Make more use of api-server validation
Signed-off-by: Erik Godding Boye <[email protected]>
erikgb committed Nov 16, 2024
1 parent 41dc93d commit d9853ff
Showing 7 changed files with 302 additions and 282 deletions.
Expand Up @@ -82,11 +82,13 @@ spec:
type: boolean
key:
description: Key of the entry in the object's `data` field to be used.
minLength: 1
type: string
name:
description: |-
Name is the name of the source object in the trust Namespace.
This field must be left empty when `selector` is set
minLength: 1
type: string
selector:
description: |-
Expand Down Expand Up @@ -135,6 +137,11 @@ spec:
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: must specify one and only one of {name, selector}
rule: '[has(self.name), has(self.selector)].exists_one(x,x)'
- message: must specify key or includeAllKeys
rule: '[has(self.key), has(self.includeAllKeys) && self.includeAllKeys].exists_one(x,x)'
inLine:
description: InLine is a simple string to append as the source data.
type: string
Expand All @@ -150,11 +157,13 @@ spec:
type: boolean
key:
description: Key of the entry in the object's `data` field to be used.
minLength: 1
type: string
name:
description: |-
Name is the name of the source object in the trust Namespace.
This field must be left empty when `selector` is set
minLength: 1
type: string
selector:
description: |-
Expand Down Expand Up @@ -203,6 +212,11 @@ spec:
type: object
x-kubernetes-map-type: atomic
type: object
x-kubernetes-validations:
- message: must specify one and only one of {name, selector}
rule: '[has(self.name), has(self.selector)].exists_one(x,x)'
- message: must specify key or includeAllKeys
rule: '[has(self.key), has(self.includeAllKeys) && self.includeAllKeys].exists_one(x,x)'
useDefaultCAs:
description: |-
UseDefaultCAs, when true, requests the default CA bundle to be used as a source.
Expand All @@ -215,7 +229,15 @@ spec:
defaultCAPackageVersion field of the Bundle's status field.
type: boolean
type: object
x-kubernetes-validations:
- message: must define exactly one source
rule: '[has(self.configMap), has(self.secret), has(self.inLine), has(self.useDefaultCAs) && self.useDefaultCAs].exists_one(x,x)'
maxItems: 100
minItems: 1
type: array
x-kubernetes-validations:
- message: must request default CAs at most once
rule: size(self.filter(s, has(s.useDefaultCAs) && s.useDefaultCAs)) <= 1
target:
description: Target is the target location in all namespaces to sync source data to.
properties:
Expand All @@ -230,6 +252,7 @@ spec:
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
password:
default: changeit
Expand All @@ -247,6 +270,7 @@ spec:
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
password:
default: ""
Expand All @@ -264,6 +288,7 @@ spec:
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
required:
- key
Expand All @@ -289,11 +314,17 @@ spec:
properties:
key:
description: Key is the key of the entry in the object's `data` field to be used.
minLength: 1
type: string
required:
- key
type: object
type: object
x-kubernetes-validations:
- message: must define at least one target configMap/secret
rule: '[has(self.configMap), has(self.secret)].exists(x,x)'
- message: additional format keys must be unique
rule: '!has(self.additionalFormats) || ![has(self.additionalFormats.jks), has(self.additionalFormats.pkcs12)].all(x,x) || self.additionalFormats.jks.key != self.additionalFormats.pkcs12.key'
required:
- sources
- target
34 changes: 20 additions & 14 deletions docs/api/api.md
Expand Up @@ -125,7 +125,7 @@ func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource

<a name="AdditionalFormats"></a>
## type [AdditionalFormats](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L120-L128>)
## type [AdditionalFormats](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L126-L134>)

AdditionalFormats specifies any additional formats to write to the target

Expand Down Expand Up @@ -206,7 +206,7 @@ func (in *Bundle) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

<a name="BundleCondition"></a>
## type [BundleCondition](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L206-L245>)
## type [BundleCondition](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L217-L256>)

BundleCondition contains condition information for a Bundle.

Expand Down Expand Up @@ -313,9 +313,9 @@ func (in *BundleList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

<a name="BundleSource"></a>
## type [BundleSource](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L70-L95>)
## type [BundleSource](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L74-L99>)

BundleSource is the set of sources whose data will be appended and synced to the BundleTarget in all Namespaces.
BundleSource is the set of sources whose data will be appended and synced to the BundleTarget in all Namespaces. \+kubebuilder:validation:XValidation:rule="\[has\(self.configMap\), has\(self.secret\), has\(self.inLine\), has\(self.useDefaultCAs\) && self.useDefaultCAs\].exists\_one\(x,x\)", message="must define exactly one source"

```go
type BundleSource struct {
Expand Down Expand Up @@ -365,13 +365,16 @@ func (in *BundleSource) DeepCopyInto(out *BundleSource)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non\-nil.

<a name="BundleSpec"></a>
## type [BundleSpec](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L60-L66>)
## type [BundleSpec](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L60-L69>)

BundleSpec defines the desired state of a Bundle.

```go
type BundleSpec struct {
// Sources is a set of references to data whose data will sync to the target.
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=100
// +kubebuilder:validation:XValidation:rule="size(self.filter(s, has(s.useDefaultCAs) && s.useDefaultCAs)) <= 1", message="must request default CAs at most once"
Sources []BundleSource `json:"sources"`

// Target is the target location in all namespaces to sync source data to.
Expand All @@ -398,7 +401,7 @@ func (in *BundleSpec) DeepCopyInto(out *BundleSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non\-nil.

<a name="BundleStatus"></a>
## type [BundleStatus](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L189-L203>)
## type [BundleStatus](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L200-L214>)

BundleStatus defines the observed state of the Bundle.

Expand Down Expand Up @@ -439,9 +442,9 @@ func (in *BundleStatus) DeepCopyInto(out *BundleStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non\-nil.

<a name="BundleTarget"></a>
## type [BundleTarget](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L99-L117>)
## type [BundleTarget](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L105-L123>)

BundleTarget is the target resource that the Bundle will sync all source data to.
BundleTarget is the target resource that the Bundle will sync all source data to. \+kubebuilder:validation:XValidation:rule="\[has\(self.configMap\), has\(self.secret\)\].exists\(x,x\)", message="must define at least one target configMap/secret" \+kubebuilder:validation:XValidation:rule="\!has\(self.additionalFormats\) || \!\[has\(self.additionalFormats.jks\), has\(self.additionalFormats.pkcs12\)\].all\(x,x\) || self.additionalFormats.jks.key \!= self.additionalFormats.pkcs12.key", message="additional format keys must be unique"

```go
type BundleTarget struct {
Expand Down Expand Up @@ -484,7 +487,7 @@ func (in *BundleTarget) DeepCopyInto(out *BundleTarget)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non\-nil.

<a name="JKS"></a>
## type [JKS](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L130-L139>)
## type [JKS](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L136-L145>)



Expand Down Expand Up @@ -520,13 +523,14 @@ func (in *JKS) DeepCopyInto(out *JKS)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non\-nil.

<a name="KeySelector"></a>
## type [KeySelector](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L183-L186>)
## type [KeySelector](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L193-L197>)

KeySelector is a reference to a key for some map data object.

```go
type KeySelector struct {
// Key is the key of the entry in the object's `data` field to be used.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`
}
```
Expand All @@ -550,7 +554,7 @@ func (in *KeySelector) DeepCopyInto(out *KeySelector)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non\-nil.

<a name="NamespaceSelector"></a>
## type [NamespaceSelector](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L152-L157>)
## type [NamespaceSelector](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L158-L163>)

NamespaceSelector defines selectors to match on Namespaces.

Expand Down Expand Up @@ -582,7 +586,7 @@ func (in *NamespaceSelector) DeepCopyInto(out *NamespaceSelector)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non\-nil.

<a name="PKCS12"></a>
## type [PKCS12](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L141-L149>)
## type [PKCS12](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L147-L155>)



Expand Down Expand Up @@ -617,15 +621,16 @@ func (in *PKCS12) DeepCopyInto(out *PKCS12)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non\-nil.

<a name="SourceObjectKeySelector"></a>
## type [SourceObjectKeySelector](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L161-L180>)
## type [SourceObjectKeySelector](<https://github.com/cert-manager/trust-manager/blob/main/pkg/apis/trust/v1alpha1/types_bundle.go#L169-L190>)

SourceObjectKeySelector is a reference to a source object and its \`data\` key\(s\) in the trust Namespace.
SourceObjectKeySelector is a reference to a source object and its \`data\` key\(s\) in the trust Namespace. \+kubebuilder:validation:XValidation:rule="\[has\(self.name\), has\(self.selector\)\].exists\_one\(x,x\)", message="must specify one and only one of \{name, selector\}" \+kubebuilder:validation:XValidation:rule="\[has\(self.key\), has\(self.includeAllKeys\) && self.includeAllKeys\].exists\_one\(x,x\)", message="must specify key or includeAllKeys"
```go
type SourceObjectKeySelector struct {
// Name is the name of the source object in the trust Namespace.
// This field must be left empty when `selector` is set
//+optional
// +kubebuilder:validation:MinLength=1
Name string `json:"name,omitempty"`
// Selector is the label selector to use to fetch a list of objects. Must not be set
Expand All @@ -635,6 +640,7 @@ type SourceObjectKeySelector struct {
// Key of the entry in the object's `data` field to be used.
//+optional
// +kubebuilder:validation:MinLength=1
Key string `json:"key,omitempty"`
// IncludeAllKeys is a flag to include all keys in the object's `data` field to be used. False by default.
11 changes: 11 additions & 0 deletions pkg/apis/trust/v1alpha1/types_bundle.go
Expand Up @@ -59,6 +59,9 @@ type BundleList struct {
// BundleSpec defines the desired state of a Bundle.
type BundleSpec struct {
// Sources is a set of references to data whose data will sync to the target.
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:MaxItems=100
// +kubebuilder:validation:XValidation:rule="size(self.filter(s, has(s.useDefaultCAs) && s.useDefaultCAs)) <= 1", message="must request default CAs at most once"
Sources []BundleSource `json:"sources"`

// Target is the target location in all namespaces to sync source data to.
Expand All @@ -67,6 +70,7 @@ type BundleSpec struct {

// BundleSource is the set of sources whose data will be appended and synced to
// the BundleTarget in all Namespaces.
// +kubebuilder:validation:XValidation:rule="[has(self.configMap), has(self.secret), has(self.inLine), has(self.useDefaultCAs) && self.useDefaultCAs].exists_one(x,x)", message="must define exactly one source"
type BundleSource struct {
// ConfigMap is a reference (by name) to a ConfigMap's `data` key(s), or to a
// list of ConfigMap's `data` key(s) using label selector, in the trust Namespace.
Expand Down Expand Up @@ -96,6 +100,8 @@ type BundleSource struct {

// BundleTarget is the target resource that the Bundle will sync all source
// data to.
// +kubebuilder:validation:XValidation:rule="[has(self.configMap), has(self.secret)].exists(x,x)", message="must define at least one target configMap/secret"
// +kubebuilder:validation:XValidation:rule="!has(self.additionalFormats) || ![has(self.additionalFormats.jks), has(self.additionalFormats.pkcs12)].all(x,x) || self.additionalFormats.jks.key != self.additionalFormats.pkcs12.key", message="additional format keys must be unique"
type BundleTarget struct {
// ConfigMap is the target ConfigMap in Namespaces that all Bundle source
// data will be synced to.
Expand Down Expand Up @@ -158,10 +164,13 @@ type NamespaceSelector struct {

// SourceObjectKeySelector is a reference to a source object and its `data` key(s)
// in the trust Namespace.
// +kubebuilder:validation:XValidation:rule="[has(self.name), has(self.selector)].exists_one(x,x)", message="must specify one and only one of {name, selector}"
// +kubebuilder:validation:XValidation:rule="[has(self.key), has(self.includeAllKeys) && self.includeAllKeys].exists_one(x,x)", message="must specify key or includeAllKeys"
type SourceObjectKeySelector struct {
// Name is the name of the source object in the trust Namespace.
// This field must be left empty when `selector` is set
//+optional
// +kubebuilder:validation:MinLength=1
Name string `json:"name,omitempty"`

// Selector is the label selector to use to fetch a list of objects. Must not be set
Expand All @@ -171,6 +180,7 @@ type SourceObjectKeySelector struct {

// Key of the entry in the object's `data` field to be used.
//+optional
// +kubebuilder:validation:MinLength=1
Key string `json:"key,omitempty"`

// IncludeAllKeys is a flag to include all keys in the object's `data` field to be used. False by default.
Expand All @@ -182,6 +192,7 @@ type SourceObjectKeySelector struct {
// KeySelector is a reference to a key for some map data object.
type KeySelector struct {
// Key is the key of the entry in the object's `data` field to be used.
// +kubebuilder:validation:MinLength=1
Key string `json:"key"`
}

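Review bot: The uniqueness rule added on BundleTarget (the second XValidation marker above `type BundleTarget struct`) only compares `additionalFormats.jks.key` with `additionalFormats.pkcs12.key`; it does not reject a JKS or PKCS12 key equal to the primary `configMap.key` or `secret.key` that the CRD schema in this commit also defines, so if the controller writes every format into the same target object one entry would presumably overwrite the other — worth confirming against the reconciler and, if so, extending the rule to cover those keys too. The BundleTarget struct body continues past the hunk, so the field names here are taken from the CRD section of this commit rather than the Go type. Separately, because the markers are placed inside the doc comments, the regenerated docs/api/api.md now reproduces the raw CEL text in the BundleSource, BundleTarget and SourceObjectKeySelector descriptions; a plain-English sentence above each marker, e.g. `// Exactly one of configMap, secret, inLine or useDefaultCAs must be set.`, would keep the rendered documentation readable and state the invariant for readers who do not parse CEL.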