Replace external issuers page with list of ALL issuers #1324
Conversation
jetstack-bot
added
dco-signoff: yes
✅ Deploy Preview for cert-manager-website ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
inteon
force-pushed
the
cleanup_issuers
branch
2 times, most recently
from
2dfc7dd
to
87bb6fc
Compare
|
As discussed in standup: I find the current layout pretty unreadable. Firefox 118, macOS 14 Sonoma. 
|
inteon
force-pushed
the
cleanup_issuers
branch
from
7615687
to
81e6129
Compare
|
I think the current PR is ready for feedback.
We would like to get some more issuers into the 🥇-tier before merging the PR. |
inteon
force-pushed
the
cleanup_issuers
branch
3 times, most recently
from
a35a039
to
0475e01
Compare
inteon
force-pushed
the
cleanup_issuers
branch
from
0475e01
to
264221e
Compare
|
My notes form Slack:
|
|
Hey everyone, in general I support the move to a tiered system for cert-manager issuers/clusterissuers; it's a mature move and could result in higher adoption in general since all issuers are compiled to a single list. I have a few comments/suggestions to add some clarity to the new system. Release cadence required for 🥈-tier supportExternal issuers are well-defined extensions to cert-manager and don’t typically require new features after the initial release. In general, there are three overarching reasons for a new release of an external issuer:
The cert-manager CertificateRequest API is not likely to change, and in most cases target APIs won’t make breaking changes requiring a new release, even less likely within a given three-month release cycle. Further, following cert-manager’s release cycle, even in-tree issuers would have been marked stale (tier-3) between cert-manager 1.12-1.13, since more than three months elapsed between releases. I would propose a relaxed release cycle for external issuers targeting tier-2 status or remove the 3-month criterion and consider having only two tiers. Lacking clear definition of “end-to-end”In general, I agree with @hawksight about forcing maintainers to keep their documentation up-to-date, especially because there's nothing worse than following misleading docs. However, in general, documentation written against a supported version of software for production use typically implies active maintenance anyway. My comment is that if tier-1 issuers will require an end-to-end tutorial, I think that there needs to be a clear definition of "end-to-end." Ambiguity with result of tier-1 issuer failing tier-2 issuer requirementsIn many cases, the requirements for tier-2 seem more stringent than those for tier-1. For example, since cert-manager releases are typically supported for more than 3 months, a given tier-1 issuer would usually fail the tier-2 requirement for a recent release BEFORE failing the tier-1 requirement of providing documentation with a supported version of cert-manager. So, the question then becomes if a tier-1 issuer with end-to-end documentation on configuration for production environments misses the three-month release cycle, do they get marked as a tier-3 issuer? Cheers! |
inteon
force-pushed
the
cleanup_issuers
branch
from
6e00cd3
to
103eac7
Compare
|
Thanks @m8rmclaren! I agree that the tier-2 requirements might have been too strict. I applied the simplest fix: extend the 3 months requirement to 12 months. Also, thank you for explaining the lack of clarity wrt. an "e2e tutorial" I added a list of things that must be included in your tutorial for it to be an e2e tutorial. You can see the changes here: 103eac7 |
jetstack-bot
added
the
needs-rebase
…s to indicate the quality of issuers and their documentation Signed-off-by: Tim Ramlot <[email protected]>
Signed-off-by: Tim Ramlot <[email protected]>
…s to 12 months & add more info about what the e2e docs should look like Signed-off-by: Tim Ramlot <[email protected]>
Signed-off-by: Tim Ramlot <[email protected]>
inteon
force-pushed
the
cleanup_issuers
branch
from
103eac7
to
e3fa379
Compare
jetstack-bot
removed
the
needs-rebase
Signed-off-by: Tim Ramlot <[email protected]>
|
Looks like all remaining feedback has been resolved. |
|
I don't think closed-source issuers belong to this page. I'm OK having venafi-enhanced-issuer shown at the bottom of the page in a "Commercial issuers". |
I think all issuers are commercial. The advantage of an open-source issuer integration will often not be significant compared to a closed-source integration, because none of these integrations are actually usable if you are not a commercial customer of the corresponding CA. The advantage of an open-source integration is that you can more easily contribute and audit the integration (note that this is often still possible for closed-source integrations too). |
|
I think I lack objectivity in this discussion, and no one from the end-users has voiced concerns or agreement. We have already asked in #cert-manager but no one chimed in... 😅 |
|
After asking some folks in the community, I think it is OK to self-promote closed-source products as long as other commercial actors are also able to do that too. Since the criteria for being promoted as "top tier" have been explicitly laid out, I am in favor of approving your PR. /lgtm I'd like to also state that other commercial offerings will want to have their logo to show in the landing page as Venafi does. We should also make it clear what the rules to appear on the landing page are. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: inteon The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
the
approved
This PR aims to achieve the following:
Preview: https://deploy-preview-1324--cert-manager-website.netlify.app/docs/configuration/issuers/