PKI Security API overview

The PKI Security API uses Kubernetes custom resources and relies on the Kubernetes Resource Model (KRM). It is used to manage and configure web certificates to secure web endpoints in your Google Distributed Cloud (GDC) air-gapped environment.

Service endpoint and discovery document

The API endpoint for the PKI Security API is https://GDC_API_SERVER_ENDPOINT/apis/pki.security.gdc.goog/v1 where GDC_API_SERVER_ENDPOINT is the endpoint of the GDC API server.

Using the kubectl proxy command, you can access the API endpoint URLs in your browser or with a tool such as curl to get the discovery document for the PKI Security API. The kubectl proxy command opens a proxy to the Kubernetes API server on your local machine. Once that command is running, you can access the document at the following URL: http://127.0.0.1:8001/apis/pki.security.gdc.goog/v1.

Example PKI BYO certificate issuer

The following is an example of a PKI Security bring-your-own (BYO) certificate issuer:

apiVersion: pki.security.gdc.goog/v1
kind: CertificateIssuer
metadata:
  name: byo-cert-issuer
  namespace: pki-system
  labels:
    pki.security.gdc.goog/is-default-issuer: "true"
spec:
  byoCertConfig:
    fallbackCertificateAuthority:
      name: default-web-tls-ca
      namespace: pki-system
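The following Python script is an added example, not code from the GDC product or its documentation. It ties together the two steps above: reading the discovery document served through kubectl proxy and sanity-checking a CertificateIssuer manifest like the BYO example before it is applied. The discovery document embedded in the script is a constructed sample shaped like a standard Kubernetes APIResourceList; the plural resource name certificateissuers is assumed from the kind on the page, and the checks encode general Kubernetes conventions (label values are strings, an object reference carries a name and a namespace), not the product's own schema. fetch_discovery only works when kubectl proxy is running on the local machine.

```python
"""Read the PKI Security API discovery document and lint a CertificateIssuer manifest.
Added example; not part of GDC or its documentation."""
import copy
import json
import urllib.request

# URL served by `kubectl proxy` (from the page); only contacted when fetch_discovery is called.
DISCOVERY_URL = "http://127.0.0.1:8001/apis/pki.security.gdc.goog/v1"
GROUP_VERSION = "pki.security.gdc.goog/v1"
DEFAULT_ISSUER_LABEL = "pki.security.gdc.goog/is-default-issuer"

# Constructed sample: what an APIResourceList for this group version would look like.
# The plural "certificateissuers" is an assumption derived from the kind on the page.
SAMPLE_DISCOVERY = {
    "kind": "APIResourceList",
    "apiVersion": "v1",
    "groupVersion": GROUP_VERSION,
    "resources": [
        {"name": "certificateissuers", "singularName": "certificateissuer",
         "namespaced": True, "kind": "CertificateIssuer",
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    ],
}

# The BYO issuer from the page, as the dict that parsing its YAML would produce.
BYO_ISSUER = {
    "apiVersion": GROUP_VERSION,
    "kind": "CertificateIssuer",
    "metadata": {
        "name": "byo-cert-issuer",
        "namespace": "pki-system",
        "labels": {DEFAULT_ISSUER_LABEL: "true"},
    },
    "spec": {"byoCertConfig": {"fallbackCertificateAuthority": {
        "name": "default-web-tls-ca", "namespace": "pki-system"}}},
}


def fetch_discovery(url=DISCOVERY_URL, timeout=5):
    """Fetch the live discovery document through a running kubectl proxy."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def summarize_discovery(doc):
    """Return {kind: sorted verbs} for each resource the group version serves.
    Refuses documents that are not an APIResourceList for the PKI Security API."""
    if doc.get("kind") != "APIResourceList" or doc.get("groupVersion") != GROUP_VERSION:
        raise ValueError("unexpected discovery document: %r" % doc.get("groupVersion"))
    return {r["kind"]: sorted(r.get("verbs", [])) for r in doc["resources"]}


def check_certificate_issuer(manifest, served_kinds):
    """Return a list of problems found in a CertificateIssuer manifest (empty if clean).
    served_kinds is the set of kinds the discovery document advertises."""
    problems = []
    if manifest.get("apiVersion") != GROUP_VERSION:
        problems.append("apiVersion must be %s" % GROUP_VERSION)
    if manifest.get("kind") != "CertificateIssuer":
        problems.append("kind must be CertificateIssuer")
    elif "CertificateIssuer" not in served_kinds:
        problems.append("API server does not serve CertificateIssuer")
    meta = manifest.get("metadata", {})
    if not meta.get("name") or not meta.get("namespace"):
        problems.append("metadata.name and metadata.namespace are required")
    # Kubernetes label values are strings: an unquoted YAML `true` parses as a bool
    # and the API server rejects the object, so catch it before apply.
    label = meta.get("labels", {}).get(DEFAULT_ISSUER_LABEL)
    if label is not None and not isinstance(label, str):
        problems.append('%s must be the string "true", not %r' % (DEFAULT_ISSUER_LABEL, label))
    # If a fallback CA is referenced, the reference must carry both name and namespace.
    fallback = manifest.get("spec", {}).get("byoCertConfig", {}).get("fallbackCertificateAuthority")
    if fallback is not None:
        for field in ("name", "namespace"):
            if not fallback.get(field):
                problems.append("spec.byoCertConfig.fallbackCertificateAuthority.%s is required" % field)
    return problems


def with_label_value(manifest, value):
    """Copy of the manifest with the default-issuer label set to `value` (for testing)."""
    clone = copy.deepcopy(manifest)
    clone["metadata"]["labels"][DEFAULT_ISSUER_LABEL] = value
    return clone


if __name__ == "__main__":
    kinds = summarize_discovery(SAMPLE_DISCOVERY)  # swap in fetch_discovery() against a live proxy
    for kind, verbs in kinds.items():
        print("%s: %s" % (kind, ", ".join(verbs)))
    print("page example:", check_certificate_issuer(BYO_ISSUER, set(kinds)) or "ok")
    print("unquoted label:", check_certificate_issuer(with_label_value(BYO_ISSUER, True), set(kinds)))
```

Run it as-is to lint the manifest against the constructed discovery sample; replace the SAMPLE_DISCOVERY call with fetch_discovery() while kubectl proxy is running to lint against what the GDC API server actually serves.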