# Fetch GDC trust bundles

Last updated: 2025-09-04 (UTC).

A trust bundle, also known as a trust list, is a group of trust anchors: entities that are inherently trusted and whose trust is not derived from another entity (a trusted third party). These trust anchors are delivered as certificate authority (CA) certificates. The certification path-building algorithm uses these CA certificates to establish a chain between the certificate being validated and a trust anchor.

Google Distributed Cloud (GDC) air-gapped has dedicated trust bundles. This guide outlines the steps organizational administrators follow to fetch a trust bundle.

Trust bundle types
------------------

Distributed Cloud provides two types of managed trust bundles for platform administrators:

- `trust-store-root-ext`: contains the internal root CA and the web-tls CA. Its content differs depending on where it resides, such as in the root organization or in a tenant organization. Use this trust bundle to communicate across organization boundaries or to access services such as object storage within the organization.

- `trust-store-global-root-ext`: available in the `platform` namespace of the global API server and of the zonal API server. When the global API server is ready, the bundle populates all other zonal `trust-store-root-ext` data, including local data.

Fetch the trust bundle
----------------------

You can fetch trust bundles from the well-known server endpoint, or from the cluster using `kubectl`.

### Fetch from the well-known server

GDC provides a secure way to access trust bundles through a well-known server endpoint. Use this method when you need to fetch the `trust-store-global-root-ext` bundle without directly interacting with the cluster using `kubectl`.

> **Caution:** When fetching trust bundles from the well-known server, it's crucial to protect against person-in-the-middle (PITM) attacks. Make sure that you're connecting to a secure and controlled environment.

1. Export the following environment variables:

   ```bash
   export STORAGE=STORAGE
   export ORG_NAME=ORG_NAME
   ```

   Replace the following:
   - `STORAGE`: the directory path where you want to store the trust bundle file.
   - `ORG_NAME`: the name of your organization within GDC.

2. Set the `WELL_KNOWN_URL` environment variable:

   ```bash
   export WELL_KNOWN_URL=https://console.${ORG_NAME:?}.google.gdch.test/.well-known/certificate-authority
   ```

3. Set the `GLOBAL_TRUST_BUNDLE_FILE` environment variable. This file stores the GDC trust bundle locally in your specified `$STORAGE` location.

   ```bash
   export GLOBAL_TRUST_BUNDLE_FILE="$STORAGE/global/ca-bundles/global-trust-bundle"
   ```

4. Obtain the `trust-store-global-root-ext` trust bundle from the well-known server and store it in the file whose path you set in the previous step:

   **Linux**

   ```bash
   echo -n | curl ${WELL_KNOWN_URL:?} > ${GLOBAL_TRUST_BUNDLE_FILE:?}
   ```

   **Windows**

   ```powershell
   Invoke-WebRequest -Uri "https://console.${ORG_NAME}.google.gdch.test/.well-known/certificate-authority" -OutFile ".\global-trust-bundle.crt"
   ```

   The fetched trust bundle file contains one or more CA certificates. The output is similar to the following:

   ```
   -----BEGIN CERTIFICATE-----
   MIIC8TCCAdmgAwIBAgIRAODQ/dOB39RBs8ZpN0RujIswDQYJKoZIhvcNAQELBQAw
   EjEQMA4GA1UEAxMHcm9vdC1jYTAeFw0yNTAxMDYwNzM3MzVaFw00ODEyMzEwNzM3
   MzVaMBIxEDAOBgNVBAMTB3Jvb3QtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
   ggEKAoIBAQC41U4+3M1EAHggUBw5ki97533zTvwHukmZyORwbQ3tlQ4GQDscoCEh
   nn+KCaG767VCaGDcQhq99hl6qa/nBoc1X6WQ3a/uhv5E2ztRD40PB5NFNdSulxTH
   gsitukSmv+DAx15UJnVkJtPP/FzxEWPu0piIiFZakTxT83VUSs54QRmTahxP80FI
   R0xZ0ohsu9jzA2CAyxTccJU0/xE2kDwN8c8kiYYuG+czMdNVdnT4Jm2ToSkzIDux
   Yi9MzNmarVGG/rtW5SlqnUMYzSsxtUYSmMRlCsFDVxkSzfmICmTRw2zmNkFA/3nz
   XneVSIsUHOA2NzvMN4eoLTVRgSFcHlZRAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIB
   hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTEeB0EQwhc5p++GhwNymsBfN93
   WjANBgkqhkiG9w0BAQsFAAOCAQEAKBqn4AXjUWmhIUOrWQ5cetsmI76Wl+RBeSzU
   HxbqMBH8Dk1oJbGHtmQbu7EmWz1pKYge650s9N83hMgjFZD24t9GiQZ7YY+i+317
   D6HzJ8VIKPnxVtnUIQzCpkRTQoglDlb1f/7+fi2SYJoHdhnRI/3OaVQTnObjbW5T
   mBhsMxFKc0zGa3HIEm9SUH608V60xUPanl23YZ6X7W8nWAJfnzKvH+3q3Fz58u/S
   VR5t/FkbOktVtnU8AfcMKLof6KG2KhE2L7FAC+fp0ZsjV9vE2uqlZ+8mIQHyc3tM
   cbWxOx+SO/XUCenY9C1yrublln9aOEn4/s3aSURPguiSZOfDyQ==
   -----END CERTIFICATE-----
   ```

### Fetch from the cluster using kubectl

You can fetch trust bundles directly from the GDC cluster using the `kubectl` command-line tool. Use this method if you have direct access to the cluster and its configuration, and you need to fetch either the `trust-store-root-ext` or the `trust-store-global-root-ext` trust bundle.

You must obtain the following before you can complete the steps in this section:

- **Required permissions**: Ask your Organization IAM Admin to grant you the Trust Store Viewer (`trust-store-viewer`) role.
- **Kubeconfig file**: Sign in and [generate the kubeconfig file for the Management API server](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/iam/sign-in#zonal-resources-kubeconfig) if you don't already have one. You need the path to the kubeconfig file to replace `MANAGEMENT_API_SERVER_KUBECONFIG` in the following steps.

Fetch the trust bundle from the cluster using `kubectl`:

1. Export the following environment variables:

   ```bash
   export KUBECONFIG=MANAGEMENT_API_SERVER_KUBECONFIG
   export STORAGE=STORAGE
   export ZONE=ZONE
   ```

   Replace the following:
   - `MANAGEMENT_API_SERVER_KUBECONFIG`: the path to the Management API server kubeconfig.
   - `STORAGE`: the directory path where you want to store the trust bundle file.
   - `ZONE`: your GDC zone name.

2. Set the `TRUST_BUNDLE_FILE` and `GLOBAL_TRUST_BUNDLE_FILE` environment variables. These files store the GDC trust bundles locally in your specified `$STORAGE` location, with the zonal bundle stored under your GDC `$ZONE`:

   ```bash
   export TRUST_BUNDLE_FILE="$STORAGE/$ZONE/ca-bundles/trust-bundle"
   export GLOBAL_TRUST_BUNDLE_FILE="$STORAGE/global/ca-bundles/global-trust-bundle"
   ```

3. Set the `NS` environment variable to the `platform` namespace:

   ```bash
   export NS=platform
   ```

4. Obtain the CA certificates and store them in the file whose path you set in step 2:

   For `trust-store-root-ext`:

   ```bash
   kubectl --kubeconfig ${KUBECONFIG} get secret trust-store-root-ext -n ${NS} -o go-template='{{ index .data "ca.crt" }}' | base64 -d | sed '$a\' > ${TRUST_BUNDLE_FILE}
   ```

   For `trust-store-global-root-ext`:

   ```bash
   kubectl --kubeconfig ${KUBECONFIG} get secret trust-store-global-root-ext -n ${NS} -o go-template='{{ index .data "ca.crt" }}' | base64 -d | sed '$a\' > ${GLOBAL_TRUST_BUNDLE_FILE}
   ```

   The fetched trust bundle file contains one or more CA certificates, in the same PEM format as the example output shown in the previous section.
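The caution about PITM on the well-known endpoint, and the fact that `curl` without `--fail` writes an HTML error page into `$GLOBAL_TRUST_BUNDLE_FILE` when the URL is wrong, both argue for checking a fetched file before trusting it. The script below is an added example, not code from the GDC documentation: it checks that every PEM block decodes to one complete DER SEQUENCE (the outer framing of an X.509 certificate), fingerprints each certificate, and compares the copy fetched from the well-known server with the copy fetched via `kubectl` (both read as text by the caller); it uses only the standard library, so it validates framing and fingerprints rather than fully parsing X.509, and its sample inputs are constructed.

```python
import base64
import hashlib
import re

# One PEM block; `\s*` absorbs the trailing newline that `sed '$a\'` guarantees.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if `der` is exactly one complete DER SEQUENCE (tag 0x30)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length byte
        header, body_len = 2, der[1]
    else:                                  # long form: 0x8N then N length bytes
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, body_len = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body_len == len(der)

def parse_bundle(text: str) -> list:
    """Return SHA-256 fingerprints (hex) of every certificate in a PEM bundle.
    Raises ValueError if there are no blocks (e.g. curl stored an error page) or a block is bad."""
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no BEGIN/END CERTIFICATE blocks found")
    fingerprints = []
    for i, b64 in enumerate(blocks, 1):
        der = base64.b64decode("".join(b64.split()), validate=True)  # ValueError on junk
        if not der_length_ok(der):
            raise ValueError(f"certificate {i}: not one complete DER SEQUENCE")
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints

def is_valid_bundle(text: str) -> bool:
    """Go/no-go wrapper around parse_bundle for scripts and health checks."""
    try:
        return bool(parse_bundle(text))
    except ValueError:
        return False

def bundles_match(well_known_text: str, kubectl_text: str) -> bool:
    """True if the well-known copy and the kubectl copy hold the same certificates."""
    return set(parse_bundle(well_known_text)) == set(parse_bundle(kubectl_text))

# Constructed sample inputs: a 5-byte DER SEQUENCE (not a real certificate) in
# PEM framing, and the kind of file curl leaves behind when the URL is wrong.
SAMPLE_BUNDLE = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
ERROR_PAGE = "<html><body>404 Not Found</body></html>\n"
```

A mismatch between the two copies, or a file that fails `is_valid_bundle`, means the well-known fetch should not be installed as a trust anchor until the difference is explained.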