Merge pull request cert-manager#310 from erikgb/brush-up-examples

docs: brush-up policy examples

docs/examples/all-options.yaml

@@ -1,3 +1,4 @@
+# This is a fabricated policy to show all possible policy options.
 apiVersion: policy.cert-manager.io/v1alpha1
 kind: CertificateRequestPolicy
 metadata:
@@ -7,79 +8,87 @@ spec:
     commonName:
       required: true
       value: "example.com"
+      validations:
+        - rule: self.endsWith('.com')
+          message: CommonName must end with '.com'
     dnsNames:
       required: false
       values:
-      - "example.com"
-      - "*.example.com"
+        - "example.com"
+        - "*.example.com"
+      validations:
+        - rule: self.size() =< 24
+          message: DNSName must be no more than 24 characters
     ipAddresses:
-      values:
-      - "1.2.3.4"
-      - "10.0.1.*"
+      required: false
+      values: ["*"]
+      validations:
+        - rule: self.matches('\d+\.\d+\.\d+\.\d+')
+          message: IPAddress must be a valid IPv4 address
     uris:
+      required: false
       values:
-      - "spiffe://example.org/ns/*/sa/*"
+        - "spiffe://example.org/ns/*/sa/*"
+      validations:
+        - rule: self.startsWith('spiffe://%s/ns/%s/sa/'.format(['example.org',cr.namespace]))
+          message: URI must be a valid SPIFFE ID in trust domain bound to request namespace
     emailAddresses:
+      required: false
       values:
-      - "*@example.com"
+        - "*@example.com"
+      validations:
+        - rule: self.size() =< 24
+          message: EmailAddress must be no more than 24 characters
     isCA: false
     usages:
-    - "server auth"
-    - "client auth"
+      - "server auth"
+      - "client auth"
     subject:
       organizations:
-        values: ["hello-world"]
+        required: false
+        values: ["*"]
+        validations: []
       countries:
+        required: false
         values: ["*"]
+        validations: []
       organizationalUnits:
+        required: false
         values: ["*"]
+        validations: []
       localities:
+        required: false
         values: ["*"]
+        validations: []
       provinces:
+        required: false
         values: ["*"]
+        validations: []
       streetAddresses:
+        required: false
         values: ["*"]
+        validations: []
       postalCodes:
+        required: false
         values: ["*"]
+        validations: []
       serialNumber:
+        required: false
         value: "*"
-
+        validations: []
   constraints:
     minDuration: 1h
     maxDuration: 24h
     privateKey:
       algorithm: RSA
       minSize: 2048
       maxSize: 4096
-
+  plugins:
+    rego:
+      values:
+        my-ref: "hello-world"
   selector:
     issuerRef:
       name: "my-ca-*"
       kind: "*Issuer"
       group: cert-manager.io
-
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: cert-manager-policy:all-options
-  namespace: sandbox
-rules:
-- apiGroups: ["policy.cert-manager.io"]
-  resources: ["certificaterequestpolicies"]
-  verbs: ["use"]
-  resourceNames: ["all-options"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: cert-manager-policy:all-options
-  namespace: sandbox
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager-policy:all-options
-subjects:
-- apiGroup: rbac.authorization.k8s.io
-  kind: User
-  name: alice

docs/examples/default-deny-all.yaml

@@ -0,0 +1,14 @@
+# Here we match on all requests created by anyone. The policy contains an
+# option that establishes a policy that will never approve a request, but other policies may.
+# This ensures all requests will be denied by default unless another policy permits the request.
+apiVersion: policy.cert-manager.io/v1alpha1
+kind: CertificateRequestPolicy
+metadata:
+  name: default-deny-all
+spec:
+  allowed:
+    dnsNames:
+      values: []
+      required: true
+  selector:
+    issuerRef: {}

docs/examples/example.com.yaml

@@ -8,46 +8,19 @@ spec:
       value: "example.com"
     dnsNames:
       values:
-      - "example.com"
-      - "*.example.com"
+        - "example.com"
+        - "*.example.com"
+      validations:
+        - rule: !self.contains('*')
+          message: Wildcard certificates are not allowed
     usages:
-    - "server auth"
-
+      - "server auth"
   constraints:
     privateKey:
       algorithm: RSA
       minSize: 2048
-
   selector:
     issuerRef:
       name: letsencrypt-prod
       kind: Issuer
       group: cert-manager.io
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: cert-manager-policy:example-com
-  namespace: sandbox
-rules:
-- apiGroups: ["policy.cert-manager.io"]
-  resources: ["certificaterequestpolicies"]
-  verbs: ["use"]
-  resourceNames: ["example-com"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: cert-manager-policy:example-com
-  namespace: sandbox
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager-policy:example-com
-subjects:
-# Policy intended to be used with a Certificate resource, so cert-manager is
-# the user creating CertificateRequest. Bind to the cert-manager
-# ServiceAccount.
-- kind: ServiceAccount
-  name: cert-manager
-  namespace: cert-manager

docs/examples/plugin.yaml

@@ -15,28 +15,3 @@ spec:
       name: my-ca
       kind: Issuer
       group: cert-manager.io
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: cert-manager-policy:plugin-some-example
-  namespace: sandbox
-rules:
-- apiGroups: ["policy.cert-manager.io"]
-  resources: ["certificaterequestpolicies"]
-  verbs: ["use"]
-  resourceNames: ["plugin-some-example"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: cert-manager-policy:plugin-some-example
-  namespace: sandbox
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager-policy:plugin-some-example
-subjects:
-- kind: ServiceAccount
-  name: cert-manager
-  namespace: cert-manager