2
0
mirror of https://github.com/xcat2/confluent.git synced 2026-07-18 00:16:50 +00:00

Merge pull request #220 from Obihoernchen/pubkeys_addpolicy

Fix pubkeys.addpolicy documentation to match implementation
This commit is contained in:
Jarrod Johnson
2026-07-02 10:31:04 -04:00
committed by GitHub
@@ -655,13 +655,19 @@ node = {
},
'pubkeys.addpolicy': {
'description': ('Policy to use when encountering unknown public '
'keys. Choices are "automatic" to accept and '
'store new key if no key known and "manual" '
'to always reject a new key, even if no key known'
'Note that if the trusted CA verifies the certificate,'
' that is accepted ignoring this policy. Default '
'policy is "automatic"'),
'validvalues': ('automatic', 'manual'),
'keys. If unset (default), behaves as "tofu" '
'(trust-on-first-use): accept and store a new key '
'if no key is currently known. "manual" always '
'rejects a new key, even if no key is known, '
'requiring it to be pinned manually. "ca" requires '
'the trusted CA to validate the certificate before '
'pinning a new or changed key, but a previously '
'pinned key that still matches is trusted without '
're-checking the CA. "ca-only" is stricter: it '
'requires the trusted CA to validate the '
'certificate on every check, even when a '
'previously pinned key would otherwise match.'),
'validvalues': ('tofu', 'manual', 'ca', 'ca-only'),
},
'pubkeys.tls_hardwaremanager': {
'description': ('Fingerprint of the TLS certificate recognized as'