policies

package
v1.3.0-alpha.0

Warning: This package is not in the latest version of its module.
Published: Mar 26, 2021 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

Package policies provides functionality to evaluate a Certificate's state.

Index

Constants

const (
	// Certificate's spec.secretName secret does not exist
	DoesNotExist string = "DoesNotExist"
	// Certificate's spec.secretName secret has missing data
	MissingData string = "MissingData"
	// Public key of certificate does not match private key
	InvalidKeyPair string = "InvalidKeyPair"
	// Secret's private key does not match spec
	SecretMismatch string = "SecretMismatch"
	// Certificate has been issued by incorrect Issuer
	IncorrectIssuer string = "IncorrectIssuer"
	// CertificateRequest not valid for Certificate's spec
	RequestChanged string = "RequestChanged"
	// Certificate's renewal time is now or in past
	Renewing string = "Renewing"
	// Certificate has expired
	Expired string = "Expired"
)

Variables

This section is empty.

Functions

func CurrentCertificateRequestNotValidForSpec added in v1.3.0

func CurrentCertificateRequestNotValidForSpec(input Input) (string, string, bool)

func SecretDoesNotExist

func SecretDoesNotExist(input Input) (string, string, bool)

func SecretIsMissingData added in v1.3.0

func SecretIsMissingData(input Input) (string, string, bool)

func SecretIssuerAnnotationsNotUpToDate added in v1.3.0

func SecretIssuerAnnotationsNotUpToDate(input Input) (string, string, bool)

func SecretPrivateKeyMatchesSpec

func SecretPrivateKeyMatchesSpec(input Input) (string, string, bool)

func SecretPublicKeysDiffer added in v1.3.0

func SecretPublicKeysDiffer(input Input) (string, string, bool)

Types

type Chain

type Chain []Func

A Chain is a slice of Funcs (policy functions) that are evaluated in order.

func NewTriggerPolicyChain

func NewTriggerPolicyChain(c clock.Clock, defaultRenewBeforeExpiryDuration time.Duration) Chain

func (Chain) Evaluate

func (c Chain) Evaluate(input Input) (string, string, bool)

Evaluate will evaluate the entire policy chain using the provided input. As soon as it is discovered that the input violates one policy, Evaluate will return and not evaluate the rest of the chain.

type Func

type Func func(Input) (reason, message string, reissue bool)

A Func evaluates the given input data and decides whether a re-issuance is required, returning additional human readable information in the 'reason' and 'message' return parameters if so.

func CurrentCertificateHasExpired

func CurrentCertificateHasExpired(c clock.Clock) Func

CurrentCertificateHasExpired returns a policy function used exclusively to check whether the currently issued certificate has actually expired, rather than merely nearing expiry.

func CurrentCertificateNearingExpiry

func CurrentCertificateNearingExpiry(c clock.Clock, defaultRenewBeforeExpiryDuration time.Duration) Func

CurrentCertificateNearingExpiry returns a policy function that can be used to check whether an X.509 cert currently issued for a Certificate should be renewed.
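To make the difference between the two time-based policies concrete, here is an added example in Go (not the project's code) that implements both against a pinned clock. Clock and Input are stand-ins (assumption) for the clock.Clock parameter and the package's Input, and the clamp in renewalTime is this example's own guard, not something the page documents. The cases cover the default renewBefore, a renewBefore that puts the renewal time exactly at "now" (the "now or in past" rule behind the Renewing reason fires), a renewBefore longer than the certificate's lifetime, and a certificate whose notAfter is exactly now.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"time"
)

// Clock stands in for the package's clock.Clock parameter (assumption); pinning
// "now" makes the boundary cases below reproducible.
type Clock interface{ Now() time.Time }

type fixedClock time.Time

func (c fixedClock) Now() time.Time { return time.Time(c) }

// Input is a simplified stand-in (assumption) for the package's Input: only the
// issued certificate and the Certificate's spec.renewBefore are consulted here.
type Input struct {
	Cert        *x509.Certificate
	RenewBefore time.Duration // zero means "use the controller default"
}

type Func func(Input) (reason, message string, reissue bool)

// renewalTime is notAfter - renewBefore. The clamp is this example's own guard
// (assumption): a renewBefore that covers the whole lifetime would make the
// policy fire immediately after every issuance, so fall back to 2/3 of lifetime.
func renewalTime(cert *x509.Certificate, renewBefore time.Duration) time.Time {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	if renewBefore <= 0 || renewBefore >= lifetime {
		renewBefore = lifetime / 3
	}
	return cert.NotAfter.Add(-renewBefore)
}

// CurrentCertificateHasExpired fires only once notAfter is now or in the past;
// it says nothing about whether renewal is due.
func CurrentCertificateHasExpired(c Clock) Func {
	return func(in Input) (string, string, bool) {
		if !c.Now().Before(in.Cert.NotAfter) {
			return "Expired", "certificate expired at " + in.Cert.NotAfter.Format(time.RFC3339), true
		}
		return "", "", false
	}
}

// CurrentCertificateNearingExpiry fires once the renewal time is now or in the
// past, which is normally well before the certificate actually expires.
func CurrentCertificateNearingExpiry(c Clock, defaultRenewBefore time.Duration) Func {
	return func(in Input) (string, string, bool) {
		renewBefore := in.RenewBefore
		if renewBefore == 0 {
			renewBefore = defaultRenewBefore
		}
		if at := renewalTime(in.Cert, renewBefore); !c.Now().Before(at) {
			return "Renewing", "renewal was due at " + at.Format(time.RFC3339), true
		}
		return "", "", false
	}
}

func main() {
	now := time.Date(2021, 3, 26, 12, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	expired := CurrentCertificateHasExpired(fixedClock(now))
	nearing := CurrentCertificateNearingExpiry(fixedClock(now), 20*day)
	// Constructed certificates: a 90-day one issued 61 days ago, and one whose
	// notAfter is exactly "now".
	live := &x509.Certificate{NotBefore: now.Add(-61 * day), NotAfter: now.Add(29 * day)}
	dead := &x509.Certificate{NotBefore: now.Add(-day), NotAfter: now}
	for _, in := range []Input{
		{Cert: live},                         // default 20d: renewal at now+9d, not due
		{Cert: live, RenewBefore: 29 * day},  // renewal time == now: due
		{Cert: live, RenewBefore: 120 * day}, // longer than lifetime: clamped to 30d, due
		{Cert: dead},                         // expired, and therefore also due
	} {
		_, _, isExpired := expired(in)
		reason, msg, reissue := nearing(in)
		fmt.Printf("renewBefore=%-6v expired=%-5t reissue=%-5t %s %s\n", in.RenewBefore, isExpired, reissue, reason, msg)
	}
}
```

Because Renewing is raised as soon as the renewal time is reached, a controller that reconciles on this policy must also persist the fact that a re-issuance is in flight; otherwise every reconcile between the trigger and the new certificate landing in the secret would re-trigger.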

type Gatherer

type Gatherer struct {
	CertificateRequestLister cmlisters.CertificateRequestLister
	SecretLister             corelisters.SecretLister
}

Gatherer is used to gather data about a Certificate in order to evaluate its current readiness/state by applying policy functions to it.

func (*Gatherer) DataForCertificate

func (g *Gatherer) DataForCertificate(ctx context.Context, crt *cmapi.Certificate) (Input, error)

DataForCertificate returns the secret as well as the "current" certificate request associated with the given certificate. It also returns the given certificate as-is.

The "current" certificate request designates the certificate request that led to the current revision of the certificate. The "current" certificate request is by definition in a ready state, and can be seen as the source of information of the current certificate.

This "current" certificate request is not to be confused with the "next" certificate request that you might get by listing the CRs for the certificate's revision+1; these "next" CRs might not be ready yet.

We need the "current" certificate request because this CR contains the "source of truth" of the current certificate, and getting the "current" CR allows us to check whether the current certificate still matches the already-issued certificate request.

An error is returned when two certificate requests are found for the pair (certificate's revision, certificate's uid). This function does not return any apierrors.NewNotFound errors for either the secret or the certificate request. Instead, if either the secret or the certificate request is not found, the returned secret (respectively, certificate request) is left nil.

type Input

type Input struct {
	Certificate *cmapi.Certificate
	Secret      *corev1.Secret

	// The "current" certificate request designates the certificate request
	// that led to the current revision of the certificate. The "current"
	// certificate request is by definition in a ready state, and can be seen
	// as the source of information of the current certificate.
	//
	// This "current" certificate request is not to be confused with the "next"
	// certificate request that you might get by listing the CRs for the
	// certificate's revision+1; these "next" CRs might not be ready yet.
	//
	// We need the "current" certificate request because this CR contains the
	// "source of truth" of the current certificate, and getting the "current"
	// CR allows us to check whether the current certificate still matches the
	// already-issued certificate request.
	CurrentRevisionRequest *cmapi.CertificateRequest
}
