diff --git a/policy.cert-manager.io/certificaterequestpolicy_v1alpha1.json b/policy.cert-manager.io/certificaterequestpolicy_v1alpha1.json new file mode 100644 index 00000000..8d91e536 --- /dev/null +++ b/policy.cert-manager.io/certificaterequestpolicy_v1alpha1.json @@ -0,0 +1,800 @@ +{ + "description": "CertificateRequestPolicy is an object for describing a \"policy profile\" that\nmakes decisions on whether applicable CertificateRequests should be approved\nor denied.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "CertificateRequestPolicySpec defines the desired state of\nCertificateRequestPolicy.", + "properties": { + "allowed": { + "description": "Allowed defines the allowed attributes for a CertificateRequest.\nA CertificateRequest can request _less_ than what is allowed,\nbut _not more_, i.e. a CertificateRequest can request a subset of what\nis declared as allowed by the policy.\nOmitted fields declare that the equivalent CertificateRequest\nfield _must_ be omitted or have an empty value for the request to be\npermitted.", + "properties": { + "commonName": { + "description": "CommonName defines the X.509 Common Name that may be requested.", + "properties": { + "required": { + "description": "Required marks that the related field must be provided and not be an\nempty string.\nDefaults to `false`.", + "type": "boolean" + }, + "validations": { + "description": "Validations applies rules using Common Expression Language (CEL) to\nvalidate attribute value present on request beyond what is possible\nto express using value/required.\nAn attribute value on the related CertificateRequest field must pass\nALL validations for the request to be granted by this policy.", + "items": { + "description": "ValidationRule describes a validation rule expressed in CEL.", + "properties": { + "message": { + "description": "Message is the message to display when validation fails.\nMessage is required if the Rule contains line breaks. Note that Message\nmust not contain line breaks.\nIf unset, a fallback message is used: \"failed rule: ``\".\ne.g. \"must be a URL with the host matching spec.host\"", + "type": "string" + }, + "rule": { + "description": "Rule represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nThe Rule is scoped to the location of the validations in the schema.\nThe `self` variable in the CEL expression is bound to the scoped value.\nTo enable more advanced validation rules, approver-policy provides the\n`cr` (map) variable to the CEL expression containing `namespace` and\n`name` of the `CertificateRequest` resource.\n\nExample (rule for namespaced DNSNames):\n```\nrule: self.endsWith(cr.namespace + '.svc.cluster.local')\n```", + "type": "string" + } + }, + "required": [ + "rule" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "rule" + ], + "x-kubernetes-list-type": "map" + }, + "value": { + "description": "Value defines the allowed attribute value on the related CertificateRequest field.\nAccepts wildcards \"*\".\nIf set, the related field must match the specified pattern.\n\nNOTE:`value: \"\"` paired with `required: true` establishes a policy that\nwill never grant a `CertificateRequest`, but other policies may.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "dnsNames": { + "description": "DNSNames defines the X.509 DNS SANs that may be requested.", + "properties": { + "required": { + "description": "Required controls whether the related field must have at least one value.\nDefaults to `false`.", + "type": "boolean" + }, + "validations": { + "description": "Validations applies rules using Common Expression Language (CEL) to\nvalidate attribute values present on request beyond what is possible\nto express using values/required.\nALL attribute values on the related CertificateRequest field must pass\nALL validations for the request to be granted by this policy.", + "items": { + "description": "ValidationRule describes a validation rule expressed in CEL.", + "properties": { + "message": { + "description": "Message is the message to display when validation fails.\nMessage is required if the Rule contains line breaks. Note that Message\nmust not contain line breaks.\nIf unset, a fallback message is used: \"failed rule: ``\".\ne.g. \"must be a URL with the host matching spec.host\"", + "type": "string" + }, + "rule": { + "description": "Rule represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nThe Rule is scoped to the location of the validations in the schema.\nThe `self` variable in the CEL expression is bound to the scoped value.\nTo enable more advanced validation rules, approver-policy provides the\n`cr` (map) variable to the CEL expression containing `namespace` and\n`name` of the `CertificateRequest` resource.\n\nExample (rule for namespaced DNSNames):\n```\nrule: self.endsWith(cr.namespace + '.svc.cluster.local')\n```", + "type": "string" + } + }, + "required": [ + "rule" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "rule" + ], + "x-kubernetes-list-type": "map" + }, + "values": { + "description": "Values defines allowed attribute values on the related CertificateRequest field.\nAccepts wildcards \"*\".\nIf set, the related field can only include items contained in the allowed values.\n\nNOTE:`values: []` paired with `required: true` establishes a policy that\nwill never grant a `CertificateRequest`, but other policies may.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "emailAddresses": { + "description": "EmailAddresses defines the X.509 Email SANs that may be requested.", + "properties": { + "required": { + "description": "Required controls whether the related field must have at least one value.\nDefaults to `false`.", + "type": "boolean" + }, + "validations": { + "description": "Validations applies rules using Common Expression Language (CEL) to\nvalidate attribute values present on request beyond what is possible\nto express using values/required.\nALL attribute values on the related CertificateRequest field must pass\nALL validations for the request to be granted by this policy.", + "items": { + "description": "ValidationRule describes a validation rule expressed in CEL.", + "properties": { + "message": { + "description": "Message is the message to display when validation fails.\nMessage is required if the Rule contains line breaks. Note that Message\nmust not contain line breaks.\nIf unset, a fallback message is used: \"failed rule: ``\".\ne.g. \"must be a URL with the host matching spec.host\"", + "type": "string" + }, + "rule": { + "description": "Rule represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nThe Rule is scoped to the location of the validations in the schema.\nThe `self` variable in the CEL expression is bound to the scoped value.\nTo enable more advanced validation rules, approver-policy provides the\n`cr` (map) variable to the CEL expression containing `namespace` and\n`name` of the `CertificateRequest` resource.\n\nExample (rule for namespaced DNSNames):\n```\nrule: self.endsWith(cr.namespace + '.svc.cluster.local')\n```", + "type": "string" + } + }, + "required": [ + "rule" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "rule" + ], + "x-kubernetes-list-type": "map" + }, + "values": { + "description": "Values defines allowed attribute values on the related CertificateRequest field.\nAccepts wildcards \"*\".\nIf set, the related field can only include items contained in the allowed values.\n\nNOTE:`values: []` paired with `required: true` establishes a policy that\nwill never grant a `CertificateRequest`, but other policies may.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "ipAddresses": { + "description": "IPAddresses defines the X.509 IP SANs that may be requested.", + "properties": { + "required": { + "description": "Required controls whether the related field must have at least one value.\nDefaults to `false`.", + "type": "boolean" + }, + "validations": { + "description": "Validations applies rules using Common Expression Language (CEL) to\nvalidate attribute values present on request beyond what is possible\nto express using values/required.\nALL attribute values on the related CertificateRequest field must pass\nALL validations for the request to be granted by this policy.", + "items": { + "description": "ValidationRule describes a validation rule expressed in CEL.", + "properties": { + "message": { + "description": "Message is the message to display when validation fails.\nMessage is required if the Rule contains line breaks. Note that Message\nmust not contain line breaks.\nIf unset, a fallback message is used: \"failed rule: ``\".\ne.g. \"must be a URL with the host matching spec.host\"", + "type": "string" + }, + "rule": { + "description": "Rule represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nThe Rule is scoped to the location of the validations in the schema.\nThe `self` variable in the CEL expression is bound to the scoped value.\nTo enable more advanced validation rules, approver-policy provides the\n`cr` (map) variable to the CEL expression containing `namespace` and\n`name` of the `CertificateRequest` resource.\n\nExample (rule for namespaced DNSNames):\n```\nrule: self.endsWith(cr.namespace + '.svc.cluster.local')\n```", + "type": "string" + } + }, + "required": [ + "rule" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "rule" + ], + "x-kubernetes-list-type": "map" + }, + "values": { + "description": "Values defines allowed attribute values on the related CertificateRequest field.\nAccepts wildcards \"*\".\nIf set, the related field can only include items contained in the allowed values.\n\nNOTE:`values: []` paired with `required: true` establishes a policy that\nwill never grant a `CertificateRequest`, but other policies may.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "isCA": { + "description": "IsCA defines if a CertificateRequest is allowed to set the `spec.isCA`\nfield set to `true`.\nIf `true`, the `spec.isCA` field can be `true` or `false`.\nIf `false` or unset, the `spec.isCA` field must be `false`.", + "type": "boolean" + }, + "subject": { + "description": "Subject declares the X.509 Subject attributes allowed in a\nCertificateRequest. An omitted field forbids any Subject attributes\nfrom being requested.\nA CertificateRequest can request a subset of the allowed X.509 Subject\nattributes.", + "properties": { + "countries": { + "description": "Countries define the X.509 Subject Countries that may be requested.", + "properties": { + "required": { + "description": "Required controls whether the related field must have at least one value.\nDefaults to `false`.", + "type": "boolean" + }, + "validations": { + "description": "Validations applies rules using Common Expression Language (CEL) to\nvalidate attribute values present on request beyond what is possible\nto express using values/required.\nALL attribute values on the related CertificateRequest field must pass\nALL validations for the request to be granted by this policy.", + "items": { + "description": "ValidationRule describes a validation rule expressed in CEL.", + "properties": { + "message": { + "description": "Message is the message to display when validation fails.\nMessage is required if the Rule contains line breaks. Note that Message\nmust not contain line breaks.\nIf unset, a fallback message is used: \"failed rule: ``\".\ne.g. \"must be a URL with the host matching spec.host\"", + "type": "string" + }, + "rule": { + "description": "Rule represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nThe Rule is scoped to the location of the validations in the schema.\nThe `self` variable in the CEL expression is bound to the scoped value.\nTo enable more advanced validation rules, approver-policy provides the\n`cr` (map) variable to the CEL expression containing `namespace` and\n`name` of the `CertificateRequest` resource.\n\nExample (rule for namespaced DNSNames):\n```\nrule: self.endsWith(cr.namespace + '.svc.cluster.local')\n```", + "type": "string" + } + }, + "required": [ + "rule" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "rule" + ], + "x-kubernetes-list-type": "map" + }, + "values": { + "description": "Values defines allowed attribute values on the related CertificateRequest field.\nAccepts wildcards \"*\".\nIf set, the related field can only include items contained in the allowed values.\n\nNOTE:`values: []` paired with `required: true` establishes a policy that\nwill never grant a `CertificateRequest`, but other policies may.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "localities": { + "description": "Localities defines the X.509 Subject Localities that may be requested.", + "properties": { + "required": { + "description": "Required controls whether the related field must have at least one value.\nDefaults to `false`.", + "type": "boolean" + }, + "validations": { + "description": "Validations applies rules using Common Expression Language (CEL) to\nvalidate attribute values present on request beyond what is possible\nto express using values/required.\nALL attribute values on the related CertificateRequest field must pass\nALL validations for the request to be granted by this policy.", + "items": { + "description": "ValidationRule describes a validation rule expressed in CEL.", + "properties": { + "message": { + "description": "Message is the message to display when validation fails.\nMessage is required if the Rule contains line breaks. Note that Message\nmust not contain line breaks.\nIf unset, a fallback message is used: \"failed rule: ``\".\ne.g. \"must be a URL with the host matching spec.host\"", + "type": "string" + }, + "rule": { + "description": "Rule represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nThe Rule is scoped to the location of the validations in the schema.\nThe `self` variable in the CEL expression is bound to the scoped value.\nTo enable more advanced validation rules, approver-policy provides the\n`cr` (map) variable to the CEL expression containing `namespace` and\n`name` of the `CertificateRequest` resource.\n\nExample (rule for namespaced DNSNames):\n```\nrule: self.endsWith(cr.namespace + '.svc.cluster.local')\n```", + "type": "string" + } + }, + "required": [ + "rule" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "rule" + ], + "x-kubernetes-list-type": "map" + }, + "values": { + "description": "Values defines allowed attribute values on the related CertificateRequest field.\nAccepts wildcards \"*\".\nIf set, the related field can only include items contained in the allowed values.\n\nNOTE:`values: []` paired with `required: true` establishes a policy that\nwill never grant a `CertificateRequest`, but other policies may.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "organizationalUnits": { + "description": "OrganizationalUnits defines the X.509 Subject Organizational Units that\nmay be requested.", + "properties": { + "required": { + "description": "Required controls whether the related field must have at least one value.\nDefaults to `false`.", + "type": "boolean" + }, + "validations": { + "description": "Validations applies rules using Common Expression Language (CEL) to\nvalidate attribute values present on request beyond what is possible\nto express using values/required.\nALL attribute values on the related CertificateRequest field must pass\nALL validations for the request to be granted by this policy.", + "items": { + "description": "ValidationRule describes a validation rule expressed in CEL.", + "properties": { + "message": { + "description": "Message is the message to display when validation fails.\nMessage is required if the Rule contains line breaks. Note that Message\nmust not contain line breaks.\nIf unset, a fallback message is used: \"failed rule: ``\".\ne.g. \"must be a URL with the host matching spec.host\"", + "type": "string" + }, + "rule": { + "description": "Rule represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nThe Rule is scoped to the location of the validations in the schema.\nThe `self` variable in the CEL expression is bound to the scoped value.\nTo enable more advanced validation rules, approver-policy provides the\n`cr` (map) variable to the CEL expression containing `namespace` and\n`name` of the `CertificateRequest` resource.\n\nExample (rule for namespaced DNSNames):\n```\nrule: self.endsWith(cr.namespace + '.svc.cluster.local')\n```", + "type": "string" + } + }, + "required": [ + "rule" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "rule" + ], + "x-kubernetes-list-type": "map" + }, + "values": { + "description": "Values defines allowed attribute values on the related CertificateRequest field.\nAccepts wildcards \"*\".\nIf set, the related field can only include items contained in the allowed values.\n\nNOTE:`values: []` paired with `required: true` establishes a policy that\nwill never grant a `CertificateRequest`, but other policies may.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "organizations": { + "description": "Organizations define the X.509 Subject Organizations that may be\nrequested.", + "properties": { + "required": { + "description": "Required controls whether the related field must have at least one value.\nDefaults to `false`.", + "type": "boolean" + }, + "validations": { + "description": "Validations applies rules using Common Expression Language (CEL) to\nvalidate attribute values present on request beyond what is possible\nto express using values/required.\nALL attribute values on the related CertificateRequest field must pass\nALL validations for the request to be granted by this policy.", + "items": { + "description": "ValidationRule describes a validation rule expressed in CEL.", + "properties": { + "message": { + "description": "Message is the message to display when validation fails.\nMessage is required if the Rule contains line breaks. Note that Message\nmust not contain line breaks.\nIf unset, a fallback message is used: \"failed rule: ``\".\ne.g. \"must be a URL with the host matching spec.host\"", + "type": "string" + }, + "rule": { + "description": "Rule represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nThe Rule is scoped to the location of the validations in the schema.\nThe `self` variable in the CEL expression is bound to the scoped value.\nTo enable more advanced validation rules, approver-policy provides the\n`cr` (map) variable to the CEL expression containing `namespace` and\n`name` of the `CertificateRequest` resource.\n\nExample (rule for namespaced DNSNames):\n```\nrule: self.endsWith(cr.namespace + '.svc.cluster.local')\n```", + "type": "string" + } + }, + "required": [ + "rule" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "rule" + ], + "x-kubernetes-list-type": "map" + }, + "values": { + "description": "Values defines allowed attribute values on the related CertificateRequest field.\nAccepts wildcards \"*\".\nIf set, the related field can only include items contained in the allowed values.\n\nNOTE:`values: []` paired with `required: true` establishes a policy that\nwill never grant a `CertificateRequest`, but other policies may.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "postalCodes": { + "description": "PostalCodes defines the X.509 Subject Postal Codes that may be requested.", + "properties": { + "required": { + "description": "Required controls whether the related field must have at least one value.\nDefaults to `false`.", + "type": "boolean" + }, + "validations": { + "description": "Validations applies rules using Common Expression Language (CEL) to\nvalidate attribute values present on request beyond what is possible\nto express using values/required.\nALL attribute values on the related CertificateRequest field must pass\nALL validations for the request to be granted by this policy.", + "items": { + "description": "ValidationRule describes a validation rule expressed in CEL.", + "properties": { + "message": { + "description": "Message is the message to display when validation fails.\nMessage is required if the Rule contains line breaks. Note that Message\nmust not contain line breaks.\nIf unset, a fallback message is used: \"failed rule: ``\".\ne.g. \"must be a URL with the host matching spec.host\"", + "type": "string" + }, + "rule": { + "description": "Rule represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nThe Rule is scoped to the location of the validations in the schema.\nThe `self` variable in the CEL expression is bound to the scoped value.\nTo enable more advanced validation rules, approver-policy provides the\n`cr` (map) variable to the CEL expression containing `namespace` and\n`name` of the `CertificateRequest` resource.\n\nExample (rule for namespaced DNSNames):\n```\nrule: self.endsWith(cr.namespace + '.svc.cluster.local')\n```", + "type": "string" + } + }, + "required": [ + "rule" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "rule" + ], + "x-kubernetes-list-type": "map" + }, + "values": { + "description": "Values defines allowed attribute values on the related CertificateRequest field.\nAccepts wildcards \"*\".\nIf set, the related field can only include items contained in the allowed values.\n\nNOTE:`values: []` paired with `required: true` establishes a policy that\nwill never grant a `CertificateRequest`, but other policies may.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "provinces": { + "description": "Provinces defines the X.509 Subject Provinces that may be requested.", + "properties": { + "required": { + "description": "Required controls whether the related field must have at least one value.\nDefaults to `false`.", + "type": "boolean" + }, + "validations": { + "description": "Validations applies rules using Common Expression Language (CEL) to\nvalidate attribute values present on request beyond what is possible\nto express using values/required.\nALL attribute values on the related CertificateRequest field must pass\nALL validations for the request to be granted by this policy.", + "items": { + "description": "ValidationRule describes a validation rule expressed in CEL.", + "properties": { + "message": { + "description": "Message is the message to display when validation fails.\nMessage is required if the Rule contains line breaks. Note that Message\nmust not contain line breaks.\nIf unset, a fallback message is used: \"failed rule: ``\".\ne.g. \"must be a URL with the host matching spec.host\"", + "type": "string" + }, + "rule": { + "description": "Rule represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nThe Rule is scoped to the location of the validations in the schema.\nThe `self` variable in the CEL expression is bound to the scoped value.\nTo enable more advanced validation rules, approver-policy provides the\n`cr` (map) variable to the CEL expression containing `namespace` and\n`name` of the `CertificateRequest` resource.\n\nExample (rule for namespaced DNSNames):\n```\nrule: self.endsWith(cr.namespace + '.svc.cluster.local')\n```", + "type": "string" + } + }, + "required": [ + "rule" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "rule" + ], + "x-kubernetes-list-type": "map" + }, + "values": { + "description": "Values defines allowed attribute values on the related CertificateRequest field.\nAccepts wildcards \"*\".\nIf set, the related field can only include items contained in the allowed values.\n\nNOTE:`values: []` paired with `required: true` establishes a policy that\nwill never grant a `CertificateRequest`, but other policies may.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "serialNumber": { + "description": "SerialNumber defines the X.509 Subject Serial Number that may be\nrequested.", + "properties": { + "required": { + "description": "Required marks that the related field must be provided and not be an\nempty string.\nDefaults to `false`.", + "type": "boolean" + }, + "validations": { + "description": "Validations applies rules using Common Expression Language (CEL) to\nvalidate attribute value present on request beyond what is possible\nto express using value/required.\nAn attribute value on the related CertificateRequest field must pass\nALL validations for the request to be granted by this policy.", + "items": { + "description": "ValidationRule describes a validation rule expressed in CEL.", + "properties": { + "message": { + "description": "Message is the message to display when validation fails.\nMessage is required if the Rule contains line breaks. Note that Message\nmust not contain line breaks.\nIf unset, a fallback message is used: \"failed rule: ``\".\ne.g. \"must be a URL with the host matching spec.host\"", + "type": "string" + }, + "rule": { + "description": "Rule represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nThe Rule is scoped to the location of the validations in the schema.\nThe `self` variable in the CEL expression is bound to the scoped value.\nTo enable more advanced validation rules, approver-policy provides the\n`cr` (map) variable to the CEL expression containing `namespace` and\n`name` of the `CertificateRequest` resource.\n\nExample (rule for namespaced DNSNames):\n```\nrule: self.endsWith(cr.namespace + '.svc.cluster.local')\n```", + "type": "string" + } + }, + "required": [ + "rule" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "rule" + ], + "x-kubernetes-list-type": "map" + }, + "value": { + "description": "Value defines the allowed attribute value on the related CertificateRequest field.\nAccepts wildcards \"*\".\nIf set, the related field must match the specified pattern.\n\nNOTE:`value: \"\"` paired with `required: true` establishes a policy that\nwill never grant a `CertificateRequest`, but other policies may.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "streetAddresses": { + "description": "StreetAddresses defines the X.509 Subject Street Addresses that may be\nrequested.", + "properties": { + "required": { + "description": "Required controls whether the related field must have at least one value.\nDefaults to `false`.", + "type": "boolean" + }, + "validations": { + "description": "Validations applies rules using Common Expression Language (CEL) to\nvalidate attribute values present on request beyond what is possible\nto express using values/required.\nALL attribute values on the related CertificateRequest field must pass\nALL validations for the request to be granted by this policy.", + "items": { + "description": "ValidationRule describes a validation rule expressed in CEL.", + "properties": { + "message": { + "description": "Message is the message to display when validation fails.\nMessage is required if the Rule contains line breaks. Note that Message\nmust not contain line breaks.\nIf unset, a fallback message is used: \"failed rule: ``\".\ne.g. \"must be a URL with the host matching spec.host\"", + "type": "string" + }, + "rule": { + "description": "Rule represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nThe Rule is scoped to the location of the validations in the schema.\nThe `self` variable in the CEL expression is bound to the scoped value.\nTo enable more advanced validation rules, approver-policy provides the\n`cr` (map) variable to the CEL expression containing `namespace` and\n`name` of the `CertificateRequest` resource.\n\nExample (rule for namespaced DNSNames):\n```\nrule: self.endsWith(cr.namespace + '.svc.cluster.local')\n```", + "type": "string" + } + }, + "required": [ + "rule" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "rule" + ], + "x-kubernetes-list-type": "map" + }, + "values": { + "description": "Values defines allowed attribute values on the related CertificateRequest field.\nAccepts wildcards \"*\".\nIf set, the related field can only include items contained in the allowed values.\n\nNOTE:`values: []` paired with `required: true` establishes a policy that\nwill never grant a `CertificateRequest`, but other policies may.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "uris": { + "description": "URIs defines the X.509 URI SANs that may be requested.", + "properties": { + "required": { + "description": "Required controls whether the related field must have at least one value.\nDefaults to `false`.", + "type": "boolean" + }, + "validations": { + "description": "Validations applies rules using Common Expression Language (CEL) to\nvalidate attribute values present on request beyond what is possible\nto express using values/required.\nALL attribute values on the related CertificateRequest field must pass\nALL validations for the request to be granted by this policy.", + "items": { + "description": "ValidationRule describes a validation rule expressed in CEL.", + "properties": { + "message": { + "description": "Message is the message to display when validation fails.\nMessage is required if the Rule contains line breaks. Note that Message\nmust not contain line breaks.\nIf unset, a fallback message is used: \"failed rule: ``\".\ne.g. \"must be a URL with the host matching spec.host\"", + "type": "string" + }, + "rule": { + "description": "Rule represents the expression which will be evaluated by CEL.\nref: https://github.com/google/cel-spec\nThe Rule is scoped to the location of the validations in the schema.\nThe `self` variable in the CEL expression is bound to the scoped value.\nTo enable more advanced validation rules, approver-policy provides the\n`cr` (map) variable to the CEL expression containing `namespace` and\n`name` of the `CertificateRequest` resource.\n\nExample (rule for namespaced DNSNames):\n```\nrule: self.endsWith(cr.namespace + '.svc.cluster.local')\n```", + "type": "string" + } + }, + "required": [ + "rule" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "rule" + ], + "x-kubernetes-list-type": "map" + }, + "values": { + "description": "Values defines allowed attribute values on the related CertificateRequest field.\nAccepts wildcards \"*\".\nIf set, the related field can only include items contained in the allowed values.\n\nNOTE:`values: []` paired with `required: true` establishes a policy that\nwill never grant a `CertificateRequest`, but other policies may.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "usages": { + "description": "Usages defines the key usages that may be included in a\nCertificateRequest `spec.keyUsages` field.\nIf set, `spec.keyUsages` in a CertificateRequest must be a subset of the\nspecified values.\nIf `[]` or unset, no `spec.keyUsages` are allowed.", + "items": { + "description": "KeyUsage specifies valid usage contexts for keys.\nSee:\nhttps://tools.ietf.org/html/rfc5280#section-4.2.1.3\nhttps://tools.ietf.org/html/rfc5280#section-4.2.1.12\n\nValid KeyUsage values are as follows:\n\"signing\",\n\"digital signature\",\n\"content commitment\",\n\"key encipherment\",\n\"key agreement\",\n\"data encipherment\",\n\"cert sign\",\n\"crl sign\",\n\"encipher only\",\n\"decipher only\",\n\"any\",\n\"server auth\",\n\"client auth\",\n\"code signing\",\n\"email protection\",\n\"s/mime\",\n\"ipsec end system\",\n\"ipsec tunnel\",\n\"ipsec user\",\n\"timestamping\",\n\"ocsp signing\",\n\"microsoft sgc\",\n\"netscape sgc\"", + "enum": [ + "signing", + "digital signature", + "content commitment", + "key encipherment", + "key agreement", + "data encipherment", + "cert sign", + "crl sign", + "encipher only", + "decipher only", + "any", + "server auth", + "client auth", + "code signing", + "email protection", + "s/mime", + "ipsec end system", + "ipsec tunnel", + "ipsec user", + "timestamping", + "ocsp signing", + "microsoft sgc", + "netscape sgc" + ], + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "constraints": { + "description": "Constraints define fields that _must_ be satisfied by a\nCertificateRequest for the request to be allowed by this policy.\nOmitted fields place no restrictions on the corresponding\nattribute in a request.", + "properties": { + "maxDuration": { + "description": "MaxDuration defines the maximum duration for a certificate request.\nfor.\nValues are inclusive (i.e. a value of `1h` will accept a duration of\n`1h`). MinDuration and MaxDuration may be the same value.\nIf set, a duration _must_ be requested in the CertificateRequest.\nAn omitted field applies no maximum constraint for duration.", + "type": "string" + }, + "minDuration": { + "description": "MinDuration defines the minimum duration for a certificate request.\nValues are inclusive (i.e. a value of `1h` will accept a duration of\n`1h`). MinDuration and MaxDuration may be the same value.\nIf set, a duration _must_ be requested in the CertificateRequest.\nAn omitted field applies no minimum constraint for duration.", + "type": "string" + }, + "privateKey": { + "description": "PrivateKey defines constraints on the shape of private key\nallowed for a CertificateRequest.\nAn omitted field applies no private key shape constraints.", + "properties": { + "algorithm": { + "description": "Algorithm defines the allowed crypto algorithm for the private key\nin a request.\nAn omitted field permits any algorithm.", + "enum": [ + "RSA", + "ECDSA", + "Ed25519" + ], + "type": "string" + }, + "maxSize": { + "description": "MaxSize defines the maximum key size for a private key.\nValues are inclusive (i.e. a min value of `2048` will accept a size\nof `2048`). MaxSize and MinSize may be the same value.\nAn omitted field applies no maximum constraint on size.", + "type": "integer" + }, + "minSize": { + "description": "MinSize defines the minimum key size for a private key.\nValues are inclusive (i.e. a min value of `2048` will accept a size\nof `2048`). MinSize and MaxSize may be the same value.\nAn omitted field applies no minimum constraint on size.", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "plugins": { + "additionalProperties": { + "description": "CertificateRequestPolicyPluginData is configuration needed by the plugin\napprover to evaluate a CertificateRequest on this policy.", + "properties": { + "values": { + "additionalProperties": { + "type": "string" + }, + "description": "Values define a set of well-known, to the plugin, key value pairs that\nare required for the plugin to successfully evaluate a request based on\nthis policy.", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "description": "Plugins are approvers that are built into approver-policy at\ncompile-time. This is an advanced feature typically used to extend\napprover-policy core features. This field define plugins and their\nconfiguration that should be executed when this policy is evaluated\nagainst a CertificateRequest.", + "type": "object" + }, + "selector": { + "description": "Selector is used for selecting over which CertificateRequests this\nCertificateRequestPolicy is appropriate for and so will be used for its\napproval evaluation.", + "properties": { + "issuerRef": { + "description": "IssuerRef is used to match by issuer, meaning the\nCertificateRequestPolicy will only evaluate CertificateRequests\nreferring to matching issuers.\nCertificateRequests will not be processed if the issuer does not match,\nregardless of whether the requestor is bound by RBAC.\n\nThe following value will match _all_ issuers:\n```\nissuerRef: {}\n```", + "properties": { + "group": { + "description": "Group is the wildcard selector to match the `spec.issuerRef.group` field\non requests.\nAccepts wildcards \"*\".\nAn omitted field matches all groups.", + "type": "string" + }, + "kind": { + "description": "Kind is the wildcard selector to match the `spec.issuerRef.kind` field\non requests.\nAccepts wildcards \"*\".\nAn omitted field matches all kinds.", + "type": "string" + }, + "name": { + "description": "Name is a wildcard enabled selector that matches the\n`spec.issuerRef.name` field of requests.\nAccepts wildcards \"*\".\nAn omitted field matches all names.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "namespace": { + "description": "Namespace is used to match by namespace, meaning the\nCertificateRequestPolicy will only match CertificateRequests\ncreated in matching namespaces.\nIf this field is omitted, resources in all namespaces are checked.", + "properties": { + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "description": "MatchLabels is the set of Namespace labels that select on\nCertificateRequests which have been created in a namespace matching the\nselector.", + "type": "object" + }, + "matchNames": { + "description": "MatchNames is the set of namespace names that select on\nCertificateRequests that have been created in a matching namespace.\nAccepts wildcards \"*\".", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "selector" + ], + "type": "object", + "additionalProperties": false + }, + "status": { + "description": "CertificateRequestPolicyStatus defines the observed state of the\nCertificateRequestPolicy.", + "properties": { + "conditions": { + "description": "List of status conditions to indicate the status of the\nCertificateRequestPolicy.\nKnown condition types are `Ready`.", + "items": { + "description": "CertificateRequestPolicyCondition contains condition information for a\nCertificateRequestPolicyStatus.", + "properties": { + "lastTransitionTime": { + "description": "LastTransitionTime is the timestamp corresponding to the last status\nchange of this condition.", + "format": "date-time", + "type": "string" + }, + "message": { + "description": "Message is a human readable description of the details of the last\ntransition, complementing reason.", + "type": "string" + }, + "observedGeneration": { + "description": "If set, this represents the .metadata.generation that the condition was\nset based upon.\nFor instance, if .metadata.generation is currently 12, but the\n.status.condition[x].observedGeneration is 9, the condition is out of\ndate with respect to the current state of the CertificateRequestPolicy.", + "format": "int64", + "type": "integer" + }, + "reason": { + "description": "Reason is a brief machine readable explanation for the condition's last\ntransition.", + "type": "string" + }, + "status": { + "description": "Status of the condition, one of ('True', 'False', 'Unknown').", + "type": "string" + }, + "type": { + "description": "Type of the condition, known values are (`Ready`).", + "type": "string" + } + }, + "required": [ + "status", + "type" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array", + "x-kubernetes-list-map-keys": [ + "type" + ], + "x-kubernetes-list-type": "map" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +}