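# CustomResourceDefinition for PrivateCACAPool (Config Connector, group
# privateca.cnrm.cloud.google.com, version v1beta1).
#
# As rendered, this listing had gutter line numbers fused into each line and
# its indentation collapsed, so it was not parseable YAML; the layout below is
# restored to the 2-space, flush-sequence style used by controller-gen. The
# `cnrm.cloud.google.com/version: 0.0.0-dev` annotation and the dcl2crd label
# suggest this file is generated from a DCL schema -- TODO confirm before
# hand-editing, since the reviewer comments below would be lost on regeneration.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cnrm.cloud.google.com/version: 0.0.0-dev
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/dcl2crd: "true"
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
  name: privatecacapools.privateca.cnrm.cloud.google.com
spec:
  group: privateca.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: PrivateCACAPool
    plural: privatecacapools
    shortNames:
    - gcpprivatecacapool
    - gcpprivatecacapools
    singular: privatecacapool
  # Unknown fields are pruned by the API server rather than stored.
  preserveUnknownFields: false
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # issuancePolicy is where the pool's issuance controls live. The
              # schema types each field but does not enforce the value sets or
              # numeric bounds named in the descriptions (no enum/minimum keys
              # below), so those are presumably checked by the service -- confirm.
              issuancePolicy:
                description: Optional. The IssuancePolicy to control how Certificates
                  will be issued from this CaPool.
                properties:
                  allowedIssuanceModes:
                    description: Optional. If specified, then only methods allowed
                      in the IssuanceModes may be used to issue Certificates.
                    properties:
                      allowConfigBasedIssuance:
                        description: Optional. When true, allows callers to create
                          Certificates by specifying a CertificateConfig.
                        type: boolean
                      allowCsrBasedIssuance:
                        description: Optional. When true, allows callers to create
                          Certificates by specifying a CSR.
                        type: boolean
                    type: object
                  # Per the description, omitting this list allows any key type.
                  allowedKeyTypes:
                    description: Optional. If any AllowedKeyType is specified, then
                      the certificate request's public key must match one of the key
                      types listed here. Otherwise, any key may be used.
                    items:
                      properties:
                        ellipticCurve:
                          description: Represents an allowed Elliptic Curve key type.
                          properties:
                            # Plain string; the possible values are listed in the
                            # description only, not as a schema enum.
                            signatureAlgorithm:
                              description: 'Optional. A signature algorithm that must
                                be used. If this is omitted, any EC-based signature
                                algorithm will be allowed. Possible values: EC_SIGNATURE_ALGORITHM_UNSPECIFIED,
                                ECDSA_P256, ECDSA_P384, EDDSA_25519'
                              type: string
                          type: object
                        rsa:
                          description: Represents an allowed RSA key type.
                          properties:
                            maxModulusSize:
                              description: Optional. The maximum allowed RSA modulus
                                size, in bits. If this is not set, or if set to zero,
                                the service will not enforce an explicit upper bound
                                on RSA modulus sizes.
                              format: int64
                              type: integer
                            # Unset or zero falls back to the service-level minimum
                            # (see description); no schema `minimum` is declared here.
                            minModulusSize:
                              description: Optional. The minimum allowed RSA modulus
                                size, in bits. If this is not set, or if set to zero,
                                the service-level min RSA modulus size will continue
                                to apply.
                              format: int64
                              type: integer
                          type: object
                      type: object
                    type: array
                  # baselineValues override conflicting values from the request
                  # and make issuance fail on conflict with a CertificateTemplate.
                  baselineValues:
                    description: Optional. A set of X.509 values that will be applied
                      to all certificates issued through this CaPool. If a certificate
                      request includes conflicting values for the same properties,
                      they will be overwritten by the values defined here. If a certificate
                      request uses a CertificateTemplate that defines conflicting
                      predefined_values for the same properties, the certificate issuance
                      request will fail.
                    properties:
                      additionalExtensions:
                        description: Optional. Describes custom X.509 extensions.
                        items:
                          properties:
                            critical:
                              description: Optional. Indicates whether or not this
                                extension is critical (i.e., if the client does not
                                know how to handle this extension, the client should
                                consider this to be an error).
                              type: boolean
                            objectId:
                              description: Required. The OID for this X.509 extension.
                              properties:
                                objectIdPath:
                                  description: Required. The parts of an OID path.
                                    The most significant parts of the path come first.
                                  items:
                                    format: int64
                                    type: integer
                                  type: array
                              required:
                              - objectIdPath
                              type: object
                            value:
                              description: Required. The value of this X.509 extension.
                              type: string
                          required:
                          - objectId
                          - value
                          type: object
                        type: array
                      aiaOcspServers:
                        description: Optional. Describes Online Certificate Status
                          Protocol (OCSP) endpoint addresses that appear in the "Authority
                          Information Access" extension in the certificate.
                        items:
                          type: string
                        type: array
                      caOptions:
                        description: Optional. Describes options in this X509Parameters
                          that are relevant in a CA certificate.
                        properties:
                          isCa:
                            description: Optional. Refers to the "CA" X.509 extension,
                              which is a boolean value. When this value is missing,
                              the extension will be omitted from the CA certificate.
                            type: boolean
                          maxIssuerPathLength:
                            description: Optional. Refers to the path length restriction
                              X.509 extension. For a CA certificate, this value describes
                              the depth of subordinate CA certificates that are allowed.
                              If this value is less than 0, the request will fail.
                              If this value is missing, the max path length will be
                              omitted from the CA certificate.
                            format: int64
                            type: integer
                          zeroMaxIssuerPathLength:
                            description: Optional. When true, the "path length constraint"
                              in Basic Constraints extension will be set to 0. if
                              both max_issuer_path_length and zero_max_issuer_path_length
                              are unset, the max path length will be omitted from
                              the CA certificate.
                            type: boolean
                        type: object
                      keyUsage:
                        description: Optional. Indicates the intended use for keys
                          that correspond to a certificate.
                        properties:
                          baseKeyUsage:
                            description: Describes high-level ways in which a key
                              may be used.
                            properties:
                              certSign:
                                description: The key may be used to sign certificates.
                                type: boolean
                              contentCommitment:
                                description: The key may be used for cryptographic
                                  commitments. Note that this may also be referred
                                  to as "non-repudiation".
                                type: boolean
                              crlSign:
                                description: The key may be used to sign certificate
                                  revocation lists.
                                type: boolean
                              dataEncipherment:
                                description: The key may be used to encipher data.
                                type: boolean
                              decipherOnly:
                                description: The key may be used to decipher only.
                                type: boolean
                              digitalSignature:
                                description: The key may be used for digital signatures.
                                type: boolean
                              encipherOnly:
                                description: The key may be used to encipher only.
                                type: boolean
                              keyAgreement:
                                description: The key may be used in a key agreement
                                  protocol.
                                type: boolean
                              keyEncipherment:
                                description: The key may be used to encipher other
                                  keys.
                                type: boolean
                            type: object
                          extendedKeyUsage:
                            description: Detailed scenarios in which a key may be
                              used.
                            properties:
                              clientAuth:
                                description: Corresponds to OID 1.3.6.1.5.5.7.3.2.
                                  Officially described as "TLS WWW client authentication",
                                  though regularly used for non-WWW TLS.
                                type: boolean
                              codeSigning:
                                description: Corresponds to OID 1.3.6.1.5.5.7.3.3.
                                  Officially described as "Signing of downloadable
                                  executable code client authentication".
                                type: boolean
                              emailProtection:
                                description: Corresponds to OID 1.3.6.1.5.5.7.3.4.
                                  Officially described as "Email protection".
                                type: boolean
                              ocspSigning:
                                description: Corresponds to OID 1.3.6.1.5.5.7.3.9.
                                  Officially described as "Signing OCSP responses".
                                type: boolean
                              serverAuth:
                                description: Corresponds to OID 1.3.6.1.5.5.7.3.1.
                                  Officially described as "TLS WWW server authentication",
                                  though regularly used for non-WWW TLS.
                                type: boolean
                              timeStamping:
                                description: Corresponds to OID 1.3.6.1.5.5.7.3.8.
                                  Officially described as "Binding the hash of an
                                  object to a time".
                                type: boolean
                            type: object
                          unknownExtendedKeyUsages:
                            description: Used to describe extended key usages that
                              are not listed in the KeyUsage.ExtendedKeyUsageOptions
                              message.
                            items:
                              properties:
                                objectIdPath:
                                  description: Required. The parts of an OID path.
                                    The most significant parts of the path come first.
                                  items:
                                    format: int64
                                    type: integer
                                  type: array
                              required:
                              - objectIdPath
                              type: object
                            type: array
                        type: object
                      policyIds:
                        description: Optional. Describes the X.509 certificate policy
                          object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
                        items:
                          properties:
                            objectIdPath:
                              description: Required. The parts of an OID path. The
                                most significant parts of the path come first.
                              items:
                                format: int64
                                type: integer
                              type: array
                          required:
                          - objectIdPath
                          type: object
                        type: array
                    type: object
                  # When identityConstraints is set, both passthrough flags are
                  # required (see `required` below). Per their descriptions, `true`
                  # copies the requester-supplied Subject / SubjectAltNames into the
                  # signed certificate, so a pool that passes them through relies on
                  # celExpression (or on a trusted request path) to bound which
                  # identities can be issued.
                  identityConstraints:
                    description: Optional. Describes constraints on identities that
                      may appear in Certificates issued through this CaPool. If this
                      is omitted, then this CaPool will not add restrictions on a
                      certificate's identity.
                    properties:
                      allowSubjectAltNamesPassthrough:
                        description: Required. If this is true, the SubjectAltNames
                          extension may be copied from a certificate request into
                          the signed certificate. Otherwise, the requested SubjectAltNames
                          will be discarded.
                        type: boolean
                      allowSubjectPassthrough:
                        description: Required. If this is true, the Subject field
                          may be copied from a certificate request into the signed
                          certificate. Otherwise, the requested Subject will be discarded.
                        type: boolean
                      # No `required` list under celExpression: `expression` itself
                      # is schema-optional even when the celExpression object is set.
                      celExpression:
                        description: Optional. A CEL expression that may be used to
                          validate the resolved X.509 Subject and/or Subject Alternative
                          Name before a certificate is signed. To see the full allowed
                          syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel
                        properties:
                          description:
                            description: Optional. Description of the expression.
                              This is a longer text which describes the expression,
                              e.g. when hovered over it in a UI.
                            type: string
                          expression:
                            description: Textual representation of an expression in
                              Common Expression Language syntax.
                            type: string
                          location:
                            description: Optional. String indicating the location
                              of the expression for error reporting, e.g. a file name
                              and a position in the file.
                            type: string
                          title:
                            description: Optional. Title for the expression, i.e.
                              a short string describing its purpose. This can be used
                              e.g. in UIs which allow to enter the expression.
                            type: string
                        type: object
                    required:
                    - allowSubjectAltNamesPassthrough
                    - allowSubjectPassthrough
                    type: object
                  # Free-form string; the schema declares no format or pattern for
                  # the duration, so malformed values are rejected (if at all) by
                  # the service rather than at admission -- confirm.
                  maximumLifetime:
                    description: Optional. The maximum lifetime allowed for issued
                      Certificates. Note that if the issuing CertificateAuthority
                      expires before a Certificate's requested maximum_lifetime, the
                      effective lifetime will be explicitly truncated to match it.
                    type: string
                  # Omitting passthroughExtensions removes the restriction entirely
                  # (see description); baseline_values are never subject to it.
                  passthroughExtensions:
                    description: Optional. Describes the set of X.509 extensions that
                      may appear in a Certificate issued through this CaPool. If a
                      certificate request sets extensions that don't appear in the
                      passthrough_extensions, those extensions will be dropped. If
                      a certificate request uses a CertificateTemplate with predefined_values
                      that don't appear here, the certificate issuance request will
                      fail. If this is omitted, then this CaPool will not add restrictions
                      on a certificate's X.509 extensions. These constraints do not
                      apply to X.509 extensions set in this CaPool's baseline_values.
                    properties:
                      additionalExtensions:
                        description: Optional. A set of ObjectIds identifying custom
                          X.509 extensions. Will be combined with known_extensions
                          to determine the full set of X.509 extensions.
                        items:
                          properties:
                            objectIdPath:
                              description: Required. The parts of an OID path. The
                                most significant parts of the path come first.
                              items:
                                format: int64
                                type: integer
                              type: array
                          required:
                          - objectIdPath
                          type: object
                        type: array
                      knownExtensions:
                        description: Optional. A set of named X.509 extensions. Will
                          be combined with additional_extensions to determine the
                          full set of X.509 extensions.
                        items:
                          type: string
                        type: array
                    type: object
                type: object
              location:
                description: Immutable. The location for the resource
                type: string
              # projectRef accepts either an in-cluster reference (`name`, optional
              # `namespace`) or an `external` resource name, never both; the oneOf
              # below enforces that exclusivity.
              projectRef:
                description: Immutable. The Project that this resource belongs to.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: |-
                      The project for the resource

                      Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              publishingOptions:
                description: Optional. The PublishingOptions to follow when issuing
                  Certificates from any CertificateAuthority in this CaPool.
                properties:
                  publishCaCert:
                    description: Optional. When true, publishes each CertificateAuthority's
                      CA certificate and includes its URL in the "Authority Information
                      Access" X.509 extension in all issued Certificates. If this
                      is false, the CA certificate will not be published and the corresponding
                      X.509 extension will not be written in issued certificates.
                    type: boolean
                  # When false, issued certificates carry no CRL Distribution Points
                  # extension, so relying parties have no CRL to check (see description).
                  publishCrl:
                    description: Optional. When true, publishes each CertificateAuthority's
                      CRL and includes its URL in the "CRL Distribution Points" X.509
                      extension in all issued Certificates. If this is false, CRLs
                      will not be published and the corresponding X.509 extension
                      will not be written in issued certificates. CRLs will expire
                      7 days from their creation. However, we will rebuild daily.
                      CRLs are also rebuilt shortly after a certificate is revoked.
                    type: boolean
                type: object
              resourceID:
                description: Immutable. Optional. The name of the resource. Used for
                  creation and acquisition. When unset, the value of `metadata.name`
                  is used as the default.
                type: string
              # Possible values are listed in the description only; the schema does
              # not declare an enum for `tier`.
              tier:
                description: 'Immutable. Required. Immutable. The Tier of this CaPool.
                  Possible values: TIER_UNSPECIFIED, ENTERPRISE, DEVOPS'
                type: string
            required:
            - location
            - projectRef
            - tier
            type: object
          status:
            properties:
              conditions:
                description: Conditions represent the latest available observation
                  of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's
                        last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []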