KRM API pki.security.gdc.goog/v1

pki.security.gdc.goog/v1

Contains API Schema definitions for the PKI v1 API group.

ACMEIssuerConfig

Appears in: - CertificateIssuerSpec

Fields:
- rootCACertificate (integer array): The Root CA data of certificates issued by the ACME server.
- acme (ACMEIssuer): Configures this issuer to communicate with an RFC 8555 (ACME) server to obtain signed certificates. ACME is an acme.cert-manager.io/v1 ACMEIssuer.

BYOCertIssuerConfig

BYOCertIssuerConfig defines an issuer based on the BYO-Cert model.

Appears in: - CertificateIssuerSpec

Fields:
- fallbackCertificateAuthority (CAReference): Reference to a default CAaaS-operated CA. API type: Group pki.security.gdc.goog, Kind CertificateAuthority.

BYOCertStatus

Appears in: - CertificateStatus

Fields:
- csrStatus (CSRStatus): Certificate Signing Request (CSR) status.
- signedCertStatus (SignedCertStatus): Externally signed certificate status.

BYOCertificate

BYOCertificate holds an externally signed certificate.

Appears in: - CertificateSpec

Fields:
- certificate (integer array): The PEM-encoded X.509 certificate uploaded by the customer.
- ca (integer array): The PEM-encoded X.509 certificate of the signer CA used to sign the certificate.

CACertificateConfig

CACertificateConfig defines how the CA certificate is provisioned. Only one of the fields below is set at any point in time.

Appears in: - CertificateAuthoritySpec

Fields:
- externalCA (ExternalCAConfig): Get the certificate from an external root CA. If set, a CSR is generated in the status, and the signed certificate can be uploaded using this field.
- selfSignedCA (SelfSignedCAConfig): Issue a self-signed certificate (Root CA).
- managedSubCA (ManagedSubCAConfig): Issue a SubCA certificate from a GDC-managed CA (Managed Sub CA).

CACertificateProfile

CACertificateProfile defines the profile for a CA certificate.

Appears in: - CertificateAuthoritySpec

Fields:
- commonName (string): The common name of the CA certificate.
- organizations (string array): Organizations to be used on the certificate.
- countries (string array): Countries to be used on the certificate.
- organizationalUnits (string array): Organizational Units to be used on the certificate.
- localities (string array): Cities to be used on the certificate.
- provinces (string array): States/Provinces to be used on the certificate.
- streetAddresses (string array): Street addresses to be used on the certificate.
- postalCodes (string array): Postal codes to be used on the certificate.
- duration (Duration): The requested 'duration' (i.e. lifetime) of the CA certificate.
- renewBefore (Duration): The rotation time before the CA certificate expires.
- maxPathLength (integer): The maximum path length of the CA certificate.

CAReference

CAReference represents a CertificateAuthority reference. It has information to retrieve a CA in any namespace.

Appears in: - BYOCertIssuerConfig - CAaaSIssuerConfig - ManagedSubCAConfig

Fields:
- name (string): Name is unique within a namespace and references a CA resource.
- namespace (string): Namespace defines the space within which the CA name must be unique.

CAaaSIssuerConfig

CAaaSIssuerConfig defines an issuer that requests certificates from a CA created using the CAaaS service.

Appears in: - CertificateIssuerSpec

Fields:
- certificateAuthorityRef (CAReference): A reference to the CertificateAuthority that will sign the certificate. API type: Group pki.security.gdc.goog, Kind CertificateAuthority.

CSRStatus

Appears in: - BYOCertStatus

Fields:
- conditions (Condition array): List of status conditions indicating the status of a BYO Certificate CSR. WaitingforSigning: a new CSR has been generated to be signed by the customer. Ready: the CSR has been signed.
- csr (integer array): Stores the CSR for the customer to sign.

Certificate

A Certificate represents a managed certificate.

Appears in: - CertificateList

Fields:
- apiVersion (string): pki.security.gdc.goog/v1
- kind (string): Certificate
- metadata (ObjectMeta): Refer to the Kubernetes API documentation for the fields of metadata.
- spec (CertificateSpec)
- status (CertificateStatus)

CertificateAuthority

CertificateAuthority represents the individual Certificate Authority that will be used to issue the certificates.

Appears in: - CertificateAuthorityList

Fields:
- apiVersion (string): pki.security.gdc.goog/v1
- kind (string): CertificateAuthority
- metadata (ObjectMeta): Refer to the Kubernetes API documentation for the fields of metadata.
- spec (CertificateAuthoritySpec)
- status (CertificateAuthorityStatus)

CertificateAuthorityList

CertificateAuthorityList represents a collection of certificate authorities.

Fields:
- apiVersion (string): pki.security.gdc.goog/v1
- kind (string): CertificateAuthorityList
- metadata (ListMeta): Refer to the Kubernetes API documentation for the fields of metadata.
- items (CertificateAuthority array)

CertificateAuthoritySpec

Appears in: - CertificateAuthority

Fields:
- caProfile (CACertificateProfile): The profile of the CertificateAuthority.
- caCertificate (CACertificateConfig): The CA certificate provisioning configuration.
- secretConfig (SecretConfig): Configuration of the CA secret.
- certificateProfile (CertificateProfile): Defines the profile of the certificates that will be issued.

CertificateAuthorityStatus

Appears in: - CertificateAuthority

Fields:
- externalCA (ExternalCAStatus): Status options for a SubCA signed by an external root CA.
- errorStatus (ErrorStatus): Contains a list of current errors and the timestamp at which this field was last updated.
- conditions (Condition array): List of status conditions indicating the status of a Certificate Authority. Pending: a CSR is waiting to be signed by the customer. Ready: the certificate authority is ready to use.

CertificateIssuer

CertificateIssuer represents an issuer for Certificate as a Service. You can mark a CertificateIssuer as the default issuer by adding/setting the label pki.security.gdc.goog/is-default-issuer: true.

Appears in: - CertificateIssuerList

Fields:
- apiVersion (string): pki.security.gdc.goog/v1
- kind (string): CertificateIssuer
- metadata (ObjectMeta): Refer to the Kubernetes API documentation for the fields of metadata.
- spec (CertificateIssuerSpec)
- status (CertificateIssuerStatus)

CertificateIssuerList

CertificateIssuerList represents a collection of certificate issuers.

Fields:
- apiVersion (string): pki.security.gdc.goog/v1
- kind (string): CertificateIssuerList
- metadata (ListMeta): Refer to the Kubernetes API documentation for the fields of metadata.
- items (CertificateIssuer array)

CertificateIssuerSpec

Appears in: - CertificateIssuer

Fields:
- byoCertConfig (BYOCertIssuerConfig): Configures this issuer in BYO-Cert mode.
- caaasConfig (CAaaSIssuerConfig): Configures this issuer to sign certificates using a CA deployed by the CertificateAuthority API.
- acmeConfig (ACMEIssuerConfig): Configures this issuer to sign certificates using an ACME server.

CertificateIssuerStatus

Appears in: - CertificateIssuer

Fields:
- ca (integer array): Stores the root CA used by the current certificate issuer.
- conditions (Condition array): List of status conditions indicating the status of the CertificateIssuer. Ready: the CertificateIssuer is ready to use.

CertificateList

CertificateList represents a collection of certificates.

Fields:
- apiVersion (string): pki.security.gdc.goog/v1
- kind (string): CertificateList
- metadata (ListMeta): Refer to the Kubernetes API documentation for the fields of metadata.
- items (Certificate array)

CertificateProfile

CertificateProfile defines the specification of the profile of an issued certificate.

Appears in: - CertificateAuthoritySpec

Fields:
- keyUsage (KeyUsageBits array): Allowed key usages for certificates issued under this profile.
- extendedKeyUsage (ExtendedKeyUsageBits array): Allowed extended key usages for certificates issued under this profile. This is optional for SelfSignedCA and required for both ManagedSubCA and ExternalCA.

CertificateSpec

Appears in: - Certificate

Fields:
- issuer (IssuerReference): A reference to the CertificateIssuer used to issue the certificate. If not set, the label pki.security.gdc.goog/use-default-issuer: true must be set on the Certificate so that it is issued by the default issuer. API type: Group pki.security.gdc.goog, Kind CertificateIssuer.
- commonName (string): Requested common name X.509 subject attribute. It must be 64 characters or fewer. For backward compatibility, the behaviour is as follows: if nil, the current behaviour applies and commonName is set to the first DNSName if that name is 64 characters or fewer; if an empty string, commonName is not set; if set, it must be one of the SANs.
- dnsNames (string array): A list of fully-qualified host names to be set on the certificate.
- ipAddresses (string array): A list of IP address subjectAltNames to be set on the certificate.
- duration (Duration): The requested 'duration' (i.e. lifetime) of the certificate.
- renewBefore (Duration): The rotation time before the certificate expires.
- secretConfig (SecretConfig): Configuration of the certificate secret.
- byoCertificate (BYOCertificate): Contains the externally signed certificate.
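The three commonName cases described for CertificateSpec (nil, empty string, explicitly set), written out as an added Python example that is not code from the GDC project. Treating an explicit commonName that is absent from dnsNames and ipAddresses as an error is an assumption made here (the safer reading of "ensure it is a part of the SANs"); the real controller may behave differently.

```python
"""Resolve the subject commonName for a pki.security.gdc.goog/v1 CertificateSpec.

Added example, not code from the GDC project. It models the commonName rules
from the CertificateSpec reference: unset (None) falls back to the first DNS
name when it fits, an empty string omits the CN, and an explicit CN must be
at most 64 characters and must appear among the SANs (assumption: rejected
rather than silently added when it does not).
"""
from typing import Optional, Sequence

MAX_CN_LENGTH = 64  # limit stated in the field description (X.509 ub-common-name)


def resolve_common_name(
    common_name: Optional[str],
    dns_names: Sequence[str] = (),
    ip_addresses: Sequence[str] = (),
) -> Optional[str]:
    """Return the CN to place in the certificate subject, or None to omit it."""
    if common_name is None:
        # Backward-compatible behaviour: use the first DNS name, but only
        # when it fits within the 64-character limit; otherwise set no CN.
        if dns_names and len(dns_names[0]) <= MAX_CN_LENGTH:
            return dns_names[0]
        return None
    if common_name == "":
        # Explicit empty string: the subject gets no commonName at all.
        return None
    if len(common_name) > MAX_CN_LENGTH:
        raise ValueError(f"commonName exceeds {MAX_CN_LENGTH} characters")
    # An explicit CN must be covered by a SAN so that TLS clients, which
    # match on SANs rather than the CN, accept the certificate for that name.
    sans = set(dns_names) | set(ip_addresses)
    if common_name not in sans:
        raise ValueError(f"commonName {common_name!r} is not in dnsNames or ipAddresses")
    return common_name
```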

CertificateStatus

Appears in: - Certificate

Fields:
- conditions (Condition array): List of status conditions indicating the status of the certificate. Ready: the certificate is ready to use.
- issuedBy (IssuerReference): A reference to the CertificateIssuer that issued the certificate. API type: Group pki.security.gdc.goog, Kind CertificateIssuer.
- byoCertStatus (BYOCertStatus): Status options for BYO-certificate mode.
- errorStatus (ErrorStatus): Contains a list of current errors and the timestamp at which this field was last updated.

ExtendedKeyUsageBits

Underlying type: string

ExtendedKeyUsageBits defines the allowed extended key usages according to RFC 5280 section 4.2.1.12. Many extended key usages have been defined by follow-up RFCs and can be implemented as a later feature if issuance of such certificates is needed, for cases such as certificates used for personal authentication, code signing or IPsec.

Appears in: - CertificateProfile

ExternalCAConfig

Appears in: - CACertificateConfig

Fields:
- signedCertificate (SignedCertificateConfig): Stores a certificate signed by the external root CA.

ExternalCAStatus

Appears in: - CertificateAuthorityStatus

Fields:
- csr (integer array): A certificate signing request waiting to be signed by an external CA.

IssuerReference

IssuerReference represents an Issuer Reference. It has information to retrieve an issuer in any namespace.

Appears in: - CertificateSpec - CertificateStatus

Fields:
- name (string): Name is unique within a namespace and references an issuer resource.
- namespace (string): Namespace defines the space within which the issuer name must be unique.

KeyUsageBits

Underlying type: string

KeyUsageBits defines the allowed key usages according to RFC 5280 section 4.2.1.3. Note that many of the key usages are used for certificates outside the context of TLS; setting the non-TLS bits can be implemented as a later feature.

Appears in: - CertificateProfile

ManagedSubCAConfig

ManagedSubCAConfig defines the configuration for a SubCA CA certificate.

Appears in: - CACertificateConfig

Fields:
- certificateAuthorityRef (CAReference): A reference to the CertificateAuthority that will sign the SubCA certificate. API type: Group pki.security.gdc.goog, Kind CertificateAuthority.

PrivateKeyAlgorithm

Underlying type: string

Appears in: - PrivateKeyConfig

PrivateKeyConfig

PrivateKeyConfig defines the configuration of the certificate private key.

Appears in: - SecretConfig

Fields:
- algorithm (PrivateKeyAlgorithm): The private key algorithm of the private key for this certificate. If provided, allowed values are RSA, Ed25519 or ECDSA. If algorithm is specified and size is not provided, a key size of 256 is used for ECDSA and a key size of 2048 for RSA. Key size is ignored for Ed25519. See github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_certificate.go for more information.
- size (integer): The key bit size of the private key for this certificate. If algorithm is RSA, valid values are 2048, 3072, 4096 or 8192, defaulting to 2048 if not specified. If algorithm is ECDSA, valid values are 256, 384 or 521, defaulting to 256 if not specified. If algorithm is Ed25519, size is ignored. No other values are allowed. See github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1/types_certificate.go for more information.
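The algorithm and size rules for PrivateKeyConfig as an added Python check that could back an admission policy; this is not code from the GDC project or from cert-manager. The page does not say what happens when algorithm is omitted, so the example passes such a config through unchanged as an assumption.

```python
"""Validate and default a pki.security.gdc.goog/v1 PrivateKeyConfig.

Added example, not code from the GDC project or from cert-manager. It encodes
the rules stated for PrivateKeyConfig: only RSA, Ed25519 or ECDSA; the allowed
sizes per algorithm; the defaults applied when size is omitted; and that size
has no meaning for Ed25519.
"""
from typing import Any, Dict

# Allowed key sizes per algorithm and the default used when size is unset.
ALLOWED_SIZES = {"RSA": (2048, 3072, 4096, 8192), "ECDSA": (256, 384, 521)}
DEFAULT_SIZE = {"RSA": 2048, "ECDSA": 256}


def normalize_private_key_config(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of cfg (keys: algorithm, size) with the effective size.

    Raises ValueError for configurations the API would reject.
    """
    out = dict(cfg)
    algorithm = out.get("algorithm")
    if algorithm is None:
        # Assumption: the page states no default algorithm, so a config
        # without one is left for the controller to handle.
        return out
    if algorithm == "Ed25519":
        # Ed25519 keys have a fixed size; any supplied size is ignored.
        out.pop("size", None)
        return out
    if algorithm not in ALLOWED_SIZES:
        raise ValueError(f"algorithm must be RSA, Ed25519 or ECDSA, got {algorithm!r}")
    size = out.get("size")
    if size is None:
        out["size"] = DEFAULT_SIZE[algorithm]
    elif size not in ALLOWED_SIZES[algorithm]:
        raise ValueError(
            f"size {size} is not allowed for {algorithm}; allowed: {ALLOWED_SIZES[algorithm]}"
        )
    return out
```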

SecretConfig

SecretConfig defines the configuration for the certificate secret.

Appears in: - CertificateAuthoritySpec - CertificateSpec

Fields:
- secretName (string): The name of the Secret that will hold the private key and signed certificate.
- secretTemplate (SecretTemplate): Defines annotations and labels to be copied to the Secret.
- privateKeyConfig (PrivateKeyConfig): Options for the certificate private key.

SecretTemplate

SecretTemplate defines the default labels and annotations to be copied to the Kubernetes Secret resource named in SecretConfig.SecretName.

Appears in: - SecretConfig

Fields:
- annotations (object, keys: string, values: string): A key-value map to be copied to the target Kubernetes Secret.
- labels (object, keys: string, values: string): A key-value map to be copied to the target Kubernetes Secret.

SelfSignedCAConfig

SelfSignedCAConfig defines the configuration for a Root CA certificate.

Appears in: - CACertificateConfig

SignedCertStatus

Appears in: - BYOCertStatus

Fields:
- conditions (Condition array): List of status conditions indicating the status of the BYO certificate. Rejected: the certificate does not match the CSR. Ready: the certificate is ready to use.

SignedCertificateConfig

Appears in: - ExternalCAConfig

Fields:
- certificate (integer array): The PEM-encoded X.509 certificate uploaded by the customer.
- ca (integer array): The PEM-encoded X.509 certificate of the signer CA used to sign the certificate.