
docs: brush-up policy examples
Signed-off-by: Erik Godding Boye <[email protected]>
erikgb committed Nov 25, 2023
1 parent 9d2e8df commit 54b19e9
Showing 5 changed files with 79 additions and 133 deletions.
97 changes: 59 additions & 38 deletions docs/examples/all-options.yaml
@@ -1,3 +1,4 @@
# This is a fabricated policy to show all possible policy options.
apiVersion: policy.cert-manager.io/v1alpha1
kind: CertificateRequestPolicy
metadata:
Expand All @@ -7,79 +8,99 @@ spec:
commonName:
required: true
value: "example.com"
validations:
- rule: self.endsWith('.com')
message: CommonName must end with '.com'
dnsNames:
required: false
values:
- "example.com"
- "*.example.com"
- "example.com"
- "*.example.com"
validations:
- rule: self.size() =< 24
message: DNSName must be no more than 24 characters
ipAddresses:
values:
- "1.2.3.4"
- "10.0.1.*"
required: false
values: ["*"]
validations:
- rule: self.matches('\d+\.\d+\.\d+\.\d+')
message: IPAddress must be a valid IPv4 address
uris:
required: false
values:
- "spiffe://example.org/ns/*/sa/*"
- "spiffe://example.org/ns/*/sa/*"
validations:
- rule: self.startsWith('spiffe://%s/ns/%s/sa/'.format(['example.org',cr.namespace]))
message: URI must be a valid SPIFFE ID in trust domain bound to request namespace
emailAddresses:
required: false
values:
- "*@example.com"
- "*@example.com"
validations:
- rule: self.size() =< 24
message: EmailAddress must be no more than 24 characters
isCA: false
usages:
- "server auth"
- "client auth"
- "server auth"
- "client auth"
subject:
organizations:
values: ["hello-world"]
required: false
values: ["*"]
validations:
- rule: self.size() > 0
message: must not be empty
countries:
required: false
values: ["*"]
validations:
- rule: self.size() > 0
message: must not be empty
organizationalUnits:
required: false
values: ["*"]
validations:
- rule: self.size() > 0
message: must not be empty
localities:
required: false
values: ["*"]
validations:
- rule: self.size() > 0
message: must not be empty
provinces:
required: false
values: ["*"]
validations:
- rule: self.size() > 0
message: must not be empty
streetAddresses:
required: false
values: ["*"]
validations:
- rule: self.size() > 0
message: must not be empty
postalCodes:
required: false
values: ["*"]
validations:
- rule: self.size() > 0
message: must not be empty
serialNumber:
required: false
value: "*"

validations:
- rule: self.size() > 0
message: must not be empty
constraints:
minDuration: 1h
maxDuration: 24h
privateKey:
algorithm: RSA
minSize: 2048
maxSize: 4096

selector:
issuerRef:
name: "my-ca-*"
kind: "*Issuer"
group: cert-manager.io

---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cert-manager-policy:all-options
namespace: sandbox
rules:
- apiGroups: ["policy.cert-manager.io"]
resources: ["certificaterequestpolicies"]
verbs: ["use"]
resourceNames: ["all-options"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cert-manager-policy:all-options
namespace: sandbox
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-policy:all-options
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: alice
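Review bot: `self.size() =< 24` in the dnsNames and emailAddresses validations is not valid CEL; the relational operator is `<=`, so both rules should read `self.size() <= 24`, otherwise the policy will fail to compile when it is loaded. The ipAddresses rule `self.matches('\d+\.\d+\.\d+\.\d+')` looks fragile as well: as far as I know CEL string literals do not accept `\d` as an escape sequence, so a raw string `r'\d+\.\d+\.\d+\.\d+'` (or doubled backslashes) is needed, and `matches` is unanchored, so the pattern also accepts values such as `999.999.999.999` or longer strings that merely contain an IPv4 shape. Either anchor the pattern (`^...$`) and tighten the octet ranges, or soften the message so it does not promise a "valid IPv4 address" check that the rule does not perform. The hunk starts inside `spec:`; the document header and `metadata` block are above it.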
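--- a/docs/examples/default-deny-all.yaml
+++ b/docs/examples/default-deny-all.yaml
@@ -0,0 +1,14 @@
+# Here we match on all requests created by anyone. The policy contains an
+# option that establishes a policy that will never grant a request, but other policies may.
+# This ensures all requests will be denied by default unless another policy permits the request.
+apiVersion: policy.cert-manager.io/v1alpha1
+kind: CertificateRequestPolicy
+metadata:
+  name: default-deny-all
+spec:
+  allowed:
+    dnsNames:
+      values: []
+      required: true
+  selector:
+    issuerRef: {}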
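Review bot: The header comment never says why this policy can never approve a request, which is the one thing a reader of a "default deny" example needs: `required: true` on `dnsNames` demands at least one DNS name while `values: []` allows none, so no request can satisfy the rule. State that directly above `allowed:`, e.g. `# dnsNames is required but no value is allowed, so no request can ever satisfy this policy.`, and shorten the second sentence of the header, which currently reads "The policy contains an option that establishes a policy that...", to something like `# This policy never approves anything; other policies that match a request still may.`. Whether the policy is consulted for a given requester appears to depend on an RBAC `use` binding of the kind this commit removes from the other examples; if that is the case, the comment should point at where that binding is documented.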
37 changes: 0 additions & 37 deletions docs/examples/deny-all.yaml

This file was deleted.

39 changes: 6 additions & 33 deletions docs/examples/example.com.yaml
Expand Up @@ -8,46 +8,19 @@ spec:
value: "example.com"
dnsNames:
values:
- "example.com"
- "*.example.com"
- "example.com"
- "*.example.com"
validations:
- rule: !self.contains('*')
message: Wildcard certificates are not allowed
usages:
- "server auth"

- "server auth"
constraints:
privateKey:
algorithm: RSA
minSize: 2048

selector:
issuerRef:
name: letsencrypt-prod
kind: Issuer
group: cert-manager.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cert-manager-policy:example-com
namespace: sandbox
rules:
- apiGroups: ["policy.cert-manager.io"]
resources: ["certificaterequestpolicies"]
verbs: ["use"]
resourceNames: ["example-com"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cert-manager-policy:example-com
namespace: sandbox
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-policy:example-com
subjects:
# Policy intended to be used with a Certificate resource, so cert-manager is
# the user creating CertificateRequest. Bind to the cert-manager
# ServiceAccount.
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager
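Review bot: `- rule: !self.contains('*')` in the new dnsNames validation is a YAML problem before CEL ever sees it: a plain scalar beginning with `!` is a tag indicator, so a parser reads `!self.contains('*')` as an unknown local tag on an empty value rather than as the expression string, and the manifest is either rejected or loaded with a null rule. Quote the scalar, `- rule: "!self.contains('*')"`, so the leading `!` is part of the value. The other rules in this commit happen to start with `self` and so are not affected, but any rule beginning with `!`, `[`, `{`, `*` or `&` needs the same quoting. The hunk starts inside `spec:`; the document header is above it.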
25 changes: 0 additions & 25 deletions docs/examples/plugin.yaml
Expand Up @@ -15,28 +15,3 @@ spec:
name: my-ca
kind: Issuer
group: cert-manager.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cert-manager-policy:plugin-some-example
namespace: sandbox
rules:
- apiGroups: ["policy.cert-manager.io"]
resources: ["certificaterequestpolicies"]
verbs: ["use"]
resourceNames: ["plugin-some-example"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cert-manager-policy:plugin-some-example
namespace: sandbox
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-policy:plugin-some-example
subjects:
- kind: ServiceAccount
name: cert-manager
namespace: cert-manager
