From 54b19e9fc2caf008658e12b91fd8a5deacb1379b Mon Sep 17 00:00:00 2001
From: Erik Godding Boye
Date: Sat, 25 Nov 2023 22:35:49 +0100
Subject: [PATCH] docs: brush-up policy examples

Signed-off-by: Erik Godding Boye
---
 docs/examples/all-options.yaml | 97 ++++++++++++++++++-----------
 docs/examples/default-deny-all.yaml | 14 +++++
 docs/examples/deny-all.yaml | 37 -----------
 docs/examples/example.com.yaml | 39 ++----------
 docs/examples/plugin.yaml | 25 --------
 5 files changed, 79 insertions(+), 133 deletions(-)
 create mode 100644 docs/examples/default-deny-all.yaml
 delete mode 100644 docs/examples/deny-all.yaml

diff --git a/docs/examples/all-options.yaml b/docs/examples/all-options.yaml
index 322217ab..c0021f4c 100644
--- a/docs/examples/all-options.yaml
+++ b/docs/examples/all-options.yaml
@@ -1,3 +1,4 @@
+# This is a fabricated policy to show all possible policy options.
 apiVersion: policy.cert-manager.io/v1alpha1
 kind: CertificateRequestPolicy
 metadata:
@@ -7,43 +8,90 @@ spec:
 commonName:
 required: true
 value: "example.com"
+ validations:
+ - rule: self.endsWith('.com')
+ message: CommonName must end with '.com'
 dnsNames:
 required: false
 values:
- - "example.com"
- - "*.example.com"
+ - "example.com"
+ - "*.example.com"
+ validations:
+ - rule: self.size() =< 24
+ message: DNSName must be no more than 24 characters
 ipAddresses:
- values:
- - "1.2.3.4"
- - "10.0.1.*"
+ required: false
+ values: ["*"]
+ validations:
+ - rule: self.matches('\d+\.\d+\.\d+\.\d+')
+ message: IPAddress must be a valid IPv4 address
 uris:
+ required: false
 values:
- - "spiffe://example.org/ns/*/sa/*"
+ - "spiffe://example.org/ns/*/sa/*"
+ validations:
+ - rule: self.startsWith('spiffe://%s/ns/%s/sa/'.format(['example.org',cr.namespace]))
+ message: URI must be a valid SPIFFE ID in trust domain bound to request namespace
 emailAddresses:
+ required: false
 values:
- - "*@example.com"
+ - "*@example.com"
+ validations:
+ - rule: self.size() =< 24
+ message: EmailAddress must be no more than 24 characters
 isCA: false
 usages:
- - "server auth"
- - "client auth"
+ - "server auth"
+ - "client auth"
 subject:
 organizations:
- values: ["hello-world"]
+ required: false
+ values: ["*"]
+ validations:
+ - rule: self.size() > 0
+ message: must not be empty
 countries:
+ required: false
 values: ["*"]
+ validations:
+ - rule: self.size() > 0
+ message: must not be empty
 organizationalUnits:
+ required: false
 values: ["*"]
+ validations:
+ - rule: self.size() > 0
+ message: must not be empty
 localities:
+ required: false
 values: ["*"]
+ validations:
+ - rule: self.size() > 0
+ message: must not be empty
 provinces:
+ required: false
 values: ["*"]
+ validations:
+ - rule: self.size() > 0
+ message: must not be empty
 streetAddresses:
+ required: false
 values: ["*"]
+ validations:
+ - rule: self.size() > 0
+ message: must not be empty
 postalCodes:
+ required: false
 values: ["*"]
+ validations:
+ - rule: self.size() > 0
+ message: must not be empty
 serialNumber:
+ required: false
 value: "*"
-
+ validations:
+ - rule: self.size() > 0
+ message: must not be empty
 constraints:
 minDuration: 1h
 maxDuration: 24h
@@ -51,35 +99,8 @@ spec:
 algorithm: RSA
 minSize: 2048
 maxSize: 4096
-
 selector:
 issuerRef:
 name: "my-ca-*"
 kind: "*Issuer"
 group: cert-manager.io
-
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cert-manager-policy:all-options
- namespace: sandbox
-rules:
-- apiGroups: ["policy.cert-manager.io"]
- resources: ["certificaterequestpolicies"]
- verbs: ["use"]
- resourceNames: ["all-options"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cert-manager-policy:all-options
- namespace: sandbox
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: cert-manager-policy:all-options
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: User
- name: alice
diff --git a/docs/examples/default-deny-all.yaml b/docs/examples/default-deny-all.yaml
new file mode 100644
index 00000000..c5fa60db
--- /dev/null
+++ b/docs/examples/default-deny-all.yaml
@@ -0,0 +1,14 @@
+# Here we match on all requests created by anyone. The policy contains an
+# option that establishes a policy that will never grant a request, but other policies may.
+# This ensures all requests will be denied by default unless another policy permits the request.
+apiVersion: policy.cert-manager.io/v1alpha1
+kind: CertificateRequestPolicy
+metadata:
+ name: default-deny-all
+spec:
+ allowed:
+ dnsNames:
+ values: []
+ required: true
+ selector:
+ issuerRef: {}
diff --git a/docs/examples/deny-all.yaml b/docs/examples/deny-all.yaml
deleted file mode 100644
index 647d4369..00000000
--- a/docs/examples/deny-all.yaml
+++ /dev/null
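Review bot: The two length rules added for dnsNames and emailAddresses, `self.size() =< 24`, are not valid CEL — the operator is `<=`, so a policy copied from this example would fail to compile its validations instead of enforcing a length limit; change both to `rule: self.size() <= 24`. The ipAddresses rule `self.matches('\d+\.\d+\.\d+\.\d+')` is, as far as I can tell, an unanchored RE2 search, so values such as `1.2.3.4.5` or `999.1.1.1` also satisfy it; if it is meant to read as an IPv4 check, anchor it (`'^\d+\.\d+\.\d+\.\d+$'`) or say so in the message. Since the file is explicitly fabricated, a one-line comment above the first `validations:` such as `# The CEL rules below are illustrative; verify each expression before copying it into a real policy.` would set expectations for readers.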
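Review bot: The header comment of default-deny-all.yaml is hard to follow ("contains an option that establishes a policy that will never grant a request, but other policies may"); I would rewrite the three lines as `# This policy selects every request (empty issuerRef selector) and can never approve one: dnsNames is required but no value is allowed. Since any single approving policy is sufficient, it only causes requests that no other bound policy permits to be denied.` The example no longer shows how the policy is bound, so a closing note such as `# Bind this policy to the requesting users/groups via RBAC (verb "use" on this CertificateRequestPolicy), otherwise it has no effect.` would stop readers from assuming it applies cluster-wide on its own. Whether an empty `values: []` means "nothing allowed" rather than "unrestricted" is approver-policy semantics I cannot confirm from the diff — worth double-checking before relying on this as the default-deny example.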
@@ -1,37 +0,0 @@
-# Here we match on all requests created by anyone. The policy contains an
-# impossible condition and so will always return denied. This ensures all
-# requests will be denied by default unless another policy permits the request.
-apiVersion: policy.cert-manager.io/v1alpha1
-kind: CertificateRequestPolicy
-metadata:
- name: deny-all
-spec:
- allowed:
- dnsNames:
- values: []
- required: true
- selector:
- issuerRef: {}
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cert-manager-policy:deny-all
-rules:
-- apiGroups: ["policy.cert-manager.io"]
- resources: ["certificaterequestpolicies"]
- verbs: ["use"]
- resourceNames: ["deny-all"]
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cert-manager-policy:deny-all
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: cert-manager-policy:deny-all
-subjects:
-- apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: system:authenticated
diff --git a/docs/examples/example.com.yaml b/docs/examples/example.com.yaml
index c6277e2c..498450e5 100644
--- a/docs/examples/example.com.yaml
+++ b/docs/examples/example.com.yaml
@@ -8,46 +8,19 @@ spec:
 value: "example.com"
 dnsNames:
 values:
- - "example.com"
- - "*.example.com"
+ - "example.com"
+ - "*.example.com"
+ validations:
+ - rule: !self.contains('*')
+ message: Wildcard certificates are not allowed
 usages:
- - "server auth"
-
+ - "server auth"
 constraints:
 privateKey:
 algorithm: RSA
 minSize: 2048
-
 selector:
 issuerRef:
 name: letsencrypt-prod
 kind: Issuer
 group: cert-manager.io
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cert-manager-policy:example-com
- namespace: sandbox
-rules:
-- apiGroups: ["policy.cert-manager.io"]
- resources: ["certificaterequestpolicies"]
- verbs: ["use"]
- resourceNames: ["example-com"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cert-manager-policy:example-com
- namespace: sandbox
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: cert-manager-policy:example-com
-subjects:
-# Policy intended to be used with a Certificate resource, so cert-manager is
-# the user creating CertificateRequest. Bind to the cert-manager
-# ServiceAccount.
-- kind: ServiceAccount
- name: cert-manager
- namespace: cert-manager
diff --git a/docs/examples/plugin.yaml b/docs/examples/plugin.yaml
index 9cf30f82..54398b01 100644
--- a/docs/examples/plugin.yaml
+++ b/docs/examples/plugin.yaml
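Review bot: The added `rule: !self.contains('*')` starts with `!`, which YAML reads as a tag indicator, so the value is parsed as an empty node tagged `!self.contains('*')` rather than as the CEL expression — a loader will either reject the unknown tag or hand approver-policy an empty rule, and the wildcard check silently never applies. Quote the scalar: `- rule: "!self.contains('*')"`. Note also that the `values` list a few lines up still admits `"*.example.com"`, so both the pattern list and the validation must pass and it is the rule that actually rejects wildcard names; a one-line comment above `validations:` saying `# The allowed patterns above still permit a wildcard; this rule is what rejects it.` would remove the apparent contradiction for readers.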
@@ -15,28 +15,3 @@ spec:
 name: my-ca
 kind: Issuer
 group: cert-manager.io
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cert-manager-policy:plugin-some-example
- namespace: sandbox
-rules:
-- apiGroups: ["policy.cert-manager.io"]
- resources: ["certificaterequestpolicies"]
- verbs: ["use"]
- resourceNames: ["plugin-some-example"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
- name: cert-manager-policy:plugin-some-example
- namespace: sandbox
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: cert-manager-policy:plugin-some-example
-subjects:
-- kind: ServiceAccount
- name: cert-manager
- namespace: cert-manager