package policies

import (
	corev1 "k8s.io/api/core/v1"
	"k8s.io/utils/clock"

	acmapi "gitbucket.jerxie.com/yangyangxie/AnthosCertManager/pkg/apis/anthoscertmanager/v1"
)

// Input is the full set of objects a policy Func may inspect when deciding
// whether a Certificate needs (re)issuance or whether its post-issuance
// state is consistent. Every field is a pointer and may be nil — the
// trigger chain includes a SecretDoesNotExist policy, so policies must
// tolerate a missing Secret rather than assume it is present.
type Input struct {
	Certificate *acmapi.Certificate
	Secret      *corev1.Secret

	// CurrentRevisionRequest is the CertificateRequest that produced the
	// current revision of the certificate. By definition it is in a ready
	// state and is the source of truth for what was actually issued. The
	// gatherer package's documentation explains why the "current" request
	// matters.
	CurrentRevisionRequest *acmapi.CertificateRequest

	// The "next" request — the one currently being issued — is not part of
	// this Input yet. The commented-out field below records the intended
	// shape; note it names a `cmapi` alias that this file does not import,
	// so it would need to become `acmapi` if re-enabled.
	// NextRevisionRequest *cmapi.CertificateRequest
}

// Func is a single policy check. It inspects the given Input and reports
// whether the check failed. When failed is true, reason and message carry
// additional human-readable information describing the violation; when
// failed is false their contents are not meaningful to callers.
type Func func(Input) (reason, message string, failed bool)

// Chain is an ordered list of policy Funcs. Order matters: Evaluate runs
// them first to last and stops at the first reported violation.
type Chain []Func

// Evaluate runs every policy in the chain, in order, against input and
// short-circuits on the first violation: it returns that policy's reason
// and message together with true. If no policy reports a violation it
// returns two empty strings and false. Because evaluation stops early,
// the position of a policy in the chain determines which violation is
// surfaced when several would fail.
func (c Chain) Evaluate(input Input) (string, string, bool) {
	for i := range c {
		if reason, message, violated := c[i](input); violated {
			return reason, message, true
		}
	}
	return "", "", false
}

// NewSecretPostIssuancePolicyChain returns the checks that run _after_ an
// issuance has succeeded. They test the presence and correctness of the
// metadata and output formats of the Certificate's Secret rather than the
// certificate contents themselves.
//
// ownerRefEnabled and fieldManager are forwarded unchanged to
// SecretOwnerReferenceManagedFieldMismatch; by name, the former controls
// whether an owner reference is expected on the Secret and the latter is
// the managed-fields manager the controller writes under (verify against
// that policy's implementation).
//
// TODO: also check for an owner reference whose value does not match the
// Certificate — only the managed-field mismatch is covered today.
func NewSecretPostIssuancePolicyChain(ownerRefEnabled bool, fieldManager string) Chain {
	postIssuance := Chain{
		SecretOwnerReferenceManagedFieldMismatch(ownerRefEnabled, fieldManager),
	}
	return postIssuance
}

// NewTriggerPolicyChain returns the checks that decide whether a
// Certificate must be (re)issued: a violation from any policy in this
// chain should mark the Certificate for issuance.
//
// Only SecretDoesNotExist and SecretIssuerAnnotationsNotUpToDate are
// active. The remaining policies are commented out below, which has a
// security-relevant consequence worth keeping in mind: from this chain, a
// Secret with missing data, a private key that no longer matches the spec,
// a public key that differs from the certificate, a current request that is
// no longer valid for the spec, or a certificate nearing expiry will NOT
// trigger reissuance. The clock c is accepted to keep the signature stable
// but is unused until CurrentCertificateNearingExpiry(c) is re-enabled.
func NewTriggerPolicyChain(c clock.Clock) Chain {
	return Chain{
		SecretDoesNotExist,
		SecretIssuerAnnotationsNotUpToDate,
		// Disabled policies — see the doc comment above for the impact.
		// SecretIsMissingData,
		// SecretPublicKeysDiffer,
		// SecretPrivateKeyMatchesSpec,
		// CurrentCertificateRequestNotValidForSpec,
		// CurrentCertificateNearingExpiry(c),
	}
}