Reorganise the usage section & move missing topics to this section #1291

Merged
merged 4 commits into from
Oct 12, 2023
4 changes: 4 additions & 0 deletions .spelling
Expand Up @@ -656,6 +656,10 @@ arukiidou
Richardds
kahirokunn
selfsigned-issuer
apiVersion
gateway.networking.k8s.io
networking.k8s.io
certificates.k8s.io

# TEMPORARY
# these are temporarily ignored because the spellchecker
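
Review bot: the four entries added here (`apiVersion` and the API group names `gateway.networking.k8s.io`, `networking.k8s.io`, `certificates.k8s.io`) are identifiers rather than prose words. Consider writing them as inline code in the new page headers and, if the spellchecker skips code spans, dropping these entries so the allow-list stays limited to prose.
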
2 changes: 1 addition & 1 deletion content/docs/concepts/acme-orders-challenges.md
Expand Up @@ -20,7 +20,7 @@ In order to complete these challenges, cert-manager introduces two
validation can be found on the Let's Encrypt website
[here](https://letsencrypt.org/how-it-works/). An order represents a single
certificate request which will be created automatically once a new
[`CertificateRequest`](./certificaterequest.md) resource referencing an ACME
[`CertificateRequest`](../usage/certificaterequest.md) resource referencing an ACME
issuer has been created. `CertificateRequest` resources are created
automatically by cert-manager once a [`Certificate`](./certificate.md) resource
is created, has its specification changed, or needs renewal.
6 changes: 3 additions & 3 deletions content/docs/contributing/external-issuers.md
Expand Up @@ -49,13 +49,13 @@ on how to write an external issuer using Kubebuilder and controller-runtime.
## Approval

Before signing a certificate, Issuers **must** also ensure that the `CertificateRequest` is
[`Approved`](../concepts/certificaterequest.md#approval).
[`Approved`](../usage/certificaterequest.md#approval).

If the `CertificateRequest` is not `Approved`, the issuer **must** not process it. Issuers are not
responsible for approving `CertificateRequests` and should refuse to proceed if they find a certificate
that is not approved.

If a `CertificateRequest` created for an issuance associated with a `Certificate` gets [`Denied`](../concepts/certificaterequest.md#approval), the issuance will be failed by cert-manager's issuing controller.
If a `CertificateRequest` created for an issuance associated with a `Certificate` gets [`Denied`](../usage/certificaterequest.md#approval), the issuance will be failed by cert-manager's issuing controller.

## Conditions

Expand All @@ -65,7 +65,7 @@ status of that resource to a ready state, as this is what is used to signal to h
controllers - such as the `Certificate` controller - that the resource is ready to be consumed.

Conversely, if the `CertificateRequest` fails, it is as important to mark the resource as such, as this will
also be used as a signal to higher order controllers. Valid condition states are listed under [concepts](../concepts/certificaterequest.md#conditions).
also be used as a signal to higher order controllers. Valid condition states are listed under [concepts](../usage/certificaterequest.md#conditions).

## Implementation

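
Review bot: in the last changed line of this hunk the link text still reads `[concepts]` while its target is now `../usage/certificaterequest.md#conditions`. Suggest renaming the link text, for example to "CertificateRequest conditions", so it no longer names the section the page has left.
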
16 changes: 8 additions & 8 deletions content/docs/manifest.json
Expand Up @@ -411,19 +411,23 @@
"path": "/docs/usage/README.md"
},
{
"title": "Certificate Resources",
"title": "Certificate",
"path": "/docs/usage/certificate.md"
},
{
"title": "Securing Ingress Resources",
"title": "CertificateRequest",
"path": "/docs/usage/certificaterequest.md"
},
{
"title": "Ingress",
"path": "/docs/usage/ingress.md"
},
{
"title": "Securing Gateway Resources",
"title": "Gateway",
"path": "/docs/usage/gateway.md"
},
{
"title": "Kubernetes CertificateSigningRequests",
"title": "CertificateSigningRequests",
"path": "/docs/usage/kube-csr.md"
},
{
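
Review bot: the new sidebar titles are singular resource kinds (`Certificate`, `CertificateRequest`, `Ingress`, `Gateway`) except the last one, `CertificateSigningRequests`, which is plural. Suggest `CertificateSigningRequest`, which also matches the page title this PR sets in kube-csr.md ("CertificateSigningRequest resource").
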
Expand Down Expand Up @@ -782,10 +786,6 @@
"title": "Certificate",
"path": "/docs/concepts/certificate.md"
},
{
"title": "CertificateRequest",
"path": "/docs/concepts/certificaterequest.md"
},
{
"title": "ACME Orders and Challenges",
"path": "/docs/concepts/acme-orders-challenges.md"
4 changes: 2 additions & 2 deletions content/docs/policy/approval/README.md
Expand Up @@ -13,10 +13,10 @@ that rejects the request.

## Rejecting requests before sending the X.509 Certificate Signing Request (CSR) to the issuer

cert-manager requires that a [CertificateRequest](../../concepts/certificaterequest.md)
cert-manager requires that a [CertificateRequest](../../usage/certificaterequest.md)
is approved before it is sent to the issuer. Also, CertificateSigningRequests must
be approved before they are sent to the issuer. This approval is done by adding an
[approval condition](../../concepts/certificaterequest.md#approval) to the resource.
[approval condition](../../usage/certificaterequest.md#approval) to the resource.

In a default installation, cert-manager automatically approves all CertificateRequests
and CertificateSigningRequests that use any of its built-in issuers. This is done to
6 changes: 3 additions & 3 deletions content/docs/policy/approval/approver-policy/README.md
Expand Up @@ -4,14 +4,14 @@ description: 'Policy plugin for cert-manager'
---

approver-policy is a cert-manager
[approver](../../../concepts/certificaterequest.md#approval)
[approver](../../../usage/certificaterequest.md#approval)
that will approve or deny CertificateRequests based on policies defined in
the `CertificateRequestPolicy` custom resource.

## Prerequisites

[cert-manager must be installed](../../../installation/README.md), and
the [the default approver in cert-manager must be disabled](../../../concepts/certificaterequest.md#approver-controller).
the [the default approver in cert-manager must be disabled](../../../usage/certificaterequest.md#approver-controller).

> ⚠️ If the default approver is not disabled in cert-manager, approver-policy will
> race with cert-manager and policy will be ineffective.
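
Review bot: the changed Prerequisites line still begins `the [the default approver in cert-manager must be disabled]`, so the rendered sentence reads "the the default approver". Since the line is being edited anyway, drop the duplicate article. This sentence is the one that tells operators to disable the default approver, so it is worth having it read cleanly.
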
Expand Down Expand Up @@ -69,7 +69,7 @@ If you are using approver-policy with [external
issuers](../../../configuration/external.md), you _must_
include their signer names so that approver-policy has permissions to approve
and deny CertificateRequests that
[reference them](../../../concepts/certificaterequest.md#rbac-syntax).
[reference them](../../../usage/certificaterequest.md#rbac-syntax).
For example, if using approver-policy for the internal issuer types, along with
[google-cas-issuer](https://github.com/jetstack/google-cas-issuer), and
[aws-privateca-issuer](https://github.com/cert-manager/aws-privateca-issuer),
2 changes: 1 addition & 1 deletion content/docs/reference/cmctl.md
Expand Up @@ -74,7 +74,7 @@ Use "cmctl [command] --help" for more information about a command.
### Approve and Deny CertificateRequests

CertificateRequests can be
[approved or denied](../concepts/certificaterequest.md#approval) using their
[approved or denied](../usage/certificaterequest.md#approval) using their
respective cmctl commands:

> **Note**: The internal cert-manager approver may automatically approve all
5 changes: 4 additions & 1 deletion content/docs/usage/certificate.md
@@ -1,8 +1,11 @@
---
title: Certificate Resources
title: Certificate resource
description: 'cert-manager usage: Certificates'
---

> **apiVersion:** cert-manager.io/v1
> **kind:** Certificate

In cert-manager, the [`Certificate`](../concepts/certificate.md) resource
represents a human readable definition of a certificate request that is to be
honored by an issuer which is to be kept up-to-date. This is the usual way that
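
Review bot: the two added header lines, `> **apiVersion:** cert-manager.io/v1` and `> **kind:** Certificate`, are consecutive blockquote lines with no hard break, so a CommonMark renderer joins them into one paragraph that normally displays on a single line. Suggest ending the first line with a hard break (a trailing backslash or `<br/>`) or using a two-item list, and checking the preview. The same header pattern is added to the other usage pages in this PR.
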
@@ -1,10 +1,13 @@
---
title: CertificateRequest
title: CertificateRequest resource
description: 'cert-manager core concepts: CertificateRequests'
---

> **apiVersion:** cert-manager.io/v1
> **kind:** CertificateRequest

The `CertificateRequest` is a namespaced resource in cert-manager that is used
to request X.509 certificates from an [`Issuer`](./issuer.md). The resource
to request X.509 certificates from an [`Issuer`](../concepts/issuer.md). The resource
contains a base64 encoded string of a PEM encoded certificate request which is
sent to the referenced issuer. A successful issuance will return a signed
certificate, based on the certificate signing request. `CertificateRequests` are
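
Review bot: the front-matter `description` is left as 'cert-manager core concepts: CertificateRequests' although the title is updated and the page now sits under usage, where the other pages in this PR use the 'cert-manager usage: ...' form. Suggest updating the description together with the title.
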
10 changes: 5 additions & 5 deletions content/docs/usage/csi-driver-spiffe.md
Expand Up @@ -46,7 +46,7 @@ which is used to create and mount Pod volumes from.

When a Pod is created with the CSI volume configured, the
driver will locally generate a private key, and create a cert-manager
[CertificateRequest](../concepts/certificaterequest.md)
[CertificateRequest](../usage/certificaterequest.md)
in the same Namespace as the Pod.

The driver uses [CSI Token Request](https://kubernetes-csi.github.io/docs/token-requests.html) to both
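
Review bot: this file is itself under content/docs/usage/, so the new target `../usage/certificaterequest.md` goes up one directory and straight back into the same one. `./certificaterequest.md` is the shorter equivalent and follows the sibling-link style already used in these docs (for example `./certificate.md` in acme-orders-challenges.md). The same applies to the remaining links changed in this file and to the ones in csi-driver.md and kube-csr.md.
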
Expand All @@ -61,7 +61,7 @@ expiry of the signed certificate.

#### Approver

A distinct [cert-manager approver](../concepts/certificaterequest.md#approval)
A distinct [cert-manager approver](../usage/certificaterequest.md#approval)
Deployment is responsible for managing the approval and denial condition of
created CertificateRequests that target the configured SPIFFE Trust Domain
signer.
Expand All @@ -78,7 +78,7 @@ The approver ensures that requests have:

If any of these checks do not pass, the CertificateRequest will be marked as
Denied, else it will be marked as Approved. The approver will only manage
CertificateRequests who request from the same [IssuerRef](../concepts/certificaterequest.md)
CertificateRequests who request from the same [IssuerRef](../usage/certificaterequest.md)
that has been configured.

## Installation
Expand All @@ -98,7 +98,7 @@ cert-manager `v1.3` or higher is also required.
csi-driver-spiffe requires cert-manager to be [installed](../installation/README.md) but
a default installation of cert-manager **will not work**.

> ⚠️ It is **vital** that the [default approver is disabled in cert-manager](../concepts/certificaterequest.md#approver-controller) ⚠️
> ⚠️ It is **vital** that the [default approver is disabled in cert-manager](../usage/certificaterequest.md#approver-controller) ⚠️

If the default approver is not disabled, the csi-driver-spiffe approver will
race with cert-manager and policy enforcement will become useless.
Expand Down Expand Up @@ -149,7 +149,7 @@ cmctl approve -n cert-manager \

Install csi-driver-spiffe into the cluster using the issuer we configured. We
must also configure the issuer resource type and name of the issuer we
configured so that the approver has [permissions to approve referencing CertificateRequests](../concepts/certificaterequest.md#rbac-syntax).
configured so that the approver has [permissions to approve referencing CertificateRequests](../usage/certificaterequest.md#rbac-syntax).

Note that the `issuer.name`, `issuer.kind` and `issuer.group` will need to be changed to match
the issuer you're actually using!
2 changes: 1 addition & 1 deletion content/docs/usage/csi-driver.md
Expand Up @@ -182,7 +182,7 @@ volumeAttributes:
## Requesting Certificates using the mounting Pod's ServiceAccount

If the flag `--use-token-request` is enabled on the csi-driver DaemonSet, the
[CertificateRequest](../concepts/certificaterequest.md) resource will be created
[CertificateRequest](../usage/certificaterequest.md) resource will be created
by the mounting Pod's ServiceAccount. This can be paired with
[approver-policy](../policy/approval/approver-policy/README.md) to enable advanced policy control
on a per-ServiceAccount basis.
5 changes: 4 additions & 1 deletion content/docs/usage/gateway.md
@@ -1,8 +1,11 @@
---
title: Securing gateway.networking.k8s.io Gateway Resources
title: Annotated Gateway resource
description: 'cert-manager usage: Kubernetes Gateways'
---

> **apiVersion:** gateway.networking.k8s.io/v1alpha2
> **kind:** Gateway

**FEATURE STATE**: cert-manager 1.5 [alpha]

<div className="info">
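
Review bot: the added header pins `gateway.networking.k8s.io/v1alpha2`, directly above a feature-state line that marks the integration as alpha. Please confirm this is the same version the manifests further down the page use, since readers are likely to copy the apiVersion from the header.
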
5 changes: 4 additions & 1 deletion content/docs/usage/ingress.md
@@ -1,8 +1,11 @@
---
title: Securing Ingress Resources
title: Annotated Ingress resource
description: 'cert-manager usage: Kubernetes Ingress'
---

> **apiVersion:** networking.k8s.io/v1
> **kind:** Ingress

A common use-case for cert-manager is requesting TLS signed certificates to
secure your ingress resources. This can be done by simply adding annotations to
your `Ingress` resources and cert-manager will facilitate creating the
7 changes: 5 additions & 2 deletions content/docs/usage/kube-csr.md
@@ -1,12 +1,15 @@
---
title: Kubernetes CertificateSigningRequests
title: CertificateSigningRequest resource
description: 'cert-manager usage: Kubernetes CertificateSigningRequest resources'
---

> **apiVersion:** certificates.k8s.io/v1
> **kind:** CertificateSigningRequest

Kubernetes has an in-built
[CertificateSigningRequest](https://kubernetes.io/docs/reference/access-authn-authz/certificate-signing-requests/)
resource. This resource is similar to the cert-manager
[CertificateRequest](../concepts/certificaterequest.md) in that it is used to
[CertificateRequest](../usage/certificaterequest.md) in that it is used to
request an X.509 signed certificate from a referenced Certificate Authority
(CA).

3 changes: 3 additions & 0 deletions public/_redirects
Expand Up @@ -215,3 +215,6 @@ https://docs.cert-manager.io/* https://cert-manager.io/docs/:splat 302!
/docs/installation/upgrading/* /docs/releases/upgrading/:splat 301!
/docs/release-notes/* /docs/releases/release-notes/:splat 301!
/docs/installation/supported-releases/ /docs/releases/ 301!

# Moved the concept pages into the main website
/docs/concepts/certificaterequest/ /docs/usage/certificaterequest/ 301!
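
Review bot: the comment says "Moved the concept pages into the main website", but the rule under it redirects a single page, `/docs/concepts/certificaterequest/`, to `/docs/usage/certificaterequest/`. Suggest wording the comment to match, for example that the CertificateRequest page moved from concepts to usage, so later additions to this block are not assumed to be covered already.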