A trust bundle, also known as a trust list, is a group of trust anchors, such as entities, that are inherently trusted and whose trust is not transferred by another entity (trusted third parties). These trust anchors are delivered as certificate authority (CA) certificates. The certification path-building algorithm uses these CA certificates to establish a chain between a certificate obtaining validation and the trust anchors.
Google Distributed Cloud (GDC) air-gapped has dedicated trust bundles. This guide outlines the steps to fetch the trust bundle for organizational administrators.
Trust bundle types
Distributed Cloud provides two types of managed trust bundles for platform administrators:
trust-store-root-ext
: contains the internal root CA and web-tls CA. The content is different depending on where it resides, such as the root or the tenant organization. Use this trust bundle to communicate across organization boundaries or to access services like object storage within the organization.trust-store-global-root-ext
: available in the global API server and zonal API serverplatform
namespace. When the global API server is ready, the bundle populates all other zonaltrust-store-root-ext
data, including local data.
Fetch the trust bundle
You can fetch trust bundles from the well-known server endpoint, or from the
cluster using kubectl
.
Fetch from the well-known server
GDC provides a secure way to access trust bundles
through a well-known server endpoint. Use this method when you need to fetch
the trust-store-global-root-ext
bundle without directly interacting with the
cluster using kubectl
.
Export the following environment variables:
export STORAGE=STORAGE export ORG_NAME=ORG_NAME
Replace the following:
STORAGE
: the directory path where you want to store the trust bundle file.ORG_NAME
: the name of your organization within GDC.
Set the
WELL_KNOWN_URL
environment variable:export WELL_KNOWN_URL=https://console.${ORG_NAME:?}.zone1.google.gdch.test/.well-known/certificate-authority
Set the
GLOBAL_TRUST_BUNDLE_FILE
environment variable. This file stores the GDC trust bundle locally in your specified$STORAGE
location.export GLOBAL_TRUST_BUNDLE_FILE="$STORAGE/global/ca-bundles/global-trust-bundle"
Obtain the
trust-store-global-root-ext
trust bundle from the well-known server and store it in the file created in the previous step:echo -n | curl ${WELL_KNOWN_URL:?} > ${GLOBAL_TRUST_BUNDLE_FILE:?}
The fetched trust bundle file contains one or more CA certificates. The output is similar to the following:
-----BEGIN CERTIFICATE----- MIIC8TCCAdmgAwIBAgIRAODQ/dOB39RBs8ZpN0RujIswDQYJKoZIhvcNAQELBQAw EjEQMA4GA1UEAxMHcm9vdC1jYTAeFw0yNTAxMDYwNzM3MzVaFw00ODEyMzEwNzM3 MzVaMBIxEDAOBgNVBAMTB3Jvb3QtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQC41U4+3M1EAHggUBw5ki97533zTvwHukmZyORwbQ3tlQ4GQDscoCEh nn+KCaG767VCaGDcQhq99hl6qa/nBoc1X6WQ3a/uhv5E2ztRD40PB5NFNdSulxTH gsitukSmv+DAx15UJnVkJtPP/FzxEWPu0piIiFZakTxT83VUSs54QRmTahxP80FI R0xZ0ohsu9jzA2CAyxTccJU0/xE2kDwN8c8kiYYuG+czMdNVdnT4Jm2ToSkzIDux Yi9MzNmarVGG/rtW5SlqnUMYzSsxtUYSmMRlCsFDVxkSzfmICmTRw2zmNkFA/3nz XneVSIsUHOA2NzvMN4eoLTVRgSFcHlZRAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIB hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTEeB0EQwhc5p++GhwNymsBfN93 WjANBgkqhkiG9w0BAQsFAAOCAQEAKBqn4AXjUWmhIUOrWQ5cetsmI76Wl+RBeSzU HxbqMBH8Dk1oJbGHtmQbu7EmWz1pKYge650s9N83hMgjFZD24t9GiQZ7YY+i+317 D6HzJ8VIKPnxVtnUIQzCpkRTQoglDlb1f/7+fi2SYJoHdhnRI/3OaVQTnObjbW5T mBhsMxFKc0zGa3HIEm9SUH608V60xUPanl23YZ6X7W8nWAJfnzKvH+3q3Fz58u/S VR5t/FkbOktVtnU8AfcMKLof6KG2KhE2L7FAC+fp0ZsjV9vE2uqlZ+8mIQHyc3tM cbWxOx+SO/XUCenY9C1yrublln9aOEn4/s3aSURPguiSZOfDyQ== -----END CERTIFICATE-----
Fetch from the cluster using kubectl
You can fetch trust bundles directly from the GDC
cluster using the kubectl
command-line tool. Use this method if you have
direct access to the cluster and its configuration, and you need to fetch either
the trust-store-root-ext
or the trust-store-global-root-ext
trust bundles.
You must obtain the following before you can complete the steps in this section:
- Required permissions: Ask your Organization IAM Admin to grant you the
Trust Store Viewer (
trust-store-viewer
) role. - Kubeconfig file: Sign in and
generate the kubeconfig file for the Management API server
if you don't already have one. You need the path to the kubeconfig file to
replace
MANAGEMENT_API_SERVER_KUBECONFIG
in the following steps.
Fetch the trust bundle from the cluster using kubectl
:
Export the following environment variables:
export KUBECONFIG=MANAGEMENT_API_SERVER_KUBECONFIG export STORAGE=STORAGE export ZONE=ZONE
Replace the following:
MANAGEMENT_API_SERVER_KUBECONFIG
: the path to the Management API server kubeconfig.STORAGE
: the directory path where you want to store the trust bundle file.ZONE
: your GDC zone name.
Set the
TRUST_BUNDLE_FILE
environment variable. This file stores the GDC trust bundle locally in your specified$STORAGE
location for your GDC$ZONE
:export TRUST_BUNDLE_FILE="$STORAGE/$ZONE/ca-bundles/trust-bundle" export GLOBAL_TRUST_BUNDLE_FILE="$STORAGE/global/ca-bundles/global-trust-bundle"
Set the
NS
namespace environment variable for the namespace:export NS=platform
Obtain the certificate authorities (CA) and store them in the file created in step 2:
For
trust-store-root-ext
:kubectl --kubeconfig ${KUBECONFIG} get secret trust-store-root-ext -n ${NS} -o go-template='{{ index .data "ca.crt" }}' | base64 -d | sed '$a\' > ${TRUST_BUNDLE_FILE}
For
trust-store-global-root-ext
:kubectl --kubeconfig ${KUBECONFIG} get secret trust-store-global-root-ext -n ${NS} -o go-template='{{ index .data "ca.crt" }}' | base64 -d | sed '$a\' > ${GLOBAL_TRUST_BUNDLE_FILE}
The fetched trust bundle file contains one or more CA certificates. The output is similar to the following:
-----BEGIN CERTIFICATE----- MIIC8TCCAdmgAwIBAgIRAODQ/dOB39RBs8ZpN0RujIswDQYJKoZIhvcNAQELBQAw EjEQMA4GA1UEAxMHcm9vdC1jYTAeFw0yNTAxMDYwNzM3MzVaFw00ODEyMzEwNzM3 MzVaMBIxEDAOBgNVBAMTB3Jvb3QtY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQC41U4+3M1EAHggUBw5ki97533zTvwHukmZyORwbQ3tlQ4GQDscoCEh nn+KCaG767VCaGDcQhq99hl6qa/nBoc1X6WQ3a/uhv5E2ztRD40PB5NFNdSulxTH gsitukSmv+DAx15UJnVkJtPP/FzxEWPu0piIiFZakTxT83VUSs54QRmTahxP80FI R0xZ0ohsu9jzA2CAyxTccJU0/xE2kDwN8c8kiYYuG+czMdNVdnT4Jm2ToSkzIDux Yi9MzNmarVGG/rtW5SlqnUMYzSsxtUYSmMRlCsFDVxkSzfmICmTRw2zmNkFA/3nz XneVSIsUHOA2NzvMN4eoLTVRgSFcHlZRAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIB hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTEeB0EQwhc5p++GhwNymsBfN93 WjANBgkqhkiG9w0BAQsFAAOCAQEAKBqn4AXjUWmhIUOrWQ5cetsmI76Wl+RBeSzU HxbqMBH8Dk1oJbGHtmQbu7EmWz1pKYge650s9N83hMgjFZD24t9GiQZ7YY+i+317 D6HzJ8VIKPnxVtnUIQzCpkRTQoglDlb1f/7+fi2SYJoHdhnRI/3OaVQTnObjbW5T mBhsMxFKc0zGa3HIEm9SUH608V60xUPanl23YZ6X7W8nWAJfnzKvH+3q3Fz58u/S VR5t/FkbOktVtnU8AfcMKLof6KG2KhE2L7FAC+fp0ZsjV9vE2uqlZ+8mIQHyc3tM cbWxOx+SO/XUCenY9C1yrublln9aOEn4/s3aSURPguiSZOfDyQ== -----END CERTIFICATE-----