From 749e065a07d799acc2c05f8838c8dc02e1ed571c Mon Sep 17 00:00:00 2001 From: Ashley Davis Date: Fri, 31 Jan 2025 11:05:09 +0000 Subject: [PATCH] update generated docs for trust-manager + approver-policy Signed-off-by: Ashley Davis --- .../approval/approver-policy/api-reference.md | 41 ------- .../docs/trust/trust-manager/api-reference.md | 102 +++++++++++++++--- scripts/gendocs/generate-approver-policy | 2 +- scripts/gendocs/generate-trust-manager | 2 +- 4 files changed, 90 insertions(+), 57 deletions(-) diff --git a/content/docs/policy/approval/approver-policy/api-reference.md b/content/docs/policy/approval/approver-policy/api-reference.md index 397d85aac43..bf08fbfeada 100644 --- a/content/docs/policy/approval/approver-policy/api-reference.md +++ b/content/docs/policy/approval/approver-policy/api-reference.md @@ -167,7 +167,6 @@ referring to matching issuers. CertificateRequests will not be processed if the issuer does not match, regardless of whether the requestor is bound by RBAC. - The following value will match _all_ issuers: ``` issuerRef: {} @@ -199,7 +198,6 @@ referring to matching issuers. CertificateRequests will not be processed if the issuer does not match, regardless of whether the requestor is bound by RBAC. - The following value will match _all_ issuers: ``` issuerRef: {} @@ -285,7 +283,6 @@ selector. MatchNames is the set of namespace names that select on CertificateRequests that have been created in a matching namespace. Accepts wildcards "*". -TODO: add x-kubernetes-list-type: set in v1alpha2
false @@ -385,7 +382,6 @@ CertificateRequest `spec.keyUsages` field. If set, `spec.keyUsages` in a CertificateRequest must be a subset of the specified values. If `[]` or unset, no `spec.keyUsages` are allowed. -TODO: add x-kubernetes-list-type: set in v1alpha2
false @@ -437,7 +433,6 @@ ALL validations for the request to be granted by this policy. Accepts wildcards "*". If set, the related field must match the specified pattern. - NOTE:`value: ""` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
@@ -473,7 +468,6 @@ To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. - Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') @@ -540,10 +534,8 @@ ALL validations for the request to be granted by this policy. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. - NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may. -TODO: add x-kubernetes-list-type: set in v1alpha2
false @@ -577,7 +569,6 @@ To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. - Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') @@ -644,10 +635,8 @@ ALL validations for the request to be granted by this policy. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. - NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may. -TODO: add x-kubernetes-list-type: set in v1alpha2
false @@ -681,7 +670,6 @@ To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. - Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') @@ -748,10 +736,8 @@ ALL validations for the request to be granted by this policy. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. - NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may. -TODO: add x-kubernetes-list-type: set in v1alpha2
false @@ -785,7 +771,6 @@ To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. - Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') @@ -942,10 +927,8 @@ ALL validations for the request to be granted by this policy. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. - NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may. -TODO: add x-kubernetes-list-type: set in v1alpha2
false @@ -979,7 +962,6 @@ To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. - Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') @@ -1046,10 +1028,8 @@ ALL validations for the request to be granted by this policy. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. - NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may. -TODO: add x-kubernetes-list-type: set in v1alpha2
false @@ -1083,7 +1063,6 @@ To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. - Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') @@ -1151,10 +1130,8 @@ ALL validations for the request to be granted by this policy. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. - NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may. -TODO: add x-kubernetes-list-type: set in v1alpha2
false @@ -1188,7 +1165,6 @@ To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. - Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') @@ -1256,10 +1232,8 @@ ALL validations for the request to be granted by this policy. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. - NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may. -TODO: add x-kubernetes-list-type: set in v1alpha2
false @@ -1293,7 +1267,6 @@ To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. - Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') @@ -1360,10 +1333,8 @@ ALL validations for the request to be granted by this policy. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. - NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may. -TODO: add x-kubernetes-list-type: set in v1alpha2
false @@ -1397,7 +1368,6 @@ To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. - Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') @@ -1464,10 +1434,8 @@ ALL validations for the request to be granted by this policy. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. - NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may. -TODO: add x-kubernetes-list-type: set in v1alpha2
false @@ -1501,7 +1469,6 @@ To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. - Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') @@ -1570,7 +1537,6 @@ ALL validations for the request to be granted by this policy. Accepts wildcards "*". If set, the related field must match the specified pattern. - NOTE:`value: ""` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may.
@@ -1606,7 +1572,6 @@ To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. - Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') @@ -1674,10 +1639,8 @@ ALL validations for the request to be granted by this policy. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. - NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may. -TODO: add x-kubernetes-list-type: set in v1alpha2
false @@ -1711,7 +1674,6 @@ To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. - Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') @@ -1778,10 +1740,8 @@ ALL validations for the request to be granted by this policy. Accepts wildcards "*". If set, the related field can only include items contained in the allowed values. - NOTE:`values: []` paired with `required: true` establishes a policy that will never grant a `CertificateRequest`, but other policies may. -TODO: add x-kubernetes-list-type: set in v1alpha2
false @@ -1815,7 +1775,6 @@ To enable more advanced validation rules, approver-policy provides the `cr` (map) variable to the CEL expression containing `namespace` and `name` of the `CertificateRequest` resource. - Example (rule for namespaced DNSNames): ``` rule: self.endsWith(cr.namespace + '.svc.cluster.local') diff --git a/content/docs/trust/trust-manager/api-reference.md b/content/docs/trust/trust-manager/api-reference.md index 3020ed65ab5..e89743204f4 100644 --- a/content/docs/trust/trust-manager/api-reference.md +++ b/content/docs/trust/trust-manager/api-reference.md @@ -124,8 +124,8 @@ the BundleTarget in all Namespaces. configMap object - ConfigMap is a reference (by name) to a ConfigMap's `data` key, or to a -list of ConfigMap's `data` key using label selector, in the trust Namespace. + ConfigMap is a reference (by name) to a ConfigMap's `data` key(s), or to a +list of ConfigMap's `data` key(s) using label selector, in the trust Namespace.
false @@ -141,8 +141,8 @@ list of ConfigMap's `data` key using label selector, in the trust Namespace. secret object - Secret is a reference (by name) to a Secret's `data` key, or to a -list of Secret's `data` key using label selector, in the trust Namespace. + Secret is a reference (by name) to a Secret's `data` key(s), or to a +list of Secret's `data` key(s) using label selector, in the trust Namespace.
false @@ -168,8 +168,8 @@ defaultCAPackageVersion field of the Bundle's status field. ### `Bundle.spec.sources[index].configMap` -ConfigMap is a reference (by name) to a ConfigMap's `data` key, or to a -list of ConfigMap's `data` key using label selector, in the trust Namespace. +ConfigMap is a reference (by name) to a ConfigMap's `data` key(s), or to a +list of ConfigMap's `data` key(s) using label selector, in the trust Namespace. @@ -181,13 +181,22 @@ list of ConfigMap's `data` key using label selector, in the trust Namespace. + + + + + - + @@ -297,8 +306,8 @@ merge patch. ### `Bundle.spec.sources[index].secret` -Secret is a reference (by name) to a Secret's `data` key, or to a -list of Secret's `data` key using label selector, in the trust Namespace. +Secret is a reference (by name) to a Secret's `data` key(s), or to a +list of Secret's `data` key(s) using label selector, in the trust Namespace.
includeAllKeysboolean + IncludeAllKeys is a flag to include all keys in the object's `data` field to be used. False by default. +This field must not be true when `Key` is set. +
+
false
key string - Key is the key of the entry in the object's `data` field to be used. + Key of the entry in the object's `data` field to be used.
truefalse
name string
@@ -310,13 +319,22 @@ list of Secret's `data` key using label selector, in the trust Namespace. + + + + + - + @@ -632,11 +650,67 @@ Namespaces which match the selector. + + + + + + + +
includeAllKeysboolean + IncludeAllKeys is a flag to include all keys in the object's `data` field to be used. False by default. +This field must not be true when `Key` is set. +
+
false
key string - Key is the key of the entry in the object's `data` field to be used. + Key of the entry in the object's `data` field to be used.
truefalse
name string
matchExpressions[]object + matchExpressions is a list of label selector requirements. The requirements are ANDed. +
+
false
matchLabels map[string]string - MatchLabels matches on the set of labels that must be present on a -Namespace for the Bundle target to be synced there. + matchLabels is a map of key-value pairs. A single key-value in the matchLabels +map is equivalent to an element of matchExpressions, whose key field is "key", the +operator is "In", and the values array contains only "value". The requirements are ANDed. +
+
false
+ + +### `Bundle.spec.target.namespaceSelector.matchExpressions[index]` + + +A label selector requirement is a selector that contains values, a key, and an operator that +relates the key and values. + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/scripts/gendocs/generate-approver-policy b/scripts/gendocs/generate-approver-policy index d68700cbbee..4bd0c4bba59 100755 --- a/scripts/gendocs/generate-approver-policy +++ b/scripts/gendocs/generate-approver-policy @@ -47,7 +47,7 @@ gendocs() { echo "+++ Generating reference docs..." $CRDOC \ - --resources "$tmpdir/deploy/charts/approver-policy/templates/crd-policy.cert-manager.io_certificaterequestpolicies.yaml" \ + --resources "$tmpdir/deploy/crds/policy.cert-manager.io_certificaterequestpolicies.yaml" \ --template $REPO_ROOT/scripts/gendocs/templates-approver-policy/markdown.tmpl \ --output $outputdir } diff --git a/scripts/gendocs/generate-trust-manager b/scripts/gendocs/generate-trust-manager index a411df636ec..d4d0838b677 100755 --- a/scripts/gendocs/generate-trust-manager +++ b/scripts/gendocs/generate-trust-manager @@ -61,6 +61,6 @@ gendocs() { echo "+++ Cloning trust-manager repository..." git clone "https://github.com/cert-manager/trust-manager.git" "$tmpdir" -checkout "v0.13.0" +checkout "v0.15.0" gendocs "$REPO_ROOT/content/docs/trust/trust-manager/api-reference.md"
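Review bot: In scripts/gendocs/generate-trust-manager, the new `checkout "v0.15.0"` line selects the upstream source by tag name only, and a Git tag can be re-pointed upstream after this commit lands. A later run of the script could then generate the published API reference from different content than was reviewed here. Consider checking out the commit the tag resolves to and keeping the tag as a trailing comment, e.g. `checkout "<commit-sha-for-v0.15.0>"  # v0.15.0` (placeholder, not a real hash). The `checkout` helper and the rest of the script lie outside the hunk, so whether the ref is already verified elsewhere cannot be seen from here.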
NameTypeDescriptionRequired
keystring + key is the label key that the selector applies to. +
+
true
operatorstring + operator represents a key's relationship to a set of values. +Valid operators are In, NotIn, Exists and DoesNotExist. +
+
true
values[]string + values is an array of string values. If the operator is In or NotIn, +the values array must be non-empty. If the operator is Exists or DoesNotExist, +the values array must be empty. This array is replaced during a strategic +merge patch.
false