Improve docs and config (#18)

ThomasVitale · web-flow · commit 85c15ff015e9 · 2023-03-15T17:40:02.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,6 +18,6 @@ jobs:
       registry-server: ghcr.io
       registry-username: ${{ github.actor }}
       image: ${{ github.repository }}
-      version: 1.11.0+kadras.1
+      version: 1.11.0+kadras.2
     secrets:
       pull-request-token: ${{ secrets.GH_ORG_PAT }}
diff --git a/Makefile b/Makefile
@@ -14,6 +14,10 @@ prepare: test/setup
 dev: package
 	cd package && kctrl dev -f package-resources.yml --local -y
 
+# Clean development environment
+clean:
+	cd package && kctrl dev -f package-resources.yml --local -y --delete 
+
 # Process the configuration manifests with ytt
 ytt:
 	ytt --file package/config
diff --git a/docs/corporate-proxy.md b/docs/corporate-proxy.md
@@ -0,0 +1,10 @@
+# Using a corporate proxy
+
+When running Cert Manager behind a corporate proxy, you can configure the controller to proxy communications with external services.
+
+```yaml
+proxy:
+  http_proxy: "proxy.kadras.io"
+  https_proxy: "proxy.kadras.io"
+  no_proxy: ".svc, .cluster.local"
+```
diff --git a/docs/high-availability.md b/docs/high-availability.md
@@ -12,7 +12,7 @@ The leader election strategy is enabled by default and can be customized.
 leader_election:
   lease_duration: "60s"
   renew_deadline: "40s"
-  retry_period: "10s"
+  retry_period: "15s"
 ```
 
 ## High availability for the webhooks
diff --git a/docs/policies.md b/docs/policies.md
@@ -1,12 +1,10 @@
 # Policies
 
-Validate and secure the Cert Manager installation.
+Validate and secure the package installation.
 
 ## Kyverno
 
-This package provides an optional set of out-of-the-box policies to validate and secure the Cert Manager installation and functionality. The policies requires [Kyverno](https://kyverno.io) to be installed in your Kubernetes cluster.
-
-The following configuration instructs the package to include the set of Kyverno policies.
+This package provides an optional set of out-of-the-box policies to validate and secure the package installation and its functionality. The policies requires [Kyverno](https://kyverno.io) to be installed in your Kubernetes cluster.
 
 ```yaml
 policies:
diff --git a/docs/verify-release.md b/docs/verify-release.md
@@ -12,20 +12,26 @@ The result:
 
 ```shell
 📦 Supply Chain Security Related artifacts for an image: ghcr.io/kadras-io/package-for-cert-manager
-└── 💾 Attestations for an image tag: ghcr.io/kadras-io/package-for-cert-manager:sha256-76d5d060d8a864933699715d29ef3fdc805378ed47600e029b03aadad020e77e.att
-   └── 🍒 sha256:2daae1cfdfb38b1a51cb7f273cac0081a2216017e4db5f78b4e1430fabcd99d1
-└── 🔐 Signatures for an image tag: ghcr.io/kadras-io/package-for-cert-manager:sha256-76d5d060d8a864933699715d29ef3fdc805378ed47600e029b03aadad020e77e.sig
-   └── 🍒 sha256:7390da18a629450c393c8ee9a9712e8bc27f1fbfedbd07312e54f57e9a6be5d5
+└── 💾 Attestations for an image tag: ghcr.io/kadras-io/package-for-cert-manager:sha256-3cc778ffeb099e827e357518ea32e4e4b5688ea1ef947270139732bb8719c355.att
+   └── 🍒 sha256:050052870dc08a4d59d9c59189d14f02c17e89e5c75e17b429263484190dfda5
+└── 🔐 Signatures for an image tag: ghcr.io/kadras-io/package-for-cert-manager:sha256-3cc778ffeb099e827e357518ea32e4e4b5688ea1ef947270139732bb8719c355.sig
+   └── 🍒 sha256:84b91f7dab26d39bf107e0b631f24baf3a6e74c13496a7e4ad0d314f21f784d4
 ```
 
 You can verify the signature and its claims:
 
 ```shell
-COSIGN_EXPERIMENTAL=1 cosign verify ghcr.io/kadras-io/package-for-cert-manager | jq
+cosign verify \
+   --certificate-identity-regexp https://github.com/kadras-io \
+   --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+   ghcr.io/kadras-io/package-for-cert-manager | jq
 ```
 
 You can also verify the SLSA Provenance attestation associated with the image.
 
 ```shell
-COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type slsaprovenance ghcr.io/kadras-io/package-for-cert-manager | jq .payload -r | base64 --decode | jq
+cosign verify-attestation --type slsaprovenance \
+   --certificate-identity-regexp https://github.com/slsa-framework \
+   --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+   ghcr.io/kadras-io/package-for-cert-manager | jq .payload -r | base64 --decode | jq
 ```
diff --git a/package/config/overlays/corporate-proxy.yml b/package/config/overlays/corporate-proxy.yml
diff --git a/package/config/overlays/namespace.yml b/package/config/overlays/namespace.yml
@@ -19,7 +19,7 @@ metadata:
 #@overlay/match by=overlay.or_op(cluster_role_binding, role_binding), expects=13
 ---
 subjects:
-#@overlay/match by=overlay.subset({"namespace": "cert-manager"})
+#@overlay/match by=overlay.subset({"namespace":"cert-manager"})
 - kind: ServiceAccount
   namespace: #@ data.values.namespace
 
diff --git a/package/config/overlays/registry-credentials.yml b/package/config/overlays/registry-credentials.yml
@@ -20,7 +20,7 @@ type: kubernetes.io/dockerconfigjson
 data:
   .dockerconfigjson: e30K
 
-#@overlay/match by=overlay.subset({"kind":"Deployment"}),expects="3+"
+#@overlay/match by=overlay.subset({"kind":"Deployment"}), expects="3+"
 ---
 spec:
   template:
diff --git a/package/config/private-ca/bootstrap.yml b/package/config/private-ca/bootstrap.yml
@@ -18,9 +18,13 @@ metadata:
   namespace: #@ data.values.namespace
 spec:
   isCA: true
-  commonName: kadras-root-ca
+  commonName: Kadras CA
   secretName: kadras-root-ca
   duration: 8760h #! 365 days
+  renewBefore: 360h #! 15 days
+  subject:
+    organizations:
+    - Kadras
   privateKey:
     algorithm: Ed25519
     encoding: PKCS8
diff --git a/package/config/values-schema.yml b/package/config/values-schema.yml
@@ -2,6 +2,7 @@
 
 ---
 #@schema/desc "The namespace in which to deploy Cert Manager."
+#@schema/validation min_len=1
 namespace: cert-manager
 
 #@schema/desc "Settings for the Kyverno policies."
@@ -36,10 +37,14 @@ webhook:
 #@schema/desc "Leader election configuration for the cert-manager and cert-manager-cainjector Deployments."
 leader_election:
   #@schema/desc "Namespace used to perform leader election. The default namespace needs changing in environments like GKE. More information: https://cert-manager.io/docs/installation/compatibility/#gke."
+  #@schema/validation min_len=1
   namespace: kube-system
   #@schema/desc "The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate."
+  #@schema/validation min_len=2
   lease_duration: "60s"
   #@schema/desc "The interval between attempts by the acting leader to renew a leadership slot before it stops leading."
+  #@schema/validation min_len=2
   renew_deadline: "40s"
   #@schema/desc "The duration the clients should wait between attempting acquisition and renewal of a leadership."
+  #@schema/validation min_len=2
   retry_period: "15s"
