert-manager supports external `Issuer` types. While external issuers are not -implemented in the main cert-manager repository, they are otherwise treated the -same as any other issuer. - -External issuers are typically deployed as a pod which is configured -to watch for `CertificateRequest` resources in the cluster whose `issuerRef` -matches the name of the issuer. External issuers exist outside of the -`cert-manager.io` group. - -Installation for each issuer may differ; check the documentation for each -external issuer for more details on installing, configuring and using it. - -## Known External Issuers - -If you've created an external issuer which you'd like to share, -[raise a Pull Request](https://github.com/cert-manager/website/pulls) to have -it added here! - -These external issuers are known to support and honor [approval](https://cert-manager.io/docs/concepts/certificaterequest/#approval). - -- [kms-issuer](https://github.com/Skyscanner/kms-issuer): Requests - certificates signed using an [AWS KMS](https://aws.amazon.com/kms/) asymmetric key. -- [aws-privateca-issuer](https://github.com/cert-manager/aws-privateca-issuer): Requests - certificates from [AWS Private Certificate Authority](https://aws.amazon.com/certificate-manager/private-certificate-authority/) - for cloud native/hybrid environments. -- [google-cas-issuer](https://github.com/jetstack/google-cas-issuer): Used - to request certificates signed by private CAs managed by the - [Google Cloud Certificate Authority Service](https://cloud.google.com/certificate-authority-service/). -- [origin-ca-issuer](https://github.com/cloudflare/origin-ca-issuer): Used - to request certificates signed by - [Cloudflare Origin CA](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca) - to enable TLS between Cloudflare edge and your Kubernetes workloads. 
-- [step-issuer](https://github.com/smallstep/step-issuer): Requests - certificates from the [Smallstep](https://smallstep.com) [Certificate Authority server](https://github.com/smallstep/certificates). -- [freeipa-issuer](https://github.com/guilhem/freeipa-issuer): Requests - certificates signed by [FreeIPA](https://www.freeipa.org). -- [ADCS Issuer](https://github.com/nokia/adcs-issuer): Requests - certificates signed by [Microsoft Active Directory Certificate Service](https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority). - [NOT MAINTAINED] -- [CFSSL Issuer](https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/cfssl-issuer/): Request certificates signed by a [CFSSL](https://github.com/cloudflare/cfssl) `multirootca` instance. -- [ncm-issuer](https://github.com/nokia/ncm-issuer): Requests certificates from the [Nokia](https://www.nokia.com/) [Netguard Certificate Manager](https://www.nokia.com/networks/security-portfolio/netguard/certificate-manager) -- [tcs-issuer](https://github.com/intel/trusted-certificate-issuer) Requests certificates signed securely using [Intel's SGX technology](https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/overview.html). -- [ejbca-issuer](https://github.com/Keyfactor/ejbca-cert-manager-issuer): Request certificates from [EJBCA](https://www.ejbca.org/). - -## Building New External Issuers - -If you're interested in building a new external issuer, check the [development documentation](../contributing/external-issuers.md). diff --git a/content/docs/configuration/issuers.md b/content/docs/configuration/issuers.md new file mode 100644 index 00000000000..7c7f33ecd74 --- /dev/null +++ b/content/docs/configuration/issuers.md @@ -0,0 +1,117 @@ +--- +title: Issuers +description: 'cert-manager configuration: Issuers' +--- + +The following list contains all known cert-manager issuer integrations. + +
+| Tier | Controller | Docs | Issuer | cert-manager
version used
in tutorial[^2] | Released within
3 months[^3] | Is Open Source | Supports and
honors approval | +|------|------------|------|--------|--------|--------|--------|--------| +| 🏅[^1] | venafi-enhanced-issuer | [📄][config:venafi-enhanced-issuer] | [Venafi TLS Protect](https://venafi.com/tls-protect/) | [v1.12.1][production:venafi-enhanced-issuer] | [✔️][release:venafi-enhanced-issuer] | ❌ | ✔️ | +| 🥇 | acme-issuer (in-tree) | [📄][config:acme-issuer] | [ACME](https://datatracker.ietf.org/doc/html/rfc8555) | [latest][production:acme-issuer] | [✔️][release:cert-manager] | ✔️ | ✔️ | +| 🥈 | aws-privateca-issuer | [📄][config:aws-privateca-issuer] | [AWS Private Certificate Authority](https://aws.amazon.com/certificate-manager/private-certificate-authority/) | - | [✔️][release:aws-privateca-issuer] | ✔️ | ✔️ | +| 🥈 | vault-issuer (in-tree) | [📄][config:vault-issuer] | [Hashicorp Vault](https://www.vaultproject.io/) | - | [✔️][release:cert-manager] | ✔️ | ✔️ | +| 🥈 | venafi-issuer (in-tree) | [📄][config:venafi-issuer] | [Venafi TLS Protect](https://venafi.com/tls-protect/) | - | [✔️][release:cert-manager] | ✔️ | ✔️ | +| 🥈 | selfsigned-issuer (in-tree) | [📄][config:selfsigned-issuer] | Self-Signed issuer | - | [✔️][release:cert-manager] | ✔️ | ✔️ | +| 🥈 | ca-issuer (in-tree) | [📄][config:ca-issuer] | CA issuer | - | [✔️][release:cert-manager] | ✔️ | ✔️ | +| 🥈 | step-issuer | [📄][config:step-issuer] | [Certificate Authority server](https://github.com/smallstep/certificates) | - | [✔️][release:step-issuer] | ✔️ | ✔️ | +| 🥈 | ncm-issuer | [📄][config:ncm-issuer] | [Nokia Netguard Certificate Manager](https://www.nokia.com/networks/security-portfolio/netguard/certificate-manager) | - | [✔️][release:ncm-issuer] | ✔️ | ✔️ | +| 🥈 | tcs-issuer | [📄][config:tcs-issuer] | [Intel's SGX technology](https://www.intel.com/content/www/us/en/developer/tools/software-guard-extensions/overview.html) | - | [✔️][release:tcs-issuer] | ✔️ | ✔️ | +| 🥈 | google-cas-issuer | [📄][config:google-cas-issuer] | [Google Cloud Certificate
Authority Service](https://cloud.google.com/certificate-authority-service/) | - | [✔️][release:google-cas-issuer] | ✔️ | ✔️ | +| 🥉 | ejbca-issuer | [📄][config:ejbca-issuer] | [EJBCA](https://www.ejbca.org/) | - | [❌][release:ejbca-issuer] | ✔️ | ✔️ | +| 🥉 | origin-ca-issuer | [📄][config:origin-ca-issuer] | [Cloudflare Origin CA](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca) | - | [❌][release:origin-ca-issuer] | ✔️ | ✔️ | +| 🥉 | kms-issuer | [📄][config:kms-issuer] | [AWS KMS](https://aws.amazon.com/kms/) | - | [❌][release:kms-issuer] | ✔️ | ✔️ | +| 🥉 | freeipa-issuer | [📄][config:freeipa-issuer] | [FreeIPA](https://www.freeipa.org) | - | [❌][release:freeipa-issuer] | ✔️ | ✔️ | +| 🥉 | adcs-issuer | [📄][config:adcs-issuer] | [Microsoft Active Directory
Certificate Service](https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority) | - | [❌][release:adcs-issuer] | ✔️ | ✔️ | +| 🥉 | cfssl-issuer | [📄][config:cfssl-issuer] | [CFSSL](https://github.com/cloudflare/cfssl) | - | [❌][release:cfssl-issuer] | ✔️ | ✔️ | +
+ +[production:venafi-enhanced-issuer]: https://platform.jetstack.io/documentation/academy/issue-and-approve-certificates-with-venafi-control-plane +[production:acme-issuer]: ../tutorials/getting-started-aks-letsencrypt/README.md + +[//]: # (Configuration docs) + +[config:venafi-enhanced-issuer]: https://platform.jetstack.io/documentation/configuration/venafi-enhanced-issuer +[config:acme-issuer]: ./acme.md + +[config:aws-privateca-issuer]: https://github.com/cert-manager/aws-privateca-issuer +[config:selfsigned-issuer]: ./selfsigned.md +[config:ca-issuer]: ./ca.md +[config:vault-issuer]: ./vault.md +[config:venafi-issuer]: ./venafi.md +[config:step-issuer]: https://github.com/smallstep/step-issuer +[config:origin-ca-issuer]: https://github.com/cloudflare/origin-ca-issuer +[config:ncm-issuer]: https://github.com/nokia/ncm-issuer +[config:tcs-issuer]: https://github.com/intel/trusted-certificate-issuer +[config:ejbca-issuer]: https://github.com/Keyfactor/ejbca-cert-manager-issuer +[config:google-cas-issuer]: https://github.com/jetstack/google-cas-issuer + +[config:kms-issuer]: https://github.com/Skyscanner/kms-issuer +[config:freeipa-issuer]: https://github.com/guilhem/freeipa-issuer +[config:adcs-issuer]: https://github.com/nokia/adcs-issuer +[config:cfssl-issuer]: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/cfssl-issuer + +[//]: # (Release pages) + +[release:venafi-enhanced-issuer]: https://platform.jetstack.io/documentation/installation/venafi-enhanced-issuer/ +[release:cert-manager]: ../releases/README.md + +[release:aws-privateca-issuer]: https://github.com/cert-manager/aws-privateca-issuer/releases +[release:step-issuer]: https://github.com/smallstep/step-issuer/releases +[release:origin-ca-issuer]: https://github.com/cloudflare/origin-ca-issuer/releases +[release:ncm-issuer]: https://github.com/nokia/ncm-issuer/releases +[release:tcs-issuer]: https://github.com/intel/trusted-certificate-issuer/releases +[release:ejbca-issuer]: 
https://github.com/Keyfactor/ejbca-cert-manager-issuer/releases +[release:google-cas-issuer]: https://github.com/jetstack/google-cas-issuer/releases + +[release:kms-issuer]: https://github.com/Skyscanner/kms-issuer/releases +[release:freeipa-issuer]: https://github.com/guilhem/freeipa-issuer/releases +[release:adcs-issuer]: https://github.com/nokia/adcs-issuer/releases +[release:cfssl-issuer]: https://gerrit.wikimedia.org/r/plugins/gitiles/operations/software/cfssl-issuer/+refs + +If you've created an issuer which you'd like to share, +[raise a Pull Request](https://github.com/cert-manager/website/pulls) to have it added here! + +These issuers are known to support and honor [approval](https://cert-manager.io/docs/concepts/certificaterequest/#approval). + +## Building New External Issuers + +If you're interested in building a new external issuer, check the [development documentation](../contributing/external-issuers.md). + +## Issuer Tier system + +The cert-manager project has a tier system for issuers. This is to help users +understand the maturity of the issuer. +The tiers are 🥇, 🥈 and 🥉. + +Additionally, there is a special tier 🏅 for issuers that are vouched for by +an active cert-manager reviewer. The aim is to encourage issuer creators to also +contribute back to the cert-manager project. + +NOTE: The cert-manager maintainers can decide to change the criteria and number +of tiers at any time. + +### 🏅 Tier (Sponsor Production-ready) + +- 🥇 Tier criteria. +- [^1] A cert-manager active reviewer (see [GOVERNANCE document](https://github.com/cert-manager/community/blob/main/GOVERNANCE.md)) "vouches" for the issuer. +Each active reviewer can only vouch for one issuer at a time. + +### 🥇 Tier (Production-ready) + +- 🥈 Tier criteria. +- The issuer has an end-to-end tutorial on how to set it up with cert-manager for use in production. 
+At the time of checking all tutorials[^2], the used cert-manager version has to be non-EOL (see [Supported Releases](../releases/README.md)) + +### 🥈 Tier (Maintained) + +- The issuer has had a release in the last 3 months (at the time of checking all issuers[^3]). + +### 🥉 Tier (Unmaintained) + +Other + +[^1]: venafi-enhanced-issuer: vouched for by [@inteon](https://github.com/inteon) +[^2]: checked on 12th of October 2023 +[^3]: checked on 12th of October 2023 diff --git a/content/docs/manifest.json b/content/docs/manifest.json index 8d3ec903f1a..a168db7babd 100644 --- a/content/docs/manifest.json +++ b/content/docs/manifest.json 
@@ -315,87 +315,92 @@ "path": "/docs/configuration/README.md" }, { - "title": "SelfSigned", - "path": "/docs/configuration/selfsigned.md" + "title": "Issuers", + "path": "/docs/configuration/issuers.md" }, { - "title": "CA", - "path": "/docs/configuration/ca.md" - }, - { - "title": "Vault", - "path": "/docs/configuration/vault.md" - }, - { - "title": "Venafi", - "path": "/docs/configuration/venafi.md" - }, - { - "title": "External", - "path": "/docs/configuration/external.md" - }, - { - "title": "ACME", + "title": "In-tree Issuer Config", "routes": [ { - "title": "Introduction", - "path": "/docs/configuration/acme/README.md" + "title": "SelfSigned", + "path": "/docs/configuration/selfsigned.md" }, { - "title": "HTTP01", - "routes": [ - { - "title": "Introduction", - "path": "/docs/configuration/acme/http01/README.md" - }, - { - "title": "External Load Balancer", - "path": "/docs/configuration/acme/http01/externalloadbalancer.md" - } - ] + "title": "CA", + "path": "/docs/configuration/ca.md" + }, + { + "title": "Vault", + "path": "/docs/configuration/vault.md" + }, + { + "title": "Venafi", + "path": "/docs/configuration/venafi.md" }, { - "title": "DNS01", + "title": "ACME", "routes": [ { "title": "Introduction", - "path": "/docs/configuration/acme/dns01/README.md" - }, - { - "title": "ACMEDNS", - "path": "/docs/configuration/acme/dns01/acme-dns.md" - }, - { - "title": "Akamai", - "path": "/docs/configuration/acme/dns01/akamai.md" - }, - { - "title": "AzureDNS", - "path": "/docs/configuration/acme/dns01/azuredns.md" - }, - { - "title": "Cloudflare", - "path": "/docs/configuration/acme/dns01/cloudflare.md" - }, - { - "title": "DigitalOcean", - "path": "/docs/configuration/acme/dns01/digitalocean.md" - }, - { - "title": "Google CloudDNS", - "path": "/docs/configuration/acme/dns01/google.md" - }, - { - "title": "RFC-2136", - "path": "/docs/configuration/acme/dns01/rfc2136.md" + "path": "/docs/configuration/acme/README.md" }, { - "title": "Route53", - "path": 
"/docs/configuration/acme/dns01/route53.md" + "title": "HTTP01", + "routes": [ + { + "title": "Introduction", + "path": "/docs/configuration/acme/http01/README.md" + }, + { + "title": "External Load Balancer", + "path": "/docs/configuration/acme/http01/externalloadbalancer.md" + } + ] }, { - "title": "Webhook", - "path": "/docs/configuration/acme/dns01/webhook.md" + "title": "DNS01", + "routes": [ + { + "title": "Introduction", + "path": "/docs/configuration/acme/dns01/README.md" + }, + { + "title": "ACMEDNS", + "path": "/docs/configuration/acme/dns01/acme-dns.md" + }, + { + "title": "Akamai", + "path": "/docs/configuration/acme/dns01/akamai.md" + }, + { + "title": "AzureDNS", + "path": "/docs/configuration/acme/dns01/azuredns.md" + }, + { + "title": "Cloudflare", + "path": "/docs/configuration/acme/dns01/cloudflare.md" + }, + { + "title": "DigitalOcean", + "path": "/docs/configuration/acme/dns01/digitalocean.md" + }, + { + "title": "Google CloudDNS", + "path": "/docs/configuration/acme/dns01/google.md" + }, + { + "title": "RFC-2136", + "path": "/docs/configuration/acme/dns01/rfc2136.md" + }, + { + "title": "Route53", + "path": "/docs/configuration/acme/dns01/route53.md" + }, + { + "title": "Webhook", + "path": "/docs/configuration/acme/dns01/webhook.md" + } + ] } ] } diff --git a/public/_redirects b/public/_redirects index 2d80cbc1ad0..53bd61f0913 100644 --- a/public/_redirects +++ b/public/_redirects @@ -218,3 +218,6 @@ https://docs.cert-manager.io/* https://cert-manager.io/docs/:splat 302! # Moved the concept pages into the main website /docs/concepts/certificaterequest/ /docs/usage/certificaterequest/ 301! + +# Moved the external issuer section to the main issuers page +/docs/configuration/external/ /docs/configuration/issuers/ 301! diff --git a/styles/global.scss b/styles/global.scss index 0f8c3db7490..c90494e384c 100644 --- a/styles/global.scss +++ b/styles/global.scss 
@@ -151,3 +151,21 @@ a.hidden-link {
 .DocSearch-SearchBar {
 margin-bottom: 5px;
 }
+
+div.rotate th:nth-child(5),th:nth-child(6),th:nth-child(7),th:nth-child(8) {
+ writing-mode: tb-rl;
+ transform: rotate(180deg);
+ padding-top: 1.3em;
+ padding-bottom: 0;
+ line-height: 1.2em;
+ text-align: left;
+ vertical-align: middle;
+}
+
+div.rotate th:nth-child(1),th:nth-child(3),td:nth-child(1),td:nth-child(3),td:nth-child(5),td:nth-child(6),td:nth-child(7),td:nth-child(8) {
+ text-align: center;
+}
+
+div.rotate td:last-child {
+ padding-right: 0.5714286em !important;
+}
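Review bot: In the two new comma-separated rules only the first selector of each list is scoped to `div.rotate`; `th:nth-child(6)`, `td:nth-child(1)` and the others are bare selectors, so the rotated header text and the centred cells will apply to every table on the site rather than only the issuers table. Nesting both lists under `div.rotate`, as in the excerpt below, keeps the styling local to that wrapper. Separately, `writing-mode: tb-rl` is a legacy value, and `vertical-rl` is the standard spelling that should be preferred.

```scss
div.rotate {
  th:nth-child(5),
  th:nth-child(6),
  th:nth-child(7),
  th:nth-child(8) {
    writing-mode: vertical-rl;
    // … unchanged: transform, padding, line-height and alignment declarations …
  }

  th:nth-child(1),
  th:nth-child(3),
  td:nth-child(1),
  td:nth-child(3),
  td:nth-child(5),
  td:nth-child(6),
  td:nth-child(7),
  td:nth-child(8) {
    text-align: center;
  }
}
```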