diff --git a/content/docs/policy/approval/approver-policy/api-reference.md b/content/docs/policy/approval/approver-policy/api-reference.md
index 397d85aac4..bf08fbfead 100644
--- a/content/docs/policy/approval/approver-policy/api-reference.md
+++ b/content/docs/policy/approval/approver-policy/api-reference.md
@@ -167,7 +167,6 @@ referring to matching issuers.
CertificateRequests will not be processed if the issuer does not match,
regardless of whether the requestor is bound by RBAC.
-
The following value will match _all_ issuers:
```
issuerRef: {}
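Review bot: removing the blank line before "The following value will match _all_ issuers:" leaves that sentence attached to the preceding one about RBAC, so the match-all example is no longer set apart in the description. `issuerRef: {}` is the widest setting this field accepts, so keep the paragraph break or check the rendered page to confirm the example still stands out.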
@@ -199,7 +198,6 @@ referring to matching issuers.
CertificateRequests will not be processed if the issuer does not match,
regardless of whether the requestor is bound by RBAC.
-
The following value will match _all_ issuers:
```
issuerRef: {}
@@ -285,7 +283,6 @@ selector.
MatchNames is the set of namespace names that select on
CertificateRequests that have been created in a matching namespace.
Accepts wildcards "*".
-TODO: add x-kubernetes-list-type: set in v1alpha2
false |
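Review bot: the MatchNames description still does not say how duplicate entries in the list are treated, which is the question the removed `TODO: add x-kubernetes-list-type: set in v1alpha2` line was pointing at. Dropping the implementer note from user-facing text is fine, but add a sentence on duplicates in the source description so the open item is not lost with it.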
@@ -385,7 +382,6 @@ CertificateRequest `spec.keyUsages` field.
If set, `spec.keyUsages` in a CertificateRequest must be a subset of the
specified values.
If `[]` or unset, no `spec.keyUsages` are allowed.
-TODO: add x-kubernetes-list-type: set in v1alpha2
false |
@@ -437,7 +433,6 @@ ALL validations for the request to be granted by this policy.
Accepts wildcards "*".
If set, the related field must match the specified pattern.
-
NOTE:`value: ""` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
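Review bot: the line beginning `NOTE:` has no space after the colon, and with the blank line removed it now follows "If set, the related field must match the specified pattern." directly, so the note will flow into that paragraph. Keep a paragraph break before it, or fix the spacing in the source description, because a warning about a policy that never grants a request is easy to miss when it is run into the preceding sentence.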
@@ -473,7 +468,6 @@ To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
-
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
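Review bot: the example `rule: self.endsWith(cr.namespace + '.svc.cluster.local')` in the context lines matches on a bare suffix with no leading dot, so for a request created in namespace `foo` it also accepts a name such as `svc.barfoo.svc.cluster.local`, which belongs to a different namespace. This text is regenerated for every field that takes a CEL rule, so consider correcting the example in the source description to `self.endsWith('.' + cr.namespace + '.svc.cluster.local')`.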
@@ -540,10 +534,8 @@ ALL validations for the request to be granted by this policy.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
-
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
-TODO: add x-kubernetes-list-type: set in v1alpha2
false |
@@ -577,7 +569,6 @@ To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
-
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
@@ -644,10 +635,8 @@ ALL validations for the request to be granted by this policy.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
-
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
-TODO: add x-kubernetes-list-type: set in v1alpha2
false |
@@ -681,7 +670,6 @@ To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
-
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
@@ -748,10 +736,8 @@ ALL validations for the request to be granted by this policy.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
-
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
-TODO: add x-kubernetes-list-type: set in v1alpha2
false |
@@ -785,7 +771,6 @@ To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
-
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
@@ -942,10 +927,8 @@ ALL validations for the request to be granted by this policy.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
-
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
-TODO: add x-kubernetes-list-type: set in v1alpha2
false |
@@ -979,7 +962,6 @@ To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
-
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
@@ -1046,10 +1028,8 @@ ALL validations for the request to be granted by this policy.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
-
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
-TODO: add x-kubernetes-list-type: set in v1alpha2
false |
@@ -1083,7 +1063,6 @@ To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
-
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
@@ -1151,10 +1130,8 @@ ALL validations for the request to be granted by this policy.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
-
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
-TODO: add x-kubernetes-list-type: set in v1alpha2
false |
@@ -1188,7 +1165,6 @@ To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
-
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
@@ -1256,10 +1232,8 @@ ALL validations for the request to be granted by this policy.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
-
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
-TODO: add x-kubernetes-list-type: set in v1alpha2
false |
@@ -1293,7 +1267,6 @@ To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
-
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
@@ -1360,10 +1333,8 @@ ALL validations for the request to be granted by this policy.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
-
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
-TODO: add x-kubernetes-list-type: set in v1alpha2
false |
@@ -1397,7 +1368,6 @@ To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
-
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
@@ -1464,10 +1434,8 @@ ALL validations for the request to be granted by this policy.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
-
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
-TODO: add x-kubernetes-list-type: set in v1alpha2
false |
@@ -1501,7 +1469,6 @@ To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
-
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
@@ -1570,7 +1537,6 @@ ALL validations for the request to be granted by this policy.
Accepts wildcards "*".
If set, the related field must match the specified pattern.
-
NOTE:`value: ""` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
@@ -1606,7 +1572,6 @@ To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
-
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
@@ -1674,10 +1639,8 @@ ALL validations for the request to be granted by this policy.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
-
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
-TODO: add x-kubernetes-list-type: set in v1alpha2
false |
@@ -1711,7 +1674,6 @@ To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
-
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
@@ -1778,10 +1740,8 @@ ALL validations for the request to be granted by this policy.
Accepts wildcards "*".
If set, the related field can only include items contained in the allowed values.
-
NOTE:`values: []` paired with `required: true` establishes a policy that
will never grant a `CertificateRequest`, but other policies may.
-TODO: add x-kubernetes-list-type: set in v1alpha2
false |
@@ -1815,7 +1775,6 @@ To enable more advanced validation rules, approver-policy provides the
`cr` (map) variable to the CEL expression containing `namespace` and
`name` of the `CertificateRequest` resource.
-
Example (rule for namespaced DNSNames):
```
rule: self.endsWith(cr.namespace + '.svc.cluster.local')
diff --git a/content/docs/trust/trust-manager/api-reference.md b/content/docs/trust/trust-manager/api-reference.md
index 3020ed65ab..e89743204f 100644
--- a/content/docs/trust/trust-manager/api-reference.md
+++ b/content/docs/trust/trust-manager/api-reference.md
@@ -124,8 +124,8 @@ the BundleTarget in all Namespaces.
configMap |
object |
- ConfigMap is a reference (by name) to a ConfigMap's `data` key, or to a
-list of ConfigMap's `data` key using label selector, in the trust Namespace.
+ ConfigMap is a reference (by name) to a ConfigMap's `data` key(s), or to a
+list of ConfigMap's `data` key(s) using label selector, in the trust Namespace.
|
false |
@@ -141,8 +141,8 @@ list of ConfigMap's `data` key using label selector, in the trust Namespace.
secret |
object |
- Secret is a reference (by name) to a Secret's `data` key, or to a
-list of Secret's `data` key using label selector, in the trust Namespace.
+ Secret is a reference (by name) to a Secret's `data` key(s), or to a
+list of Secret's `data` key(s) using label selector, in the trust Namespace.
|
false |
@@ -168,8 +168,8 @@ defaultCAPackageVersion field of the Bundle's status field.
### `Bundle.spec.sources[index].configMap`
-ConfigMap is a reference (by name) to a ConfigMap's `data` key, or to a
-list of ConfigMap's `data` key using label selector, in the trust Namespace.
+ConfigMap is a reference (by name) to a ConfigMap's `data` key(s), or to a
+list of ConfigMap's `data` key(s) using label selector, in the trust Namespace.
@@ -181,13 +181,22 @@ list of ConfigMap's `data` key using label selector, in the trust Namespace.
+ includeAllKeys |
+ boolean |
+
+ IncludeAllKeys is a flag to include all keys in the object's `data` field to be used. False by default.
+This field must not be true when `Key` is set.
+
+ |
+ false |
+
key |
string |
- Key is the key of the entry in the object's `data` field to be used.
+ Key of the entry in the object's `data` field to be used.
|
- true |
+ false |
name |
string |
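Review bot: with `key` changing from required `true` to `false` and `includeAllKeys` described as "False by default", the table no longer says what a ConfigMap source with neither field set means. State whether exactly one of the two must be given, and write the constraint against the field name as it appears in the table (`key`, not `Key`).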
@@ -297,8 +306,8 @@ merge patch.
### `Bundle.spec.sources[index].secret`
-Secret is a reference (by name) to a Secret's `data` key, or to a
-list of Secret's `data` key using label selector, in the trust Namespace.
+Secret is a reference (by name) to a Secret's `data` key(s), or to a
+list of Secret's `data` key(s) using label selector, in the trust Namespace.
@@ -310,13 +319,22 @@ list of Secret's `data` key using label selector, in the trust Namespace.
+ includeAllKeys |
+ boolean |
+
+ IncludeAllKeys is a flag to include all keys in the object's `data` field to be used. False by default.
+This field must not be true when `Key` is set.
+
+ |
+ false |
+
key |
string |
- Key is the key of the entry in the object's `data` field to be used.
+ Key of the entry in the object's `data` field to be used.
|
- true |
+ false |
name |
string |
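Review bot: for the Secret source, the `includeAllKeys` description does not say how entries in `data` that are not certificates are handled, and a Secret can hold other material under other keys. Add a sentence stating whether such entries are skipped or cause the source to be rejected, so an operator knows what enabling the flag pulls into the bundle.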
@@ -632,11 +650,67 @@ Namespaces which match the selector.
+ matchExpressions |
+ []object |
+
+ matchExpressions is a list of label selector requirements. The requirements are ANDed.
+
+ |
+ false |
+
matchLabels |
map[string]string |
- MatchLabels matches on the set of labels that must be present on a
-Namespace for the Bundle target to be synced there.
+ matchLabels is a map of key-value pairs. A single key-value in the matchLabels
+map is equivalent to an element of matchExpressions, whose key field is "key", the
+operator is "In", and the values array contains only "value". The requirements are ANDed.
+
+ |
+ false |
+
+
+
+
+### `Bundle.spec.target.namespaceSelector.matchExpressions[index]`
+
+
+A label selector requirement is a selector that contains values, a key, and an operator that
+relates the key and values.
+
+
+
+
+ Name |
+ Type |
+ Description |
+ Required |
+
+
+
+ key |
+ string |
+
+ key is the label key that the selector applies to.
+
+ |
+ true |
+
+ operator |
+ string |
+
+ operator represents a key's relationship to a set of values.
+Valid operators are In, NotIn, Exists and DoesNotExist.
+
+ |
+ true |
+
+ values |
+ []string |
+
+ values is an array of string values. If the operator is In or NotIn,
+the values array must be non-empty. If the operator is Exists or DoesNotExist,
+the values array must be empty. This array is replaced during a strategic
+merge patch.
|
false |
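Review bot: the new `matchLabels` text is generic label-selector wording and drops what the removed lines told the reader, that the labels "must be present on a Namespace for the Bundle target to be synced there". Keep one sentence tying the selector to Namespace selection for the Bundle target. The `values` remark that the array "is replaced during a strategic merge patch" is similarly generic and could be trimmed from this reference.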
diff --git a/scripts/gendocs/generate-approver-policy b/scripts/gendocs/generate-approver-policy
index d68700cbbe..4bd0c4bba5 100755
--- a/scripts/gendocs/generate-approver-policy
+++ b/scripts/gendocs/generate-approver-policy
@@ -47,7 +47,7 @@ gendocs() {
echo "+++ Generating reference docs..."
$CRDOC \
- --resources "$tmpdir/deploy/charts/approver-policy/templates/crd-policy.cert-manager.io_certificaterequestpolicies.yaml" \
+ --resources "$tmpdir/deploy/crds/policy.cert-manager.io_certificaterequestpolicies.yaml" \
--template $REPO_ROOT/scripts/gendocs/templates-approver-policy/markdown.tmpl \
--output $outputdir
}
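Review bot: `--template $REPO_ROOT/scripts/gendocs/templates-approver-policy/markdown.tmpl` and `--output $outputdir` are unquoted while the `--resources` argument changed here is quoted, so a checkout path containing spaces would split those two arguments. Quote both expansions to match the line being edited.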
diff --git a/scripts/gendocs/generate-trust-manager b/scripts/gendocs/generate-trust-manager
index a411df636e..d4d0838b67 100755
--- a/scripts/gendocs/generate-trust-manager
+++ b/scripts/gendocs/generate-trust-manager
@@ -61,6 +61,6 @@ gendocs() {
echo "+++ Cloning trust-manager repository..."
git clone "https://github.com/cert-manager/trust-manager.git" "$tmpdir"
-checkout "v0.13.0"
+checkout "v0.15.0"
gendocs "$REPO_ROOT/content/docs/trust/trust-manager/api-reference.md"
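Review bot: `checkout "v0.15.0"` selects the upstream source by tag name on a fresh `git clone`, and a tag can be moved after the fact. Recording the commit hash alongside the tag, and checking it after checkout, would make the generated reference reproducible. It would also help to confirm in the change description that the `includeAllKeys` and `matchExpressions` additions in the trust-manager reference are the expected output of moving from `v0.13.0` to this tag.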