Stay organized with collections
Save and categorize content based on your preferences.
The PKI Security API uses Kubernetes custom resources and relies on the
Kubernetes Resource Model (KRM). It is used to manage and configure web
certificates to secure web endpoints in your Google Distributed Cloud (GDC) air-gapped
environment.
Service endpoint and discovery document
The API endpoint for the PKI Security API is https://GDC_API_SERVER_ENDPOINT/apis/pki.security.gdc.goog/v1
where MANAGEMENT_API_SERVER_ENDPOINT is the endpoint of the
Management API server.
Using the kubectl proxy command, you can access the API endpoint URLs in your
browser or with a tool such as curl to get the discovery document for the
PKI Security API. The kubectl proxy command opens up a proxy to the
Kubernetes API server on your local machine. After that command is running, you
can access the document at the following URL:
http://127.0.0.1:8001/apis/pki.security.gdc.goog/v1.
Example PKI BYO certificate issuer
The following is an example of a PKI Security bring-your-own (BYO) certificate issuer:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThe PKI Security API utilizes Kubernetes custom resources and the Kubernetes Resource Model (KRM) for managing web certificates.\u003c/p\u003e\n"],["\u003cp\u003eThis API is designed to configure and manage web certificates in Google Distributed Cloud (GDC) air-gapped environments.\u003c/p\u003e\n"],["\u003cp\u003eThe API endpoint is located at \u003ccode\u003ehttps://\u003c/code\u003e\u003cvar translate=no\u003eGDC_API_SERVER_ENDPOINT\u003c/var\u003e\u003ccode\u003e/apis/pki.security.gdc.goog/v1\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eYou can use the \u003ccode\u003ekubectl proxy\u003c/code\u003e command to access the API endpoint URLs and obtain the discovery document.\u003c/p\u003e\n"],["\u003cp\u003eThe provided example demonstrates a PKI Security bring-your-own (BYO) certificate issuer configuration, including a fallback certificate authority.\u003c/p\u003e\n"]]],[],null,["# PKI Security API overview\n\nThe PKI Security API uses Kubernetes custom resources and relies on the\nKubernetes Resource Model (KRM). It is used to manage and configure web\ncertificates to secure web endpoints in your Google Distributed Cloud (GDC) air-gapped\nenvironment.\n\nService endpoint and discovery document\n---------------------------------------\n\nThe API endpoint for the PKI Security API is `https://`\u003cvar translate=\"no\"\u003eGDC_API_SERVER_ENDPOINT\u003c/var\u003e`/apis/pki.security.gdc.goog/v1`\nwhere \u003cvar translate=\"no\"\u003eMANAGEMENT_API_SERVER_ENDPOINT\u003c/var\u003e is the endpoint of the\nManagement API server.\n\nUsing the `kubectl proxy` command, you can access the API endpoint URLs in your\nbrowser or with a tool such as `curl` to get the discovery document for the\nPKI Security API. The `kubectl proxy` command opens up a proxy to the\nKubernetes API server on your local machine. After that command is running, you\ncan access the document at the following URL:\n`http://127.0.0.1:8001/apis/pki.security.gdc.goog/v1`.\n\nExample PKI BYO certificate issuer\n----------------------------------\n\nThe following is an example of a PKI Security bring-your-own (BYO) certificate issuer: \n\n apiVersion: pki.security.gdc.goog/v1\n kind: CertificateIssuer\n metadata:\n name: byo-cert-issuer\n namespace: pki-system\n labels:\n pki.security.gdc.goog/is-default-issuer: \"true\"\n spec:\n byoCertConfig:\n fallbackCertificateAuthority:\n name: default-web-tls-ca\n namespace: pki-system"]]
