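# CustomResourceDefinition for the Config Connector (KCC) PrivateCACertificateAuthority
# resource. The `dcl2crd` label marks the schema as generated from the DCL model,
# so hand edits to field descriptions are expected to be overwritten on regeneration.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # NOTE(review): 0.0.0-dev looks like a development placeholder — confirm it is
    # stamped with the real version at release.
    cnrm.cloud.google.com/version: 0.0.0-dev
  # Left null in source; the API server sets it when the CRD is created.
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/dcl2crd: "true"
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
  name: privatecacertificateauthorities.privateca.cnrm.cloud.google.com
spec:
  group: privateca.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: PrivateCACertificateAuthority
    plural: privatecacertificateauthorities
    shortNames:
    - gcpprivatecacertificateauthority
    - gcpprivatecacertificateauthorities
    singular: privatecacertificateauthority
  # Fields not declared in the schema below are pruned by the API server rather
  # than stored, so typos in spec keys are silently dropped instead of rejected.
  preserveUnknownFields: false
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # Reference to the CA pool the CA is created in. The oneOf requires
              # exactly one of a Kubernetes `name` (optionally with `namespace`)
              # or an `external` GCP resource name; the same pattern is used by
              # every *Ref field in this spec.
              caPoolRef:
                description: Immutable.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: |-
                      The caPool for the resource

                      Allowed value: The Google Cloud resource name of a `PrivateCACAPool` resource (format: `projects/{{project}}/locations/{{location}}/caPools/{{name}}`).
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              # Subject and X.509 parameters of the CA certificate (or CSR). Everything
              # under here is immutable once the CA exists.
              config:
                description: Immutable. Required. Immutable. The config used to create
                  a self-signed X.509 certificate or CSR.
                properties:
                  subjectConfig:
                    description: Immutable. Required. Specifies some of the values
                      in a certificate that are related to the subject.
                    properties:
                      subject:
                        description: Immutable. Required. Contains distinguished name
                          fields such as the common name, location and organization.
                        properties:
                          commonName:
                            description: Immutable. The "common name" of the subject.
                            type: string
                          countryCode:
                            description: Immutable. The country code of the subject.
                            type: string
                          locality:
                            description: Immutable. The locality or city of the subject.
                            type: string
                          organization:
                            description: Immutable. The organization of the subject.
                            type: string
                          organizationalUnit:
                            description: Immutable. The organizational_unit of the
                              subject.
                            type: string
                          postalCode:
                            description: Immutable. The postal code of the subject.
                            type: string
                          province:
                            description: Immutable. The province, territory, or regional
                              state of the subject.
                            type: string
                          streetAddress:
                            description: Immutable. The street address of the subject.
                            type: string
                        type: object
                      # Subject Alternative Names. The schema types each entry as a
                      # plain string; the "only valid ..." wording in the descriptions
                      # is not enforced here by a pattern or format.
                      subjectAltName:
                        description: Immutable. Optional. The subject alternative
                          name fields.
                        properties:
                          customSans:
                            description: Immutable. Contains additional subject alternative
                              name values.
                            items:
                              properties:
                                critical:
                                  description: Immutable. Optional. Indicates whether
                                    or not this extension is critical (i.e., if the
                                    client does not know how to handle this extension,
                                    the client should consider this to be an error).
                                  type: boolean
                                objectId:
                                  description: Immutable. Required. The OID for this
                                    X.509 extension.
                                  properties:
                                    objectIdPath:
                                      description: Immutable. Required. The parts
                                        of an OID path. The most significant parts
                                        of the path come first.
                                      items:
                                        format: int64
                                        type: integer
                                      type: array
                                  required:
                                  - objectIdPath
                                  type: object
                                value:
                                  description: Immutable. Required. The value of this
                                    X.509 extension.
                                  type: string
                              required:
                              - objectId
                              - value
                              type: object
                            type: array
                          dnsNames:
                            description: Immutable. Contains only valid, fully-qualified
                              host names.
                            items:
                              type: string
                            type: array
                          emailAddresses:
                            description: Immutable. Contains only valid RFC 2822 E-mail
                              addresses.
                            items:
                              type: string
                            type: array
                          ipAddresses:
                            description: Immutable. Contains only valid 32-bit IPv4
                              addresses or RFC 4291 IPv6 addresses.
                            items:
                              type: string
                            type: array
                          uris:
                            description: Immutable. Contains only valid RFC 3986 URIs.
                            items:
                              type: string
                            type: array
                        type: object
                    required:
                    - subject
                    type: object
                  x509Config:
                    description: Immutable. Required. Describes how some of the technical
                      X.509 fields in a certificate should be populated.
                    properties:
                      additionalExtensions:
                        description: Immutable. Optional. Describes custom X.509 extensions.
                        items:
                          properties:
                            critical:
                              description: Immutable. Optional. Indicates whether
                                or not this extension is critical (i.e., if the client
                                does not know how to handle this extension, the client
                                should consider this to be an error).
                              type: boolean
                            objectId:
                              description: Immutable. Required. The OID for this X.509
                                extension.
                              properties:
                                objectIdPath:
                                  description: Immutable. Required. The parts of an
                                    OID path. The most significant parts of the path
                                    come first.
                                  items:
                                    format: int64
                                    type: integer
                                  type: array
                              required:
                              - objectIdPath
                              type: object
                            value:
                              description: Immutable. Required. The value of this
                                X.509 extension.
                              type: string
                          required:
                          - objectId
                          - value
                          type: object
                        type: array
                      # Basic Constraints of the CA certificate. All three fields are
                      # optional in the schema; per the descriptions, omitting `isCa`
                      # omits the extension, and omitting both path-length fields
                      # omits the path length constraint from the CA certificate.
                      caOptions:
                        description: Immutable. Optional. Describes options in this
                          X509Parameters that are relevant in a CA certificate.
                        properties:
                          isCa:
                            description: Immutable. Optional. Refers to the "CA" X.509
                              extension, which is a boolean value. When this value
                              is missing, the extension will be omitted from the CA
                              certificate.
                            type: boolean
                          maxIssuerPathLength:
                            description: Immutable. Optional. Refers to the path length
                              restriction X.509 extension. For a CA certificate, this
                              value describes the depth of subordinate CA certificates
                              that are allowed. If this value is less than 0, the
                              request will fail. If this value is missing, the max
                              path length will be omitted from the CA certificate.
                            format: int64
                            type: integer
                          zeroMaxIssuerPathLength:
                            description: Immutable. Optional. When true, the "path
                              length constraint" in Basic Constraints extension will
                              be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length
                              are unset, the max path length will be omitted from
                              the CA certificate.
                            type: boolean
                        type: object
                      # Key Usage / Extended Key Usage bits. Every flag is an optional
                      # boolean; the schema does not require any particular bit
                      # (e.g. certSign or crlSign) for a CA.
                      keyUsage:
                        description: Immutable. Optional. Indicates the intended use
                          for keys that correspond to a certificate.
                        properties:
                          baseKeyUsage:
                            description: Immutable. Describes high-level ways in which
                              a key may be used.
                            properties:
                              certSign:
                                description: Immutable. The key may be used to sign
                                  certificates.
                                type: boolean
                              contentCommitment:
                                description: Immutable. The key may be used for cryptographic
                                  commitments. Note that this may also be referred
                                  to as "non-repudiation".
                                type: boolean
                              crlSign:
                                description: Immutable. The key may be used to sign certificate
                                  revocation lists.
                                type: boolean
                              dataEncipherment:
                                description: Immutable. The key may be used to encipher
                                  data.
                                type: boolean
                              decipherOnly:
                                description: Immutable. The key may be used to decipher
                                  only.
                                type: boolean
                              digitalSignature:
                                description: Immutable. The key may be used for digital
                                  signatures.
                                type: boolean
                              encipherOnly:
                                description: Immutable. The key may be used to encipher
                                  only.
                                type: boolean
                              keyAgreement:
                                description: Immutable. The key may be used in a key
                                  agreement protocol.
                                type: boolean
                              keyEncipherment:
                                description: Immutable. The key may be used to encipher
                                  other keys.
                                type: boolean
                            type: object
                          extendedKeyUsage:
                            description: Immutable. Detailed scenarios in which a
                              key may be used.
                            properties:
                              clientAuth:
                                description: Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.2.
                                  Officially described as "TLS WWW client authentication",
                                  though regularly used for non-WWW TLS.
                                type: boolean
                              codeSigning:
                                description: Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.3.
                                  Officially described as "Signing of downloadable
                                  executable code client authentication".
                                type: boolean
                              emailProtection:
                                description: Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.4.
                                  Officially described as "Email protection".
                                type: boolean
                              ocspSigning:
                                description: Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.9.
                                  Officially described as "Signing OCSP responses".
                                type: boolean
                              serverAuth:
                                description: Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.1.
                                  Officially described as "TLS WWW server authentication",
                                  though regularly used for non-WWW TLS.
                                type: boolean
                              timeStamping:
                                description: Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.8.
                                  Officially described as "Binding the hash of an
                                  object to a time".
                                type: boolean
                            type: object
                          unknownExtendedKeyUsages:
                            description: Immutable. Used to describe extended key
                              usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions
                              message.
                            items:
                              properties:
                                objectIdPath:
                                  description: Immutable. Required. The parts of an
                                    OID path. The most significant parts of the path
                                    come first.
                                  items:
                                    format: int64
                                    type: integer
                                  type: array
                              required:
                              - objectIdPath
                              type: object
                            type: array
                        type: object
                      policyIds:
                        description: Immutable. Optional. Describes the X.509 certificate
                          policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
                        items:
                          properties:
                            objectIdPath:
                              description: Immutable. Required. The parts of an OID
                                path. The most significant parts of the path come
                                first.
                              items:
                                format: int64
                                type: integer
                              type: array
                          required:
                          - objectIdPath
                          type: object
                        type: array
                    type: object
                required:
                - subjectConfig
                - x509Config
                type: object
              # Optional bucket for publishing the CA certificate and CRLs; a managed
              # bucket is created when this is not set (see description).
              gcsBucketRef:
                description: Immutable.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: |-
                      Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as `gs://`) or suffixes (such as `.googleapis.com`). For example, to use a bucket named `my-bucket`, you would simply specify `my-bucket`. If not specified, a managed bucket will be created.

                      Allowed value: The Google Cloud resource name of a `StorageBucket` resource (format: `{{name}}`).
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              # Signing key of the CA. `algorithm` asks the service for a managed
              # HSM-backed Cloud KMS key; `cloudKmsKeyVersionRef` points at an existing
              # CryptoKeyVersion. The schema declares no exclusivity between the two.
              keySpec:
                description: Immutable. Required. Immutable. Used when issuing certificates
                  for this CertificateAuthority. If this CertificateAuthority is a
                  self-signed CertificateAuthority, this key is also used to sign
                  the self-signed CA certificate. Otherwise, it is used to sign a
                  CSR.
                properties:
                  # The possible values are documented only; no `enum` is declared.
                  algorithm:
                    description: 'Immutable. The algorithm to use for creating a managed
                      Cloud KMS key for a simplified experience. All managed
                      keys will have their ProtectionLevel as `HSM`. Possible values:
                      RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256,
                      RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256,
                      EC_P256_SHA256, EC_P384_SHA384'
                    type: string
                  # Per the `name` description, only `external` is usable for this
                  # reference at present.
                  cloudKmsKeyVersionRef:
                    description: Immutable.
                    oneOf:
                    - not:
                        required:
                        - external
                      required:
                      - name
                    - not:
                        anyOf:
                        - required:
                          - name
                        - required:
                          - namespace
                      required:
                      - external
                    properties:
                      external:
                        description: The resource name for an existing Cloud KMS CryptoKeyVersion
                          in the format `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
                          This option enables full flexibility in the key's capabilities
                          and properties.
                        type: string
                      name:
                        description: |-
                          [WARNING] KMSCryptoKeyVersion not yet supported in Config Connector, use 'external' field to reference existing resources.
                          Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
                        type: string
                      namespace:
                        description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                        type: string
                    type: object
                type: object
              # Plain string; the schema declares no format or pattern for the
              # duration, so a malformed value is presumably only rejected by the
              # GCP API at reconcile time.
              lifetime:
                description: Immutable. Required. The desired lifetime of the CA certificate.
                  Used to create the "not_before_time" and "not_after_time" fields
                  inside an X.509 certificate.
                type: string
              location:
                description: Immutable. The location for the resource
                type: string
              projectRef:
                description: Immutable. The Project that this resource belongs to.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: |-
                      The project for the resource

                      Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              resourceID:
                description: Immutable. Optional. The name of the resource. Used for
                  creation and acquisition. When unset, the value of `metadata.name`
                  is used as the default.
                type: string
              # Not declared as an `enum`; the listed values are documentation only.
              type:
                description: 'Immutable. Required. Immutable. The Type of this CertificateAuthority.
                  Possible values: SELF_SIGNED, SUBORDINATE'
                type: string
            required:
            - caPoolRef
            - config
            - keySpec
            - lifetime
            - location
            - projectRef
            - type
            type: object
          # Observed state written by the controller through the status subresource.
          status:
            properties:
              accessUrls:
                description: Output only. URLs for accessing content published by
                  this CA, such as the CA certificate and CRLs.
                properties:
                  caCertificateAccessUrl:
                    description: The URL where this CertificateAuthority's CA certificate
                      is published. This will only be set for CAs that have been activated.
                    type: string
                  crlAccessUrls:
                    description: The URLs where this CertificateAuthority's CRLs are
                      published. This will only be set for CAs that have been activated.
                    items:
                      type: string
                    type: array
                type: object
              # Parsed view of the CA certificate chain, self first, root last.
              caCertificateDescriptions:
                description: Output only. A structured description of this CertificateAuthority's
                  CA certificate and its issuers. Ordered as self-to-root.
                items:
                  properties:
                    aiaIssuingCertificateUrls:
                      description: Describes lists of issuer CA certificate URLs that
                        appear in the "Authority Information Access" extension in
                        the certificate.
                      items:
                        type: string
                      type: array
                    authorityKeyId:
                      description: Identifies the subject_key_id of the parent certificate,
                        per https://tools.ietf.org/html/rfc5280#section-4.2.1.1
                      properties:
                        keyId:
                          description: Optional. The value of this KeyId encoded in
                            lowercase hexadecimal. This is most likely the 160 bit
                            SHA-1 hash of the public key.
                          type: string
                      type: object
                    certFingerprint:
                      description: The hash of the x.509 certificate.
                      properties:
                        sha256Hash:
                          description: The SHA 256 hash, encoded in hexadecimal, of
                            the DER x509 certificate.
                          type: string
                      type: object
                    crlDistributionPoints:
                      description: Describes a list of locations to obtain CRL information,
                        i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
                      items:
                        type: string
                      type: array
                    publicKey:
                      description: The public key that corresponds to an issued certificate.
                      properties:
                        format:
                          description: 'Required. The format of the public key. Possible
                            values: PEM'
                          type: string
                        key:
                          description: Required. A public key. The padding and encoding
                            must match with the `KeyFormat` value specified for the
                            `format` field.
                          type: string
                      type: object
                    subjectDescription:
                      description: Describes some of the values in a certificate that
                        are related to the subject and lifetime.
                      properties:
                        hexSerialNumber:
                          description: The serial number encoded in lowercase hexadecimal.
                          type: string
                        lifetime:
                          description: For convenience, the actual lifetime of an
                            issued certificate.
                          type: string
                        notAfterTime:
                          description: The time after which the certificate is expired.
                            Per RFC 5280, the validity period for a certificate is
                            the period of time from not_before_time through not_after_time,
                            inclusive. Corresponds to 'not_before_time' + 'lifetime'
                            - 1 second.
                          format: date-time
                          type: string
                        notBeforeTime:
                          description: The time at which the certificate becomes valid.
                          format: date-time
                          type: string
                        subject:
                          description: Contains distinguished name fields such as
                            the common name, location and organization.
                          properties:
                            commonName:
                              description: The "common name" of the subject.
                              type: string
                            countryCode:
                              description: The country code of the subject.
                              type: string
                            locality:
                              description: The locality or city of the subject.
                              type: string
                            organization:
                              description: The organization of the subject.
                              type: string
                            organizationalUnit:
                              description: The organizational_unit of the subject.
                              type: string
                            postalCode:
                              description: The postal code of the subject.
                              type: string
                            province:
                              description: The province, territory, or regional state
                                of the subject.
                              type: string
                            streetAddress:
                              description: The street address of the subject.
                              type: string
                          type: object
                        subjectAltName:
                          description: The subject alternative name fields.
                          properties:
                            customSans:
                              description: Contains additional subject alternative
                                name values.
                              items:
                                properties:
                                  critical:
                                    description: Optional. Indicates whether or not
                                      this extension is critical (i.e., if the client
                                      does not know how to handle this extension,
                                      the client should consider this to be an error).
                                    type: boolean
                                  objectId:
                                    description: Required. The OID for this X.509
                                      extension.
                                    properties:
                                      objectIdPath:
                                        description: Required. The parts of an OID
                                          path. The most significant parts of the
                                          path come first.
                                        items:
                                          format: int64
                                          type: integer
                                        type: array
                                    type: object
                                  value:
                                    description: Required. The value of this X.509
                                      extension.
                                    type: string
                                type: object
                              type: array
                            dnsNames:
                              description: Contains only valid, fully-qualified host
                                names.
                              items:
                                type: string
                              type: array
                            emailAddresses:
                              description: Contains only valid RFC 2822 E-mail addresses.
                              items:
                                type: string
                              type: array
                            ipAddresses:
                              description: Contains only valid 32-bit IPv4 addresses
                                or RFC 4291 IPv6 addresses.
                              items:
                                type: string
                              type: array
                            uris:
                              description: Contains only valid RFC 3986 URIs.
                              items:
                                type: string
                              type: array
                          type: object
                      type: object
                    subjectKeyId:
                      description: Provides a means of identifying certificates that
                        contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2.
                      properties:
                        keyId:
                          description: Optional. The value of this KeyId encoded in
                            lowercase hexadecimal. This is most likely the 160 bit
                            SHA-1 hash of the public key.
                          type: string
                      type: object
                    x509Description:
                      description: Describes some of the technical X.509 fields in
                        a certificate.
                      properties:
                        additionalExtensions:
                          description: Optional. Describes custom X.509 extensions.
                          items:
                            properties:
                              critical:
                                description: Optional. Indicates whether or not this
                                  extension is critical (i.e., if the client does
                                  not know how to handle this extension, the client
                                  should consider this to be an error).
                                type: boolean
                              objectId:
                                description: Required. The OID for this X.509 extension.
                                properties:
                                  objectIdPath:
                                    description: Required. The parts of an OID path.
                                      The most significant parts of the path come
                                      first.
                                    items:
                                      format: int64
                                      type: integer
                                    type: array
                                type: object
                              value:
                                description: Required. The value of this X.509 extension.
                                type: string
                            type: object
                          type: array
                        aiaOcspServers:
                          description: Optional. Describes Online Certificate Status
                            Protocol (OCSP) endpoint addresses that appear in the
                            "Authority Information Access" extension in the certificate.
                          items:
                            type: string
                          type: array
                        caOptions:
                          description: Optional. Describes options in this X509Parameters
                            that are relevant in a CA certificate.
                          properties:
                            isCa:
                              description: Optional. Refers to the "CA" X.509 extension,
                                which is a boolean value. When this value is missing,
                                the extension will be omitted from the CA certificate.
                              type: boolean
                            maxIssuerPathLength:
                              description: Optional. Refers to the path length restriction
                                X.509 extension. For a CA certificate, this value
                                describes the depth of subordinate CA certificates
                                that are allowed. If this value is less than 0, the
                                request will fail. If this value is missing, the max
                                path length will be omitted from the CA certificate.
                              format: int64
                              type: integer
                          type: object
                        keyUsage:
                          description: Optional. Indicates the intended use for keys
                            that correspond to a certificate.
                          properties:
                            baseKeyUsage:
                              description: Describes high-level ways in which a key
                                may be used.
                              properties:
                                certSign:
                                  description: The key may be used to sign certificates.
                                  type: boolean
                                contentCommitment:
                                  description: The key may be used for cryptographic
                                    commitments. Note that this may also be referred
                                    to as "non-repudiation".
                                  type: boolean
                                crlSign:
                                  description: The key may be used to sign certificate
                                    revocation lists.
                                  type: boolean
                                dataEncipherment:
                                  description: The key may be used to encipher data.
                                  type: boolean
                                decipherOnly:
                                  description: The key may be used to decipher only.
                                  type: boolean
                                digitalSignature:
                                  description: The key may be used for digital signatures.
                                  type: boolean
                                encipherOnly:
                                  description: The key may be used to encipher only.
                                  type: boolean
                                keyAgreement:
                                  description: The key may be used in a key agreement
                                    protocol.
                                  type: boolean
                                keyEncipherment:
                                  description: The key may be used to encipher other
                                    keys.
                                  type: boolean
                              type: object
                            extendedKeyUsage:
                              description: Detailed scenarios in which a key may be
                                used.
                              properties:
                                clientAuth:
                                  description: Corresponds to OID 1.3.6.1.5.5.7.3.2.
                                    Officially described as "TLS WWW client authentication",
                                    though regularly used for non-WWW TLS.
                                  type: boolean
                                codeSigning:
                                  description: Corresponds to OID 1.3.6.1.5.5.7.3.3.
                                    Officially described as "Signing of downloadable
                                    executable code client authentication".
                                  type: boolean
                                emailProtection:
                                  description: Corresponds to OID 1.3.6.1.5.5.7.3.4.
                                    Officially described as "Email protection".
                                  type: boolean
                                ocspSigning:
                                  description: Corresponds to OID 1.3.6.1.5.5.7.3.9.
                                    Officially described as "Signing OCSP responses".
                                  type: boolean
                                serverAuth:
                                  description: Corresponds to OID 1.3.6.1.5.5.7.3.1.
                                    Officially described as "TLS WWW server authentication",
                                    though regularly used for non-WWW TLS.
                                  type: boolean
                                timeStamping:
                                  description: Corresponds to OID 1.3.6.1.5.5.7.3.8.
                                    Officially described as "Binding the hash of an
                                    object to a time".
                                  type: boolean
                              type: object
                            unknownExtendedKeyUsages:
                              description: Used to describe extended key usages that
                                are not listed in the KeyUsage.ExtendedKeyUsageOptions
                                message.
                              items:
                                properties:
                                  objectIdPath:
                                    description: Required. The parts of an OID path.
                                      The most significant parts of the path come
                                      first.
                                    items:
                                      format: int64
                                      type: integer
                                    type: array
                                type: object
                              type: array
                          type: object
                        policyIds:
                          description: Optional. Describes the X.509 certificate policy
                            object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
                          items:
                            properties:
                              objectIdPath:
                                description: Required. The parts of an OID path. The
                                  most significant parts of the path come first.
                                items:
                                  format: int64
                                  type: integer
                                type: array
                            type: object
                          type: array
                      type: object
                  type: object
                type: array
              # Standard KCC condition list; the `Ready` condition drives the
              # printer columns declared above.
              conditions:
                description: Conditions represent the latest available observation
                  of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's
                        last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              config:
                properties:
                  publicKey:
                    description: Optional. The public key that corresponds to this
                      config. This is, for example, used when issuing Certificates,
                      but not when creating a self-signed CertificateAuthority or
                      CertificateAuthority CSR.
                    properties:
                      format:
                        description: 'Required. The format of the public key. Possible
                          values: PEM'
                        type: string
                      key:
                        description: Required. A public key. The padding and encoding
                          must match with the `KeyFormat` value specified for the
                          `format` field.
                        type: string
                    type: object
                  x509Config:
                    properties:
                      aiaOcspServers:
                        description: Optional. Describes Online Certificate Status
                          Protocol (OCSP) endpoint addresses that appear in the "Authority
                          Information Access" extension in the certificate.
                        items:
                          type: string
                        type: array
                    type: object
                type: object
              createTime:
                description: Output only. The time at which this CertificateAuthority
                  was created.
                format: date-time
                type: string
              deleteTime:
                description: Output only. The time at which this CertificateAuthority
                  was soft deleted, if it is in the DELETED state.
                format: date-time
                type: string
              expireTime:
                description: Output only. The time at which this CertificateAuthority
                  will be permanently purged, if it is in the DELETED state.
                format: date-time
                type: string
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
              # PEM chain, leaf (this CA) first and root issuer last.
              pemCaCertificates:
                description: Output only. This CertificateAuthority's certificate
                  chain, including the current CertificateAuthority's certificate.
                  Ordered such that the root issuer is the final element (consistent
                  with RFC 5246). For a self-signed CA, this will only list the current
                  CertificateAuthority's certificate.
                items:
                  type: string
                type: array
              state:
                description: 'Output only. The State for this CertificateAuthority.
                  Possible values: ENABLED, DISABLED, STAGED, AWAITING_USER_ACTIVATION,
                  DELETED'
                type: string
              # Set for subordinate CAs only; carries the issuer chain (leaf-to-root)
              # of this CA's issuers, excluding this CA's own certificate.
              subordinateConfig:
                description: Optional. If this is a subordinate CertificateAuthority,
                  this field will be set with the subordinate configuration, which
                  describes its issuers. This may be updated, but this CertificateAuthority
                  must continue to validate.
                properties:
                  certificateAuthority:
                    description: Required. This can refer to a CertificateAuthority
                      in the same project that was used to create a subordinate CertificateAuthority.
                      This field is used for information and usability purposes only.
                      The resource name is in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
                    type: string
                  pemIssuerChain:
                    description: Required. Contains the PEM certificate chain for
                      the issuers of this CertificateAuthority, but not pem certificate
                      for this CA itself.
                    properties:
                      pemCertificates:
                        description: Required. Expected to be in leaf-to-root order
                          according to RFC 5246.
                        items:
                          type: string
                        type: array
                    type: object
                type: object
              tier:
                description: 'Output only. The CaPool.Tier of the CaPool that includes
                  this CertificateAuthority. Possible values: ENTERPRISE, DEVOPS'
                type: string
              updateTime:
                description: Output only. The time at which this CertificateAuthority
                  was last updated.
                format: date-time
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      # `status` is a subresource: updates to `.status` go through the /status
      # endpoint and are ignored on writes to the main resource.
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []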