docs: brush-up policy examples

Signed-off-by: Erik Godding Boye <[email protected]>
cert-manager · Nov 25, 2023 · 99c3496 · 99c3496
1 parent 9d2e8df
commit 99c3496
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 133 deletions.
diff --git a/docs/examples/all-options.yaml b/docs/examples/all-options.yaml
@@ -1,3 +1,4 @@
+# This is a fabricated policy to show all possible policy options.
 apiVersion: policy.cert-manager.io/v1alpha1
 kind: CertificateRequestPolicy
 metadata:
@@ -7,79 +8,103 @@ spec:
     commonName:
       required: true
       value: "example.com"
+      validations:
+        - rule: self.endsWith('.com')
+          message: CommonName must end with '.com'
     dnsNames:
       required: false
       values:
-      - "example.com"
-      - "*.example.com"
+        - "example.com"
+        - "*.example.com"
+      validations:
+        - rule: self.size() =< 24
+          message: DNSName must be no more than 24 characters
     ipAddresses:
-      values:
-      - "1.2.3.4"
-      - "10.0.1.*"
+      required: false
+      values: ["*"]
+      validations:
+        - rule: self.matches('\d+\.\d+\.\d+\.\d+')
+          message: IPAddress must be a valid IPv4 address
     uris:
+      required: false
       values:
-      - "spiffe://example.org/ns/*/sa/*"
+        - "spiffe://example.org/ns/*/sa/*"
+      validations:
+        - rule: self.startsWith('spiffe://%s/ns/%s/sa/'.format(['example.org',cr.namespace]))
+          message: URI must be a valid SPIFFE ID in trust domain bound to request namespace
     emailAddresses:
+      required: false
       values:
-      - "*@example.com"
+        - "*@example.com"
+      validations:
+        - rule: self.size() =< 24
+          message: EmailAddress must be no more than 24 characters
     isCA: false
     usages:
-    - "server auth"
-    - "client auth"
+      - "server auth"
+      - "client auth"
     subject:
       organizations:
-        values: ["hello-world"]
+        required: false
+        values: ["*"]
+        validations:
+          - rule: self.size() > 0
+            message: must not be empty
       countries:
+        required: false
         values: ["*"]
+        validations:
+          - rule: self.size() > 0
+            message: must not be empty
       organizationalUnits:
+        required: false
         values: ["*"]
+        validations:
+          - rule: self.size() > 0
+            message: must not be empty
       localities:
+        required: false
         values: ["*"]
+        validations:
+          - rule: self.size() > 0
+            message: must not be empty
       provinces:
+        required: false
         values: ["*"]
+        validations:
+          - rule: self.size() > 0
+            message: must not be empty
       streetAddresses:
+        required: false
         values: ["*"]
+        validations:
+          - rule: self.size() > 0
+            message: must not be empty
       postalCodes:
+        required: false
         values: ["*"]
+        validations:
+          - rule: self.size() > 0
+            message: must not be empty
       serialNumber:
+        required: false
         value: "*"
-
+        validations:
+          - rule: self.size() > 0
+            message: must not be empty
   constraints:
     minDuration: 1h
     maxDuration: 24h
     privateKey:
       algorithm: RSA
       minSize: 2048
       maxSize: 4096
-
+  plugins:
+    rego:
+      values:
+        my-ref: "hello-world"
   selector:
     issuerRef:
       name: "my-ca-*"
       kind: "*Issuer"
       group: cert-manager.io
-
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: cert-manager-policy:all-options
-  namespace: sandbox
-rules:
-- apiGroups: ["policy.cert-manager.io"]
-  resources: ["certificaterequestpolicies"]
-  verbs: ["use"]
-  resourceNames: ["all-options"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: cert-manager-policy:all-options
-  namespace: sandbox
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager-policy:all-options
-subjects:
-- apiGroup: rbac.authorization.k8s.io
-  kind: User
-  name: alice
diff --git a/docs/examples/default-deny-all.yaml b/docs/examples/default-deny-all.yaml
@@ -0,0 +1,14 @@
+# Here we match on all requests created by anyone. The policy contains an
+# option that establishes a policy that will never grant a request, but other policies may.
+# This ensures all requests will be denied by default unless another policy permits the request.
+apiVersion: policy.cert-manager.io/v1alpha1
+kind: CertificateRequestPolicy
+metadata:
+  name: default-deny-all
+spec:
+  allowed:
+    dnsNames:
+      values: []
+      required: true
+  selector:
+    issuerRef: {}
diff --git a/docs/examples/deny-all.yaml b/docs/examples/deny-all.yaml
diff --git a/docs/examples/example.com.yaml b/docs/examples/example.com.yaml
@@ -8,46 +8,19 @@ spec:
       value: "example.com"
     dnsNames:
       values:
-      - "example.com"
-      - "*.example.com"
+        - "example.com"
+        - "*.example.com"
+      validations:
+        - rule: !self.contains('*')
+          message: Wildcard certificates are not allowed
     usages:
-    - "server auth"
-
+      - "server auth"
   constraints:
     privateKey:
       algorithm: RSA
       minSize: 2048
-
   selector:
     issuerRef:
       name: letsencrypt-prod
       kind: Issuer
       group: cert-manager.io
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: cert-manager-policy:example-com
-  namespace: sandbox
-rules:
-- apiGroups: ["policy.cert-manager.io"]
-  resources: ["certificaterequestpolicies"]
-  verbs: ["use"]
-  resourceNames: ["example-com"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: cert-manager-policy:example-com
-  namespace: sandbox
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager-policy:example-com
-subjects:
-# Policy intended to be used with a Certificate resource, so cert-manager is
-# the user creating CertificateRequest. Bind to the cert-manager
-# ServiceAccount.
-- kind: ServiceAccount
-  name: cert-manager
-  namespace: cert-manager
diff --git a/docs/examples/plugin.yaml b/docs/examples/plugin.yaml
@@ -15,28 +15,3 @@ spec:
       name: my-ca
       kind: Issuer
       group: cert-manager.io
----
-kind: Role
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: cert-manager-policy:plugin-some-example
-  namespace: sandbox
-rules:
-- apiGroups: ["policy.cert-manager.io"]
-  resources: ["certificaterequestpolicies"]
-  verbs: ["use"]
-  resourceNames: ["plugin-some-example"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: cert-manager-policy:plugin-some-example
-  namespace: sandbox
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cert-manager-policy:plugin-some-example
-subjects:
-- kind: ServiceAccount
-  name: cert-manager
-  namespace: cert-manager