KRM API pki.security.gdc.goog/v1

pki.security.gdc.goog/v1

Contains API Schema definitions for the PKI v1 API group.

ACMEIssuerConfig

Field	Description
`rootCACertificate` integer array	This contains the Root CA data of certificates issued by ACME server.
`acme` ACMEIssuer	ACME configures this issuer to communicate with a RFC 8555 (ACME) server to obtain signed certificates. ACME is an acme.cert-manager.io/v1 ACMEIssuer.

BYOCertIssuerConfig

BYOCertIssuerConfig defines an issuer based on the BYO-Cert model.

Appears in: - CertificateIssuerSpec

Field	Description
`fallbackCertificateAuthority` CAReference	FallbackCertificateAuthority is the reference to a default CAaaS operated CA. API type: - Group: pki.security.gdc.goog - Kind: CertificateAuthority

BYOCertStatus

Appears in: - CertificateStatus

Field	Description
`csrStatus` CSRStatus	Certificate Signing Request (CSR) status
`signedCertStatus` SignedCertStatus	Externally signed certificate status

BYOCertificate

Externally signed certificate

Appears in: - CertificateSpec

Field	Description
`certificate` integer array	The PEM encoded x509 certificate uploaded by the customer.
`ca` integer array	The PEM encoded x509 certificate of the signer CA used to sign the certificate.

CACertificateConfig

CACertificateConfig defines how the CA certificate is going to be provisioned. Only one of them will be set at any point in time.

Appears in: - CertificateAuthoritySpec

Field	Description
`externalCA` ExternalCAConfig	Get the certificate from an external root CA. If set, a CSR will be generated on the status and signed certificate can be upload using this field.
`selfSignedCA` SelfSignedCAConfig	Issue a self-signed certificate. (Root CA)
`managedSubCA` ManagedSubCAConfig	Issue a SubCA certificate from a GDC-managed CA. (Managed Sub CA)

CACertificateProfile

CACertificateProfile defines the profile for a CA certificate.

Appears in: - CertificateAuthoritySpec

Field	Description
`commonName` string	The common name of the CA Certificate.
`organization` string	The organization of the CA Certificate.
`locality` string	The locality of the CA Certificate.
`province` string	The province/state of the CA Certificate.
`country` string	The country of the CA Certificate.
`duration` Duration	The requested 'duration' (i.e. lifetime) of the CA Certificate.
`renewBefore` Duration	RenewBefore implies the rotation time before the CA certificate expires.
`maxPathLength` integer	The maximum path length of the CA certificate.

CAReference

CAReference represents a CertificateAuthority reference. It has information to retrieve a CA in any namespace.

Appears in: - BYOCertIssuerConfig - CAaaSIssuerConfig - ManagedSubCAConfig

Field	Description
`name` string	Name is unique within a namespace to reference a CA resource.
`namespace` string	Namespace defines the space within which the CA name must be unique.

CAaaSIssuerConfig

CAaaSIssuerConfig defines an issuer that requests certificates from a CA created using the CAaaS service.

Appears in: - CertificateIssuerSpec

Field	Description
`certificateAuthorityRef` CAReference	A reference to a CertificationAuthority which will sign the certificate. API type: - Group: pki.security.gdc.goog - Kind: CertificateAuthority

CSRStatus

Appears in: - BYOCertStatus

Field	Description
`conditions` Condition array	List of status conditions to indicate the status of a BYO Certificate CSR - WaitingforSigning: Indicates that a new CSR has been generated to be signed by the customer. - Ready: Indicates that the CSR has been signed
`csr` integer array	Stores the CSR for the customer to sign.

Certificate

A Certificate represents a managed certificate.

Appears in: - CertificateList

Field	Description
`apiVersion` string	`pki.security.gdc.goog/v1`
`kind` string	`Certificate`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` CertificateSpec
`status` CertificateStatus

CertificateAuthority

CertificateAuthority represents the individual Certificate Authority that will be used to issue the certificates.

Appears in: - CertificateAuthorityList

Field	Description
`apiVersion` string	`pki.security.gdc.goog/v1`
`kind` string	`CertificateAuthority`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` CertificateAuthoritySpec
`status` CertificateAuthorityStatus

CertificateAuthorityList

CertificateAuthorityList represents a collection of certiifcate authorities.

Field	Description
`apiVersion` string	`pki.security.gdc.goog/v1`
`kind` string	`CertificateAuthorityList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` CertificateAuthority array

CertificateAuthoritySpec

Appears in: - CertificateAuthority

Field	Description
`caProfile` CACertificateProfile	The profile of the CertificateAuthority.
`caCertificate` CACertificateConfig	The CA Certificate provisioning configuration.
`secretConfig` SecretConfig	Configuration of the CA secret
`certificateProfile` CertificateProfile	Defines the profile of the certificates that will be issued.

CertificateAuthorityStatus

Appears in: - CertificateAuthority

Field	Description
`externalCA` ExternalCAStatus	ExternalCA specifies status options for SunCA signed by External root CA.
`errorStatus` ErrorStatus	ErrorStatus contain a list of current errors and the timestamp this field gets updated.
`conditions` Condition array	List of status conditions to indicate the status of a Certification Authority. - Pending: CSR are pending to be signed by the customer. - Ready: Indicates that the certificate authority is ready to use.

CertificateIssuer

CertificateIssuer represents an issuer for Certificate as a Service. You can mark a CertificateIssuer as the default issuer by adding/setting the label pki.security.gdc.goog/is-default-issuer: true.

Appears in: - CertificateIssuerList

Field	Description
`apiVersion` string	`pki.security.gdc.goog/v1`
`kind` string	`CertificateIssuer`
`metadata` ObjectMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`spec` CertificateIssuerSpec
`status` CertificateIssuerStatus

CertificateIssuerList

CertificateIssuerList represents a collection of certiifcate issuers.

Field	Description
`apiVersion` string	`pki.security.gdc.goog/v1`
`kind` string	`CertificateIssuerList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` CertificateIssuer array

CertificateIssuerSpec

Appears in: - CertificateIssuer

Field	Description
`byoCertConfig` BYOCertIssuerConfig	BYOCertConfig configures this issuer in BYO-Cert mode.
`caaasConfig` CAaaSIssuerConfig	CAaaSConfig configures this issuer to sign certificates using CA deployed by the CertificateAuthority API.
`acmeConfig` ACMEIssuerConfig	ACMEConfig configures this issuer to sign certificates using ACME server.

CertificateIssuerStatus

Appears in: - CertificateIssuer

Field	Description
`ca` integer array	Stores the root CA used by the current certificate issuer.
`conditions` Condition array	List of status conditions to indicate the status of the CertificateIssuer. - Ready: Indicates that the CertificateIssuer is ready to use.

CertificateList

CertificateList represents a collection of certificates.

Field	Description
`apiVersion` string	`pki.security.gdc.goog/v1`
`kind` string	`CertificateList`
`metadata` ListMeta	Refer to Kubernetes API documentation for fields of `metadata`.
`items` Certificate array

CertificateProfile

CertificateProfile defines the specification of the profile of an issued certificate.

Appears in: - CertificateAuthoritySpec

Field	Description
`keyUsage` KeyUsageBits array	Allowed key usages for certificates issued under this profile.
`extendedKeyUsage` ExtendedKeyUsageBits array	Allowed extended key usages for certificates issued under this profile. This is optional for SelfSignedCA and is required for both ManagedSubCA and ExternalCA.

CertificateSpec

Appears in: - Certificate

Field	Description
`issuer` IssuerReference	A reference to the CertificateIssuer that will be used for the issuance of the certificate. If not set, a label named `pki.security.gdc.goog/use-default-issuer: true` needs to be set in order to issue the certificate using the default issuer. API type: - Group: pki.security.gdc.goog - Kind: CertificateIssuer
`dnsNames` string array	DNSNames is a list of fully-qualified host names to be set on the Certificate.
`ipAddresses` string array	IPAddresses is a list of IPAddress subjectAltNames to be set on the Certificate.
`duration` Duration	The requested 'duration' (i.e. lifetime) of the Certificate.
`renewBefore` Duration	RenewBefore implies the rotation time before the certificate expires.
`secretConfig` SecretConfig	Configuration of the Certificate secret.
`byoCertificate` BYOCertificate	Contains the externally signed certificate

CertificateStatus

Appears in: - Certificate

Field	Description
`conditions` Condition array	List of status conditions to indicate the status of the certificate. - Ready: Indicates that the certificate is ready to use.
`issuedBy` IssuerReference	A reference to the CertificateIssuer that is used for the issuance of the certificate. API type: - Group: pki.security.gdc.goog - Kind: CertificateIssuer
`byoCertStatus` BYOCertStatus	BYOCertStatus specifies status options for byo-certificates mode.
`errorStatus` ErrorStatus	ErrorStatus contain a list of current errors and the timestamp this field gets updated.

ExtendedKeyUsageBits

Underlying type: string ExtendedKeyUsageBits defines the different allowed extended key usages according to RFC 5280 4.2.1.12. Many extended key usages have been defined by follow-up RFCs, and can be implemented as a later feature if issuance of such certificates is needed, for cases such as certificates used for personal authentication, code signing or IPSec.

Appears in: - CertificateProfile

ExternalCAConfig

Appears in: - CACertificateConfig

Field	Description
`signedCertificate` SignedCertificateConfig	Stores a signed certificate signed by external root CA.

ExternalCAStatus

Appears in: - CertificateAuthorityStatus

Field	Description
`csr` integer array	A certificate signing request waiting to be signed by an external CA.

IssuerReference

IssuerReference represents an Issuer Reference. It has information to retrieve an issuer in any namespace.

Appears in: - CertificateSpec - CertificateStatus

Field	Description
`name` string	Name is unique within a namespace to reference an issuer resource.
`namespace` string	Namespace defines the space within which the issuer name must be unique.

KeyUsageBits

Underlying type: string KeyUsageBits defines the different allowed key usages according to RFC 5280 4.2.1.3. Note that many of the key usages below are used for certificates outside the context of TLS, and the implementation of setting non-TLS bits can be implemented as a later feature.

Appears in: - CertificateProfile

ManagedSubCAConfig

ManagedSubCAConfig defines the configuration for a SubCA CA certificate.

Appears in: - CACertificateConfig

Field	Description
`certificateAuthorityRef` CAReference	A reference to a CertificateAuthority which will sign the SubCA certificate. API type: - Group: pki.security.gdc.goog - Kind: CertificateAuthority

PrivateKeyAlgorithm

Underlying type: string

Appears in: - PrivateKeyConfig

PrivateKeyConfig

PrivateKeyConfig defines the configuration of the certificate private key

Appears in: - SecretConfig

Field Description

algorithm PrivateKeyAlgorithm Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either RSA,Ed25519 or ECDSA If algorithm is specified and size is not provided, key size of 256 will be used for ECDSA key algorithm and key size of 2048 will be used for RSA key algorithm. key size is ignored when using the Ed25519 key algorithm. See github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_certificate.go for more information.

size integer Size is the key bit size of the corresponding private key for this certificate. If algorithm is set to RSA, valid values are 2048, 3072, 4096 or 8192, and will default to 2048 if not specified. If algorithm is set to ECDSA, valid values are 256, 384 or 521, and will default to 256 if not specified. If algorithm is set to Ed25519, Size is ignored. No other values are allowed. See github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_certificate.go for more information.

Field	Description
`algorithm` PrivateKeyAlgorithm	Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are either `RSA`,`Ed25519` or `ECDSA` If `algorithm` is specified and `size` is not provided, key size of 256 will be used for `ECDSA` key algorithm and key size of 2048 will be used for `RSA` key algorithm. key size is ignored when using the `Ed25519` key algorithm. See github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_certificate.go for more information.
`size` integer	Size is the key bit size of the corresponding private key for this certificate. If `algorithm` is set to `RSA`, valid values are `2048`, `3072`, `4096` or `8192`, and will default to `2048` if not specified. If `algorithm` is set to `ECDSA`, valid values are `256`, `384` or `521`, and will default to `256` if not specified. If `algorithm` is set to `Ed25519`, Size is ignored. No other values are allowed. See github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_certificate.go for more information.

SecretConfig

SecretConfig defines the configuration for the certificate secret.

Appears in: - CertificateAuthoritySpec - CertificateSpec

Field	Description
`secretName` string	The name of the Secret that will hold the private key and signed certificate.
`secretTemplate` SecretTemplate	Defines annotations and labels to be copied to the Secret.
`privateKeyConfig` PrivateKeyConfig	Options for the certificate private key

SecretTemplate

SecretTemplate defines the default labels and annotations to be copied to the Kubernetes Secret resource named in SecretConfig.SecretName.

Appears in: - SecretConfig

Field	Description
`annotations` object (keys:string, values:string)	Annotations is a key value map to be copied to the target Kubernetes Secret.
`labels` object (keys:string, values:string)	Labels is a key value map to be copied to the target Kubernetes Secret.

SelfSignedCAConfig

SelfSignedCAConfig defines the configuration for a Root CA certificate.

Appears in: - CACertificateConfig

SignedCertStatus

Appears in: - BYOCertStatus

Field	Description
`conditions` Condition array	List of status conditions to indicate the status of BYO certificate. - Rejected: Indicates that the certificate does not match with the csr - Ready: Indicates that the certificate is ready to use.

SignedCertificateConfig

Appears in: - ExternalCAConfig

Field	Description
`certificate` integer array	The PEM encoded x509 certificate uploaded by the customer.
`ca` integer array	The PEM encoded x509 certificate of the signer CA used to sign the certificate.