policies

package
v1.5.4 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 30, 2021 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package policies provides functionality to evaluate Certificate's state

Index

Constants

View Source 
const (
	// DoesNotExist is a policy violation reason for a scenario where
	// Certificate's spec.secretName secret does not exist.
	DoesNotExist string = "DoesNotExist"
	// MissingData is a policy violation reason for a scenario where
	// Certificate's spec.secretName secret has missing data.
	MissingData string = "MissingData"
	// InvalidKeyPair is a policy violation reason for a scenario where public
	// key of certificate does not match private key.
	InvalidKeyPair string = "InvalidKeyPair"
	// SecretMismatch is a policy violation reason for a scenario where Secret's
	// private key does not match spec.
	SecretMismatch string = "SecretMismatch"
	// IncorrectIssuer is a policy violation reason for a scenario where
	// Certificate has been issued by incorrect Issuer.
	IncorrectIssuer string = "IncorrectIssuer"
	// RequestChanged is a policy violation reason for a scenario where
	// CertificateRequest not valid for Certificate's spec.
	RequestChanged string = "RequestChanged"
	// Renewing is a policy violation reason for a scenario where
	// Certificate's renewal time is now or in past.
	Renewing string = "Renewing"
	// Expired is a policy violation reason for a scenario where Certificate has
	// expired.
	Expired string = "Expired"
)

Variables

This section is empty.

Functions

func CurrentCertificateRequestNotValidForSpec added in v1.3.0 

func CurrentCertificateRequestNotValidForSpec(input Input) (string, string, bool)

func SecretDoesNotExist 

func SecretDoesNotExist(input Input) (string, string, bool)

func SecretIsMissingData added in v1.3.0 

func SecretIsMissingData(input Input) (string, string, bool)

func SecretIssuerAnnotationsNotUpToDate added in v1.3.0 

func SecretIssuerAnnotationsNotUpToDate(input Input) (string, string, bool)

func SecretPrivateKeyMatchesSpec 

func SecretPrivateKeyMatchesSpec(input Input) (string, string, bool)

func SecretPublicKeysDiffer added in v1.3.0 

func SecretPublicKeysDiffer(input Input) (string, string, bool)

Types

type Chain 

type Chain []Func

A Chain of PolicyFuncs to be evaluated in order.

func NewTriggerPolicyChain 

func NewTriggerPolicyChain(c clock.Clock) Chain

func (Chain) Evaluate 

func (c Chain) Evaluate(input Input) (string, string, bool)

Evaluate will evaluate the entire policy chain using the provided input. As soon as it is discovered that the input violates one policy, Evaluate will return and not evaluate the rest of the chain.

type Func 

type Func func(Input) (reason, message string, reissue bool)

A Func evaluates the given input data and decides whether a re-issuance is required, returning additional human readable information in the 'reason' and 'message' return parameters if so.

func CurrentCertificateHasExpired 

func CurrentCertificateHasExpired(c clock.Clock) Func

CurrentCertificateHasExpired is used exclusively to check if the current issued certificate has actually expired rather than just nearing expiry.

func CurrentCertificateNearingExpiry 

func CurrentCertificateNearingExpiry(c clock.Clock) Func

CurrentCertificateNearingExpiry returns a policy function that can be used to check whether an X.509 cert currently issued for a Certificate should be renewed.

type Gatherer 

type Gatherer struct {
	CertificateRequestLister cmlisters.CertificateRequestLister
	SecretLister             corelisters.SecretLister
}

Gatherer is used to gather data about a Certificate in order to evaluate its current readiness/state by applying policy functions to it.

func (*Gatherer) DataForCertificate 

func (g *Gatherer) DataForCertificate(ctx context.Context, crt *cmapi.Certificate) (Input, error)

DataForCertificate returns the secret as well as the "current" and "next" certificate request associated with the given certificate. It also returns the given certificate as-is. To know more about the "current" and "next" certificate requests and why we want to be fetching them along with the certificate's secret, take a look at the top comment on this file.

DataForCertificate returns an error when duplicate CRs are found for the "current" or the "next" revision. DataForCertificate does not return any apierrors.NewNotFound; instead, if either of the objects (current CR, next CR or secret) is not found, then the returned value of this object is left nil.

type Input 

type Input struct {
	Certificate *cmapi.Certificate
	Secret      *corev1.Secret

	// The "current" certificate request designates the certificate request that
	// led to the current revision of the certificate. The "current" certificate
	// request is by definition in a ready state, and can be seen as the source
	// of information of the current certificate. Take a look at the gatherer
	// package's documentation to see more about why we care about the "current"
	// certificate request.
	CurrentRevisionRequest *cmapi.CertificateRequest

	// The "next" certificate request is the one that is currently being issued.
	// Take a look at the gatherer package's documentation to see more about why
	// we care about the "next" certificate request.
	NextRevisionRequest *cmapi.CertificateRequest
}

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.