Fetch GDC trust bundles

A trust bundle, also known as a trust list, is a group of trust anchors, such as entities, that are inherently trusted and whose trust is not transferred by another entity (trusted third parties). These trust anchors are delivered as certificate authority (CA) certificates. The certification path-building algorithm uses these CA certificates to establish a chain between a certificate obtaining validation and the trust anchors.

Google Distributed Cloud (GDC) air-gapped has dedicated trust bundles. This guide outlines the steps to fetch the trust bundle for organizational administrators.

Trust bundle types

Distributed Cloud provides two types of managed trust bundles for platform administrators:

  • trust-store-root-ext: contains the internal root CA and web-tls CA. The content is different depending on where it resides, for example, the root or the tenant organization. Use this trust bundle to communicate across organization boundaries or to access service like object storage within the organization.

  • trust-store-global-root-ext: available in the global API server cert-manager namespace and all namespaces in the zonal API server. When The global API server is ready, the bundle populates all other zonal trust-store-root-ext data, including local data.

Before you begin

To get the permissions you need to fetch trust bundles, ask your Organization IAM Admin to grant you the Trust Store Viewer (trust-store-viewer) role in the platform namespace.

Get the kubeconfig file

To run commands using the kubeconfig file of the org admin cluster, ensure you have the following resources:

  1. Sign in and generate the kubeconfig file for the org admin cluster if you don't have one.

  2. Use the path to the kubeconfig file of the org admin cluster kubeconfig to replace ORG_ADMIN_KUBECONFIG in these instructions.

Fetch the trust bundle

  1. Export the following environment variables:

    export KUBECONFIG=ORG_ADMIN_KUBECONFIG
    export STORAGE=STORAGE
    export ZONE=ZONE
    

    Replace the following:

    • ORG_ADMIN_KUBECONFIG: the path to the kubeconfig file from the org admin cluster.
    • STORAGE: the directory path where you want to store the trust bundle file.
    • ZONE: your GDC zone name.
  2. Set the TRUST_BUNDLE_FILE environment variable. This file stores the GDC trust bundle locally in your specified $STORAGE location for your GDC $ZONE:

    export TRUST_BUNDLE_FILE="$STORAGE/$ZONE/ca-bundles/trust-bundle"
    export GLOBAL_TRUST_BUNDLE_FILE="$STORAGE/global/ca-bundles/global-trust-bundle"
    
  3. Set the NS namespace environment variable for the namespace:

    export NS=platform
    
  4. Obtain the certificate authorities (CA) and store them in the file created in step 2:

    For trust-store-root-ext:

    kubectl --kubeconfig ${KUBECONFIG} get secret trust-store-root-ext -n ${NS} -o go-template='{{ index .data "ca.crt" }}' | base64 -d | sed '$a\' > ${TRUST_BUNDLE_FILE}
    

    For trust-store-global-root-ext:

    kubectl --kubeconfig ${KUBECONFIG} get secret trust-store-global-root-ext -n ${NS} -o go-template='{{ index .data "ca.crt" }}' | base64 -d | sed '$a\' > ${GLOBAL_TRUST_BUNDLE_FILE}
    

    The fetched trust bundle file contains one or more CA certificates. The output is similar to the following:

    -----BEGIN CERTIFICATE-----
    MIIC8TCCAdmgAwIBAgIRAODQ/dOB39RBs8ZpN0RujIswDQYJKoZIhvcNAQELBQAw
    EjEQMA4GA1UEAxMHcm9vdC1jYTAeFw0yNTAxMDYwNzM3MzVaFw00ODEyMzEwNzM3
    MzVaMBIxEDAOBgNVBAMTB3Jvb3QtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
    ggEKAoIBAQC41U4+3M1EAHggUBw5ki97533zTvwHukmZyORwbQ3tlQ4GQDscoCEh
    nn+KCaG767VCaGDcQhq99hl6qa/nBoc1X6WQ3a/uhv5E2ztRD40PB5NFNdSulxTH
    gsitukSmv+DAx15UJnVkJtPP/FzxEWPu0piIiFZakTxT83VUSs54QRmTahxP80FI
    R0xZ0ohsu9jzA2CAyxTccJU0/xE2kDwN8c8kiYYuG+czMdNVdnT4Jm2ToSkzIDux
    Yi9MzNmarVGG/rtW5SlqnUMYzSsxtUYSmMRlCsFDVxkSzfmICmTRw2zmNkFA/3nz
    XneVSIsUHOA2NzvMN4eoLTVRgSFcHlZRAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIB
    hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTEeB0EQwhc5p++GhwNymsBfN93
    WjANBgkqhkiG9w0BAQsFAAOCAQEAKBqn4AXjUWmhIUOrWQ5cetsmI76Wl+RBeSzU
    HxbqMBH8Dk1oJbGHtmQbu7EmWz1pKYge650s9N83hMgjFZD24t9GiQZ7YY+i+317
    D6HzJ8VIKPnxVtnUIQzCpkRTQoglDlb1f/7+fi2SYJoHdhnRI/3OaVQTnObjbW5T
    mBhsMxFKc0zGa3HIEm9SUH608V60xUPanl23YZ6X7W8nWAJfnzKvH+3q3Fz58u/S
    VR5t/FkbOktVtnU8AfcMKLof6KG2KhE2L7FAC+fp0ZsjV9vE2uqlZ+8mIQHyc3tM
    cbWxOx+SO/XUCenY9C1yrublln9aOEn4/s3aSURPguiSZOfDyQ==
    -----END CERTIFICATE-----