Merge pull request #1170 from SgtCoDFish/trust-manager-api-docs

Trust manager API doc generation
cert-manager · Jan 24, 2023 · a0eead8 · a0eead8
2 parents 895eade + efefbf7
commit a0eead8
Show file tree

Hide file tree

Showing 11 changed files with 720 additions and 10 deletions.
diff --git a/.spelling b/.spelling
@@ -71,6 +71,10 @@ AzureDNS
 BKPR
 Bazel
 Bitnami
+BundleSource
+BundleTarget
+BundleCondition
+NamespaceSelector
 CAs
 CNAME
 CNAMEs

diff --git a/content/docs/configuration/ca.md b/content/docs/configuration/ca.md
@@ -13,8 +13,10 @@ The CA issuer represents a Certificate Authority whose certificate and
 private key are stored inside the cluster as a Kubernetes `Secret`.
 
 Certificates issued by a CA issuer will not be publicly trusted and so are unlikely to be trusted
-by your applications without further configuration work. Consider the [trust-manager](../projects/trust-manager.md)
-project for distributing trust stores.
+by your applications without further configuration.
+
+Consider [trust-manager](../projects/trust-manager/README.md) for distributing your CA certificate safely
+across your cluster!
 
 ## Deployment
 

diff --git a/content/docs/configuration/selfsigned.md b/content/docs/configuration/selfsigned.md
@@ -136,12 +136,14 @@ spec:
 ### Trust
 
 Clients consuming `SelfSigned` certificates have _no way_ to trust them
-without already having the certificates beforehand. This becomes hard to
-manage when the client of the server using the certificate exists in a
-different namespace. This limitation can be tackled by using [trust-manager](../projects/trust-manager.md)
-to distribute the `ca.crt` to other namespaces. The alternative is to use
-"TOFU" (trust on first use), which has security implications in the event
-of a man-in-the-middle attack.
+without already having the certificates beforehand, which can be hard to
+manage when the client is in a different namespace to the server.
+
+This limitation can be tackled by using [trust-manager](../projects/trust-manager/README.md) to distribute `ca.crt`
+to other namespaces.
+
+There is no secure alternative to solving the problem of distributing trust stores; it's possible
+to "TOFU" (trust-on-first-use) a certificate, but that approach is vulnerable to man-in-the-middle attacks.
 
 ### Certificate Validity
 

diff --git a/content/docs/manifest.json b/content/docs/manifest.json
@@ -343,7 +343,16 @@
  },
  {
  "title": "trust-manager",
- "path": "/docs/projects/trust-manager.md"
+ "routes": [
+ {
+ "title": "Introduction",
+ "path": "/docs/projects/trust-manager/README.md"
+ },
+ {
+ "title": "API Reference",
+ "path": "/docs/projects/trust-manager/api-reference.md"
+ }
+ ]
  }
  ]
  },

diff --git a/content/docs/projects/README.md b/content/docs/projects/README.md
@@ -28,6 +28,7 @@ These tools help with security, compliance and control.
  in the form of X.509 certificate key pairs to mounting Kubernetes Pods. The
  end result is all and any Pod running in Kubernetes can securely request their
  SPIFFE identity document from a Trust Domain with minimal configuration.
-- [trust-manager](./trust-manager.md): an
+- [trust-manager](./trust-manager/README.md): an
  operator to distribute trust bundles, like CA certificates, across a
  Kubernetes cluster.
+- [trust-manager API reference](./trust-manager/api-reference.md): full documentation of the trust-manager CRD(s)
diff --git a/content/docs/projects/trust-manager.md → ...ent/docs/projects/trust-manager/README.md b/content/docs/projects/trust-manager.md → ...ent/docs/projects/trust-manager/README.md