pki.security.gdc.goog/v1
Contains API Schema definitions for the PKI v1 API group.
ACMEIssuerConfig
Appears in: - CertificateIssuerSpec
Field | Description |
---|---|
rootCACertificate integer array | This contains the Root CA data of certificates issued by the ACME server. |
acme ACMEIssuer | ACME configures this issuer to communicate with an RFC 8555 (ACME) server to obtain signed certificates. ACME is an acme.cert-manager.io/v1 ACMEIssuer. |
BYOCertIssuerConfig
BYOCertIssuerConfig defines an issuer based on the BYO-Cert model.
Appears in: - CertificateIssuerSpec
Field | Description |
---|---|
fallbackCertificateAuthority CAReference | FallbackCertificateAuthority is the reference to a default CAaaS operated CA. API type: - Group: pki.security.gdc.goog - Kind: CertificateAuthority |
BYOCertStatus
Appears in: - CertificateStatus
Field | Description |
---|---|
csrStatus CSRStatus | Certificate Signing Request (CSR) status |
signedCertStatus SignedCertStatus | Externally signed certificate status |
BYOCertificate
Externally signed certificate
Appears in: - CertificateSpec
Field | Description |
---|---|
certificate integer array | The PEM encoded x509 certificate uploaded by the customer. |
ca integer array | The PEM encoded x509 certificate of the signer CA used to sign the certificate. |
CACertificateConfig
CACertificateConfig defines how the CA certificate is going to be provisioned. Only one of them will be set at any point in time.
Appears in: - CertificateAuthoritySpec
Field | Description |
---|---|
externalCA ExternalCAConfig | Get the certificate from an external root CA. If set, a CSR will be generated on the status and the signed certificate can be uploaded using this field. |
selfSignedCA SelfSignedCAConfig | Issue a self-signed certificate. (Root CA) |
managedSubCA ManagedSubCAConfig | Issue a SubCA certificate from a GDC-managed CA. (Managed Sub CA) |
CACertificateProfile
CACertificateProfile defines the profile for a CA certificate.
Appears in: - CertificateAuthoritySpec
Field | Description |
---|---|
commonName string | The common name of the CA Certificate. |
organizations string array | Organizations to be used on the Certificate. |
countries string array | Countries to be used on the Certificate. |
organizationalUnits string array | Organizational Units to be used on the Certificate. |
localities string array | Cities to be used on the Certificate. |
provinces string array | State/Provinces to be used on the Certificate. |
streetAddresses string array | Street addresses to be used on the Certificate. |
postalCodes string array | Postal codes to be used on the Certificate. |
duration Duration | The requested 'duration' (i.e. lifetime) of the CA Certificate. |
renewBefore Duration | RenewBefore implies the rotation time before the CA certificate expires. |
maxPathLength integer | The maximum path length of the CA certificate. |
CAReference
CAReference represents a CertificateAuthority reference. It has information to retrieve a CA in any namespace.
Appears in: - BYOCertIssuerConfig - CAaaSIssuerConfig - ManagedSubCAConfig
Field | Description |
---|---|
name string | Name is unique within a namespace to reference a CA resource. |
namespace string | Namespace defines the space within which the CA name must be unique. |
CAaaSIssuerConfig
CAaaSIssuerConfig defines an issuer that requests certificates from a CA created using the CAaaS service.
Appears in: - CertificateIssuerSpec
Field | Description |
---|---|
certificateAuthorityRef CAReference | A reference to a CertificateAuthority which will sign the certificate. API type: - Group: pki.security.gdc.goog - Kind: CertificateAuthority |
CSRStatus
Appears in: - BYOCertStatus
Field | Description |
---|---|
conditions Condition array | List of status conditions to indicate the status of a BYO Certificate CSR: - WaitingforSigning: Indicates that a new CSR has been generated to be signed by the customer. - Ready: Indicates that the CSR has been signed. |
csr integer array | Stores the CSR for the customer to sign. |
Certificate
A Certificate represents a managed certificate.
Appears in: - CertificateList
Field | Description |
---|---|
apiVersion string | pki.security.gdc.goog/v1 |
kind string | Certificate |
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
spec CertificateSpec | |
status CertificateStatus | |
CertificateAuthority
CertificateAuthority represents the individual Certificate Authority that will be used to issue the certificates.
Appears in: - CertificateAuthorityList
Field | Description |
---|---|
apiVersion string | pki.security.gdc.goog/v1 |
kind string | CertificateAuthority |
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
spec CertificateAuthoritySpec | |
status CertificateAuthorityStatus | |
CertificateAuthorityList
CertificateAuthorityList represents a collection of certificate authorities.
Field | Description |
---|---|
apiVersion string | pki.security.gdc.goog/v1 |
kind string | CertificateAuthorityList |
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
items CertificateAuthority array | |
CertificateAuthoritySpec
Appears in: - CertificateAuthority
Field | Description |
---|---|
caProfile CACertificateProfile | The profile of the CertificateAuthority. |
caCertificate CACertificateConfig | The CA Certificate provisioning configuration. |
secretConfig SecretConfig | Configuration of the CA secret |
certificateProfile CertificateProfile | Defines the profile of the certificates that will be issued. |
CertificateAuthorityStatus
Appears in: - CertificateAuthority
Field | Description |
---|---|
externalCA ExternalCAStatus | ExternalCA specifies status options for a SubCA signed by an external root CA. |
errorStatus ErrorStatus | ErrorStatus contains a list of current errors and the timestamp this field gets updated. |
conditions Condition array | List of status conditions to indicate the status of a Certification Authority. - Pending: CSRs are pending to be signed by the customer. - Ready: Indicates that the certificate authority is ready to use. |
CertificateIssuer
CertificateIssuer represents an issuer for Certificate as a Service. You can mark a CertificateIssuer as the default issuer by adding/setting the label pki.security.gdc.goog/is-default-issuer: true.
Appears in: - CertificateIssuerList
Field | Description |
---|---|
apiVersion string | pki.security.gdc.goog/v1 |
kind string | CertificateIssuer |
metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
spec CertificateIssuerSpec | |
status CertificateIssuerStatus | |
CertificateIssuerList
CertificateIssuerList represents a collection of certificate issuers.
Field | Description |
---|---|
apiVersion string | pki.security.gdc.goog/v1 |
kind string | CertificateIssuerList |
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
items CertificateIssuer array | |
CertificateIssuerSpec
Appears in: - CertificateIssuer
Field | Description |
---|---|
byoCertConfig BYOCertIssuerConfig | BYOCertConfig configures this issuer in BYO-Cert mode. |
caaasConfig CAaaSIssuerConfig | CAaaSConfig configures this issuer to sign certificates using a CA deployed by the CertificateAuthority API. |
acmeConfig ACMEIssuerConfig | ACMEConfig configures this issuer to sign certificates using an ACME server. |
CertificateIssuerStatus
Appears in: - CertificateIssuer
Field | Description |
---|---|
ca integer array | Stores the root CA used by the current certificate issuer. |
conditions Condition array | List of status conditions to indicate the status of the CertificateIssuer. - Ready: Indicates that the CertificateIssuer is ready to use. |
CertificateList
CertificateList represents a collection of certificates.
Field | Description |
---|---|
apiVersion string | pki.security.gdc.goog/v1 |
kind string | CertificateList |
metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
items Certificate array | |
CertificateProfile
CertificateProfile defines the specification of the profile of an issued certificate.
Appears in: - CertificateAuthoritySpec
Field | Description |
---|---|
keyUsage KeyUsageBits array | Allowed key usages for certificates issued under this profile. |
extendedKeyUsage ExtendedKeyUsageBits array | Allowed extended key usages for certificates issued under this profile. This is optional for SelfSignedCA and is required for both ManagedSubCA and ExternalCA. |
CertificateSpec
Appears in: - Certificate
Field | Description |
---|---|
issuer IssuerReference | A reference to the CertificateIssuer that will be used for the issuance of the certificate. If not set, a label named pki.security.gdc.goog/use-default-issuer: true needs to be set in order to issue the certificate using the default issuer. API type: - Group: pki.security.gdc.goog - Kind: CertificateIssuer |
commonName string | Requested common name X509 certificate subject attribute. It should have a length of 64 characters or fewer. For backward compatibility, the behaviour is as follows: If nil, we use the current behavior to set commonName as the first DNSName if its length is 64 characters or fewer. If it is an empty string, don't set it. If it is set, ensure it is a part of the SANs. |
dnsNames string array | DNSNames is a list of fully-qualified host names to be set on the Certificate. |
ipAddresses string array | IPAddresses is a list of IPAddress subjectAltNames to be set on the Certificate. |
duration Duration | The requested 'duration' (i.e. lifetime) of the Certificate. |
renewBefore Duration | RenewBefore implies the rotation time before the certificate expires. |
secretConfig SecretConfig | Configuration of the Certificate secret. |
byoCertificate BYOCertificate | Contains the externally signed certificate |
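
The three commonName cases described for CertificateSpec, written as a pre-apply check. This is an added example, not GDC code: `effective_common_name` and `_norm` are hypothetical names, "the SANs" is assumed to mean dnsNames plus ipAddresses, and a first DNS name longer than 64 characters is assumed to leave the common name unset.

```python
import ipaddress

MAX_CN_LENGTH = 64  # limit stated for commonName on this page


def _norm(value):
    """Canonical form for comparing a name against the SAN list."""
    try:
        return str(ipaddress.ip_address(value))  # canonical IPv4/IPv6 text
    except ValueError:
        return value.lower()  # DNS names compare case-insensitively


def effective_common_name(spec):
    """Return (common_name or None, problems) for a parsed CertificateSpec mapping."""
    dns_names = spec.get("dnsNames") or []
    sans = {_norm(v) for v in dns_names + (spec.get("ipAddresses") or [])}
    cn = spec.get("commonName")  # None models nil: key absent or null

    if cn is None:
        # Backward-compatible path: first DNS name, but only if it fits.
        if dns_names and len(dns_names[0]) <= MAX_CN_LENGTH:
            return dns_names[0], []
        return None, []  # assumption: nothing is set when the name is too long
    if cn == "":
        return None, []  # explicitly empty: no common name is set

    problems = []
    if len(cn) > MAX_CN_LENGTH:
        problems.append(f"commonName is {len(cn)} characters, limit is {MAX_CN_LENGTH}")
    if _norm(cn) not in sans:
        problems.append("commonName is not among dnsNames/ipAddresses")
    return cn, problems


# Constructed sample spec; the host names are placeholders.
LONG_HOST = "a" * 60 + ".example.com"  # 72 characters
SAMPLE_SPEC = {"dnsNames": [LONG_HOST, "api.example.com"]}

if __name__ == "__main__":
    print(effective_common_name(SAMPLE_SPEC))
    print(effective_common_name({**SAMPLE_SPEC, "commonName": "db.example.com"}))
```
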
CertificateStatus
Appears in: - Certificate
Field | Description |
---|---|
conditions Condition array | List of status conditions to indicate the status of the certificate. - Ready: Indicates that the certificate is ready to use. |
issuedBy IssuerReference | A reference to the CertificateIssuer that is used for the issuance of the certificate. API type: - Group: pki.security.gdc.goog - Kind: CertificateIssuer |
byoCertStatus BYOCertStatus | BYOCertStatus specifies status options for byo-certificates mode. |
errorStatus ErrorStatus | ErrorStatus contains a list of current errors and the timestamp this field gets updated. |
ExtendedKeyUsageBits
Underlying type: string
ExtendedKeyUsageBits defines the different allowed extended key usages according to RFC 5280 4.2.1.12. Many extended key usages have been defined by follow-up RFCs, and can be implemented as a later feature if issuance of such certificates is needed, for cases such as certificates used for personal authentication, code signing or IPSec.
Appears in: - CertificateProfile
ExternalCAConfig
Appears in: - CACertificateConfig
Field | Description |
---|---|
signedCertificate SignedCertificateConfig | Stores a signed certificate signed by external root CA. |
ExternalCAStatus
Appears in: - CertificateAuthorityStatus
Field | Description |
---|---|
csr integer array | A certificate signing request waiting to be signed by an external CA. |
IssuerReference
IssuerReference represents an Issuer Reference. It has information to retrieve an issuer in any namespace.
Appears in: - CertificateSpec - CertificateStatus
Field | Description |
---|---|
name string | Name is unique within a namespace to reference an issuer resource. |
namespace string | Namespace defines the space within which the issuer name must be unique. |
KeyUsageBits
Underlying type: string
KeyUsageBits defines the different allowed key usages according to RFC 5280 4.2.1.3. Note that many of the key usages below are used for certificates outside the context of TLS, and the implementation of setting non-TLS bits can be implemented as a later feature.
Appears in: - CertificateProfile
ManagedSubCAConfig
ManagedSubCAConfig defines the configuration for a SubCA CA certificate.
Appears in: - CACertificateConfig
Field | Description |
---|---|
certificateAuthorityRef CAReference | A reference to a CertificateAuthority which will sign the SubCA certificate. API type: - Group: pki.security.gdc.goog - Kind: CertificateAuthority |
PrivateKeyAlgorithm
Underlying type: string
Appears in: - PrivateKeyConfig
PrivateKeyConfig
PrivateKeyConfig defines the configuration of the certificate private key
Appears in: - SecretConfig
Field | Description |
---|---|
algorithm PrivateKeyAlgorithm | Algorithm is the private key algorithm of the corresponding private key for this certificate. If provided, allowed values are RSA, Ed25519 or ECDSA. If algorithm is specified and size is not provided, a key size of 256 will be used for the ECDSA key algorithm and a key size of 2048 will be used for the RSA key algorithm. Key size is ignored when using the Ed25519 key algorithm. See github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_certificate.go for more information. |
size integer | Size is the key bit size of the corresponding private key for this certificate. If algorithm is set to RSA, valid values are 2048, 3072, 4096 or 8192, and will default to 2048 if not specified. If algorithm is set to ECDSA, valid values are 256, 384 or 521, and will default to 256 if not specified. If algorithm is set to Ed25519, Size is ignored. No other values are allowed. See github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_certificate.go for more information. |
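
The algorithm and size rules from the PrivateKeyConfig table, applied to a parsed privateKeyConfig before it is submitted. This is an added example, not GDC or cert-manager code: `resolve_private_key_config` and the constants are hypothetical names, and algorithm values are assumed to match exactly as spelled on this page.

```python
# Allowed sizes and defaults exactly as listed in the PrivateKeyConfig table.
ALLOWED_SIZES = {"RSA": (2048, 3072, 4096, 8192), "ECDSA": (256, 384, 521)}
DEFAULT_SIZE = {"RSA": 2048, "ECDSA": 256}
ALGORITHMS = ("RSA", "ECDSA", "Ed25519")


def resolve_private_key_config(cfg):
    """Return (algorithm, effective_size, problems) for a privateKeyConfig mapping."""
    cfg = cfg or {}
    algorithm, size = cfg.get("algorithm"), cfg.get("size")

    if algorithm is None:
        # The page states no default algorithm, so nothing is resolved or checked.
        return None, size, []
    if algorithm not in ALGORITHMS:
        return algorithm, size, [f"algorithm {algorithm!r} is not RSA, ECDSA or Ed25519"]
    if algorithm == "Ed25519":
        return algorithm, None, []  # size is ignored for Ed25519
    if size is None:
        return algorithm, DEFAULT_SIZE[algorithm], []  # documented default
    if size not in ALLOWED_SIZES[algorithm]:
        allowed = ", ".join(str(s) for s in ALLOWED_SIZES[algorithm])
        return algorithm, size, [f"size {size!r} is not valid for {algorithm} (allowed: {allowed})"]
    return algorithm, size, []


# Constructed sample values, shaped like privateKeyConfig after YAML parsing.
SAMPLES = [
    {"algorithm": "ECDSA"},                   # size defaults to 256
    {"algorithm": "RSA", "size": 1024},       # below the smallest allowed RSA size
    {"algorithm": "ECDSA", "size": 2048},     # an RSA size paired with ECDSA
    {"algorithm": "Ed25519", "size": 4096},   # size has no effect
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", resolve_private_key_config(sample))
```
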
SecretConfig
SecretConfig defines the configuration for the certificate secret.
Appears in: - CertificateAuthoritySpec - CertificateSpec
Field | Description |
---|---|
secretName string | The name of the Secret that will hold the private key and signed certificate. |
secretTemplate SecretTemplate | Defines annotations and labels to be copied to the Secret. |
privateKeyConfig PrivateKeyConfig | Options for the certificate private key |
SecretTemplate
SecretTemplate defines the default labels and annotations to be copied to the Kubernetes Secret resource named in SecretConfig.SecretName.
Appears in: - SecretConfig
Field | Description |
---|---|
annotations object (keys:string, values:string) | Annotations is a key value map to be copied to the target Kubernetes Secret. |
labels object (keys:string, values:string) | Labels is a key value map to be copied to the target Kubernetes Secret. |
SelfSignedCAConfig
SelfSignedCAConfig defines the configuration for a Root CA certificate.
Appears in: - CACertificateConfig
SignedCertStatus
Appears in: - BYOCertStatus
Field | Description |
---|---|
conditions Condition array | List of status conditions to indicate the status of BYO certificate. - Rejected: Indicates that the certificate does not match with the CSR. - Ready: Indicates that the certificate is ready to use. |
SignedCertificateConfig
Appears in: - ExternalCAConfig
Field | Description |
---|---|
certificate integer array | The PEM encoded x509 certificate uploaded by the customer. |
ca integer array | The PEM encoded x509 certificate of the signer CA used to sign the certificate. |