policies

package
v1.14.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 25, 2024 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Overview

Package policies provides functionality to evaluate Certificate's state

Index

Constants

View Source 
const (
	// DoesNotExist is a policy violation reason for a scenario where
	// Certificate's spec.secretName secret does not exist.
	DoesNotExist string = "DoesNotExist"
	// MissingData is a policy violation reason for a scenario where
	// Certificate's spec.secretName secret has missing data.
	MissingData string = "MissingData"
	// InvalidKeyPair is a policy violation reason for a scenario where public
	// key of certificate does not match private key.
	InvalidKeyPair string = "InvalidKeyPair"
	// InvalidCertificate is a policy violation whereby the signed certificate in
	// the Input Secret could not be parsed or decoded.
	InvalidCertificate string = "InvalidCertificate"
	// InvalidCertificateRequest is a policy violation whereby the CSR in
	// the Input CertificateRequest could not be parsed or decoded.
	InvalidCertificateRequest string = "InvalidCertificateRequest"

	// SecretMismatch is a policy violation reason for a scenario where Secret's
	// private key does not match spec.
	SecretMismatch string = "SecretMismatch"
	// IncorrectIssuer is a policy violation reason for a scenario where
	// Certificate has been issued by incorrect Issuer.
	IncorrectIssuer string = "IncorrectIssuer"
	// IncorrectCertificate is a policy violation reason for a scenario where
	// the Secret referred to by this Certificate's spec.secretName,
	// already has a `cert-manager.io/certificate-name` annotation
	// with the name of another Certificate.
	IncorrectCertificate string = "IncorrectCertificate"
	// RequestChanged is a policy violation reason for a scenario where
	// CertificateRequest not valid for Certificate's spec.
	RequestChanged string = "RequestChanged"
	// Renewing is a policy violation reason for a scenario where
	// Certificate's renewal time is now or in past.
	Renewing string = "Renewing"
	// Expired is a policy violation reason for a scenario where Certificate has
	// expired.
	Expired string = "Expired"
	// SecretTemplateMisMatch is a policy violation whereby the Certificate's
	// SecretTemplate is not reflected on the target Secret, either by having
	// extra, missing, or wrong Annotations or Labels.
	SecretTemplateMismatch string = "SecretTemplateMismatch"
	// SecretManagedMetadataMismatch is a policy violation whereby the Secret is
	// missing labels that should have been added by cert-manager
	SecretManagedMetadataMismatch string = "SecretManagedMetadataMismatch"

	// AdditionalOutputFormatsMismatch is a policy violation whereby the
	// Certificate's AdditionalOutputFormats is not reflected on the target
	// Secret, either by having extra, missing, or wrong values.
	AdditionalOutputFormatsMismatch string = "AdditionalOutputFormatsMismatch"
	// ManagedFieldsParseError is a policy violation whereby cert-manager was
	// unable to decode the managed fields on a resource.
	ManagedFieldsParseError string = "ManagedFieldsParseError"
	// SecretOwnerRefMismatch is a policy violation whereby the Secret either has
	// a missing owner reference to the Certificate, or has an owner reference it
	// shouldn't have.
	SecretOwnerRefMismatch string = "SecretOwnerRefMismatch"
)

Variables

This section is empty.

Functions

func CurrentCertificateRequestMismatchesSpec added in v1.13.0 

func CurrentCertificateRequestMismatchesSpec(input Input) (string, string, bool)

func SecretAdditionalOutputFormatsMismatch added in v1.13.0 

func SecretAdditionalOutputFormatsMismatch(input Input) (string, string, bool)

SecretAdditionalOutputFormatsMismatch validates that the Secret has the expected Certificate AdditionalOutputFormats. Returns true (violation) if AdditionalOutputFormat(s) are present and any of the following:

  • Secret key is missing
  • Secret value is incorrect

func SecretBaseLabelsMismatch added in v1.13.0 

func SecretBaseLabelsMismatch(input Input) (string, string, bool)

NOTE: The presence of the controller.cert-manager.io/fao label is checked by the SecretManagedLabelsAndAnnotationsManagedFieldsMismatch function.

func SecretCertificateDetailsAnnotationsMismatch added in v1.13.0 

func SecretCertificateDetailsAnnotationsMismatch(input Input) (string, string, bool)

SecretCertificateDetailsAnnotationsMismatch - When the certificate details annotations are not matching, the secret is updated. NOTE: The presence of the certificate details annotations is checked by the SecretManagedLabelsAndAnnotationsManagedFieldsMismatch function.

func SecretCertificateNameAnnotationsMismatch added in v1.13.2 

func SecretCertificateNameAnnotationsMismatch(input Input) (string, string, bool)

SecretCertificateNameAnnotationsMismatch - When the CertificateName annotation is defined, it must match the name of the Certificate.

func SecretDoesNotExist 

func SecretDoesNotExist(input Input) (string, string, bool)

func SecretIsMissingData 

func SecretIsMissingData(input Input) (string, string, bool)

func SecretIssuerAnnotationsMismatch added in v1.13.0 

func SecretIssuerAnnotationsMismatch(input Input) (string, string, bool)

SecretIssuerAnnotationsMismatch - When the issuer annotations are defined, it must match the issuer ref.

func SecretKeystoreFormatMismatch added in v1.13.0 

func SecretKeystoreFormatMismatch(input Input) (string, string, bool)

SecretKeystoreFormatMismatch - When the keystore is not defined, the keystore related fields are removed from the secret. When one or more key stores are defined, the corresponding secrets are generated. If the private key rotation is set to "Never", the key store related values are re-encoded as per the certificate specification

func SecretPrivateKeyMismatchesSpec added in v1.13.0 

func SecretPrivateKeyMismatchesSpec(input Input) (string, string, bool)

func SecretPublicKeyDiffersFromCurrentCertificateRequest added in v1.13.0 

func SecretPublicKeyDiffersFromCurrentCertificateRequest(input Input) (string, string, bool)

SecretPublicKeyDiffersFromCurrentCertificateRequest checks that the current CertificateRequest contains a CSR that is signed by the key stored in the Secret. A failure is often caused by the Secret being changed outside of the control of cert-manager, causing the current CertificateRequest to no longer match what is stored in the Secret.

func SecretPublicKeysDiffer 

func SecretPublicKeysDiffer(input Input) (string, string, bool)

func SecretSecretTemplateMismatch added in v1.13.0 

func SecretSecretTemplateMismatch(input Input) (string, string, bool)

SecretSecretTemplateMismatch will inspect the given Secret's Annotations and Labels, and compare these maps against those that appear on the given Certificate's SecretTemplate. Returns false if all the Certificate's SecretTemplate Annotations and Labels appear on the Secret, or put another way, the Certificate's SecretTemplate is a subset of that in the Secret's Annotations/Labels. Returns true otherwise.

Types

type Chain 

type Chain []Func

A Chain of PolicyFuncs to be evaluated in order.

func NewReadinessPolicyChain 

func NewReadinessPolicyChain(c clock.Clock) Chain

NewReadinessPolicyChain includes readiness policy checks, which if return true, would cause a Certificate to be marked as not ready.

func NewSecretPostIssuancePolicyChain 

func NewSecretPostIssuancePolicyChain(ownerRefEnabled bool, fieldManager string) Chain

NewSecretPostIssuancePolicyChain includes policy checks that are to be performed _after_ issuance has been successful, testing for the presence and correctness of metadata and output formats of Certificate's Secrets.

func NewTemporaryCertificatePolicyChain 

func NewTemporaryCertificatePolicyChain() Chain

NewTemporaryCertificatePolicyChain includes policy checks for ensuing a temporary certificate is valid.

func NewTriggerPolicyChain 

func NewTriggerPolicyChain(c clock.Clock) Chain

NewTriggerPolicyChain includes trigger policy checks, which if return true, should cause a Certificate to be marked for issuance.

func (Chain) Evaluate 

func (c Chain) Evaluate(input Input) (string, string, bool)

Evaluate will evaluate the entire policy chain using the provided input. As soon as it is discovered that the input violates one policy, Evaluate will return and not evaluate the rest of the chain.

type Func 

type Func func(Input) (reason, message string, failed bool)

A Func evaluates the given input data and decides whether a check has passed or failed, returning additional human readable information in the 'reason' and 'message' return parameters if so.

func CurrentCertificateHasExpired 

func CurrentCertificateHasExpired(c clock.Clock) Func

CurrentCertificateHasExpired is used exclusively to check if the current issued certificate has actually expired rather than just nearing expiry.

func CurrentCertificateNearingExpiry 

func CurrentCertificateNearingExpiry(c clock.Clock) Func

CurrentCertificateNearingExpiry returns a policy function that can be used to check whether an X.509 cert currently issued for a Certificate should be renewed.

func SecretAdditionalOutputFormatsManagedFieldsMismatch added in v1.13.0 

func SecretAdditionalOutputFormatsManagedFieldsMismatch(fieldManager string) Func

SecretAdditionalOutputFormatsManagedFieldsMismatch validates that the field manager owns the correct Certificate's AdditionalOutputFormats in the Secret. Returns true (violation) if:

  • missing AdditionalOutputFormat key owned by the field manager
  • AdditionalOutputFormat key owned by the field manager shouldn't exist

A violation with the reason `ManagedFieldsParseError` should be considered a non re-triable error.

func SecretManagedLabelsAndAnnotationsManagedFieldsMismatch added in v1.13.0 

func SecretManagedLabelsAndAnnotationsManagedFieldsMismatch(fieldManager string) Func

SecretManagedLabelsAndAnnotationsManagedFieldsMismatch will inspect the given Secret's managed fields for its Annotations and Labels, and compare this against the Labels and Annotations that are managed by cert-manager. Returns false if Annotations and Labels match on both the Certificate's SecretTemplate and the Secret's managed fields, true otherwise. Also returns true if the managed fields or signed certificate were not able to be decoded.

func SecretOwnerReferenceManagedFieldMismatch 

func SecretOwnerReferenceManagedFieldMismatch(ownerRefEnabled bool, fieldManager string) Func

SecretOwnerReferenceManagedFieldMismatch validates that the Secret has an owner reference to the Certificate if enabled. Returns true (violation) if: * the Secret doesn't have an owner reference and is expecting one * has an owner reference but is not expecting one A violation with the reason `ManagedFieldsParseError` should be considered a non re-triable error.

func SecretOwnerReferenceMismatch added in v1.13.0 

func SecretOwnerReferenceMismatch(ownerRefEnabled bool) Func

SecretOwnerReferenceMismatch validates that the Secret has the expected owner reference if it is enabled. Returns true (violation) if: * owner reference is enabled, but the reference has an incorrect value

func SecretSecretTemplateManagedFieldsMismatch added in v1.13.0 

func SecretSecretTemplateManagedFieldsMismatch(fieldManager string) Func

SecretSecretTemplateManagedFieldsMismatch will inspect the given Secret's managed fields for its Annotations and Labels, and compare this against the SecretTemplate on the given Certificate. Returns false if Annotations and Labels match on both the Certificate's SecretTemplate and the Secret's managed fields, true otherwise. Also returns true if the managed fields or signed certificate were not able to be decoded.

type Gatherer 

type Gatherer struct {
	CertificateRequestLister cmlisters.CertificateRequestLister
	SecretLister             internalinformers.SecretLister
}

Gatherer is used to gather data about a Certificate in order to evaluate its current readiness/state by applying policy functions to it.

func (*Gatherer) DataForCertificate 

func (g *Gatherer) DataForCertificate(ctx context.Context, crt *cmapi.Certificate) (Input, error)

DataForCertificate returns the secret as well as the "current" and "next" certificate request associated with the given certificate. It also returns the given certificate as-is. To know more about the "current" and "next" certificate requests and why we want to be fetching them along with the certificate's secret, take a look at the top comment on this file.

DataForCertificate returns an error when duplicate CRs are found for the "current" or the "next" revision. DataForCertificate does not return any apierrors.NewNotFound; instead, if either of the objects (current CR, next CR or secret) is not found, then the returned value of this object is left nil.

type Input 

type Input struct {
	Certificate *cmapi.Certificate
	Secret      *corev1.Secret

	// The "current" certificate request designates the certificate request that
	// led to the current revision of the certificate. The "current" certificate
	// request is by definition in a ready state, and can be seen as the source
	// of information of the current certificate. Take a look at the gatherer
	// package's documentation to see more about why we care about the "current"
	// certificate request.
	CurrentRevisionRequest *cmapi.CertificateRequest

	// The "next" certificate request is the one that is currently being issued.
	// Take a look at the gatherer package's documentation to see more about why
	// we care about the "next" certificate request.
	NextRevisionRequest *cmapi.CertificateRequest
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.