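---
# CustomResourceDefinition served by Config Connector (KCC) for the
# PrivateCACertificateTemplate kind (group privateca.cnrm.cloud.google.com,
# version v1beta1). The `dcl2crd` and `managed-by-kcc` labels mark this as a
# generated, controller-managed manifest; the `description` strings in the
# schema mirror the upstream CA Service CertificateTemplate API rather than
# anything specific to this file. Hand edits are presumably overwritten on
# regeneration -- confirm with the project's build before editing in place.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cnrm.cloud.google.com/version: 0.0.0-dev
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/dcl2crd: "true"
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
  name: privatecacertificatetemplates.privateca.cnrm.cloud.google.com
spec:
  group: privateca.cnrm.cloud.google.com
  names:
    categories:
      - gcp
    kind: PrivateCACertificateTemplate
    plural: privatecacertificatetemplates
    shortNames:
      - gcpprivatecacertificatetemplate
      - gcpprivatecacertificatetemplates
    singular: privatecacertificatetemplate
  # Fields not declared in the schema below are pruned by the API server on
  # create/update instead of being stored; only declared properties survive.
  preserveUnknownFields: false
  scope: Namespaced
  versions:
    - additionalPrinterColumns:
        - jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
        - description: When 'True', the most recent reconcile of the resource succeeded
          jsonPath: .status.conditions[?(@.type=='Ready')].status
          name: Ready
          type: string
        - description: The reason for the value in 'Ready'
          jsonPath: .status.conditions[?(@.type=='Ready')].reason
          name: Status
          type: string
        - description: The last transition time for the value in 'Status'
          jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
          name: Status Age
          type: date
      name: v1beta1
      schema:
        openAPIV3Schema:
          properties:
            apiVersion:
              description: 'apiVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the latest
                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
              type: string
            kind:
              description: 'kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the client
                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              properties:
                description:
                  description: Optional. A human-readable description of scenarios this
                    template is intended for.
                  type: string
                # Security-relevant: the two required passthrough booleans decide
                # whether the requester-supplied Subject / SubjectAltNames are copied
                # into the signed certificate, and celExpression lets policy validate
                # the resolved identity before signing. Only the shape of
                # celExpression is checked here (plain strings, no pattern/format);
                # the CEL text itself is not validated by this schema.
                identityConstraints:
                  description: Optional. Describes constraints on identities that may
                    be appear in Certificates issued using this template. If this is
                    omitted, then this template will not add restrictions on a certificate's
                    identity.
                  properties:
                    allowSubjectAltNamesPassthrough:
                      description: Required. If this is true, the SubjectAltNames extension
                        may be copied from a certificate request into the signed certificate.
                        Otherwise, the requested SubjectAltNames will be discarded.
                      type: boolean
                    allowSubjectPassthrough:
                      description: Required. If this is true, the Subject field may
                        be copied from a certificate request into the signed certificate.
                        Otherwise, the requested Subject will be discarded.
                      type: boolean
                    celExpression:
                      description: Optional. A CEL expression that may be used to validate
                        the resolved X.509 Subject and/or Subject Alternative Name before
                        a certificate is signed. To see the full allowed syntax and
                        some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel
                      properties:
                        description:
                          description: Optional. Description of the expression. This
                            is a longer text which describes the expression, e.g. when
                            hovered over it in a UI.
                          type: string
                        expression:
                          description: Textual representation of an expression in Common
                            Expression Language syntax.
                          type: string
                        location:
                          description: Optional. String indicating the location of the
                            expression for error reporting, e.g. a file name and a position
                            in the file.
                          type: string
                        title:
                          description: Optional. Title for the expression, i.e. a short
                            string describing its purpose. This can be used e.g. in
                            UIs which allow to enter the expression.
                          type: string
                      type: object
                  # Both passthrough flags must be stated explicitly whenever
                  # identityConstraints is present; there is no implicit default.
                  required:
                    - allowSubjectAltNamesPassthrough
                    - allowSubjectPassthrough
                  type: object
                location:
                  description: Immutable. The location for the resource
                  type: string
                # Allow-list of X.509 extensions a request may carry through; per the
                # description, extensions not listed here are dropped from the issued
                # certificate.
                passthroughExtensions:
                  description: Optional. Describes the set of X.509 extensions that
                    may appear in a Certificate issued using this CertificateTemplate.
                    If a certificate request sets extensions that don't appear in the
                    passthrough_extensions, those extensions will be dropped. If the
                    issuing CaPool's IssuancePolicy defines baseline_values that don't
                    appear here, the certificate issuance request will fail. If this
                    is omitted, then this template will not add restrictions on a certificate's
                    X.509 extensions. These constraints do not apply to X.509 extensions
                    set in this CertificateTemplate's predefined_values.
                  properties:
                    additionalExtensions:
                      description: Optional. A set of ObjectIds identifying custom X.509
                        extensions. Will be combined with known_extensions to determine
                        the full set of X.509 extensions.
                      items:
                        properties:
                          objectIdPath:
                            description: Required. The parts of an OID path. The most
                              significant parts of the path come first.
                            items:
                              format: int64
                              type: integer
                            type: array
                        required:
                          - objectIdPath
                        type: object
                      type: array
                    knownExtensions:
                      description: Optional. A set of named X.509 extensions. Will be
                        combined with additional_extensions to determine the full set
                        of X.509 extensions.
                      items:
                        type: string
                      type: array
                  type: object
                # Values stamped onto every certificate issued from this template; per
                # the description they override conflicting values in the request.
                predefinedValues:
                  description: Optional. A set of X.509 values that will be applied
                    to all issued certificates that use this template. If the certificate
                    request includes conflicting values for the same properties, they
                    will be overwritten by the values defined here. If the issuing CaPool's
                    IssuancePolicy defines conflicting baseline_values for the same
                    properties, the certificate issuance request will fail.
                  properties:
                    additionalExtensions:
                      description: Optional. Describes custom X.509 extensions.
                      items:
                        properties:
                          critical:
                            description: Optional. Indicates whether or not this extension
                              is critical (i.e., if the client does not know how to
                              handle this extension, the client should consider this
                              to be an error).
                            type: boolean
                          objectId:
                            description: Required. The OID for this X.509 extension.
                            properties:
                              objectIdPath:
                                description: Required. The parts of an OID path. The
                                  most significant parts of the path come first.
                                items:
                                  format: int64
                                  type: integer
                                type: array
                            required:
                              - objectIdPath
                            type: object
                          value:
                            description: Required. The value of this X.509 extension.
                            type: string
                        required:
                          - objectId
                          - value
                        type: object
                      type: array
                    aiaOcspServers:
                      description: Optional. Describes Online Certificate Status Protocol
                        (OCSP) endpoint addresses that appear in the "Authority Information
                        Access" extension in the certificate.
                      items:
                        type: string
                      type: array
                    caOptions:
                      description: Optional. Describes options in this X509Parameters
                        that are relevant in a CA certificate.
                      properties:
                        isCa:
                          description: Optional. Refers to the "CA" X.509 extension,
                            which is a boolean value. When this value is missing, the
                            extension will be omitted from the CA certificate.
                          type: boolean
                        # NOTE(review): the description says negative values make the
                        # request fail, but the schema carries no `minimum: 0`, so that
                        # rejection happens API-side rather than at admission.
                        maxIssuerPathLength:
                          description: Optional. Refers to the path length restriction
                            X.509 extension. For a CA certificate, this value describes
                            the depth of subordinate CA certificates that are allowed.
                            If this value is less than 0, the request will fail. If
                            this value is missing, the max path length will be omitted
                            from the CA certificate.
                          format: int64
                          type: integer
                      type: object
                    keyUsage:
                      description: Optional. Indicates the intended use for keys that
                        correspond to a certificate.
                      properties:
                        baseKeyUsage:
                          description: Describes high-level ways in which a key may
                            be used.
                          properties:
                            certSign:
                              description: The key may be used to sign certificates.
                              type: boolean
                            contentCommitment:
                              description: The key may be used for cryptographic commitments.
                                Note that this may also be referred to as "non-repudiation".
                              type: boolean
                            crlSign:
                              description: The key may be used sign certificate revocation
                                lists.
                              type: boolean
                            dataEncipherment:
                              description: The key may be used to encipher data.
                              type: boolean
                            decipherOnly:
                              description: The key may be used to decipher only.
                              type: boolean
                            digitalSignature:
                              description: The key may be used for digital signatures.
                              type: boolean
                            encipherOnly:
                              description: The key may be used to encipher only.
                              type: boolean
                            keyAgreement:
                              description: The key may be used in a key agreement protocol.
                              type: boolean
                            keyEncipherment:
                              description: The key may be used to encipher other keys.
                              type: boolean
                          type: object
                        extendedKeyUsage:
                          description: Detailed scenarios in which a key may be used.
                          properties:
                            clientAuth:
                              description: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially
                                described as "TLS WWW client authentication", though
                                regularly used for non-WWW TLS.
                              type: boolean
                            codeSigning:
                              description: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially
                                described as "Signing of downloadable executable code
                                client authentication".
                              type: boolean
                            emailProtection:
                              description: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially
                                described as "Email protection".
                              type: boolean
                            ocspSigning:
                              description: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially
                                described as "Signing OCSP responses".
                              type: boolean
                            serverAuth:
                              description: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially
                                described as "TLS WWW server authentication", though
                                regularly used for non-WWW TLS.
                              type: boolean
                            timeStamping:
                              description: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially
                                described as "Binding the hash of an object to a time".
                              type: boolean
                          type: object
                        unknownExtendedKeyUsages:
                          description: Used to describe extended key usages that are
                            not listed in the KeyUsage.ExtendedKeyUsageOptions message.
                          items:
                            properties:
                              objectIdPath:
                                description: Required. The parts of an OID path. The
                                  most significant parts of the path come first.
                                items:
                                  format: int64
                                  type: integer
                                type: array
                            required:
                              - objectIdPath
                            type: object
                          type: array
                      type: object
                    policyIds:
                      description: Optional. Describes the X.509 certificate policy
                        object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
                      items:
                        properties:
                          objectIdPath:
                            description: Required. The parts of an OID path. The most
                              significant parts of the path come first.
                            items:
                              format: int64
                              type: integer
                            type: array
                        required:
                          - objectIdPath
                        type: object
                      type: array
                  type: object
                # Exactly one of `name` (an in-cluster Project, optionally qualified by
                # `namespace`) or `external` must be set; the oneOf below rejects a
                # reference that mixes the two forms.
                projectRef:
                  description: Immutable. The Project that this resource belongs to.
                  oneOf:
                    - not:
                        required:
                          - external
                      required:
                        - name
                    - not:
                        anyOf:
                          - required:
                              - name
                          - required:
                              - namespace
                      required:
                        - external
                  properties:
                    external:
                      description: |-
                        The project for the resource

                        Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                      type: string
                    namespace:
                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                      type: string
                  type: object
                resourceID:
                  description: Immutable. Optional. The name of the resource. Used for
                    creation and acquisition. When unset, the value of `metadata.name`
                    is used as the default.
                  type: string
              required:
                - location
                - projectRef
              type: object
            status:
              properties:
                conditions:
                  description: Conditions represent the latest available observation
                    of the resource's current state.
                  items:
                    properties:
                      lastTransitionTime:
                        description: Last time the condition transitioned from one status
                          to another.
                        type: string
                      message:
                        description: Human-readable message indicating details about
                          last transition.
                        type: string
                      reason:
                        description: Unique, one-word, CamelCase reason for the condition's
                          last transition.
                        type: string
                      status:
                        description: Status is the status of the condition. Can be True,
                          False, Unknown.
                        type: string
                      type:
                        description: Type is the type of the condition.
                        type: string
                    type: object
                  type: array
                createTime:
                  description: Output only. The time at which this CertificateTemplate
                    was created.
                  format: date-time
                  type: string
                observedGeneration:
                  description: ObservedGeneration is the generation of the resource
                    that was most recently observed by the Config Connector controller.
                    If this is equal to metadata.generation, then that means that the
                    current reported status reflects the most recent desired state of
                    the resource.
                  type: integer
                updateTime:
                  description: Output only. The time at which this CertificateTemplate
                    was updated.
                  format: date-time
                  type: string
              type: object
          required:
            - spec
          type: object
      served: true
      storage: true
      subresources:
        status: {}
# CRD status is filled in by the API server once the definition is applied;
# the empty values here are the manifest's placeholders, not configuration.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []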