NetworkSecurityServerTLSPolicy

Property Value
Google Cloud Service Name Network Security
Google Cloud Service Documentation /traffic-director/docs/
Google Cloud REST Resource Name v1beta1/projects.locations.clientTlsPolicies
Google Cloud REST Resource Documentation /traffic-director/docs/reference/network-security/rest/v1beta1/projects.locations.serverTlsPolicies
Config Connector Resource Short Names gcpnetworksecurityservertlspolicy
gcpnetworksecurityservertlspolicies
networksecurityservertlspolicy
Config Connector Service Name networksecurity.googleapis.com
Config Connector Resource Fully Qualified Name networksecurityservertlspolicies.networksecurity.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember No

Custom Resource Definition Properties

Spec

Schema

  allowOpen: boolean
  description: string
  location: string
  mtlsPolicy:
    clientValidationCa:
    - certificateProviderInstance:
        pluginInstance: string
      grpcEndpoint:
        targetUri: string
  projectRef:
    external: string
    name: string
    namespace: string
  resourceID: string
  serverCertificate:
    certificateProviderInstance:
      pluginInstance: string
    grpcEndpoint:
      targetUri: string
Fields

allowOpen

Optional

boolean

Optional. Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if allow_open and mtls_policy are set, server allows both plain text and mTLS connections. See documentation of other encryption modes to confirm compatibility.

description

Optional

string

Optional. Free-text description of the resource.

location

Required

string

The location for the resource

mtlsPolicy

Optional

object

Optional. Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. If allow_open and mtls_policy are set, server allows both plain text and mTLS connections.

mtlsPolicy.clientValidationCa

Required*

list (object)

Required. Defines the mechanism to obtain the Certificate Authority certificate to validate the client certificate.

mtlsPolicy.clientValidationCa.[]

Required*

object

mtlsPolicy.clientValidationCa.[].certificateProviderInstance

Optional

object

The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.

mtlsPolicy.clientValidationCa.[].certificateProviderInstance.pluginInstance

Required*

string

Required. Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.

mtlsPolicy.clientValidationCa.[].grpcEndpoint

Optional

object

gRPC specific configuration to access the gRPC server to obtain the CA certificate.

mtlsPolicy.clientValidationCa.[].grpcEndpoint.targetUri

Required*

string

Required. The target URI of the gRPC endpoint. Only UDS path is supported, and should start with “unix:”.

projectRef

Optional

object

The Project that this resource belongs to.

projectRef.external

Optional

string

The project for the resource

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

serverCertificate

Optional

object

Optional. Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allow_open as a permissive mode that allows both plain text and TLS is not supported.

serverCertificate.certificateProviderInstance

Optional

object

The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.

serverCertificate.certificateProviderInstance.pluginInstance

Required*

string

Required. Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.

serverCertificate.grpcEndpoint

Optional

object

gRPC specific configuration to access the gRPC server to obtain the cert and private key.

serverCertificate.grpcEndpoint.targetUri

Required*

string

Required. The target URI of the gRPC endpoint. Only UDS path is supported, and should start with “unix:”.

* Field is required when parent field is specified

Status

Schema

  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string
    type: string
  createTime: string
  observedGeneration: integer
  updateTime: string
Fields
conditions

list (object)

Conditions represent the latest available observation of the resource's current state.

conditions.[]

object

conditions.[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions.[].message

string

Human-readable message indicating details about last transition.

conditions.[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type

string

Type is the type of the condition.

createTime

string

Output only. The timestamp when the resource was created.

observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.

updateTime

string

Output only. The timestamp when the resource was updated.

Sample YAML(s)

Typical Use Case

  # Copyright 2021 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.
  
  apiVersion: networksecurity.cnrm.cloud.google.com/v1beta1
  kind: NetworkSecurityServerTLSPolicy
  metadata:
    name: networksecurityservertlspolicy-sample
    labels:
      label-one: "value-one"
  spec:
    description: Sample global server TLS policy
    location: global
    allowOpen: true
    serverCertificate:
      certificateProviderInstance:
        pluginInstance: google_cloud_private_spiffe
    mtlsPolicy:
      clientValidationCa:
        - certificateProviderInstance:
            pluginInstance: google_cloud_private_spiffe