Documentation
Overview
Package policies provides functionality to evaluate a Certificate's state.
Index
- Constants
- func CurrentCertificateRequestNotValidForSpec(input Input) (string, string, bool)
- func SecretAdditionalOutputFormatsDataMismatch(input Input) (string, string, bool)
- func SecretBaseLabelsAreMissing(input Input) (string, string, bool)
- func SecretDoesNotExist(input Input) (string, string, bool)
- func SecretIsMissingData(input Input) (string, string, bool)
- func SecretIssuerAnnotationsNotUpToDate(input Input) (string, string, bool)
- func SecretKeystoreFormatMatchesSpec(input Input) (string, string, bool)
- func SecretPrivateKeyMatchesSpec(input Input) (string, string, bool)
- func SecretPublicKeysDiffer(input Input) (string, string, bool)
- func SecretTemplateMismatchesSecret(input Input) (string, string, bool)
- type Chain
- type Func
- func CurrentCertificateHasExpired(c clock.Clock) Func
- func CurrentCertificateNearingExpiry(c clock.Clock) Func
- func SecretAdditionalOutputFormatsOwnerMismatch(fieldManager string) Func
- func SecretOwnerReferenceManagedFieldMismatch(ownerRefEnabled bool, fieldManager string) Func
- func SecretOwnerReferenceValueMismatch(ownerRefEnabled bool) Func
- func SecretTemplateMismatchesSecretManagedFields(fieldManager string) Func
- type Gatherer
- type Input
Constants
const (
	// DoesNotExist is a policy violation reason for a scenario where
	// Certificate's spec.secretName secret does not exist.
	DoesNotExist string = "DoesNotExist"
	// MissingData is a policy violation reason for a scenario where
	// Certificate's spec.secretName secret has missing data.
	MissingData string = "MissingData"
	// InvalidKeyPair is a policy violation reason for a scenario where public
	// key of certificate does not match private key.
	InvalidKeyPair string = "InvalidKeyPair"
	// InvalidCertificate is a policy violation whereby the signed certificate in
	// the Input Secret could not be parsed or decoded.
	InvalidCertificate string = "InvalidCertificate"
	// SecretMismatch is a policy violation reason for a scenario where Secret's
	// private key does not match spec.
	SecretMismatch string = "SecretMismatch"
	// IncorrectIssuer is a policy violation reason for a scenario where
	// Certificate has been issued by incorrect Issuer.
	IncorrectIssuer string = "IncorrectIssuer"
	// RequestChanged is a policy violation reason for a scenario where
	// CertificateRequest not valid for Certificate's spec.
	RequestChanged string = "RequestChanged"
	// Renewing is a policy violation reason for a scenario where
	// Certificate's renewal time is now or in past.
	Renewing string = "Renewing"
	// Expired is a policy violation reason for a scenario where Certificate has
	// expired.
	Expired string = "Expired"
	// SecretTemplateMismatch is a policy violation whereby the Certificate's
	// SecretTemplate is not reflected on the target Secret, either by having
	// extra, missing, or wrong Annotations or Labels.
	SecretTemplateMismatch string = "SecretTemplateMismatch"
	// SecretBaseLabelsMissing is a policy violation whereby the Secret is
	// missing labels that should have been added by cert-manager
	SecretBaseLabelsMissing string = "SecretBaseLabelsMissing"
	// AdditionalOutputFormatsMismatch is a policy violation whereby the
	// Certificate's AdditionalOutputFormats is not reflected on the target
	// Secret, either by having extra, missing, or wrong values.
	AdditionalOutputFormatsMismatch string = "AdditionalOutputFormatsMismatch"
	// ManagedFieldsParseError is a policy violation whereby cert-manager was
	// unable to decode the managed fields on a resource.
	ManagedFieldsParseError string = "ManagedFieldsParseError"
	// SecretOwnerRefMismatch is a policy violation whereby the Secret either has
	// a missing owner reference to the Certificate, or has an owner reference it
	// shouldn't have.
	SecretOwnerRefMismatch string = "SecretOwnerRefMismatch"
)
Variables
This section is empty.
Functions
func SecretAdditionalOutputFormatsDataMismatch
SecretAdditionalOutputFormatsDataMismatch validates that the Secret has the expected Certificate AdditionalOutputFormats. Returns true (violation) if AdditionalOutputFormat(s) are present and any of the following:
- Secret key is missing
- Secret value is incorrect
func SecretBaseLabelsAreMissing (added in v1.11.0)
func SecretKeystoreFormatMatchesSpec (added in v1.11.0)
SecretKeystoreFormatMatchesSpec - When no keystore is defined, the keystore-related fields are removed from the Secret. When one or more keystores are defined, the corresponding Secret entries are generated. If private key rotation is set to "Never", the keystore-related values are re-encoded according to the Certificate specification.
func SecretTemplateMismatchesSecret
SecretTemplateMismatchesSecret will inspect the given Secret's Annotations and Labels, and compare these maps against those that appear on the given Certificate's SecretTemplate. Returns false if all of the Certificate's SecretTemplate Annotations and Labels appear on the Secret; put another way, returns false if the Certificate's SecretTemplate is a subset of the Secret's Annotations/Labels. Returns true otherwise.
Types
type Chain
type Chain []Func
A Chain of PolicyFuncs to be evaluated in order.
func NewReadinessPolicyChain
NewReadinessPolicyChain includes readiness policy checks, which, if they return true, cause a Certificate to be marked as not ready.
func NewSecretPostIssuancePolicyChain
NewSecretPostIssuancePolicyChain includes policy checks that are to be performed _after_ issuance has been successful, testing for the presence and correctness of the metadata and output formats of a Certificate's Secret.
func NewTemporaryCertificatePolicyChain
func NewTemporaryCertificatePolicyChain() Chain
NewTemporaryCertificatePolicyChain includes policy checks for ensuring a temporary certificate is valid.
func NewTriggerPolicyChain
NewTriggerPolicyChain includes trigger policy checks, which, if they return true, should cause a Certificate to be marked for issuance.
type Func
A Func evaluates the given input data and decides whether a check has passed or failed, returning additional human readable information in the 'reason' and 'message' return parameters if so.
func CurrentCertificateHasExpired
CurrentCertificateHasExpired is used exclusively to check if the current issued certificate has actually expired rather than just nearing expiry.
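The Func and Chain types above, the subset semantics of SecretTemplateMismatchesSecret and the clock-driven CurrentCertificateHasExpired, illustrated in one added example that is not the package's own code: the Input struct, the Evaluate method and the now() parameter standing in for clock.Clock are simplifications assumed for this example.

```go
package main

import "time"
// Input stands in for the package's Input: plain maps replace the k8s/cert-manager types (assumption).
type Input struct {
	SecretAnnotations, SecretLabels     map[string]string
	TemplateAnnotations, TemplateLabels map[string]string
	NotAfter                            time.Time
}

// Func mirrors the package's policy signature; a Chain runs Funcs in order, stopping at the first violation.
type Func func(Input) (string, string, bool)
type Chain []Func

func (c Chain) Evaluate(in Input) (string, string, bool) {
	for _, f := range c {
		if reason, msg, violated := f(in); violated {
			return reason, msg, true
		}
	}
	return "", "", false
}

// isSubset reports whether every key/value pair in want is present in have.
func isSubset(want, have map[string]string) bool {
	for k, v := range want {
		if got, ok := have[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// Violation only when the SecretTemplate is not a subset of the Secret's metadata (extra keys tolerated).
func SecretTemplateMismatchesSecret(in Input) (string, string, bool) {
	if !isSubset(in.TemplateAnnotations, in.SecretAnnotations) || !isSubset(in.TemplateLabels, in.SecretLabels) {
		return "SecretTemplateMismatch", "Secret metadata does not match the Certificate's SecretTemplate", true
	}
	return "", "", false
}

// CurrentCertificateHasExpired takes a now() func in place of clock.Clock; fires at or after NotAfter.
func CurrentCertificateHasExpired(now func() time.Time) Func {
	return func(in Input) (string, string, bool) {
		if now().Before(in.NotAfter) {
			return "", "", false
		}
		return "Expired", "certificate expired at " + in.NotAfter.Format(time.RFC3339), true
	}
}
```

Injecting now() is what makes the expiry policy testable at a fixed instant; the template check deliberately ignores keys the Secret carries beyond the template.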
func CurrentCertificateNearingExpiry
CurrentCertificateNearingExpiry returns a policy function that can be used to check whether an X.509 cert currently issued for a Certificate should be renewed.
func SecretAdditionalOutputFormatsOwnerMismatch
SecretAdditionalOutputFormatsOwnerMismatch validates that the field manager owns the correct Certificate's AdditionalOutputFormats in the Secret. Returns true (violation) if:
- missing AdditionalOutputFormat key owned by the field manager
- AdditionalOutputFormat key owned by the field manager shouldn't exist
A violation with the reason `ManagedFieldsParseError` should be considered a non-retriable error.
func SecretOwnerReferenceManagedFieldMismatch
SecretOwnerReferenceManagedFieldMismatch validates that the Secret has an owner reference to the Certificate if enabled. Returns true (violation) if:
- the Secret doesn't have an owner reference and is expecting one
- the Secret has an owner reference but is not expecting one
A violation with the reason `ManagedFieldsParseError` should be considered a non-retriable error.
func SecretOwnerReferenceValueMismatch
SecretOwnerReferenceValueMismatch validates that the Secret has the expected owner reference if it is enabled. Returns true (violation) if:
- owner reference is enabled, but the reference has an incorrect value
func SecretTemplateMismatchesSecretManagedFields
SecretTemplateMismatchesSecretManagedFields will inspect the given Secret's managed fields for its Annotations and Labels, and compare this against the SecretTemplate on the given Certificate. Returns false if Annotations and Labels match on both the Certificate's SecretTemplate and the Secret's managed fields, true otherwise. Also returns true if the managed fields or signed certificate were not able to be decoded.
type Gatherer
type Gatherer struct {
	CertificateRequestLister cmlisters.CertificateRequestLister
	SecretLister             corelisters.SecretLister
}
Gatherer is used to gather data about a Certificate in order to evaluate its current readiness/state by applying policy functions to it.
func (*Gatherer) DataForCertificate
DataForCertificate returns the secret as well as the "current" and "next" certificate request associated with the given certificate. It also returns the given certificate as-is. To know more about the "current" and "next" certificate requests and why we want to be fetching them along with the certificate's secret, take a look at the top comment on this file.
DataForCertificate returns an error when duplicate CRs are found for the "current" or the "next" revision. DataForCertificate does not return any apierrors.NewNotFound; instead, if either of the objects (current CR, next CR or secret) is not found, then the returned value of this object is left nil.
type Input
type Input struct {
	Certificate *cmapi.Certificate
	Secret      *corev1.Secret

	// The "current" certificate request designates the certificate request that
	// led to the current revision of the certificate. The "current" certificate
	// request is by definition in a ready state, and can be seen as the source
	// of information of the current certificate. Take a look at the gatherer
	// package's documentation to see more about why we care about the "current"
	// certificate request.
	CurrentRevisionRequest *cmapi.CertificateRequest

	// The "next" certificate request is the one that is currently being issued.
	// Take a look at the gatherer package's documentation to see more about why
	// we care about the "next" certificate request.
	NextRevisionRequest *cmapi.CertificateRequest
}