diff --git a/content/docs/policy/approval/approver-policy/api-reference.md b/content/docs/policy/approval/approver-policy/api-reference.md index e4d45bb8297..397d85aac43 100644 --- a/content/docs/policy/approval/approver-policy/api-reference.md +++ b/content/docs/policy/approval/approver-policy/api-reference.md @@ -23,7 +23,9 @@ Resource Types: -CertificateRequestPolicy is an object for describing a "policy profile" that makes decisions on whether applicable CertificateRequests should be approved or denied. +CertificateRequestPolicy is an object for describing a "policy profile" that +makes decisions on whether applicable CertificateRequests should be approved +or denied. @@ -55,14 +57,18 @@ CertificateRequestPolicy is an object for describing a "policy profile" that mak @@ -72,7 +78,8 @@ CertificateRequestPolicy is an object for describing a "policy profile" that mak ### `CertificateRequestPolicy.spec` -CertificateRequestPolicySpec defines the desired state of CertificateRequestPolicy. +CertificateRequestPolicySpec defines the desired state of +CertificateRequestPolicy.
spec object - CertificateRequestPolicySpec defines the desired state of CertificateRequestPolicy.
+ CertificateRequestPolicySpec defines the desired state of +CertificateRequestPolicy. +
false
status object - CertificateRequestPolicyStatus defines the observed state of the CertificateRequestPolicy.
+ CertificateRequestPolicyStatus defines the observed state of the +CertificateRequestPolicy. +
false
@@ -87,28 +94,47 @@ CertificateRequestPolicySpec defines the desired state of CertificateRequestPoli @@ -118,7 +144,9 @@ CertificateRequestPolicySpec defines the desired state of CertificateRequestPoli ### `CertificateRequestPolicy.spec.selector` -Selector is used for selecting over which CertificateRequests this CertificateRequestPolicy is appropriate for and so will used for its approval evaluation. +Selector is used for selecting over which CertificateRequests this +CertificateRequestPolicy is appropriate for and so will be used for its +approval evaluation.
selector object - Selector is used for selecting over which CertificateRequests this CertificateRequestPolicy is appropriate for and so will used for its approval evaluation.
+ Selector is used for selecting over which CertificateRequests this +CertificateRequestPolicy is appropriate for and so will be used for its +approval evaluation. +
true
allowed object - Allowed is the set of attributes that are "allowed" by this policy. A CertificateRequest will only be considered permissible for this policy if the CertificateRequest has the same or less as what is allowed. Empty or `nil` allowed fields mean CertificateRequests are not allowed to have that field present to be permissible.
+ Allowed defines the allowed attributes for a CertificateRequest. +A CertificateRequest can request _less_ than what is allowed, +but _not more_, i.e. a CertificateRequest can request a subset of what +is declared as allowed by the policy. +Omitted fields declare that the equivalent CertificateRequest +field _must_ be omitted or have an empty value for the request to be +permitted. +
false
constraints object - Constraints is the set of attributes that _must_ be satisfied by the CertificateRequest for the request to be permissible by the policy. Empty or `nil` constraint fields mean CertificateRequests satisfy that field with any value of their corresponding attribute.
+ Constraints define fields that _must_ be satisfied by a +CertificateRequest for the request to be allowed by this policy. +Omitted fields place no restrictions on the corresponding +attribute in a request. +
false
plugins map[string]object - Plugins define a set of plugins and their configuration that should be executed when this policy is evaluated against a CertificateRequest. A plugin must already be built within approver-policy for it to be available.
+ Plugins are approvers that are built into approver-policy at +compile-time. This is an advanced feature typically used to extend +approver-policy core features. This field define plugins and their +configuration that should be executed when this policy is evaluated +against a CertificateRequest. +
false
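Review bot: grammar slip in the `plugins` row of this hunk: "This field define plugins and their configuration that should be executed" should read "This field defines plugins and their configuration that should be executed". The rest of the rewritten row (built in at compile-time, advanced feature) is fine as written.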
@@ -133,15 +161,29 @@ Selector is used for selecting over which CertificateRequests this CertificateRe @@ -151,8 +193,17 @@ Selector is used for selecting over which CertificateRequests this CertificateRe ### `CertificateRequestPolicy.spec.selector.issuerRef` -IssuerRef is used to match this CertificateRequestPolicy against processed CertificateRequests. This policy will only be evaluated against a CertificateRequest whose `spec.issuerRef` field matches `spec.selector.issuerRef`. CertificateRequests will not be processed on unmatched `issuerRef` if defined, regardless of whether the requestor is bound by RBAC. Accepts wildcards "*". Omitted values are equivalent to "*". - The following value will match _all_ `issuerRefs`: ``` issuerRef: {} ``` +IssuerRef is used to match by issuer, meaning the +CertificateRequestPolicy will only evaluate CertificateRequests +referring to matching issuers. +CertificateRequests will not be processed if the issuer does not match, +regardless of whether the requestor is bound by RBAC. + + +The following value will match _all_ issuers: +``` +issuerRef: {} +```
issuerRef object - IssuerRef is used to match this CertificateRequestPolicy against processed CertificateRequests. This policy will only be evaluated against a CertificateRequest whose `spec.issuerRef` field matches `spec.selector.issuerRef`. CertificateRequests will not be processed on unmatched `issuerRef` if defined, regardless of whether the requestor is bound by RBAC. Accepts wildcards "*". Omitted values are equivalent to "*". - The following value will match _all_ `issuerRefs`: ``` issuerRef: {} ```
+ IssuerRef is used to match by issuer, meaning the +CertificateRequestPolicy will only evaluate CertificateRequests +referring to matching issuers. +CertificateRequests will not be processed if the issuer does not match, +regardless of whether the requestor is bound by RBAC. + + +The following value will match _all_ issuers: +``` +issuerRef: {} +``` +
false
namespace object - Namespace is used to select on Namespaces, meaning the CertificateRequestPolicy will only match on CertificateRequests that have been created in matching selected Namespaces. If this field is omitted, all Namespaces are selected.
+ Namespace is used to match by namespace, meaning the +CertificateRequestPolicy will only match CertificateRequests +created in matching namespaces. +If this field is omitted, resources in all namespaces are checked. +
false
@@ -167,21 +218,33 @@ IssuerRef is used to match this CertificateRequestPolicy against processed Certi @@ -191,7 +254,10 @@ IssuerRef is used to match this CertificateRequestPolicy against processed Certi ### `CertificateRequestPolicy.spec.selector.namespace` -Namespace is used to select on Namespaces, meaning the CertificateRequestPolicy will only match on CertificateRequests that have been created in matching selected Namespaces. If this field is omitted, all Namespaces are selected. +Namespace is used to match by namespace, meaning the +CertificateRequestPolicy will only match CertificateRequests +created in matching namespaces. +If this field is omitted, resources in all namespaces are checked.
group string - Group is the wildcard selector to match the `spec.issuerRef.group` field on requests. Accepts wildcards "*". An omitted field or value of `nil` matches all.
+ Group is the wildcard selector to match the `spec.issuerRef.group` field +on requests. +Accepts wildcards "*". +An omitted field matches all groups. +
false
kind string - Kind is the wildcard selector to match the `spec.issuerRef.kind` field on requests. Accepts wildcards "*". An omitted field or value of `nil` matches all.
+ Kind is the wildcard selector to match the `spec.issuerRef.kind` field +on requests. +Accepts wildcards "*". +An omitted field matches all kinds. +
false
name string - Name is the wildcard selector to match the `spec.issuerRef.name` field on requests. Accepts wildcards "*". An omitted field or value of `nil` matches all.
+ Name is a wildcard enabled selector that matches the +`spec.issuerRef.name` field of requests. +Accepts wildcards "*". +An omitted field matches all names. +
false
@@ -206,14 +272,21 @@ Namespace is used to select on Namespaces, meaning the CertificateRequestPolicy @@ -223,7 +296,13 @@ Namespace is used to select on Namespaces, meaning the CertificateRequestPolicy ### `CertificateRequestPolicy.spec.allowed` -Allowed is the set of attributes that are "allowed" by this policy. A CertificateRequest will only be considered permissible for this policy if the CertificateRequest has the same or less as what is allowed. Empty or `nil` allowed fields mean CertificateRequests are not allowed to have that field present to be permissible. +Allowed defines the allowed attributes for a CertificateRequest. +A CertificateRequest can request _less_ than what is allowed, +but _not more_, i.e. a CertificateRequest can request a subset of what +is declared as allowed by the policy. +Omitted fields declare that the equivalent CertificateRequest +field _must_ be omitted or have an empty value for the request to be +permitted.
matchLabels map[string]string - MatchLabels is the set of Namespace labels that select on CertificateRequests which have been created in a Namespace matching the selector.
+ MatchLabels is the set of Namespace labels that select on +CertificateRequests which have been created in a namespace matching the +selector. +
false
matchNames []string - MatchNames are the set of Namespace names that select on CertificateRequests that have been created in a matching Namespace. Accepts wildcards "*".
+ MatchNames is the set of namespace names that select on +CertificateRequests that have been created in a matching namespace. +Accepts wildcards "*". +TODO: add x-kubernetes-list-type: set in v1alpha2 +
false
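Review bot: the `matchNames` description in this hunk ends with "TODO: add x-kubernetes-list-type: set in v1alpha2", which is a developer note from the Go type comment rather than user documentation; the same line also lands in the `usages` row and in every `values` row of the later `dnsNames`, `emailAddresses`, `ipAddresses` and `subject.*` tables. Drop the TODO from the source comments (or have the generator filter lines starting with `TODO:`) before this reference is published.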
@@ -238,56 +317,76 @@ Allowed is the set of attributes that are "allowed" by this policy. A Certificat @@ -297,7 +396,7 @@ Allowed is the set of attributes that are "allowed" by this policy. A Certificat ### `CertificateRequestPolicy.spec.allowed.commonName` -CommonName defines the X.509 Common Name that is permissible. +CommonName defines the X.509 Common Name that may be requested.
commonName object - CommonName defines the X.509 Common Name that is permissible.
+ CommonName defines the X.509 Common Name that may be requested. +
false
dnsNames object - DNSNames defines the X.509 DNS SANs that may be requested for. Accepts wildcards "*".
+ DNSNames defines the X.509 DNS SANs that may be requested. +
false
emailAddresses object - EmailAddresses defines the X.509 Email SANs that may be requested for.
+ EmailAddresses defines the X.509 Email SANs that may be requested. +
false
ipAddresses object - IPAddresses defines the X.509 IP SANs that may be requested for.
+ IPAddresses defines the X.509 IP SANs that may be requested. +
false
isCA boolean - IsCA defines whether it is permissible for a CertificateRequest to have the `spec.IsCA` field set to `true`. An omitted field, value of `nil` or `false`, forbids the `spec.IsCA` field from bring `true`. A value of `true` permits CertificateRequests setting the `spec.IsCA` field to `true`.
+ IsCA defines if a CertificateRequest is allowed to set the `spec.isCA` +field set to `true`. +If `true`, the `spec.isCA` field can be `true` or `false`. +If `false` or unset, the `spec.isCA` field must be `false`. +
false
subject object - Subject defines the X.509 subject that is permissible. An omitted field or value of `nil` forbids any Subject being requested.
+ Subject declares the X.509 Subject attributes allowed in a +CertificateRequest. An omitted field forbids any Subject attributes +from being requested. +A CertificateRequest can request a subset of the allowed X.509 Subject +attributes. +
false
uris object - URIs defines the X.509 URI SANs that may be requested for.
+ URIs defines the X.509 URI SANs that may be requested. +
false
usages []enum - Usages defines the list of permissible key usages that may appear on the CertificateRequest `spec.keyUsages` field. An omitted field or value of `nil` forbids any Usages being requested. An empty slice `[]` is equivalent to `nil`.
+ Usages defines the key usages that may be included in a +CertificateRequest `spec.keyUsages` field. +If set, `spec.keyUsages` in a CertificateRequest must be a subset of the +specified values. +If `[]` or unset, no `spec.keyUsages` are allowed. +TODO: add x-kubernetes-list-type: set in v1alpha2 +
false
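Review bot: the `isCA` row in this hunk has a doubled verb: "IsCA defines if a CertificateRequest is allowed to set the `spec.isCA` field set to `true`". Suggest "is allowed to set the `spec.isCA` field to `true`". The two sentences that follow ("If `true`, the `spec.isCA` field can be `true` or `false`. If `false` or unset, the `spec.isCA` field must be `false`.") state the default-deny behaviour clearly and should stay.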
@@ -312,14 +411,86 @@ CommonName defines the X.509 Common Name that is permissible. + + + + + + + +
required boolean - Required marks this field as being a required value on the request. May only be set to true if Value is also defined.
+ Required marks that the related field must be provided and not be an +empty string. +Defaults to `false`. +
+
false
validations[]object + Validations applies rules using Common Expression Language (CEL) to +validate attribute value present on request beyond what is possible +to express using value/required. +An attribute value on the related CertificateRequest field must pass +ALL validations for the request to be granted by this policy. +
false
value string - Value defines the value that is permissible to be present on the request. Accepts wildcards "*". An omitted field or value of `nil` forbids the value from being requested. An empty string is equivalent to `nil`, however an empty string pared with Required as `true` is an impossible condition that always denies. Value may not be `nil` if Required is `true`.
+ Value defines the allowed attribute value on the related CertificateRequest field. +Accepts wildcards "*". +If set, the related field must match the specified pattern. + + +NOTE:`value: ""` paired with `required: true` establishes a policy that +will never grant a `CertificateRequest`, but other policies may. +
+
false
+ + +### `CertificateRequestPolicy.spec.allowed.commonName.validations[index]` + + +ValidationRule describes a validation rule expressed in CEL. + + + + + + + + + + + + + + + + + + + @@ -329,7 +500,7 @@ CommonName defines the X.509 Common Name that is permissible. ### `CertificateRequestPolicy.spec.allowed.dnsNames` -DNSNames defines the X.509 DNS SANs that may be requested for. Accepts wildcards "*". +DNSNames defines the X.509 DNS SANs that may be requested.
NameTypeDescriptionRequired
rulestring + Rule represents the expression which will be evaluated by CEL. +ref: https://github.com/google/cel-spec +The Rule is scoped to the location of the validations in the schema. +The `self` variable in the CEL expression is bound to the scoped value. +To enable more advanced validation rules, approver-policy provides the +`cr` (map) variable to the CEL expression containing `namespace` and +`name` of the `CertificateRequest` resource. + + +Example (rule for namespaced DNSNames): +``` +rule: self.endsWith(cr.namespace + '.svc.cluster.local') +``` +
+
true
messagestring + Message is the message to display when validation fails. +Message is required if the Rule contains line breaks. Note that Message +must not contain line breaks. +If unset, a fallback message is used: "failed rule: ``". +e.g. "must be a URL with the host matching spec.host" +
false
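Review bot: the rewritten `required` and `value` rows in this hunk drop an invariant the old text stated ("Value may not be `nil` if Required is `true`") and replace it with a NOTE that covers only `value: ""`. A policy author can no longer tell from the docs whether `required: true` with `value` omitted is rejected when the policy is created, behaves like `value: ""` (never grants), or means "any non-empty value"; each of these changes what gets approved, so the description should say which one applies. Also, "NOTE:`value: ""` paired with `required: true`" is missing a space after the colon, here and in the `values` rows of the list-attribute tables.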
@@ -344,14 +515,86 @@ DNSNames defines the X.509 DNS SANs that may be requested for. Accepts wildcards + + + + + + + +
required boolean - Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required.
+ Required controls whether the related field must have at least one value. +Defaults to `false`. +
+
false
validations[]object + Validations applies rules using Common Expression Language (CEL) to +validate attribute values present on request beyond what is possible +to express using values/required. +ALL attribute values on the related CertificateRequest field must pass +ALL validations for the request to be granted by this policy. +
false
values []string - Defines the values that are permissible to be present on request. Accepts wildcards "*". An omitted field or value of `nil` forbids any value on the related field in the request from being requested. An empty slice `[]` is equivalent to `nil`, however an empty slice pared with Required `true` is an impossible condition that always denies. Values may not be `nil` if Required is `true`.
+ Values defines allowed attribute values on the related CertificateRequest field. +Accepts wildcards "*". +If set, the related field can only include items contained in the allowed values. + + +NOTE:`values: []` paired with `required: true` establishes a policy that +will never grant a `CertificateRequest`, but other policies may. +TODO: add x-kubernetes-list-type: set in v1alpha2 +
+
false
+ + +### `CertificateRequestPolicy.spec.allowed.dnsNames.validations[index]` + + +ValidationRule describes a validation rule expressed in CEL. + + + + + + + + + + + + + + + + + + + @@ -361,7 +604,7 @@ DNSNames defines the X.509 DNS SANs that may be requested for. Accepts wildcards ### `CertificateRequestPolicy.spec.allowed.emailAddresses` -EmailAddresses defines the X.509 Email SANs that may be requested for. +EmailAddresses defines the X.509 Email SANs that may be requested.
NameTypeDescriptionRequired
rulestring + Rule represents the expression which will be evaluated by CEL. +ref: https://github.com/google/cel-spec +The Rule is scoped to the location of the validations in the schema. +The `self` variable in the CEL expression is bound to the scoped value. +To enable more advanced validation rules, approver-policy provides the +`cr` (map) variable to the CEL expression containing `namespace` and +`name` of the `CertificateRequest` resource. + + +Example (rule for namespaced DNSNames): +``` +rule: self.endsWith(cr.namespace + '.svc.cluster.local') +``` +
+
true
messagestring + Message is the message to display when validation fails. +Message is required if the Rule contains line breaks. Note that Message +must not contain line breaks. +If unset, a fallback message is used: "failed rule: ``". +e.g. "must be a URL with the host matching spec.host" +
false
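Review bot: in the `rule` row of this hunk, "The `self` variable in the CEL expression is bound to the scoped value" leaves open whether, for a list attribute such as `dnsNames`, `self` is the whole list or a single item; the example `self.endsWith(cr.namespace + '.svc.cluster.local')` and the `validations` row ("ALL attribute values on the related CertificateRequest field must pass ALL validations") both suggest per-item evaluation, and a rule written against the list would not type-check with string methods. Suggest saying so explicitly, e.g. "for list attributes the rule is evaluated once per item with `self` bound to that item". Separately, because the text comes from the shared ValidationRule type, the "Example (rule for namespaced DNSNames)" block is repeated verbatim under `commonName`, `emailAddresses`, `ipAddresses` and each `subject.*` attribute, where it is misleading; phrasing it as "Example (a `dnsNames` rule restricting SANs to the requesting namespace)" would make its scope obvious wherever it is rendered.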
@@ -376,14 +619,86 @@ EmailAddresses defines the X.509 Email SANs that may be requested for. + + + + + + + +
required boolean - Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required.
+ Required controls whether the related field must have at least one value. +Defaults to `false`. +
+
false
validations[]object + Validations applies rules using Common Expression Language (CEL) to +validate attribute values present on request beyond what is possible +to express using values/required. +ALL attribute values on the related CertificateRequest field must pass +ALL validations for the request to be granted by this policy. +
false
values []string - Defines the values that are permissible to be present on request. Accepts wildcards "*". An omitted field or value of `nil` forbids any value on the related field in the request from being requested. An empty slice `[]` is equivalent to `nil`, however an empty slice pared with Required `true` is an impossible condition that always denies. Values may not be `nil` if Required is `true`.
+ Values defines allowed attribute values on the related CertificateRequest field. +Accepts wildcards "*". +If set, the related field can only include items contained in the allowed values. + + +NOTE:`values: []` paired with `required: true` establishes a policy that +will never grant a `CertificateRequest`, but other policies may. +TODO: add x-kubernetes-list-type: set in v1alpha2 +
+
false
+ + +### `CertificateRequestPolicy.spec.allowed.emailAddresses.validations[index]` + + +ValidationRule describes a validation rule expressed in CEL. + + + + + + + + + + + + + + + + + + + @@ -393,7 +708,7 @@ EmailAddresses defines the X.509 Email SANs that may be requested for. ### `CertificateRequestPolicy.spec.allowed.ipAddresses` -IPAddresses defines the X.509 IP SANs that may be requested for. +IPAddresses defines the X.509 IP SANs that may be requested.
NameTypeDescriptionRequired
rulestring + Rule represents the expression which will be evaluated by CEL. +ref: https://github.com/google/cel-spec +The Rule is scoped to the location of the validations in the schema. +The `self` variable in the CEL expression is bound to the scoped value. +To enable more advanced validation rules, approver-policy provides the +`cr` (map) variable to the CEL expression containing `namespace` and +`name` of the `CertificateRequest` resource. + + +Example (rule for namespaced DNSNames): +``` +rule: self.endsWith(cr.namespace + '.svc.cluster.local') +``` +
+
true
messagestring + Message is the message to display when validation fails. +Message is required if the Rule contains line breaks. Note that Message +must not contain line breaks. +If unset, a fallback message is used: "failed rule: ``". +e.g. "must be a URL with the host matching spec.host" +
false
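Review bot: the `message` row in this hunk has a broken fallback template: "If unset, a fallback message is used: "failed rule: ``"" shows empty backticks where the rule text belongs, so the placeholder was lost somewhere between the Go comment and the generated page; restore it (e.g. "failed rule: `<rule>`"). The trailing example "must be a URL with the host matching spec.host" refers to a `spec.host` field that exists nowhere in this API; it looks carried over from the Kubernetes CRD validation docs and should be replaced with an approver-policy example such as "must be a DNS name inside the requesting namespace".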
@@ -408,14 +723,86 @@ IPAddresses defines the X.509 IP SANs that may be requested for. + + + + + + + +
required boolean - Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required.
+ Required controls whether the related field must have at least one value. +Defaults to `false`. +
+
false
validations[]object + Validations applies rules using Common Expression Language (CEL) to +validate attribute values present on request beyond what is possible +to express using values/required. +ALL attribute values on the related CertificateRequest field must pass +ALL validations for the request to be granted by this policy. +
false
values []string - Defines the values that are permissible to be present on request. Accepts wildcards "*". An omitted field or value of `nil` forbids any value on the related field in the request from being requested. An empty slice `[]` is equivalent to `nil`, however an empty slice pared with Required `true` is an impossible condition that always denies. Values may not be `nil` if Required is `true`.
+ Values defines allowed attribute values on the related CertificateRequest field. +Accepts wildcards "*". +If set, the related field can only include items contained in the allowed values. + + +NOTE:`values: []` paired with `required: true` establishes a policy that +will never grant a `CertificateRequest`, but other policies may. +TODO: add x-kubernetes-list-type: set in v1alpha2 +
+
false
+ + +### `CertificateRequestPolicy.spec.allowed.ipAddresses.validations[index]` + + +ValidationRule describes a validation rule expressed in CEL. + + + + + + + + + + + + + + + + + + + @@ -425,7 +812,11 @@ IPAddresses defines the X.509 IP SANs that may be requested for. ### `CertificateRequestPolicy.spec.allowed.subject` -Subject defines the X.509 subject that is permissible. An omitted field or value of `nil` forbids any Subject being requested. +Subject declares the X.509 Subject attributes allowed in a +CertificateRequest. An omitted field forbids any Subject attributes +from being requested. +A CertificateRequest can request a subset of the allowed X.509 Subject +attributes.
NameTypeDescriptionRequired
rulestring + Rule represents the expression which will be evaluated by CEL. +ref: https://github.com/google/cel-spec +The Rule is scoped to the location of the validations in the schema. +The `self` variable in the CEL expression is bound to the scoped value. +To enable more advanced validation rules, approver-policy provides the +`cr` (map) variable to the CEL expression containing `namespace` and +`name` of the `CertificateRequest` resource. + + +Example (rule for namespaced DNSNames): +``` +rule: self.endsWith(cr.namespace + '.svc.cluster.local') +``` +
+
true
messagestring + Message is the message to display when validation fails. +Message is required if the Rule contains line breaks. Note that Message +must not contain line breaks. +If unset, a fallback message is used: "failed rule: ``". +e.g. "must be a URL with the host matching spec.host" +
false
@@ -440,56 +831,68 @@ Subject defines the X.509 subject that is permissible. An omitted field or value @@ -499,7 +902,7 @@ Subject defines the X.509 subject that is permissible. An omitted field or value ### `CertificateRequestPolicy.spec.allowed.subject.countries` -Countries define the X.509 Subject Countries that may be requested for. +Countries define the X.509 Subject Countries that may be requested.
countries object - Countries define the X.509 Subject Countries that may be requested for.
+ Countries define the X.509 Subject Countries that may be requested. +
false
localities object - Localities defines the X.509 Subject Localities that may be requested for.
+ Localities defines the X.509 Subject Localities that may be requested. +
false
organizationalUnits object - OrganizationalUnits defines the X.509 Subject Organizational Units that may be requested for.
+ OrganizationalUnits defines the X.509 Subject Organizational Units that +may be requested. +
false
organizations object - Organizations define the X.509 Subject Organizations that may be requested for.
+ Organizations define the X.509 Subject Organizations that may be +requested. +
false
postalCodes object - PostalCodes defines the X.509 Subject Postal Codes that may be requested for.
+ PostalCodes defines the X.509 Subject Postal Codes that may be requested. +
false
provinces object - Provinces defines the X.509 Subject Provinces that may be requested for.
+ Provinces defines the X.509 Subject Provinces that may be requested. +
false
serialNumber object - SerialNumber defines the X.509 Subject Serial Number that may be requested for.
+ SerialNumber defines the X.509 Subject Serial Number that may be +requested. +
false
streetAddresses object - StreetAddresses defines the X.509 Subject Street Addresses that may be requested for.
+ StreetAddresses defines the X.509 Subject Street Addresses that may be +requested. +
false
@@ -514,14 +917,86 @@ Countries define the X.509 Subject Countries that may be requested for. + + + + + + + +
required boolean - Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required.
+ Required controls whether the related field must have at least one value. +Defaults to `false`. +
+
false
validations[]object + Validations applies rules using Common Expression Language (CEL) to +validate attribute values present on request beyond what is possible +to express using values/required. +ALL attribute values on the related CertificateRequest field must pass +ALL validations for the request to be granted by this policy. +
false
values []string - Defines the values that are permissible to be present on request. Accepts wildcards "*". An omitted field or value of `nil` forbids any value on the related field in the request from being requested. An empty slice `[]` is equivalent to `nil`, however an empty slice pared with Required `true` is an impossible condition that always denies. Values may not be `nil` if Required is `true`.
+ Values defines allowed attribute values on the related CertificateRequest field. +Accepts wildcards "*". +If set, the related field can only include items contained in the allowed values. + + +NOTE:`values: []` paired with `required: true` establishes a policy that +will never grant a `CertificateRequest`, but other policies may. +TODO: add x-kubernetes-list-type: set in v1alpha2 +
+
false
+ + +### `CertificateRequestPolicy.spec.allowed.subject.countries.validations[index]` + + +ValidationRule describes a validation rule expressed in CEL. + + + + + + + + + + + + + + + + + + + @@ -531,7 +1006,7 @@ Countries define the X.509 Subject Countries that may be requested for. ### `CertificateRequestPolicy.spec.allowed.subject.localities` -Localities defines the X.509 Subject Localities that may be requested for. +Localities defines the X.509 Subject Localities that may be requested.
NameTypeDescriptionRequired
rulestring + Rule represents the expression which will be evaluated by CEL. +ref: https://github.com/google/cel-spec +The Rule is scoped to the location of the validations in the schema. +The `self` variable in the CEL expression is bound to the scoped value. +To enable more advanced validation rules, approver-policy provides the +`cr` (map) variable to the CEL expression containing `namespace` and +`name` of the `CertificateRequest` resource. + + +Example (rule for namespaced DNSNames): +``` +rule: self.endsWith(cr.namespace + '.svc.cluster.local') +``` +
+
true
messagestring + Message is the message to display when validation fails. +Message is required if the Rule contains line breaks. Note that Message +must not contain line breaks. +If unset, a fallback message is used: "failed rule: ``". +e.g. "must be a URL with the host matching spec.host" +
false
@@ -546,14 +1021,86 @@ Localities defines the X.509 Subject Localities that may be requested for. + + + + + + + +
required boolean - Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required.
+ Required controls whether the related field must have at least one value. +Defaults to `false`. +
+
false
validations[]object + Validations applies rules using Common Expression Language (CEL) to +validate attribute values present on request beyond what is possible +to express using values/required. +ALL attribute values on the related CertificateRequest field must pass +ALL validations for the request to be granted by this policy. +
false
values []string - Defines the values that are permissible to be present on request. Accepts wildcards "*". An omitted field or value of `nil` forbids any value on the related field in the request from being requested. An empty slice `[]` is equivalent to `nil`, however an empty slice pared with Required `true` is an impossible condition that always denies. Values may not be `nil` if Required is `true`.
+ Values defines allowed attribute values on the related CertificateRequest field. +Accepts wildcards "*". +If set, the related field can only include items contained in the allowed values. + + +NOTE:`values: []` paired with `required: true` establishes a policy that +will never grant a `CertificateRequest`, but other policies may. +TODO: add x-kubernetes-list-type: set in v1alpha2 +
+
false
+ + +### `CertificateRequestPolicy.spec.allowed.subject.localities.validations[index]` + + +ValidationRule describes a validation rule expressed in CEL. + + + + + + + + + + + + + + + + + + + @@ -563,7 +1110,8 @@ Localities defines the X.509 Subject Localities that may be requested for. ### `CertificateRequestPolicy.spec.allowed.subject.organizationalUnits` -OrganizationalUnits defines the X.509 Subject Organizational Units that may be requested for. +OrganizationalUnits defines the X.509 Subject Organizational Units that +may be requested.
NameTypeDescriptionRequired
rulestring + Rule represents the expression which will be evaluated by CEL. +ref: https://github.com/google/cel-spec +The Rule is scoped to the location of the validations in the schema. +The `self` variable in the CEL expression is bound to the scoped value. +To enable more advanced validation rules, approver-policy provides the +`cr` (map) variable to the CEL expression containing `namespace` and +`name` of the `CertificateRequest` resource. + + +Example (rule for namespaced DNSNames): +``` +rule: self.endsWith(cr.namespace + '.svc.cluster.local') +``` +
+
true
messagestring + Message is the message to display when validation fails. +Message is required if the Rule contains line breaks. Note that Message +must not contain line breaks. +If unset, a fallback message is used: "failed rule: ``". +e.g. "must be a URL with the host matching spec.host" +
false
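Review bot: the `rule` description in this validations[index] table embeds a markdown fence (the three-backtick lines around `rule: self.endsWith(cr.namespace + '.svc.cluster.local')`) inside a raw HTML `<td>`; most markdown renderers do not process markdown inside HTML blocks, so the backticks are likely to appear as literal text in the rendered page. Consider emitting the example as `<pre><code>` in the template, or stripping fences from generated descriptions. In the same table, the `message` row's fallback text reads `"failed rule: ``"` with nothing between the backticks, which suggests a placeholder was lost during generation; check the upstream godoc. This table is repeated verbatim for every validations[index] section in the diff, so one fix in the template or godoc covers all of them.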
@@ -578,14 +1126,86 @@ OrganizationalUnits defines the X.509 Subject Organizational Units that may be r + + + + + + + +
required boolean - Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required.
+ Required controls whether the related field must have at least one value. +Defaults to `false`. +
+
false
validations[]object + Validations applies rules using Common Expression Language (CEL) to +validate attribute values present on request beyond what is possible +to express using values/required. +ALL attribute values on the related CertificateRequest field must pass +ALL validations for the request to be granted by this policy. +
false
values []string - Defines the values that are permissible to be present on request. Accepts wildcards "*". An omitted field or value of `nil` forbids any value on the related field in the request from being requested. An empty slice `[]` is equivalent to `nil`, however an empty slice pared with Required `true` is an impossible condition that always denies. Values may not be `nil` if Required is `true`.
+ Values defines allowed attribute values on the related CertificateRequest field. +Accepts wildcards "*". +If set, the related field can only include items contained in the allowed values. + + +NOTE:`values: []` paired with `required: true` establishes a policy that +will never grant a `CertificateRequest`, but other policies may. +TODO: add x-kubernetes-list-type: set in v1alpha2 +
+
false
+ + +### `CertificateRequestPolicy.spec.allowed.subject.organizationalUnits.validations[index]` + + +ValidationRule describes a validation rule expressed in CEL. + + + + + + + + + + + + + + + + + + + @@ -595,7 +1215,8 @@ OrganizationalUnits defines the X.509 Subject Organizational Units that may be r ### `CertificateRequestPolicy.spec.allowed.subject.organizations` -Organizations define the X.509 Subject Organizations that may be requested for. +Organizations define the X.509 Subject Organizations that may be +requested.
NameTypeDescriptionRequired
rulestring + Rule represents the expression which will be evaluated by CEL. +ref: https://github.com/google/cel-spec +The Rule is scoped to the location of the validations in the schema. +The `self` variable in the CEL expression is bound to the scoped value. +To enable more advanced validation rules, approver-policy provides the +`cr` (map) variable to the CEL expression containing `namespace` and +`name` of the `CertificateRequest` resource. + + +Example (rule for namespaced DNSNames): +``` +rule: self.endsWith(cr.namespace + '.svc.cluster.local') +``` +
+
true
messagestring + Message is the message to display when validation fails. +Message is required if the Rule contains line breaks. Note that Message +must not contain line breaks. +If unset, a fallback message is used: "failed rule: ``". +e.g. "must be a URL with the host matching spec.host" +
false
@@ -610,14 +1231,86 @@ Organizations define the X.509 Subject Organizations that may be requested for. + + + + + + + +
required boolean - Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required.
+ Required controls whether the related field must have at least one value. +Defaults to `false`. +
+
false
validations[]object + Validations applies rules using Common Expression Language (CEL) to +validate attribute values present on request beyond what is possible +to express using values/required. +ALL attribute values on the related CertificateRequest field must pass +ALL validations for the request to be granted by this policy. +
false
values []string - Defines the values that are permissible to be present on request. Accepts wildcards "*". An omitted field or value of `nil` forbids any value on the related field in the request from being requested. An empty slice `[]` is equivalent to `nil`, however an empty slice pared with Required `true` is an impossible condition that always denies. Values may not be `nil` if Required is `true`.
+ Values defines allowed attribute values on the related CertificateRequest field. +Accepts wildcards "*". +If set, the related field can only include items contained in the allowed values. + + +NOTE:`values: []` paired with `required: true` establishes a policy that +will never grant a `CertificateRequest`, but other policies may. +TODO: add x-kubernetes-list-type: set in v1alpha2 +
+
false
+ + +### `CertificateRequestPolicy.spec.allowed.subject.organizations.validations[index]` + + +ValidationRule describes a validation rule expressed in CEL. + + + + + + + + + + + + + + + + + + + @@ -627,7 +1320,7 @@ Organizations define the X.509 Subject Organizations that may be requested for. ### `CertificateRequestPolicy.spec.allowed.subject.postalCodes` -PostalCodes defines the X.509 Subject Postal Codes that may be requested for. +PostalCodes defines the X.509 Subject Postal Codes that may be requested.
NameTypeDescriptionRequired
rulestring + Rule represents the expression which will be evaluated by CEL. +ref: https://github.com/google/cel-spec +The Rule is scoped to the location of the validations in the schema. +The `self` variable in the CEL expression is bound to the scoped value. +To enable more advanced validation rules, approver-policy provides the +`cr` (map) variable to the CEL expression containing `namespace` and +`name` of the `CertificateRequest` resource. + + +Example (rule for namespaced DNSNames): +``` +rule: self.endsWith(cr.namespace + '.svc.cluster.local') +``` +
+
true
messagestring + Message is the message to display when validation fails. +Message is required if the Rule contains line breaks. Note that Message +must not contain line breaks. +If unset, a fallback message is used: "failed rule: ``". +e.g. "must be a URL with the host matching spec.host" +
false
@@ -642,14 +1335,86 @@ PostalCodes defines the X.509 Subject Postal Codes that may be requested for. + + + + + + + +
required boolean - Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required.
+ Required controls whether the related field must have at least one value. +Defaults to `false`. +
+
false
validations[]object + Validations applies rules using Common Expression Language (CEL) to +validate attribute values present on request beyond what is possible +to express using values/required. +ALL attribute values on the related CertificateRequest field must pass +ALL validations for the request to be granted by this policy. +
false
values []string - Defines the values that are permissible to be present on request. Accepts wildcards "*". An omitted field or value of `nil` forbids any value on the related field in the request from being requested. An empty slice `[]` is equivalent to `nil`, however an empty slice pared with Required `true` is an impossible condition that always denies. Values may not be `nil` if Required is `true`.
+ Values defines allowed attribute values on the related CertificateRequest field. +Accepts wildcards "*". +If set, the related field can only include items contained in the allowed values. + + +NOTE:`values: []` paired with `required: true` establishes a policy that +will never grant a `CertificateRequest`, but other policies may. +TODO: add x-kubernetes-list-type: set in v1alpha2 +
+
false
+ + +### `CertificateRequestPolicy.spec.allowed.subject.postalCodes.validations[index]` + + +ValidationRule describes a validation rule expressed in CEL. + + + + + + + + + + + + + + + + + + + @@ -659,7 +1424,7 @@ PostalCodes defines the X.509 Subject Postal Codes that may be requested for. ### `CertificateRequestPolicy.spec.allowed.subject.provinces` -Provinces defines the X.509 Subject Provinces that may be requested for. +Provinces defines the X.509 Subject Provinces that may be requested.
NameTypeDescriptionRequired
rulestring + Rule represents the expression which will be evaluated by CEL. +ref: https://github.com/google/cel-spec +The Rule is scoped to the location of the validations in the schema. +The `self` variable in the CEL expression is bound to the scoped value. +To enable more advanced validation rules, approver-policy provides the +`cr` (map) variable to the CEL expression containing `namespace` and +`name` of the `CertificateRequest` resource. + + +Example (rule for namespaced DNSNames): +``` +rule: self.endsWith(cr.namespace + '.svc.cluster.local') +``` +
+
true
messagestring + Message is the message to display when validation fails. +Message is required if the Rule contains line breaks. Note that Message +must not contain line breaks. +If unset, a fallback message is used: "failed rule: ``". +e.g. "must be a URL with the host matching spec.host" +
false
@@ -674,14 +1439,86 @@ Provinces defines the X.509 Subject Provinces that may be requested for. + + + + + + + +
required boolean - Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required.
+ Required controls whether the related field must have at least one value. +Defaults to `false`. +
+
false
validations[]object + Validations applies rules using Common Expression Language (CEL) to +validate attribute values present on request beyond what is possible +to express using values/required. +ALL attribute values on the related CertificateRequest field must pass +ALL validations for the request to be granted by this policy. +
false
values []string - Defines the values that are permissible to be present on request. Accepts wildcards "*". An omitted field or value of `nil` forbids any value on the related field in the request from being requested. An empty slice `[]` is equivalent to `nil`, however an empty slice pared with Required `true` is an impossible condition that always denies. Values may not be `nil` if Required is `true`.
+ Values defines allowed attribute values on the related CertificateRequest field. +Accepts wildcards "*". +If set, the related field can only include items contained in the allowed values. + + +NOTE:`values: []` paired with `required: true` establishes a policy that +will never grant a `CertificateRequest`, but other policies may. +TODO: add x-kubernetes-list-type: set in v1alpha2 +
+
false
+ + +### `CertificateRequestPolicy.spec.allowed.subject.provinces.validations[index]` + + +ValidationRule describes a validation rule expressed in CEL. + + + + + + + + + + + + + + + + + + + @@ -691,7 +1528,8 @@ Provinces defines the X.509 Subject Provinces that may be requested for. ### `CertificateRequestPolicy.spec.allowed.subject.serialNumber` -SerialNumber defines the X.509 Subject Serial Number that may be requested for. +SerialNumber defines the X.509 Subject Serial Number that may be +requested.
NameTypeDescriptionRequired
rulestring + Rule represents the expression which will be evaluated by CEL. +ref: https://github.com/google/cel-spec +The Rule is scoped to the location of the validations in the schema. +The `self` variable in the CEL expression is bound to the scoped value. +To enable more advanced validation rules, approver-policy provides the +`cr` (map) variable to the CEL expression containing `namespace` and +`name` of the `CertificateRequest` resource. + + +Example (rule for namespaced DNSNames): +``` +rule: self.endsWith(cr.namespace + '.svc.cluster.local') +``` +
+
true
messagestring + Message is the message to display when validation fails. +Message is required if the Rule contains line breaks. Note that Message +must not contain line breaks. +If unset, a fallback message is used: "failed rule: ``". +e.g. "must be a URL with the host matching spec.host" +
false
@@ -706,14 +1544,86 @@ SerialNumber defines the X.509 Subject Serial Number that may be requested for. + + + + + + + +
required boolean - Required marks this field as being a required value on the request. May only be set to true if Value is also defined.
+ Required marks that the related field must be provided and not be an +empty string. +Defaults to `false`. +
+
false
validations[]object + Validations applies rules using Common Expression Language (CEL) to +validate attribute value present on request beyond what is possible +to express using value/required. +An attribute value on the related CertificateRequest field must pass +ALL validations for the request to be granted by this policy. +
false
value string - Value defines the value that is permissible to be present on the request. Accepts wildcards "*". An omitted field or value of `nil` forbids the value from being requested. An empty string is equivalent to `nil`, however an empty string pared with Required as `true` is an impossible condition that always denies. Value may not be `nil` if Required is `true`.
+ Value defines the allowed attribute value on the related CertificateRequest field. +Accepts wildcards "*". +If set, the related field must match the specified pattern. + + +NOTE:`value: ""` paired with `required: true` establishes a policy that +will never grant a `CertificateRequest`, but other policies may. +
+
false
+ + +### `CertificateRequestPolicy.spec.allowed.subject.serialNumber.validations[index]` + + +ValidationRule describes a validation rule expressed in CEL. + + + + + + + + + + + + + + + + + + + @@ -723,7 +1633,8 @@ SerialNumber defines the X.509 Subject Serial Number that may be requested for. ### `CertificateRequestPolicy.spec.allowed.subject.streetAddresses` -StreetAddresses defines the X.509 Subject Street Addresses that may be requested for. +StreetAddresses defines the X.509 Subject Street Addresses that may be +requested.
NameTypeDescriptionRequired
rulestring + Rule represents the expression which will be evaluated by CEL. +ref: https://github.com/google/cel-spec +The Rule is scoped to the location of the validations in the schema. +The `self` variable in the CEL expression is bound to the scoped value. +To enable more advanced validation rules, approver-policy provides the +`cr` (map) variable to the CEL expression containing `namespace` and +`name` of the `CertificateRequest` resource. + + +Example (rule for namespaced DNSNames): +``` +rule: self.endsWith(cr.namespace + '.svc.cluster.local') +``` +
+
true
messagestring + Message is the message to display when validation fails. +Message is required if the Rule contains line breaks. Note that Message +must not contain line breaks. +If unset, a fallback message is used: "failed rule: ``". +e.g. "must be a URL with the host matching spec.host" +
false
@@ -738,14 +1649,86 @@ StreetAddresses defines the X.509 Subject Street Addresses that may be requested + + + + + + + +
required boolean - Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required.
+ Required controls whether the related field must have at least one value. +Defaults to `false`. +
+
false
validations[]object + Validations applies rules using Common Expression Language (CEL) to +validate attribute values present on request beyond what is possible +to express using values/required. +ALL attribute values on the related CertificateRequest field must pass +ALL validations for the request to be granted by this policy. +
false
values []string - Defines the values that are permissible to be present on request. Accepts wildcards "*". An omitted field or value of `nil` forbids any value on the related field in the request from being requested. An empty slice `[]` is equivalent to `nil`, however an empty slice pared with Required `true` is an impossible condition that always denies. Values may not be `nil` if Required is `true`.
+ Values defines allowed attribute values on the related CertificateRequest field. +Accepts wildcards "*". +If set, the related field can only include items contained in the allowed values. + + +NOTE:`values: []` paired with `required: true` establishes a policy that +will never grant a `CertificateRequest`, but other policies may. +TODO: add x-kubernetes-list-type: set in v1alpha2 +
+
false
+ + +### `CertificateRequestPolicy.spec.allowed.subject.streetAddresses.validations[index]` + + +ValidationRule describes a validation rule expressed in CEL. + + + + + + + + + + + + + + + + + + + @@ -755,7 +1738,7 @@ StreetAddresses defines the X.509 Subject Street Addresses that may be requested ### `CertificateRequestPolicy.spec.allowed.uris` -URIs defines the X.509 URI SANs that may be requested for. +URIs defines the X.509 URI SANs that may be requested.
NameTypeDescriptionRequired
rulestring + Rule represents the expression which will be evaluated by CEL. +ref: https://github.com/google/cel-spec +The Rule is scoped to the location of the validations in the schema. +The `self` variable in the CEL expression is bound to the scoped value. +To enable more advanced validation rules, approver-policy provides the +`cr` (map) variable to the CEL expression containing `namespace` and +`name` of the `CertificateRequest` resource. + + +Example (rule for namespaced DNSNames): +``` +rule: self.endsWith(cr.namespace + '.svc.cluster.local') +``` +
+
true
messagestring + Message is the message to display when validation fails. +Message is required if the Rule contains line breaks. Note that Message +must not contain line breaks. +If unset, a fallback message is used: "failed rule: ``". +e.g. "must be a URL with the host matching spec.host" +
false
@@ -770,14 +1753,86 @@ URIs defines the X.509 URI SANs that may be requested for. + + + + + + + +
required boolean - Required marks this field as being a required value on the request. May only be set to true if Values is also defined. Default is nil which marks the field as not required.
+ Required controls whether the related field must have at least one value. +Defaults to `false`. +
+
false
validations[]object + Validations applies rules using Common Expression Language (CEL) to +validate attribute values present on request beyond what is possible +to express using values/required. +ALL attribute values on the related CertificateRequest field must pass +ALL validations for the request to be granted by this policy. +
false
values []string - Defines the values that are permissible to be present on request. Accepts wildcards "*". An omitted field or value of `nil` forbids any value on the related field in the request from being requested. An empty slice `[]` is equivalent to `nil`, however an empty slice pared with Required `true` is an impossible condition that always denies. Values may not be `nil` if Required is `true`.
+ Values defines allowed attribute values on the related CertificateRequest field. +Accepts wildcards "*". +If set, the related field can only include items contained in the allowed values. + + +NOTE:`values: []` paired with `required: true` establishes a policy that +will never grant a `CertificateRequest`, but other policies may. +TODO: add x-kubernetes-list-type: set in v1alpha2 +
+
false
+ + +### `CertificateRequestPolicy.spec.allowed.uris.validations[index]` + + +ValidationRule describes a validation rule expressed in CEL. + + + + + + + + + + + + + + + + + + + @@ -787,7 +1842,10 @@ URIs defines the X.509 URI SANs that may be requested for. ### `CertificateRequestPolicy.spec.constraints` -Constraints is the set of attributes that _must_ be satisfied by the CertificateRequest for the request to be permissible by the policy. Empty or `nil` constraint fields mean CertificateRequests satisfy that field with any value of their corresponding attribute. +Constraints define fields that _must_ be satisfied by a +CertificateRequest for the request to be allowed by this policy. +Omitted fields place no restrictions on the corresponding +attribute in a request.
NameTypeDescriptionRequired
rulestring + Rule represents the expression which will be evaluated by CEL. +ref: https://github.com/google/cel-spec +The Rule is scoped to the location of the validations in the schema. +The `self` variable in the CEL expression is bound to the scoped value. +To enable more advanced validation rules, approver-policy provides the +`cr` (map) variable to the CEL expression containing `namespace` and +`name` of the `CertificateRequest` resource. + + +Example (rule for namespaced DNSNames): +``` +rule: self.endsWith(cr.namespace + '.svc.cluster.local') +``` +
+
true
messagestring + Message is the message to display when validation fails. +Message is required if the Rule contains line breaks. Note that Message +must not contain line breaks. +If unset, a fallback message is used: "failed rule: ``". +e.g. "must be a URL with the host matching spec.host" +
false
@@ -802,21 +1860,35 @@ Constraints is the set of attributes that _must_ be satisfied by the Certificate @@ -826,7 +1898,9 @@ Constraints is the set of attributes that _must_ be satisfied by the Certificate ### `CertificateRequestPolicy.spec.constraints.privateKey` -PrivateKey defines the shape of permissible private keys that may be used for the request with this policy. An omitted field or value of `nil` permits the use of any private key by the requestor. +PrivateKey defines constraints on the shape of private key +allowed for a CertificateRequest. +An omitted field applies no private key shape constraints.
maxDuration string - MaxDuration defines the maximum duration a certificate may be requested for. Values are inclusive (i.e. a max value of `1h` will accept a duration of `1h`). MaxDuration and MinDuration may be the same value. An omitted field or value of `nil` permits any maximum duration. If MaxDuration is defined, a duration _must_ be requested on the CertificateRequest.
+ MaxDuration defines the maximum duration for a certificate request. +for. +Values are inclusive (i.e. a value of `1h` will accept a duration of +`1h`). MinDuration and MaxDuration may be the same value. +If set, a duration _must_ be requested in the CertificateRequest. +An omitted field applies no maximum constraint for duration. +
false
minDuration string - MinDuration defines the minimum duration a certificate may be requested for. Values are inclusive (i.e. a min value of `1h` will accept a duration of `1h`). MinDuration and MaxDuration may be the same value. An omitted field or value of `nil` permits any minimum duration. If MinDuration is defined, a duration _must_ be requested on the CertificateRequest.
+ MinDuration defines the minimum duration for a certificate request. +Values are inclusive (i.e. a value of `1h` will accept a duration of +`1h`). MinDuration and MaxDuration may be the same value. +If set, a duration _must_ be requested in the CertificateRequest. +An omitted field applies no minimum constraint for duration. +
false
privateKey object - PrivateKey defines the shape of permissible private keys that may be used for the request with this policy. An omitted field or value of `nil` permits the use of any private key by the requestor.
+ PrivateKey defines constraints on the shape of private key +allowed for a CertificateRequest. +An omitted field applies no private key shape constraints. +
false
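Review bot: the new `maxDuration` description has a stray line `for.` immediately after `MaxDuration defines the maximum duration for a certificate request.`; the parallel `minDuration` text in the same hunk does not. Since this file is generated, the fix belongs in the approver-policy godoc for MaxDuration followed by a regenerate, not a hand edit here.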
@@ -841,7 +1915,10 @@ PrivateKey defines the shape of permissible private keys that may be used for th @@ -850,14 +1927,22 @@ PrivateKey defines the shape of permissible private keys that may be used for th @@ -867,7 +1952,8 @@ PrivateKey defines the shape of permissible private keys that may be used for th ### `CertificateRequestPolicy.spec.plugins[key]` -CertificateRequestPolicyPluginData is configuration needed by the plugin approver to evaluate a CertificateRequest on this policy. +CertificateRequestPolicyPluginData is configuration needed by the plugin +approver to evaluate a CertificateRequest on this policy.
algorithm enum - Algorithm defines the allowed crypto algorithm that is used by the requestor for their private key in their request. An omitted field or value of `nil` permits any Algorithm.
+ Algorithm defines the allowed crypto algorithm for the private key +in a request. +An omitted field permits any algorithm. +

Enum: RSA, ECDSA, Ed25519
maxSize integer - MaxSize defines the maximum key size a requestor may use for their private key. Values are inclusive (i.e. a min value of `2048` will accept a size of `2048`). MaxSize and MinSize may be the same value. An omitted field or value of `nil` permits any maximum size.
+ MaxSize defines the maximum key size for a private key. +Values are inclusive (i.e. a min value of `2048` will accept a size +of `2048`). MaxSize and MinSize may be the same value. +An omitted field applies no maximum constraint on size. +
false
minSize integer - MinSize defines the minimum key size a requestor may use for their private key. Values are inclusive (i.e. a min value of `2048` will accept a size of `2048`). MinSize and MaxSize may be the same value. An omitted field or value of `nil` permits any minimum size.
+ MinSize defines the minimum key size for a private key. +Values are inclusive (i.e. a min value of `2048` will accept a size +of `2048`). MinSize and MaxSize may be the same value. +An omitted field applies no minimum constraint on size. +
false
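Review bot: the `maxSize` description says `Values are inclusive (i.e. a min value of `2048` will accept a size of `2048`)`, which is the `minSize` wording copied across; it should say `a max value`. Also generated text, so correct it upstream and regenerate rather than editing the output.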
@@ -882,7 +1968,10 @@ CertificateRequestPolicyPluginData is configuration needed by the plugin approve @@ -892,7 +1981,8 @@ CertificateRequestPolicyPluginData is configuration needed by the plugin approve ### `CertificateRequestPolicy.status` -CertificateRequestPolicyStatus defines the observed state of the CertificateRequestPolicy. +CertificateRequestPolicyStatus defines the observed state of the +CertificateRequestPolicy.
values map[string]string - Values define a set of well-known, to the plugin, key value pairs that are required for the plugin to successfully evaluate a request based on this policy.
+ Values define a set of well-known, to the plugin, key value pairs that +are required for the plugin to successfully evaluate a request based on +this policy. +
false
@@ -907,7 +1997,10 @@ CertificateRequestPolicyStatus defines the observed state of the CertificateRequ @@ -917,7 +2010,8 @@ CertificateRequestPolicyStatus defines the observed state of the CertificateRequ ### `CertificateRequestPolicy.status.conditions[index]` -CertificateRequestPolicyCondition contains condition information for a CertificateRequestPolicyStatus. +CertificateRequestPolicyCondition contains condition information for a +CertificateRequestPolicyStatus.
conditions []object - List of status conditions to indicate the status of the CertificateRequestPolicy. Known condition types are `Ready`.
+ List of status conditions to indicate the status of the +CertificateRequestPolicy. +Known condition types are `Ready`. +
false
@@ -932,21 +2026,25 @@ CertificateRequestPolicyCondition contains condition information for a Certifica @@ -955,14 +2053,21 @@ CertificateRequestPolicyCondition contains condition information for a Certifica @@ -971,7 +2076,9 @@ CertificateRequestPolicyCondition contains condition information for a Certifica diff --git a/scripts/gendocs/generate-approver-policy b/scripts/gendocs/generate-approver-policy index 6d1a9652122..d68700cbbee 100755 --- a/scripts/gendocs/generate-approver-policy +++ b/scripts/gendocs/generate-approver-policy @@ -47,7 +47,7 @@ gendocs() { echo "+++ Generating reference docs..." $CRDOC \ - --resources "$tmpdir/deploy/charts/approver-policy/templates/crds/policy.cert-manager.io_certificaterequestpolicies.yaml" \ + --resources "$tmpdir/deploy/charts/approver-policy/templates/crd-policy.cert-manager.io_certificaterequestpolicies.yaml" \ --template $REPO_ROOT/scripts/gendocs/templates-approver-policy/markdown.tmpl \ --output $outputdir } @@ -57,4 +57,4 @@ git clone "https://github.com/cert-manager/approver-policy.git" "$tmpdir" checkout "main" -gendocs "$REPO_ROOT/content/docs/projects/approver-policy/api-reference.md" +gendocs "$REPO_ROOT/content/docs/policy/approval/approver-policy/api-reference.md" diff --git a/scripts/gendocs/templates-approver-policy/markdown.tmpl b/scripts/gendocs/templates-approver-policy/markdown.tmpl index 0fc0fc18e00..f1ede1f2c7a 100644 --- a/scripts/gendocs/templates-approver-policy/markdown.tmpl +++ b/scripts/gendocs/templates-approver-policy/markdown.tmpl @@ -66,7 +66,8 @@ Resource Types:
status string - Status of the condition, one of ('True', 'False', 'Unknown').
+ Status of the condition, one of ('True', 'False', 'Unknown'). +
true
type string - Type of the condition, known values are (`Ready`).
+ Type of the condition, known values are (`Ready`). +
true
lastTransitionTime string - LastTransitionTime is the timestamp corresponding to the last status change of this condition.
+ LastTransitionTime is the timestamp corresponding to the last status +change of this condition. +

Format: date-time
message string - Message is a human readable description of the details of the last transition, complementing reason.
+ Message is a human readable description of the details of the last +transition, complementing reason. +
false
observedGeneration integer - If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the CertificateRequestPolicy.
+ If set, this represents the .metadata.generation that the condition was +set based upon. +For instance, if .metadata.generation is currently 12, but the +.status.condition[x].observedGeneration is 9, the condition is out of +date with respect to the current state of the CertificateRequestPolicy. +

Format: int64
reason string - Reason is a brief machine readable explanation for the condition's last transition.
+ Reason is a brief machine readable explanation for the condition's last +transition. +
false
{{if .TypeKey}}{{.Name}}{{else}}{{.Name}}{{end}} {{.Type}} - {{.Description}}
+ {{.Description}} +
{{- if or .Schema.Format .Schema.Enum .Schema.Default .Schema.Minimum .Schema.Maximum }}
{{- end}}
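Review bot: in `scripts/gendocs/generate-approver-policy` the `--resources` path now points at `templates/crd-policy.cert-manager.io_certificaterequestpolicies.yaml` instead of `templates/crds/policy.cert-manager.io_certificaterequestpolicies.yaml`; confirm this matches the current chart layout, because the script clones approver-policy and does `checkout "main"` unpinned, so the next upstream rename will break generation again without any change on this side. Pinning a release tag would make the generated reference reproducible.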
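Review bot: putting `{{.Description}}` on its own line inside the `<td>` in `markdown.tmpl` does not address content that arrives from the CRD godoc: the regenerated output in this same diff publishes `TODO: add x-kubernetes-list-type: set in v1alpha2` in every `values` row and renders `NOTE:` with no space before the following backtick. The template has no way to filter these, so either remove the TODO from the upstream godoc before regenerating or add a strip step in the generator script.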