[Governance Review]: cert-manager #675

Open
maelvls opened this issue Jul 11, 2024 · 7 comments

maelvls commented Jul 11, 2024

Project Name

cert-manager

Project Website

https://cert-manager.io

Contact Details 1

@maelvls

Contact Details 2

@SgtCoDFish

Links to communication channels

https://kubernetes.slack.com/archives/CDEQJ0Q8M (channel cert-manager-dev in the Kubernetes Slack)

Reason for governance review request

Application for moving levels from Incubation to Graduation

Are there any sub-projects, plugins, and related?

The project includes the following notable sub-projects:

Governance model

Our governance model is inspired by the CNCF template Maintainer Council with the addition of a steering committee made up of end-users and (soon to be elected) maintainers.

The idea behind the steering committee is to counter-balance the fact that all the current maintainers are either employed by the same vendor or ex-employees of that same vendor.

Governance documents

https://github.com/cert-manager/community/blob/main/STEERING.md
https://github.com/cert-manager/community/blob/main/GOVERNANCE.md
https://github.com/cert-manager/community/blob/main/maintainers.csv

Governance Execution Examples

The biweekly dev meeting recordings are available on the cert-manager YouTube channel.

The quarterly steering committee recordings are listed under "Past Meetings" in the STEERING.md page.

Votes from maintainers:

Discussions with the steering committee:

Governance Evolution

We haven't made adjustments to the steering committee charter nor the governance charter yet.

Are there any specific aspects of your governance structure you are seeking feedback on?

We would like to receive feedback on the way we intend to balance the fact that most of the maintainers are employed by the same vendor. What do you think about our steering committee model? The concern is that we haven't found a good way to give the steering committee a good amount of ownership and power over the project.

Do you have any concerns or specific areas where you feel your governance could be improved?

We have discussed multiple concerns over the past 6 months:

  • Concerns over the fact that the steering committee meetings might not "do anything" and end up not happening after the first iteration.

Additional notes and resources

On 3 May 2024, we had an initial meeting with TAG Contributor Strategy: cert-manager/community#14 (comment)

  • Josh and Dawn (TAG contributor strategy) said that they didn't realize that cert-manager had been able to get a maintainer from outside Venafi. To them, it showed that the cert-manager project has a "path" for people to become maintainers, which was the main concern they had coming to the meeting.
  • To the question "what power do we give to steering committee members?", steering the roadmap is a power we can give. No need to find other areas (such as branding, conformance tests, etc. as mentioned previously) to give to the steering committee.
  • The main concern around the roadmap (and why it's good to have a steering committee to have power on) is that Venafi's roadmap and cert-manager's roadmap may be confused as the same. The project needs its own roadmap, separate from Venafi's.
  • A good read to build a vendor-neutral open roadmap: https://contribute.cncf.io/maintainers/community/contributor-growth-framework/open-source-roadmaps/ written by Riaan Kleinhans.
  • Riaan is a technical project manager who offered help in implementing the project board roadmap.
  • The first steering committee meeting will take place on 9 May 2024. Erik, one of the members of the steering committee, said he was very interested to work on the roadmap during that meeting. I'll report back here once it's done.

Meeting notes: here.
Recording: https://youtu.be/wWiCZDKN27Y?si=TEYm5E-IP4XiGt7Y.

jberkus commented Jul 22, 2024

I've started on this review.

/assign

@SgtCoDFish

Thanks Josh! If you need anything from us don't hesitate to ask and we'll do everything we can 😁

aliok assigned jberkus and unassigned jberkus, geekygirldawn and aliok Jul 25, 2024

@SgtCoDFish

Hey @jberkus - thanks again for looking into this!

I'm just wondering about the timeline for this? Not trying to rush you at all - I know we're all busy! My question mainly comes from this being one of the last things we need before going to a public comment period, and we're really hoping to get graduated before KubeCon NA if at all possible so the timelines are getting tighter for us.

As above, if there's anything we can do that would be helpful we'd be glad to help!

jberkus commented Aug 12, 2024

I'm planning to finish it this week. Your setup is pretty straightforward, it's just a question of available time.

@SgtCoDFish

Thanks very much Josh, appreciate it! 👍

jberkus commented Aug 16, 2024

Draft is done, see link.

maelvls commented Sep 20, 2024

Updates After Two Months

In July 2024, the Contributor Strategy Review document listed 4 "partially complete" governance areas:

| Governance Area | Coverage | Documents | Finding Notes |
| --- | --- | --- | --- |
| Project Purpose | Partial | README | Good statement of what Cert-Manager does. No Values or Scope. |
| Contributor Ladder | Mostly Complete | Governance | Could use qualifications for each level |
| Maintainer Lifecycle | Partial | Governance | Does not cover Maintainer removal for cause, missing maintainer qualifications |
| Decision-making | Partial | Governance | Could use naming official channels, record |

Since then, we worked on each of these areas:

  • Project Purpose: Scope and values were somewhat touched on during the 1st Steering Committee meeting. Scope and values aren't showing on the README yet, but we now have a Goals and Objectives in ROADMAP.md: "cert-manager is the easiest way to automatically manage certificates in Kubernetes clusters."
  • Contributor Ladder: We haven't improved the qualifications for each level yet. But the consensus is that there are too many levels: we will be removing the "Admin" level soon, and keep a single intermediate level for leveling purposes (i.e., either remove "Reviewer" or "Approver").
  • Maintainer Lifecycle: We now have a section Timing out, subsection "Maintainers" that plays the role of "Removal for inactivity". We also added the section Removal that plays the role of "Removal for misconduct".
  • Decision-making:
    • No central decision log yet. We are thinking about it. Right now, someone who would like to know what decisions were taken in the past months would have to (1) go to the Kubernetes Slack and search "lazy consensus" in:#cert-manager-dev, and (2) go to GitHub and run search in PRs and search in Issues.
    • About "naming official channels", we haven't yet added links to the list of official channels and meetings in the contributor docs from GOVERNANCE.md.

Other discussions

Gaining Admin Privileges:

Regarding "Maintainers" privileges, we used to give all admin privileges since we were all Venafi colleagues. Since then, Erik joined, and we agreed during the 22nd Aug dev biweekly meeting (notes + recording) to change the way we grant admin privileges: old and new maintainers can no longer ask for new privileges from other maintainers. Instead, they have to go to the CNCF service desk to ask for this privilege. The plan goes like this:

  • Give the "admin" role to the CNCF on all the services we use.
  • Following the principle of least privilege, maintainers now start with no privileges (including GitHub admin).
  • Later, we will do an audit of the existing maintainers' privileges to remove any existing needless privilege.
  • Maintainers no longer ask other maintainers to get admin privileges; instead, maintainers have to go to servicedesk.cncf.io and open a ticket, and the CNCF will give them the admin privilege or access to this service.
  • We will change GOVERNANCE.md to merge "maintainer" and "admin" and explain that privileges are requested from the CNCF on a need basis in a self-service way.
  • We talked about a pair review of the CNCF privilege escalation tickets; maybe we can ask the CNCF if it's possible for them to ask for a review from another maintainer when a maintainer requests access or requests more privileges.
  • Ask the CNCF to be admin of the https://cert-manager.1password.com/ account.

This change will need a vote, but we have already started reviewing each tool and privilege.

FYI @jberkus
