Mantenha tudo organizado com as coleções
Salve e categorize o conteúdo com base nas suas preferências.
Um pacote de confiança, também conhecido como lista de confiança, é um grupo de âncoras de confiança, como entidades, que são inerentemente confiáveis e cuja confiança não é transferida por outra entidade (terceiros confiáveis). Essas âncoras de confiança são fornecidas como certificados de autoridade de certificação (CA). O algoritmo de criação de caminhos de certificação usa esses certificados de CA para estabelecer uma cadeia entre um certificado que recebe validação e as âncoras de confiança.
O Google Distributed Cloud (GDC) com isolamento físico tem pacotes de confiança dedicados. Este guia descreve as etapas para buscar o pacote de confiança dos administradores organizacionais.
Tipos de pacote de confiança
O Distributed Cloud oferece dois tipos de pacotes de confiança gerenciados para administradores
de plataforma:
trust-store-root-ext: contém a CA raiz interna e a CA web-tls. O conteúdo é diferente dependendo de onde ele reside, como a raiz ou a organização do locatário. Use esse pacote de confiança para se comunicar entre limites da organização ou acessar serviços como armazenamento de objetos dentro dela.
trust-store-global-root-ext: disponível no servidor de API global e no namespace platform do servidor de API zonal. Quando o servidor de API global estiver pronto, o
pacote vai preencher todos os outros dados zonais trust-store-root-ext, incluindo dados
locais.
Buscar o pacote de confiança
É possível buscar pacotes de confiança do endpoint de servidor conhecido ou do
cluster usando kubectl.
Buscar do servidor conhecido
O GDC oferece uma maneira segura de acessar pacotes de confiança
por um endpoint de servidor conhecido. Use esse método quando precisar buscar
o pacote trust-store-global-root-ext sem interagir diretamente com o
cluster usando kubectl.
Exporte as seguintes variáveis de ambiente:
exportSTORAGE=STORAGEexportORG_NAME=ORG_NAME
Substitua:
STORAGE: o caminho do diretório em que você quer
armazenar o arquivo do pacote de confiança.
É possível buscar pacotes de confiança diretamente do cluster do GDC usando a ferramenta de linha de comando kubectl. Use esse método se tiver
acesso direto ao cluster e à configuração dele e precisar buscar os pacotes de confiança
trust-store-root-ext ou trust-store-global-root-ext.
Antes de concluir as etapas desta seção, você precisa ter o seguinte:
Permissões necessárias: peça ao administrador do IAM da organização para conceder a você o papel de Leitor da loja de confiança (trust-store-viewer).
Arquivo kubeconfig: faça login e
gere o arquivo kubeconfig para o servidor da API Management
se você ainda não tiver um. Você precisa do caminho para o arquivo kubeconfig para
substituir MANAGEMENT_API_SERVER_KUBECONFIG nas
etapas a seguir.
Extraia o pacote de confiança do cluster usando kubectl:
MANAGEMENT_API_SERVER_KUBECONFIG: o caminho até o arquivo kubeconfig do servidor da API Management.
STORAGE: o caminho do diretório em que você quer
armazenar o arquivo do pacote de confiança.
ZONE: o nome da sua zona do GDC.
Defina a variável de ambiente TRUST_BUNDLE_FILE. Esse arquivo armazena o pacote de confiança do GDC localmente no local $STORAGE especificado para seu $ZONE do GDC:
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-09-04 UTC."],[[["\u003cp\u003eTrust bundles in Google Distributed Cloud (GDC) air-gapped environments are groups of trusted entities, such as certificate authorities (CAs), used to establish secure communication and are delivered as CA certificates.\u003c/p\u003e\n"],["\u003cp\u003eGDC provides two types of managed trust bundles: \u003ccode\u003etrust-store-root-ext\u003c/code\u003e for internal communication within or between organizations, and \u003ccode\u003etrust-store-global-root-ext\u003c/code\u003e for global API server access, which then populates \u003ccode\u003etrust-store-root-ext\u003c/code\u003e data.\u003c/p\u003e\n"],["\u003cp\u003eTo fetch these trust bundles, users need the Trust Store Viewer role and must have the kubeconfig file for the Management API server.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves exporting environment variables, setting a trust bundle file location, and using \u003ccode\u003ekubectl\u003c/code\u003e commands to retrieve the CA certificates and store them in the designated file.\u003c/p\u003e\n"],["\u003cp\u003eThe fetched trust bundle file will store one or more CA certificates in a format that begin and end with the "BEGIN CERTIFICATE" and "END CERTIFICATE" header and footer, respectively.\u003c/p\u003e\n"]]],[],null,["# Fetch GDC trust bundles\n\nA trust bundle, also known as a trust list, is a group of trust anchors, such\nas entities, that are inherently trusted and whose trust is not transferred by\nanother entity (trusted third parties). These trust anchors are delivered as\ncertificate authority (CA) certificates. The certification path-building\nalgorithm uses these CA certificates to establish a chain between a certificate\nobtaining validation and the trust anchors.\n\nGoogle Distributed Cloud (GDC) air-gapped has dedicated trust bundles. This guide outlines\nthe steps to fetch the trust bundle for organizational administrators.\n\nTrust bundle types\n------------------\n\nDistributed Cloud provides two types of managed trust bundles for platform\nadministrators:\n\n- `trust-store-root-ext`: contains the internal root CA and web-tls CA. The\n content is different depending on where it resides, such as the root or\n the tenant organization. Use this trust bundle to communicate across\n organization boundaries or to access services like object storage within the\n organization.\n\n- `trust-store-global-root-ext`: available in the global API server and zonal\n API server `platform` namespace. When the global API server is ready, the\n bundle populates all other zonal `trust-store-root-ext` data, including local\n data.\n\nFetch the trust bundle\n----------------------\n\nYou can fetch trust bundles from the well-known server endpoint, or from the\ncluster using `kubectl`.\n\n### Fetch from the well-known server\n\nGDC provides a secure way to access trust bundles\nthrough a well-known server endpoint. Use this method when you need to fetch\nthe `trust-store-global-root-ext` bundle without directly interacting with the\ncluster using `kubectl`.\n| **Caution:** When fetching trust bundles from the well-known server, it's crucial to protect against person-in-the-middle (PITM) attacks. Make sure that you're connecting to a secure and controlled environment.\n\n1. Export the following environment variables:\n\n export STORAGE=\u003cvar translate=\"no\"\u003eSTORAGE\u003c/var\u003e\n export ORG_NAME=\u003cvar translate=\"no\"\u003eORG_NAME\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eSTORAGE\u003c/var\u003e: the directory path where you want to store the trust bundle file.\n - \u003cvar translate=\"no\"\u003eORG_NAME\u003c/var\u003e: the name of your organization within GDC.\n2. Set the `WELL_KNOWN_URL` environment variable:\n\n export WELL_KNOWN_URL=https://console.${ORG_NAME:?}.google.gdch.test/.well-known/certificate-authority\n\n3. Set the `GLOBAL_TRUST_BUNDLE_FILE`environment variable. This file stores the\n GDC trust bundle locally in your specified `$STORAGE`\n location.\n\n export GLOBAL_TRUST_BUNDLE_FILE=\"$STORAGE/global/ca-bundles/global-trust-bundle\"\n\n4. Obtain the `trust-store-global-root-ext` trust bundle from the well-known\n server and store it in the file created in the previous step:\n\n ### Linux\n\n echo -n | curl ${WELL_KNOWN_URL:?} \u003e ${GLOBAL_TRUST_BUNDLE_FILE:?}\n\n ### Windows\n\n Invoke-WebRequest -Uri \"https://console.${ORG_NAME}.google.gdch.test/.well-known/certificate-authority\" -OutFile \".\\global-trust-bundle.crt\"\n\n The fetched trust bundle file contains one or more CA certificates. The\n output is similar to the following: \n\n -----BEGIN CERTIFICATE-----\n MIIC8TCCAdmgAwIBAgIRAODQ/dOB39RBs8ZpN0RujIswDQYJKoZIhvcNAQELBQAw\n EjEQMA4GA1UEAxMHcm9vdC1jYTAeFw0yNTAxMDYwNzM3MzVaFw00ODEyMzEwNzM3\n MzVaMBIxEDAOBgNVBAMTB3Jvb3QtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n ggEKAoIBAQC41U4+3M1EAHggUBw5ki97533zTvwHukmZyORwbQ3tlQ4GQDscoCEh\n nn+KCaG767VCaGDcQhq99hl6qa/nBoc1X6WQ3a/uhv5E2ztRD40PB5NFNdSulxTH\n gsitukSmv+DAx15UJnVkJtPP/FzxEWPu0piIiFZakTxT83VUSs54QRmTahxP80FI\n R0xZ0ohsu9jzA2CAyxTccJU0/xE2kDwN8c8kiYYuG+czMdNVdnT4Jm2ToSkzIDux\n Yi9MzNmarVGG/rtW5SlqnUMYzSsxtUYSmMRlCsFDVxkSzfmICmTRw2zmNkFA/3nz\n XneVSIsUHOA2NzvMN4eoLTVRgSFcHlZRAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIB\n hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTEeB0EQwhc5p++GhwNymsBfN93\n WjANBgkqhkiG9w0BAQsFAAOCAQEAKBqn4AXjUWmhIUOrWQ5cetsmI76Wl+RBeSzU\n HxbqMBH8Dk1oJbGHtmQbu7EmWz1pKYge650s9N83hMgjFZD24t9GiQZ7YY+i+317\n D6HzJ8VIKPnxVtnUIQzCpkRTQoglDlb1f/7+fi2SYJoHdhnRI/3OaVQTnObjbW5T\n mBhsMxFKc0zGa3HIEm9SUH608V60xUPanl23YZ6X7W8nWAJfnzKvH+3q3Fz58u/S\n VR5t/FkbOktVtnU8AfcMKLof6KG2KhE2L7FAC+fp0ZsjV9vE2uqlZ+8mIQHyc3tM\n cbWxOx+SO/XUCenY9C1yrublln9aOEn4/s3aSURPguiSZOfDyQ==\n -----END CERTIFICATE-----\n\n### Fetch from the cluster using kubectl\n\nYou can fetch trust bundles directly from the GDC\ncluster using the `kubectl` command-line tool. Use this method if you have\ndirect access to the cluster and its configuration, and you need to fetch either\nthe `trust-store-root-ext` or the `trust-store-global-root-ext` trust bundles.\n\nYou must obtain the following before you can complete the steps in this section:\n\n- **Required permissions** : Ask your Organization IAM Admin to grant you the Trust Store Viewer (`trust-store-viewer`) role.\n- **Kubeconfig file** : Sign in and [generate the kubeconfig file for the Management API server](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#zonal-resources-kubeconfig) if you don't already have one. You need the path to the kubeconfig file to replace \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_KUBECONFIG\u003c/var\u003e in the following steps.\n\nFetch the trust bundle from the cluster using `kubectl`:\n\n1. Export the following environment variables:\n\n export KUBECONFIG=\u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_KUBECONFIG\u003c/var\u003e\n export STORAGE=\u003cvar translate=\"no\"\u003eSTORAGE\u003c/var\u003e\n export ZONE=\u003cvar translate=\"no\"\u003eZONE\u003c/var\u003e\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_KUBECONFIG\u003c/var\u003e: the path to the Management API server kubeconfig.\n - \u003cvar translate=\"no\"\u003eSTORAGE\u003c/var\u003e: the directory path where you want to store the trust bundle file.\n - \u003cvar translate=\"no\"\u003eZONE\u003c/var\u003e: your GDC zone name.\n2. Set the `TRUST_BUNDLE_FILE` environment variable. This file stores\n the GDC trust bundle locally in your specified `$STORAGE`\n location for your GDC `$ZONE`:\n\n export TRUST_BUNDLE_FILE=\"$STORAGE/$ZONE/ca-bundles/trust-bundle\"\n export GLOBAL_TRUST_BUNDLE_FILE=\"$STORAGE/global/ca-bundles/global-trust-bundle\"\n\n3. Set the `NS` namespace environment variable for the namespace:\n\n export NS=platform\n\n4. Obtain the certificate authorities (CA) and store them in the file created in\n step 2:\n\n For `trust-store-root-ext`: \n\n kubectl --kubeconfig ${KUBECONFIG} get secret trust-store-root-ext -n ${NS} -o go-template='{{ index .data \"ca.crt\" }}' | base64 -d | sed '$a\\' \u003e ${TRUST_BUNDLE_FILE}\n\n For `trust-store-global-root-ext`: \n\n kubectl --kubeconfig ${KUBECONFIG} get secret trust-store-global-root-ext -n ${NS} -o go-template='{{ index .data \"ca.crt\" }}' | base64 -d | sed '$a\\' \u003e ${GLOBAL_TRUST_BUNDLE_FILE}\n\n The fetched trust bundle file contains one or more CA certificates. The\n output is similar to the following: \n\n -----BEGIN CERTIFICATE-----\n MIIC8TCCAdmgAwIBAgIRAODQ/dOB39RBs8ZpN0RujIswDQYJKoZIhvcNAQELBQAw\n EjEQMA4GA1UEAxMHcm9vdC1jYTAeFw0yNTAxMDYwNzM3MzVaFw00ODEyMzEwNzM3\n MzVaMBIxEDAOBgNVBAMTB3Jvb3QtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n ggEKAoIBAQC41U4+3M1EAHggUBw5ki97533zTvwHukmZyORwbQ3tlQ4GQDscoCEh\n nn+KCaG767VCaGDcQhq99hl6qa/nBoc1X6WQ3a/uhv5E2ztRD40PB5NFNdSulxTH\n gsitukSmv+DAx15UJnVkJtPP/FzxEWPu0piIiFZakTxT83VUSs54QRmTahxP80FI\n R0xZ0ohsu9jzA2CAyxTccJU0/xE2kDwN8c8kiYYuG+czMdNVdnT4Jm2ToSkzIDux\n Yi9MzNmarVGG/rtW5SlqnUMYzSsxtUYSmMRlCsFDVxkSzfmICmTRw2zmNkFA/3nz\n XneVSIsUHOA2NzvMN4eoLTVRgSFcHlZRAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIB\n hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTEeB0EQwhc5p++GhwNymsBfN93\n WjANBgkqhkiG9w0BAQsFAAOCAQEAKBqn4AXjUWmhIUOrWQ5cetsmI76Wl+RBeSzU\n HxbqMBH8Dk1oJbGHtmQbu7EmWz1pKYge650s9N83hMgjFZD24t9GiQZ7YY+i+317\n D6HzJ8VIKPnxVtnUIQzCpkRTQoglDlb1f/7+fi2SYJoHdhnRI/3OaVQTnObjbW5T\n mBhsMxFKc0zGa3HIEm9SUH608V60xUPanl23YZ6X7W8nWAJfnzKvH+3q3Fz58u/S\n VR5t/FkbOktVtnU8AfcMKLof6KG2KhE2L7FAC+fp0ZsjV9vE2uqlZ+8mIQHyc3tM\n cbWxOx+SO/XUCenY9C1yrublln9aOEn4/s3aSURPguiSZOfDyQ==\n -----END CERTIFICATE-----"]]