From 1eed94bc97e4ae22d3d6a382f3a94ef859c1ae3e Mon Sep 17 00:00:00 2001 From: Josh Berkus Date: Fri, 16 Aug 2024 14:27:50 -0700 Subject: [PATCH] Final draft of Cert-Manager review. Signed-off-by: Josh Berkus --- .../projects/cert-manager/2024-07-22.md | 161 ++++++++++++++++++ 1 file changed, 161 insertions(+) create mode 100644 governance/assessments/projects/cert-manager/2024-07-22.md diff --git a/governance/assessments/projects/cert-manager/2024-07-22.md b/governance/assessments/projects/cert-manager/2024-07-22.md new file mode 100644 index 00000000..ac91b397 --- /dev/null +++ b/governance/assessments/projects/cert-manager/2024-07-22.md @@ -0,0 +1,161 @@ +# Governance Review Template + +What follows is a governance review and assessment for the Cert-Manager project. This review is carried out by members of the Governance Working Group of TAG Contributor Strategy. The review may have been done because of a change in maturity level for the project, at the request of the TOC, or as a request by the project itself. If requested by the project, the review will be provided to the project maintainers. Otherwise, the review will be submitted to the TOC for their follow-up. + +Governance reviews contribute to the health and sustainibility of the CNCF projects. By providing guidance on effective governance practices, TAG Contributor Strategy aims to ensure that projects operate efficiently, encourage diverse participation, and uphold the values of the CNCF. The governance review process is designed to be constructive and supportive, aiming to assist projects in refining their governance models and addressing any challenges they may face. + +Projects may ask TAG Contributor Strategy for assistance in resolving any issues uncovered by the review. The TAG is available via our [slack channel](https://cloud-native.slack.com/archives/CT6CWS1JN), [email](https://lists.cncf.io/g/cncf-tag-contributor-strategy), [GitHub](https://github.com/cncf/tag-contributor-strategy), or by joining our weekly meetings (listed on the [CNCF public calendar](https://www.cncf.io/calendar/)). + +## Summary and Assessment + +Status: Satisfactory + +Cert-manager demonstrates open, appropriate governance for a small-medium sized CNCF project. They have exceptional contributor documentation and end-user engagement. While they have some improvements to work on, none are critical. + +### Executing the Assessment + +This assessment [was requested by maintainer Maƫl Valais](https://github.com/cncf/tag-contributor-strategy/issues/675) as part of the project's assessment for Graduation on July 11. It was completed by TAG-CS member Josh Berkus over the period of August 1 to August 16. + +### Critical Items + +There are no critical items that would prevent project Graduation. + +### Points of Excellence + +The following aspects of governance are exemplary, and can be referenced as examples for other projects to copy: + +* Cert-manager has an exceptionally complete [contributing guide](https://cert-manager.io/docs/contributing/), including information about communications, feature approval, expectations, testing, release process, and coding standards. This is a good example to other projects about what a complete contribution guide should look like. +* The project does an excellent job of making sure that its public meetings are accessible, with notes, videos, and easy to find meeting links. +* While it's a recent change, the project has developed a good structure for End User input into the roadmap through their Steering Committee. + +### Areas for Improvement + +Over the next year, the project should work on the following issues to improve its governance, these are considered non-blocking: + +* Add in/out of scope information to the readme, roadmap, or contributor documentation. +* Add role qualifications for each step on the contributor ladder. This is particularly important for the maintainers, where other docs refer to Maintainer qualifications that don't exist. +* Add a process for removing Maintainers (and SC members) for reasons other than inactivity, such as violating the CoC or disruptive behavior. +* Link to the list of official channels and meetings in the contributor docs from the Governance document. +* Gradually build up the subprojects into their own entities, allowing new contributors to take ownership of them. This will require adding to the main Governance for these roles. +* Have another Steering meeting, in order to keep Steering members engaged. +* Make sure that the Community repo is linked from appropriate other places, like the main development repos and the contributor docs. +* Figure out a low-effort way to record maintainer decisions for posterity, such as a simple text log. + +Details of these issues can be found in the [Findings Table](#Governance-Findings-Table) and the related sections below. + +## Review + +### Governance Description + +The Cert-Manager project governance is essentially a [Maintainer Council](https://github.com/cert-manager/community/blob/main/GOVERNANCE.md), modified through a user advisory board called the [Steering Committee](https://github.com/cert-manager/community/blob/main/STEERING.md). + +The collective maintainers are responsible for all aspects of leadership of the project, including security response. The group of maintainers is self-selecting, based on meeting the contributor ladder qualifications to be a maintainer. + +The Steering Committee is a group of end-users who help the maintainers develop the [roadmap](https://github.com/cert-manager/community/blob/main/ROADMAP.md). Both groups are included on any roadmap level decisions, including decisions about things like release cadence. + +### Discoverability + +#### Governance Location + +Governance documentation is in the [community repo](https://github.com/cert-manager/community/tree/main), which is a common pattern with CNCF projects. + +#### Governance Discovery + +The Community repo pattern is common in the CNCF, and easy to find for that reason. Some documents are interlinked from other repositories, but not all of them where it's relevant. Notably, the otherwise exemplary contributor docs do not obviously link to the Community repo. + +### Documentation Content + +The following table details the governance areas expected for a project. Coverage is indicated by Complete, Partial, Missing, and Unknown. +* Complete - the content of the governance documentation is fully detailed and does not leave any question to the reader. +* Partial - the content of the governance documentation is missing some information and would leave the reader with questions or some level of misunderstanding. +* Missing - the documentation is absent, wholly undiscoverable, or woefully inadequate in meeting the objectives of that governance content. The reader cannot act on the content that is available. +* Unknown - status cannot be assessed at this time + +| Governance Area | Coverage | Documents | Finding Notes | +|:----------------|:--------:|:------:|:--------------| +| Project Purpose | Partial | [README](https://github.com/cert-manager/cert-manager/blob/master/README.md) | Good statement of what Cert-Manager does. No Values or Scope. | +| Maintainer List | Complete | [maintainers](https://github.com/cert-manager/community/blob/main/maintainers.csv) | | +| Code of Conduct | Complete | [CoC](https://github.com/cert-manager/community/blob/main/CODE_OF_CONDUCT.md) | Leaves conduct to the CNCF CoCC | +| Contributor Guide | Complete | [Contributor Guide](https://cert-manager.io/docs/contributing/) | Exceptionally complete | +| Contributor Ladder | Mostly Complete | [Governance](https://github.com/cert-manager/community/blob/main/GOVERNANCE.md) | Could use qualifications for each level | +| Maintainer Lifecycle | Partial | [Governance](https://github.com/cert-manager/community/blob/main/GOVERNANCE.md) | Does not cover Maintainer removal for cause, missing maintainer qualifications | +| Decision-making | Partial | [Governance](https://github.com/cert-manager/community/blob/main/GOVERNANCE.md) | Could use naming official channels, record of decisions, links to ROADMAP | +| Code and Docs Ownership | Complete | [OWNERS](https://github.com/cert-manager/cert-manager/blob/master/OWNERS) | Uses Prow | +| Security Reporting and response | Complete | [Security](https://github.com/cert-manager/community/blob/main/SECURITY.md) | Maintainers are the SRC | +| Communication and Meetings | Complete | [README](https://github.com/cert-manager/community/blob/main/README.md), [notes](https://docs.google.com/document/d/1Tc5t6ylY9dhXAan1OjOoldeaoys1Yh4Ir710ATfBa5U/edit#heading=h.7h8rkitcxn99) | Very good community meeting notes | + +#### Sub-projects, plugins, and related + +The project includes the following sub-projects, plugins, and other notable divisions: + +* [Trust Manager](https://github.com/cert-manager/trust-manager) +* [Approver Policy](https://github.com/cert-manager/approver-policy) +* [CSI Driver](https://github.com/cert-manager/csi-driver) +* [SPIFFE CSI Driver](https://github.com/cert-manager/csi-driver-spiffe) +* [Istio CSR](https://github.com/cert-manager/istio-csr) + +At this time, none of these subprojects are separated from the main project, so they do not yet have specific maintainers, communications channels, or contributor ladders. The project aspires to develop these things as a method of growing the contributor base. + +### Operation + +#### Transparency and freshness + +Transparency for a project is exemplified in the public documentation, record, and communications, allowing observers and contributors to monitor the project's adherence to their stated governance. Freshness indicates governance activities mirror the documented governance for the project, and have been reviewed or updated recently. + +Governance is clearly documented and project leadership is clearly identified. The project has multiple public channels, and community meetings are called out, recorded, and have good notes. The only transparency flaw is that most maintainer decisions and votes happen on a Slack channel, which has no archives. Adding a log of decisions somewhere would remedy this. + +#### Governance Drift + +Governance Drift can occur when the executed and observable governance of a project deviates from the documented governance of the project. + +We did not see any evidence of Governance Drift. Governance practices seem to be taking place as documented. + +#### Ownership + +The project uses Prow to manage code approval, and ownership files match current maintainer lists. + +Cert-manager seems to have had the intention of installing Tempelis to manage GH admin permissions, but not completed it. They should consider using either Tempelis or Sheriff in the future to audit admin permissions. + +### Maintainer List(s) + +The project's [maintainer list(s)](https://github.com/cert-manager/community/blob/main/maintainers.csv) are current. Individuals on the maintainer list are all active contributors to the project. The maintainer affiliations (employers) reflect some diversity. Additionally, the current Steering Committee all appear to be active in the community and fulfilling their role of roadmap guidance. + +Currently, the maintainers include five people who work for Venafi, and three working for other organizations. While this is sufficient diversity for requirements, the project would like to increase maintainer diversity and has reached out to TAG-CS to assist with maintainer recruitment. + +Over the last year, the project has added one maintainer and removed two inactive maintainers. + +### Evolution + +Governance evolution is the observable changes and improvements the project makes to its governance over the project's lifespan. It is expected that changes will occur over the project's life and that such changes are iterative, tested, and adjusted. + +Major milestones in the project's governance over time include: + +* Adoption of current governance documentation in the Community repository, September 2023. +* Addition of the steering committee in December 2023. + +Recent changes to the governance include: + +* First steering committee meeting and roadmap review, including a change to the release cadence, in May 2024. + +Areas of potential future development include: + +* Enhancing the subprojects to have their own ownership and approval, allowing for faster development and opportunities for contributor promotion. + +### Governance Findings Table + +| Finding Title | Importance | Description | Links | Notes & Impact | +|:------------- |:----------:|:------------|:------|:---------------| +| No Scope | Low | Project README/Roadmap doesn't have scope of project. | [README](https://github.com/cert-manager/cert-manager/blob/master/README.md) [Roadmap](https://github.com/cert-manager/community/blob/main/ROADMAP.md) | | +| No Qualifications | Medium | Roles don't have qualifications | [Governance](https://github.com/cert-manager/community/blob/main/GOVERNANCE.md) | Roles have duties and privs, but no qualifications | +| Removal for Cause | Low | Maintainers only removed for absence |[Governance](https://github.com/cert-manager/community/blob/main/GOVERNANCE.md) | Needs to include possibility of removing maintainer for other reasons | +| Name Governance Channels | Low | Gov docs should name discussion channels | [Governance](https://github.com/cert-manager/community/blob/main/GOVERNANCE.md) | Important since maintainer votes are on slack | +| Developing Subprojects | Med | Subprojects need meetings, channels, owners | [Trust Manager](https://github.com/cert-manager/trust-manager/tree/main) | This is already planned by the project | +| Next SC Meeting? | Low | SC needs to have a 2nd meeting | [Steering Committee](https://github.com/cert-manager/community/blob/main/STEERING.md) | SC will fade away without engagement | +| Interlink Gov Docs | Low | Make sure community repo is linked from other repos, main docs | | just make it easier to find | +| Archival decisions | Low | Maintainer decisions are on slack and not archived | | | + +### Previous Reviews + +| Date | Requested By | Reason | Link | +|:-------|:--------------|:------------------------------------------:|:---------------------| +| *Date* | *TOC/Project* | *Maturity change / project request / etc.* | *link to review doc* |