Documentation ¶
Overview ¶
Package policies provides functionality to evaluate a Certificate's state.
Index ¶
- Constants
- func CurrentCertificateRequestMismatchesSpec(input Input) (string, string, bool)
- func SecretAdditionalOutputFormatsMismatch(input Input) (string, string, bool)
- func SecretBaseLabelsMismatch(input Input) (string, string, bool)
- func SecretCertificateDetailsAnnotationsMismatch(input Input) (string, string, bool)
- func SecretCertificateNameAnnotationsMismatch(input Input) (string, string, bool)
- func SecretDoesNotExist(input Input) (string, string, bool)
- func SecretIsMissingData(input Input) (string, string, bool)
- func SecretIssuerAnnotationsMismatch(input Input) (string, string, bool)
- func SecretKeystoreFormatMismatch(input Input) (string, string, bool)
- func SecretPrivateKeyMismatchesSpec(input Input) (string, string, bool)
- func SecretPublicKeyDiffersFromCurrentCertificateRequest(input Input) (string, string, bool)
- func SecretPublicKeysDiffer(input Input) (string, string, bool)
- func SecretSecretTemplateMismatch(input Input) (string, string, bool)
- type Chain
- type Func
- func CurrentCertificateHasExpired(c clock.Clock) Func
- func CurrentCertificateNearingExpiry(c clock.Clock) Func
- func SecretAdditionalOutputFormatsManagedFieldsMismatch(fieldManager string) Func
- func SecretManagedLabelsAndAnnotationsManagedFieldsMismatch(fieldManager string) Func
- func SecretOwnerReferenceManagedFieldMismatch(ownerRefEnabled bool, fieldManager string) Func
- func SecretOwnerReferenceMismatch(ownerRefEnabled bool) Func
- func SecretSecretTemplateManagedFieldsMismatch(fieldManager string) Func
- type Gatherer
- type Input
Constants ¶
const (
	// DoesNotExist is a policy violation reason for a scenario where
	// Certificate's spec.secretName secret does not exist.
	DoesNotExist string = "DoesNotExist"
	// MissingData is a policy violation reason for a scenario where
	// Certificate's spec.secretName secret has missing data.
	MissingData string = "MissingData"
	// InvalidKeyPair is a policy violation reason for a scenario where public
	// key of certificate does not match private key.
	InvalidKeyPair string = "InvalidKeyPair"
	// InvalidCertificate is a policy violation whereby the signed certificate in
	// the Input Secret could not be parsed or decoded.
	InvalidCertificate string = "InvalidCertificate"
	// InvalidCertificateRequest is a policy violation whereby the CSR in
	// the Input CertificateRequest could not be parsed or decoded.
	InvalidCertificateRequest string = "InvalidCertificateRequest"
	// SecretMismatch is a policy violation reason for a scenario where Secret's
	// private key does not match spec.
	SecretMismatch string = "SecretMismatch"
	// IncorrectIssuer is a policy violation reason for a scenario where
	// Certificate has been issued by incorrect Issuer.
	IncorrectIssuer string = "IncorrectIssuer"
	// IncorrectCertificate is a policy violation reason for a scenario where
	// the Secret referred to by this Certificate's spec.secretName
	// already has a `cert-manager.io/certificate-name` annotation
	// with the name of another Certificate.
	IncorrectCertificate string = "IncorrectCertificate"
	// RequestChanged is a policy violation reason for a scenario where
	// CertificateRequest is not valid for Certificate's spec.
	RequestChanged string = "RequestChanged"
	// Renewing is a policy violation reason for a scenario where
	// Certificate's renewal time is now or in the past.
	Renewing string = "Renewing"
	// Expired is a policy violation reason for a scenario where Certificate has
	// expired.
	Expired string = "Expired"
	// SecretTemplateMismatch is a policy violation whereby the Certificate's
	// SecretTemplate is not reflected on the target Secret, either by having
	// extra, missing, or wrong Annotations or Labels.
	SecretTemplateMismatch string = "SecretTemplateMismatch"
	// SecretManagedMetadataMismatch is a policy violation whereby the Secret is
	// missing labels that should have been added by cert-manager.
	SecretManagedMetadataMismatch string = "SecretManagedMetadataMismatch"
	// AdditionalOutputFormatsMismatch is a policy violation whereby the
	// Certificate's AdditionalOutputFormats is not reflected on the target
	// Secret, either by having extra, missing, or wrong values.
	AdditionalOutputFormatsMismatch string = "AdditionalOutputFormatsMismatch"
	// ManagedFieldsParseError is a policy violation whereby cert-manager was
	// unable to decode the managed fields on a resource.
	ManagedFieldsParseError string = "ManagedFieldsParseError"
	// SecretOwnerRefMismatch is a policy violation whereby the Secret either has
	// a missing owner reference to the Certificate, or has an owner reference it
	// shouldn't have.
	SecretOwnerRefMismatch string = "SecretOwnerRefMismatch"
)
Variables ¶
This section is empty.
Functions ¶
func SecretAdditionalOutputFormatsMismatch ¶
SecretAdditionalOutputFormatsMismatch validates that the Secret has the expected Certificate AdditionalOutputFormats. Returns true (violation) if AdditionalOutputFormat(s) are present and any of the following:
- Secret key is missing
- Secret value is incorrect
func SecretBaseLabelsMismatch ¶
NOTE: The presence of the controller.cert-manager.io/fao label is checked by the SecretManagedLabelsAndAnnotationsManagedFieldsMismatch function.
func SecretCertificateDetailsAnnotationsMismatch ¶
SecretCertificateDetailsAnnotationsMismatch returns a validation violation when annotations on the Secret do not match the details of the x509 certificate that is stored in the Secret. This function will only compare the annotations that already exist on the Secret and are also present in the certificate metadata. NOTE: Missing and extra annotations are detected by the SecretManagedLabelsAndAnnotationsManagedFieldsMismatch function instead.
func SecretCertificateNameAnnotationsMismatch ¶
SecretCertificateNameAnnotationsMismatch - When the CertificateName annotation is defined, it must match the name of the Certificate.
func SecretIssuerAnnotationsMismatch ¶
SecretIssuerAnnotationsMismatch - When the issuer annotations are defined, they must match the issuer reference.
func SecretKeystoreFormatMismatch ¶
SecretKeystoreFormatMismatch - When no keystore is defined, the keystore-related fields are removed from the Secret. When one or more keystores are defined, the corresponding Secret entries are generated. If private key rotation is set to "Never", the keystore-related values are re-encoded as per the Certificate specification.
func SecretPublicKeyDiffersFromCurrentCertificateRequest ¶
SecretPublicKeyDiffersFromCurrentCertificateRequest checks that the current CertificateRequest contains a CSR that is signed by the key stored in the Secret. A failure is often caused by the Secret being changed outside of the control of cert-manager, causing the current CertificateRequest to no longer match what is stored in the Secret.
func SecretSecretTemplateMismatch ¶
SecretSecretTemplateMismatch will inspect the given Secret's Annotations and Labels, and compare these maps against those that appear on the given Certificate's SecretTemplate. NOTE: This function only compares the values of annotations and labels that exist both in the Certificate's SecretTemplate and the Secret. Missing and extra annotations or labels are detected by the SecretManagedLabelsAndAnnotationsManagedFieldsMismatch and SecretSecretTemplateManagedFieldsMismatch functions instead.
Types ¶
type Chain ¶
type Chain []Func
A Chain of PolicyFuncs to be evaluated in order.
func NewReadinessPolicyChain ¶
NewReadinessPolicyChain includes readiness policy checks; if any of them returns true, the Certificate is marked as not ready.
func NewSecretPostIssuancePolicyChain ¶
NewSecretPostIssuancePolicyChain includes policy checks that are to be performed _after_ issuance has been successful, testing for the presence and correctness of metadata and output formats of a Certificate's Secret.
func NewTemporaryCertificatePolicyChain ¶
func NewTemporaryCertificatePolicyChain() Chain
NewTemporaryCertificatePolicyChain includes policy checks for ensuring a temporary certificate is valid.
func NewTriggerPolicyChain ¶
NewTriggerPolicyChain includes trigger policy checks; if any of them returns true, the Certificate should be marked for issuance.
type Func ¶
A Func evaluates the given input data and decides whether a check has passed or failed, returning additional human-readable information in the 'reason' and 'message' return parameters when the check has failed.
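To show how a Chain of Funcs is evaluated, here is an added, self-contained Go example (not the cert-manager package's own code). It assumes a constructed, much smaller Input type, uses a now() function in place of clock.Clock, and re-implements three of the checks listed on this page with the page's reason strings; the first violation in the chain wins, as the readiness and trigger chains describe.

```go
package main

import "time"

// Input is a constructed stand-in (assumption) for policies.Input with only the fields used here.
type Input struct {
	SecretName  string
	SecretData  map[string][]byte // nil means the Secret does not exist
	NotAfter    time.Time
	RenewBefore time.Duration
}
// Func and Chain mirror the package: (reason, message, violated), evaluated in order.
type Func func(Input) (string, string, bool)
type Chain []Func

// Evaluate stops at the first policy that reports a violation.
func (c Chain) Evaluate(in Input) (string, string, bool) {
	for _, f := range c {
		if reason, msg, violated := f(in); violated {
			return reason, msg, true
		}
	}
	return "", "", false
}
// SecretDoesNotExist: the Secret named by spec.secretName is absent.
func SecretDoesNotExist(in Input) (string, string, bool) {
	if in.SecretData == nil {
		return "DoesNotExist", "Secret " + in.SecretName + " does not exist", true
	}
	return "", "", false
}
// SecretIsMissingData: tls.crt and tls.key must both be present and non-empty.
func SecretIsMissingData(in Input) (string, string, bool) {
	for _, k := range []string{"tls.crt", "tls.key"} {
		if len(in.SecretData[k]) == 0 {
			return "MissingData", "Secret " + in.SecretName + " is missing " + k, true
		}
	}
	return "", "", false
}
// CurrentCertificateNearingExpiry takes a now() func where the package takes clock.Clock.
func CurrentCertificateNearingExpiry(now func() time.Time) Func {
	return func(in Input) (string, string, bool) {
		if renewAt := in.NotAfter.Add(-in.RenewBefore); !now().Before(renewAt) {
			return "Renewing", "renewal time " + renewAt.UTC().Format(time.RFC3339) + " reached", true
		}
		return "", "", false
	}
}
```

Injecting the clock keeps the expiry check deterministic under test, which is the same reason the package's constructors take a clock.Clock.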
func CurrentCertificateHasExpired ¶
CurrentCertificateHasExpired is used exclusively to check if the current issued certificate has actually expired rather than just nearing expiry.
func CurrentCertificateNearingExpiry ¶
CurrentCertificateNearingExpiry returns a policy function that can be used to check whether an X.509 cert currently issued for a Certificate should be renewed.
func SecretAdditionalOutputFormatsManagedFieldsMismatch ¶
SecretAdditionalOutputFormatsManagedFieldsMismatch validates that the field manager owns the correct Certificate's AdditionalOutputFormats in the Secret. Returns true (violation) if:
- missing AdditionalOutputFormat key owned by the field manager
- AdditionalOutputFormat key owned by the field manager shouldn't exist
A violation with the reason `ManagedFieldsParseError` should be considered a non-retriable error.
func SecretManagedLabelsAndAnnotationsManagedFieldsMismatch ¶
SecretManagedLabelsAndAnnotationsManagedFieldsMismatch will inspect the given Secret's managed fields for its Annotations and Labels, and compare this against the Labels and Annotations that are managed by cert-manager. Returns false if Annotations and Labels match on both the Certificate's SecretTemplate and the Secret's managed fields, true otherwise. Also returns true if the managed fields or signed certificate were not able to be decoded.
func SecretOwnerReferenceManagedFieldMismatch ¶
SecretOwnerReferenceManagedFieldMismatch validates that the Secret has an owner reference to the Certificate if enabled. Returns true (violation) if:
- the Secret doesn't have an owner reference and is expecting one
- the Secret has an owner reference but is not expecting one
A violation with the reason `ManagedFieldsParseError` should be considered a non-retriable error.
func SecretOwnerReferenceMismatch ¶
SecretOwnerReferenceMismatch validates that the Secret has the expected owner reference if it is enabled. Returns true (violation) if:
- owner reference is enabled, but the reference has an incorrect value
func SecretSecretTemplateManagedFieldsMismatch ¶
SecretSecretTemplateManagedFieldsMismatch will inspect the given Secret's managed fields for its Annotations and Labels, and compare this against the SecretTemplate on the given Certificate. Returns false if Annotations and Labels match on both the Certificate's SecretTemplate and the Secret's managed fields, true otherwise. Also returns true if the managed fields or signed certificate were not able to be decoded.
type Gatherer ¶
type Gatherer struct {
	CertificateRequestLister cmlisters.CertificateRequestLister
	SecretLister             internalinformers.SecretLister
}
Gatherer is used to gather data about a Certificate in order to evaluate its current readiness/state by applying policy functions to it.
func (*Gatherer) DataForCertificate ¶
DataForCertificate returns the secret as well as the "current" and "next" certificate request associated with the given certificate. It also returns the given certificate as-is. To know more about the "current" and "next" certificate requests and why we want to be fetching them along with the certificate's secret, take a look at the top comment on this file.
DataForCertificate returns an error when duplicate CRs are found for the "current" or the "next" revision. DataForCertificate does not return any apierrors.NewNotFound; instead, if either of the objects (current CR, next CR or secret) is not found, then the returned value of this object is left nil.
type Input ¶
type Input struct {
	Certificate *cmapi.Certificate
	Secret      *corev1.Secret

	// The "current" certificate request designates the certificate request that
	// led to the current revision of the certificate. The "current" certificate
	// request is by definition in a ready state, and can be seen as the source
	// of information of the current certificate. Take a look at the gatherer
	// package's documentation to see more about why we care about the "current"
	// certificate request.
	CurrentRevisionRequest *cmapi.CertificateRequest

	// The "next" certificate request is the one that is currently being issued.
	// Take a look at the gatherer package's documentation to see more about why
	// we care about the "next" certificate request.
	NextRevisionRequest *cmapi.CertificateRequest
}