pki.security.gdc.goog/v1
Contains API Schema definitions for the PKI v1 API group.
ACMEConfig
Appears in: CertificateAuthoritySpec
| Field | Type | Description |
|---|---|---|
| enabled | boolean | Whether to deploy the CA and make it reachable via the ACME protocol. |
ACMEIssuerConfig
Appears in: CertificateIssuerSpec
| Field | Type | Description |
|---|---|---|
| rootCACertificate | integer array | Contains the Root CA data of certificates issued by the ACME server. |
| acme | ACMEIssuer | ACME configures this issuer to communicate with an RFC 8555 (ACME) server to obtain signed certificates. ACME is an acme.cert-manager.io/v1 ACMEIssuer. |
ACMEStatus
Appears in: CertificateAuthorityStatus
| Field | Type | Description |
|---|---|---|
| uri | string | URI is the unique account identifier, which can also be used to retrieve account details from the CA. |
BYOCertIssuerConfig
BYOCertIssuerConfig defines an issuer based on the BYO-Cert model.
Appears in: CertificateIssuerSpec
| Field | Type | Description |
|---|---|---|
| fallbackCertificateAuthority | CAReference | FallbackCertificateAuthority is the reference to a default CAaaS-operated CA. API type: Group pki.security.gdc.goog, Kind CertificateAuthority. |
BYOCertStatus
Appears in: CertificateStatus
| Field | Type | Description |
|---|---|---|
| csrStatus | CSRStatus | Certificate Signing Request (CSR) status. |
| signedCertStatus | SignedCertStatus | Externally signed certificate status. |
BYOCertificate
Externally signed certificate.
Appears in: CertificateSpec
| Field | Type | Description |
|---|---|---|
| certificate | integer array | The PEM-encoded X.509 certificate uploaded by the customer. |
| ca | integer array | The PEM-encoded X.509 certificate of the signer CA used to sign the certificate. |
CACertificateConfig
CACertificateConfig defines how the CA certificate is going to be provisioned. Only one of these fields will be set at any point in time.
Appears in: CertificateAuthoritySpec
| Field | Type | Description |
|---|---|---|
| externalCA | ExternalCAConfig | Get the certificate from an external root CA. If set, a CSR will be generated in the status, and the signed certificate can be uploaded using this field. |
| selfSignedCA | SelfSignedCAConfig | Issue a self-signed certificate (Root CA). |
| managedSubCA | ManagedSubCAConfig | Issue a SubCA certificate from a GDC-managed CA (Managed Sub CA). |
CACertificateProfile
CACertificateProfile defines the profile for a CA certificate.
Appears in: CertificateAuthoritySpec
| Field | Type | Description |
|---|---|---|
| commonName | string | The common name of the CA Certificate. |
| organizations | string array | Organizations to be used on the Certificate. |
| countries | string array | Countries to be used on the Certificate. |
| organizationalUnits | string array | Organizational Units to be used on the Certificate. |
| localities | string array | Cities to be used on the Certificate. |
| provinces | string array | States/Provinces to be used on the Certificate. |
| streetAddresses | string array | Street addresses to be used on the Certificate. |
| postalCodes | string array | Postal codes to be used on the Certificate. |
| duration | Duration | The requested 'duration' (i.e. lifetime) of the CA Certificate. |
| renewBefore | Duration | RenewBefore is how long before the CA certificate expires that rotation takes place. |
| maxPathLength | integer | The maximum path length of the CA certificate. |
CAReference
CAReference represents a CertificateAuthority reference. It has information to retrieve a CA in any namespace.
Appears in: BYOCertIssuerConfig, CAaaSIssuerConfig, CertificateRequestSpec, ManagedSubCAConfig
| Field | Type | Description |
|---|---|---|
| name | string | Name is unique within a namespace to reference a CA resource. |
| namespace | string | Namespace defines the space within which the CA name must be unique. |
CAaaSIssuerConfig
CAaaSIssuerConfig defines an issuer that requests certificates from a CA created using the CAaaS service.
Appears in: CertificateIssuerSpec
| Field | Type | Description |
|---|---|---|
| certificateAuthorityRef | CAReference | A reference to a CertificateAuthority which will sign the certificate. API type: Group pki.security.gdc.goog, Kind CertificateAuthority. |
CSRStatus
Appears in: BYOCertStatus
| Field | Type | Description |
|---|---|---|
| conditions | Condition array | List of status conditions to indicate the status of a BYO Certificate CSR. WaitingforSigning: a new CSR has been generated and is waiting to be signed by the customer. Ready: the CSR has been signed. |
| csr | integer array | Stores the CSR for the customer to sign. |
Certificate
A Certificate represents a managed certificate.
Appears in: CertificateList
| Field | Type | Description |
|---|---|---|
| apiVersion | string | pki.security.gdc.goog/v1 |
| kind | string | Certificate |
| metadata | ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| spec | CertificateSpec | |
| status | CertificateStatus | |
CertificateAuthority
CertificateAuthority represents the individual Certificate Authority that will be used to issue the certificates.
Appears in: CertificateAuthorityList
| Field | Type | Description |
|---|---|---|
| apiVersion | string | pki.security.gdc.goog/v1 |
| kind | string | CertificateAuthority |
| metadata | ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| spec | CertificateAuthoritySpec | |
| status | CertificateAuthorityStatus | |
CertificateAuthorityList
CertificateAuthorityList represents a collection of certificate authorities.
| Field | Type | Description |
|---|---|---|
| apiVersion | string | pki.security.gdc.goog/v1 |
| kind | string | CertificateAuthorityList |
| metadata | ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
| items | CertificateAuthority array | |
CertificateAuthoritySpec
Appears in: CertificateAuthority
| Field | Type | Description |
|---|---|---|
| caProfile | CACertificateProfile | The profile of the CertificateAuthority. |
| caCertificate | CACertificateConfig | The CA Certificate provisioning configuration. |
| secretConfig | SecretConfig | Configuration of the CA secret. |
| certificateProfile | CertificateProfile | Defines the profile of the certificates that will be issued. |
| acme | ACMEConfig | Configuration for enabling the ACME protocol. |
CertificateAuthorityStatus
Appears in: CertificateAuthority
| Field | Type | Description |
|---|---|---|
| externalCA | ExternalCAStatus | ExternalCA specifies status options for a SubCA signed by an external root CA. |
| errorStatus | ErrorStatus | ErrorStatus contains a list of current errors and the timestamp at which this field was last updated. |
| conditions | Condition array | List of status conditions to indicate the status of a Certificate Authority. Pending: a CSR is pending to be signed by the customer. Ready: the certificate authority is ready to use. |
| acme | ACMEStatus | ACME-specific status options. This field should only be set if the Certificate Authority is configured with ACME enabled. |
CertificateConfig
CertificateConfig represents the subject information in an issued certificate.
Appears in: CertificateRequestSpec
| Field | Type | Description |
|---|---|---|
| subjectConfig | SubjectConfig | These values are used to create the distinguished name and subject alternative name fields in an X.509 certificate. |
| privateKeyConfig | CertificatePrivateKey | Private key options. These include the key algorithm and size. |
CertificateIssuer
CertificateIssuer represents an issuer for Certificate as a Service.
You can mark a CertificateIssuer as the default issuer by adding or setting
the label `pki.security.gdc.goog/is-default-issuer: true`.
Appears in: CertificateIssuerList
| Field | Type | Description |
|---|---|---|
| apiVersion | string | pki.security.gdc.goog/v1 |
| kind | string | CertificateIssuer |
| metadata | ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| spec | CertificateIssuerSpec | |
| status | CertificateIssuerStatus | |
CertificateIssuerList
CertificateIssuerList represents a collection of certificate issuers.
| Field | Type | Description |
|---|---|---|
| apiVersion | string | pki.security.gdc.goog/v1 |
| kind | string | CertificateIssuerList |
| metadata | ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
| items | CertificateIssuer array | |
CertificateIssuerSpec
Appears in: CertificateIssuer
| Field | Type | Description |
|---|---|---|
| byoCertConfig | BYOCertIssuerConfig | BYOCertConfig configures this issuer in BYO-Cert mode. |
| caaasConfig | CAaaSIssuerConfig | CAaaSConfig configures this issuer to sign certificates using a CA deployed by the CertificateAuthority API. |
| acmeConfig | ACMEIssuerConfig | ACMEConfig configures this issuer to sign certificates using an ACME server. |
CertificateIssuerStatus
Appears in: CertificateIssuer
| Field | Type | Description |
|---|---|---|
| ca | integer array | Stores the root CA used by the current certificate issuer. |
| conditions | Condition array | List of status conditions to indicate the status of the CertificateIssuer. Ready: the CertificateIssuer is ready to use. |
CertificateList
CertificateList represents a collection of certificates.
| Field | Type | Description |
|---|---|---|
| apiVersion | string | pki.security.gdc.goog/v1 |
| kind | string | CertificateList |
| metadata | ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
| items | Certificate array | |
CertificatePrivateKey
Appears in: CertificateConfig
| Field | Type | Description |
|---|---|---|
| algorithm | PrivateKeyAlgorithm | Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are `RSA`, `Ed25519` or `ECDSA`. If `algorithm` is specified and `size` is not provided, a key size of 384 will be used for the `ECDSA` key algorithm and a key size of 3072 will be used for the `RSA` key algorithm. Key size is ignored when using the `Ed25519` key algorithm. See github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_certificate.go for more information. |
| size | integer | Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `3072`, `4096` or `8192`, and it defaults to `3072` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and it defaults to `384` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. See github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_certificate.go for more information. |
CertificateProfile
CertificateProfile defines the specification of the profile of an issued certificate.
Appears in: CertificateAuthoritySpec
| Field | Type | Description |
|---|---|---|
| keyUsage | KeyUsageBits array | Allowed key usages for certificates issued under this profile. |
| extendedKeyUsage | ExtendedKeyUsageBits array | Allowed extended key usages for certificates issued under this profile. This is optional for SelfSignedCA and is required for both ManagedSubCA and ExternalCA. |
CertificateRequest
CertificateRequest represents a request to issue a certificate from the referenced CertificateAuthority.
All fields within the CertificateRequest's spec are immutable after creation.
Appears in: CertificateRequestList
| Field | Type | Description |
|---|---|---|
| apiVersion | string | pki.security.gdc.goog/v1 |
| kind | string | CertificateRequest |
| metadata | ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| spec | CertificateRequestSpec | |
| status | CertificateRequestStatus | |
CertificateRequestList
CertificateRequestList represents a collection of certificate requests.
| Field | Type | Description |
|---|---|---|
| apiVersion | string | pki.security.gdc.goog/v1 |
| kind | string | CertificateRequestList |
| metadata | ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
| items | CertificateRequest array | |
CertificateRequestSpec
CertificateRequestSpec defines a request for the issuance of a certificate.
Appears in: CertificateRequest
| Field | Type | Description |
|---|---|---|
| csr | integer array | Certificate Signing Request to be signed using the CA. |
| certificateConfig | CertificateConfig | Certificate configuration that will be used to create the CSR. |
| notBefore | Time | Validity start time of the certificate. If not set, the current time of the request is used. |
| notAfter | Time | Validity end time of the certificate. If not set, 90 days from the notBefore time is used as the default. |
| signedCertificateSecret | string | Name of the secret in which to store the signed certificate. |
| certificateAuthorityRef | CAReference | A reference to a CertificateAuthority which will sign the certificate. API type: Group pki.security.gdc.goog, Kind CertificateAuthority. |
CertificateRequestStatus
Appears in: CertificateRequest
| Field | Type | Description |
|---|---|---|
| conditions | Condition array | List of status conditions to indicate the status of the certificate to be issued. PENDING: the CSR is pending to be signed. Ready: the CertificateRequest is fulfilled. |
| autoGeneratedPrivateKey | SecretReference | If no CSR is provided, an auto-generated private key will be used. Optional. |
CertificateSpec
Appears in: Certificate
| Field | Type | Description |
|---|---|---|
| issuer | IssuerReference | A reference to the CertificateIssuer that will be used for the issuance of the certificate. If not set, a label `pki.security.gdc.goog/use-default-issuer: true` needs to be set in order to issue the certificate using the default issuer. API type: Group pki.security.gdc.goog, Kind CertificateIssuer. |
| commonName | string | Requested common name X.509 certificate subject attribute. It should have a length of 64 characters or fewer. For backward compatibility, the behaviour is as follows: if nil, the current behaviour is kept and commonName is set to the first DNSName if its length is 64 characters or fewer; if it is the empty string, commonName is not set; if it is set, it must be part of the SANs. |
| dnsNames | string array | DNSNames is a list of fully-qualified host names to be set on the Certificate. |
| ipAddresses | string array | IPAddresses is a list of IPAddress subjectAltNames to be set on the Certificate. |
| duration | Duration | The requested 'duration' (i.e. lifetime) of the Certificate. |
| renewBefore | Duration | RenewBefore is how long before the certificate expires that rotation takes place. |
| secretConfig | SecretConfig | Configuration of the Certificate secret. |
| byoCertificate | BYOCertificate | Contains the externally signed certificate. |
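The commonName rule in the CertificateSpec table above has three branches (nil, empty string, explicitly set) plus the 64-character limit and the requirement that an explicit value be one of the SANs. The following is an added illustration, not code from the pki.security.gdc.goog project; the dataclass, the function name and the treatment of an over-long or non-SAN value as a hard error are assumptions made here.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed example of the CertificateSpec.commonName resolution rule;
# the class and function names below are assumptions, not the project's API.
MAX_COMMON_NAME_LEN = 64  # the limit stated in the commonName description


@dataclass
class CertificateSpec:
    common_name: Optional[str] = None            # None models an unset field
    dns_names: List[str] = field(default_factory=list)
    ip_addresses: List[str] = field(default_factory=list)


def resolve_common_name(spec: CertificateSpec) -> Optional[str]:
    """Return the subject commonName to place in the request, or None.

    Branches, in the order the page describes them:
      * nil  -> use the first dnsName, but only if it is 64 chars or fewer
      * ""   -> do not set a commonName at all
      * set  -> must be 64 chars or fewer and must appear among the SANs
    Violations of the last branch are rejected here (assumed behaviour).
    """
    sans = set(spec.dns_names) | set(spec.ip_addresses)
    if spec.common_name is None:
        if spec.dns_names and len(spec.dns_names[0]) <= MAX_COMMON_NAME_LEN:
            return spec.dns_names[0]
        return None
    if spec.common_name == "":
        return None
    if len(spec.common_name) > MAX_COMMON_NAME_LEN:
        raise ValueError("commonName must be 64 characters or fewer")
    if spec.common_name not in sans:
        raise ValueError(f"commonName {spec.common_name!r} is not among the SANs")
    return spec.common_name


if __name__ == "__main__":
    # Constructed sample input: a certificate with one DNS SAN and no commonName.
    print(resolve_common_name(CertificateSpec(dns_names=["api.example.internal"])))
```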
CertificateStatus
Appears in: Certificate
| Field | Type | Description |
|---|---|---|
| conditions | Condition array | List of status conditions to indicate the status of the certificate. Ready: the certificate is ready to use. |
| issuedBy | IssuerReference | A reference to the CertificateIssuer that is used for the issuance of the certificate. API type: Group pki.security.gdc.goog, Kind CertificateIssuer. |
| byoCertStatus | BYOCertStatus | BYOCertStatus specifies status options for BYO-certificate mode. |
| errorStatus | ErrorStatus | ErrorStatus contains a list of current errors and the timestamp at which this field was last updated. |
ExtendedKeyUsageBits
Underlying type: string
ExtendedKeyUsageBits defines the different allowed extended key usages according to RFC 5280 4.2.1.12.
Many extended key usages have been defined by follow-up RFCs, and can be implemented as a later feature
if issuance of such certificates is needed, for cases such as certificates used for personal
authentication, code signing or IPSec.
Appears in: CertificateProfile
ExternalCAConfig
Appears in: CACertificateConfig
| Field | Type | Description |
|---|---|---|
| signedCertificate | SignedCertificateConfig | Stores a signed certificate signed by the external root CA. |
ExternalCAStatus
Appears in: CertificateAuthorityStatus
| Field | Type | Description |
|---|---|---|
| csr | integer array | A certificate signing request waiting to be signed by an external CA. |
IssuerReference
IssuerReference represents an Issuer Reference. It has information to retrieve an issuer in any namespace.
Appears in: CertificateSpec, CertificateStatus
| Field | Type | Description |
|---|---|---|
| name | string | Name is unique within a namespace to reference an issuer resource. |
| namespace | string | Namespace defines the space within which the issuer name must be unique. |
KeyUsageBits
Underlying type: string
KeyUsageBits defines the different allowed key usages according to RFC 5280 4.2.1.3. Note that
many of the key usages below are used for certificates outside the context of TLS, and the
implementation of setting non-TLS bits can be implemented as a later feature.
Appears in: CertificateProfile
ManagedSubCAConfig
ManagedSubCAConfig defines the configuration for a SubCA CA certificate.
Appears in: CACertificateConfig
| Field | Type | Description |
|---|---|---|
| certificateAuthorityRef | CAReference | A reference to a CertificateAuthority which will sign the SubCA certificate. API type: Group pki.security.gdc.goog, Kind CertificateAuthority. |
PrivateKeyAlgorithm
Underlying type: string
Appears in: CertificatePrivateKey, PrivateKeyConfig
PrivateKeyConfig
PrivateKeyConfig defines the configuration of the certificate private key.
Appears in: SecretConfig
| Field | Type | Description |
|---|---|---|
| algorithm | PrivateKeyAlgorithm | Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are `RSA`, `Ed25519` or `ECDSA`. If `algorithm` is specified and `size` is not provided, a key size of 384 will be used for the `ECDSA` key algorithm and a key size of 3072 will be used for the `RSA` key algorithm. Key size is ignored when using the `Ed25519` key algorithm. |
| size | integer | Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `3072`, `4096` or `8192`, and it defaults to `3072` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and it defaults to `384` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. |
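The algorithm and size rules are stated identically for CertificatePrivateKey and PrivateKeyConfig, so one added example serves both tables: it applies the defaults (3072 for RSA, 384 for ECDSA), ignores size for Ed25519 and rejects any other algorithm or size. This is an illustration written here, not the project's validation code; the page does not say what happens when `algorithm` is omitted, so the example treats that as an error (an assumption).

```python
from typing import Dict, Optional, Tuple

# Constructed example of the privateKeyConfig algorithm/size rules; the
# function names are assumptions, not the pki.security.gdc.goog API.
ALLOWED_SIZES = {
    "RSA": {2048, 3072, 4096, 8192},   # valid RSA sizes listed on the page
    "ECDSA": {256, 384, 521},          # valid ECDSA curve sizes listed on the page
}
DEFAULT_SIZES = {"RSA": 3072, "ECDSA": 384}  # used when size is not provided


def resolve_private_key(algorithm: Optional[str],
                        size: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Return the effective (algorithm, size) pair or raise ValueError.

    Ed25519 has a fixed key size, so any size is ignored and None is returned
    for it. A missing algorithm is rejected (assumed, not stated on the page).
    """
    if algorithm == "Ed25519":
        return algorithm, None
    if algorithm not in ALLOWED_SIZES:
        raise ValueError(
            f"unsupported algorithm {algorithm!r}; allowed: RSA, Ed25519, ECDSA")
    if size is None:
        return algorithm, DEFAULT_SIZES[algorithm]
    if size not in ALLOWED_SIZES[algorithm]:
        raise ValueError(
            f"size {size} is not valid for {algorithm}; "
            f"allowed: {sorted(ALLOWED_SIZES[algorithm])}")
    return algorithm, size


def normalise_private_key_config(cfg: Dict[str, object]) -> Dict[str, object]:
    """Normalise a privateKeyConfig mapping as it would appear in a manifest.

    Defaults are filled in and the size key is dropped for Ed25519, which
    makes two manifests that mean the same key comparable field by field.
    """
    alg, size = resolve_private_key(cfg.get("algorithm"), cfg.get("size"))
    out: Dict[str, object] = {"algorithm": alg}
    if size is not None:
        out["size"] = size
    return out


if __name__ == "__main__":
    # Constructed sample manifest fragment: algorithm given, size omitted.
    print(normalise_private_key_config({"algorithm": "ECDSA"}))
```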
SecretConfig
SecretConfig defines the configuration for the certificate secret.
Appears in: CertificateAuthoritySpec, CertificateSpec
| Field | Type | Description |
|---|---|---|
| secretName | string | The name of the Secret that will hold the private key and signed certificate. |
| secretTemplate | SecretTemplate | Defines annotations and labels to be copied to the Secret. |
| privateKeyConfig | PrivateKeyConfig | Options for the certificate private key. |
SecretTemplate
SecretTemplate defines the default labels and annotations to be copied
to the Kubernetes Secret resource named in SecretConfig.SecretName.
Appears in: SecretConfig
| Field | Type | Description |
|---|---|---|
| annotations | object (keys: string, values: string) | Annotations is a key-value map to be copied to the target Kubernetes Secret. |
| labels | object (keys: string, values: string) | Labels is a key-value map to be copied to the target Kubernetes Secret. |
SelfSignedCAConfig
SelfSignedCAConfig defines the configuration for a Root CA certificate.
Appears in: CACertificateConfig
SignedCertStatus
Appears in: BYOCertStatus
| Field | Type | Description |
|---|---|---|
| conditions | Condition array | List of status conditions to indicate the status of the BYO certificate. Rejected: the certificate does not match the CSR. Ready: the certificate is ready to use. |
SignedCertificateConfig
Appears in: ExternalCAConfig
| Field | Type | Description |
|---|---|---|
| certificate | integer array | The PEM-encoded X.509 certificate uploaded by the customer. |
| ca | integer array | The PEM-encoded X.509 certificate of the signer CA used to sign the certificate. |
SubjectConfig
Appears in: CertificateConfig
| Field | Type | Description |
|---|---|---|
| commonName | string | The common name of the Certificate. |
| organization | string | The organization of the Certificate. |
| locality | string | The locality of the Certificate. |
| state | string | The state of the Certificate. |
| country | string | The country of the Certificate. |
| dnsNames | string array | DNSNames is a list of dNSName subjectAltNames to be set on the Certificate. |
| ipAddresses | string array | IPAddresses is a list of iPAddress subjectAltNames to be set on the Certificate. |
| rfc822Names | string array | RFC822Names is a list of rfc822Name subjectAltNames to be set on the Certificate. |
| uris | string array | URIs is a list of uniformResourceIdentifier subjectAltNames to be set on the Certificate. |