1# Copyright 2020 Google LLC
2#
3# Licensed under the Apache License, Version 2.0 (the "License");
4# you may not use this file except in compliance with the License.
5# You may obtain a copy of the License at
6#
7# http://www.apache.org/licenses/LICENSE-2.0
8#
9# Unless required by applicable law or agreed to in writing, software
10# distributed under the License is distributed on an "AS IS" BASIS,
11# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12# See the License for the specific language governing permissions and
13# limitations under the License.
14
15apiVersion: apiextensions.k8s.io/v1
16kind: CustomResourceDefinition
17metadata:
18 annotations:
19 cnrm.cloud.google.com/version: 1.106.0
20 creationTimestamp: null
21 labels:
22 cnrm.cloud.google.com/dcl2crd: "true"
23 cnrm.cloud.google.com/managed-by-kcc: "true"
24 cnrm.cloud.google.com/stability-level: stable
25 cnrm.cloud.google.com/system: "true"
26 name: privatecacertificateauthorities.privateca.cnrm.cloud.google.com
27spec:
28 group: privateca.cnrm.cloud.google.com
29 names:
30 categories:
31 - gcp
32 kind: PrivateCACertificateAuthority
33 plural: privatecacertificateauthorities
34 shortNames:
35 - gcpprivatecacertificateauthority
36 - gcpprivatecacertificateauthorities
37 singular: privatecacertificateauthority
38 scope: Namespaced
39 versions:
40 - additionalPrinterColumns:
41 - jsonPath: .metadata.creationTimestamp
42 name: Age
43 type: date
44 - description: When 'True', the most recent reconcile of the resource succeeded
45 jsonPath: .status.conditions[?(@.type=='Ready')].status
46 name: Ready
47 type: string
48 - description: The reason for the value in 'Ready'
49 jsonPath: .status.conditions[?(@.type=='Ready')].reason
50 name: Status
51 type: string
52 - description: The last transition time for the value in 'Status'
53 jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
54 name: Status Age
55 type: date
56 name: v1beta1
57 schema:
58 openAPIV3Schema:
59 properties:
60 apiVersion:
61 description: 'apiVersion defines the versioned schema of this representation
62 of an object. Servers should convert recognized schemas to the latest
63 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
64 type: string
65 kind:
66 description: 'kind is a string value representing the REST resource this
67 object represents. Servers may infer this from the endpoint the client
68 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
69 type: string
70 metadata:
71 type: object
72 spec:
73 properties:
74 caPoolRef:
75 description: Immutable.
76 oneOf:
77 - not:
78 required:
79 - external
80 required:
81 - name
82 - not:
83 anyOf:
84 - required:
85 - name
86 - required:
87 - namespace
88 required:
89 - external
90 properties:
91 external:
92 description: |-
93 The caPool for the resource
94
95 Allowed value: The Google Cloud resource name of a `PrivateCACAPool` resource (format: `projects/{{project}}/locations/{{location}}/caPools/{{name}}`).
96 type: string
97 name:
98 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
99 type: string
100 namespace:
101 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
102 type: string
103 type: object
104 config:
105 description: Immutable. Required. The config used to create
106 a self-signed X.509 certificate or CSR.
107 properties:
108 subjectConfig:
109 description: Immutable. Required. Specifies some of the values
110 in a certificate that are related to the subject.
111 properties:
112 subject:
113 description: Immutable. Required. Contains distinguished name
114 fields such as the common name, location and organization.
115 properties:
116 commonName:
117 description: Immutable. The "common name" of the subject.
118 type: string
119 countryCode:
120 description: Immutable. The country code of the subject.
121 type: string
122 locality:
123 description: Immutable. The locality or city of the subject.
124 type: string
125 organization:
126 description: Immutable. The organization of the subject.
127 type: string
128 organizationalUnit:
129 description: Immutable. The organizational_unit of the
130 subject.
131 type: string
132 postalCode:
133 description: Immutable. The postal code of the subject.
134 type: string
135 province:
136 description: Immutable. The province, territory, or regional
137 state of the subject.
138 type: string
139 streetAddress:
140 description: Immutable. The street address of the subject.
141 type: string
142 type: object
143 subjectAltName:
144 description: Immutable. Optional. The subject alternative
145 name fields.
146 properties:
147 customSans:
148 description: Immutable. Contains additional subject alternative
149 name values.
150 items:
151 properties:
152 critical:
153 description: Immutable. Optional. Indicates whether
154 or not this extension is critical (i.e., if the
155 client does not know how to handle this extension,
156 the client should consider this to be an error).
157 type: boolean
158 objectId:
159 description: Immutable. Required. The OID for this
160 X.509 extension.
161 properties:
162 objectIdPath:
163 description: Immutable. Required. The parts
164 of an OID path. The most significant parts
165 of the path come first.
166 items:
167 format: int64
168 type: integer
169 type: array
170 required:
171 - objectIdPath
172 type: object
173 value:
174 description: Immutable. Required. The value of this
175 X.509 extension.
176 type: string
177 required:
178 - objectId
179 - value
180 type: object
181 type: array
182 dnsNames:
183 description: Immutable. Contains only valid, fully-qualified
184 host names.
185 items:
186 type: string
187 type: array
188 emailAddresses:
189 description: Immutable. Contains only valid RFC 2822 E-mail
190 addresses.
191 items:
192 type: string
193 type: array
194 ipAddresses:
195 description: Immutable. Contains only valid 32-bit IPv4
196 addresses or RFC 4291 IPv6 addresses.
197 items:
198 type: string
199 type: array
200 uris:
201 description: Immutable. Contains only valid RFC 3986 URIs.
202 items:
203 type: string
204 type: array
205 type: object
206 required:
207 - subject
208 type: object
209 x509Config:
210 description: Immutable. Required. Describes how some of the technical
211 X.509 fields in a certificate should be populated.
212 properties:
213 additionalExtensions:
214 description: Immutable. Optional. Describes custom X.509 extensions.
215 items:
216 properties:
217 critical:
218 description: Immutable. Optional. Indicates whether
219 or not this extension is critical (i.e., if the client
220 does not know how to handle this extension, the client
221 should consider this to be an error).
222 type: boolean
223 objectId:
224 description: Immutable. Required. The OID for this X.509
225 extension.
226 properties:
227 objectIdPath:
228 description: Immutable. Required. The parts of an
229 OID path. The most significant parts of the path
230 come first.
231 items:
232 format: int64
233 type: integer
234 type: array
235 required:
236 - objectIdPath
237 type: object
238 value:
239 description: Immutable. Required. The value of this
240 X.509 extension.
241 type: string
242 required:
243 - objectId
244 - value
245 type: object
246 type: array
247 caOptions:
248 description: Immutable. Optional. Describes options in this
249 X509Parameters that are relevant in a CA certificate.
250 properties:
251 isCa:
252 description: Immutable. Optional. Refers to the "CA" X.509
253 extension, which is a boolean value. When this value
254 is missing, the extension will be omitted from the CA
255 certificate.
256 type: boolean
257 maxIssuerPathLength:
258 description: Immutable. Optional. Refers to the path length
259 restriction X.509 extension. For a CA certificate, this
260 value describes the depth of subordinate CA certificates
261 that are allowed. If this value is less than 0, the
262 request will fail. If this value is missing, the max
263 path length will be omitted from the CA certificate.
264 format: int64
265 type: integer
266 zeroMaxIssuerPathLength:
267 description: Immutable. Optional. When true, the "path
268 length constraint" in Basic Constraints extension will
269 be set to 0. If both max_issuer_path_length and zero_max_issuer_path_length
270 are unset, the max path length will be omitted from
271 the CA certificate.
272 type: boolean
273 type: object
274 keyUsage:
275 description: Immutable. Optional. Indicates the intended use
276 for keys that correspond to a certificate.
277 properties:
278 baseKeyUsage:
279 description: Immutable. Describes high-level ways in which
280 a key may be used.
281 properties:
282 certSign:
283 description: Immutable. The key may be used to sign
284 certificates.
285 type: boolean
286 contentCommitment:
287 description: Immutable. The key may be used for cryptographic
288 commitments. Note that this may also be referred
289 to as "non-repudiation".
290 type: boolean
291 crlSign:
292 description: Immutable. The key may be used to sign certificate
293 revocation lists.
294 type: boolean
295 dataEncipherment:
296 description: Immutable. The key may be used to encipher
297 data.
298 type: boolean
299 decipherOnly:
300 description: Immutable. The key may be used to decipher
301 only.
302 type: boolean
303 digitalSignature:
304 description: Immutable. The key may be used for digital
305 signatures.
306 type: boolean
307 encipherOnly:
308 description: Immutable. The key may be used to encipher
309 only.
310 type: boolean
311 keyAgreement:
312 description: Immutable. The key may be used in a key
313 agreement protocol.
314 type: boolean
315 keyEncipherment:
316 description: Immutable. The key may be used to encipher
317 other keys.
318 type: boolean
319 type: object
320 extendedKeyUsage:
321 description: Immutable. Detailed scenarios in which a
322 key may be used.
323 properties:
324 clientAuth:
325 description: Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.2.
326 Officially described as "TLS WWW client authentication",
327 though regularly used for non-WWW TLS.
328 type: boolean
329 codeSigning:
330 description: Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.3.
331 Officially described as "Signing of downloadable
332 executable code client authentication".
333 type: boolean
334 emailProtection:
335 description: Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.4.
336 Officially described as "Email protection".
337 type: boolean
338 ocspSigning:
339 description: Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.9.
340 Officially described as "Signing OCSP responses".
341 type: boolean
342 serverAuth:
343 description: Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.1.
344 Officially described as "TLS WWW server authentication",
345 though regularly used for non-WWW TLS.
346 type: boolean
347 timeStamping:
348 description: Immutable. Corresponds to OID 1.3.6.1.5.5.7.3.8.
349 Officially described as "Binding the hash of an
350 object to a time".
351 type: boolean
352 type: object
353 unknownExtendedKeyUsages:
354 description: Immutable. Used to describe extended key
355 usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions
356 message.
357 items:
358 properties:
359 objectIdPath:
360 description: Immutable. Required. The parts of an
361 OID path. The most significant parts of the path
362 come first.
363 items:
364 format: int64
365 type: integer
366 type: array
367 required:
368 - objectIdPath
369 type: object
370 type: array
371 type: object
372 policyIds:
373 description: Immutable. Optional. Describes the X.509 certificate
374 policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
375 items:
376 properties:
377 objectIdPath:
378 description: Immutable. Required. The parts of an OID
379 path. The most significant parts of the path come
380 first.
381 items:
382 format: int64
383 type: integer
384 type: array
385 required:
386 - objectIdPath
387 type: object
388 type: array
389 type: object
390 required:
391 - subjectConfig
392 - x509Config
393 type: object
394 gcsBucketRef:
395 description: Immutable.
396 oneOf:
397 - not:
398 required:
399 - external
400 required:
401 - name
402 - not:
403 anyOf:
404 - required:
405 - name
406 - required:
407 - namespace
408 required:
409 - external
410 properties:
411 external:
412 description: |-
413 Immutable. The name of a Cloud Storage bucket where this CertificateAuthority will publish content, such as the CA certificate and CRLs. This must be a bucket name, without any prefixes (such as `gs://`) or suffixes (such as `.googleapis.com`). For example, to use a bucket named `my-bucket`, you would simply specify `my-bucket`. If not specified, a managed bucket will be created.
414
415 Allowed value: The Google Cloud resource name of a `StorageBucket` resource (format: `{{name}}`).
416 type: string
417 name:
418 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
419 type: string
420 namespace:
421 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
422 type: string
423 type: object
424 keySpec:
425 description: Immutable. Required. Used when issuing certificates
426 for this CertificateAuthority. If this CertificateAuthority is a
427 self-signed CertificateAuthority, this key is also used to sign
428 the self-signed CA certificate. Otherwise, it is used to sign a
429 CSR.
430 properties:
431 algorithm:
432 description: 'Immutable. The algorithm to use for creating a managed
433 Cloud KMS key for a simplified experience. All managed
434 keys will have their ProtectionLevel as `HSM`. Possible values:
435 RSA_PSS_2048_SHA256, RSA_PSS_3072_SHA256, RSA_PSS_4096_SHA256,
436 RSA_PKCS1_2048_SHA256, RSA_PKCS1_3072_SHA256, RSA_PKCS1_4096_SHA256,
437 EC_P256_SHA256, EC_P384_SHA384'
438 type: string
439 cloudKmsKeyVersionRef:
440 description: Immutable.
441 oneOf:
442 - not:
443 required:
444 - external
445 required:
446 - name
447 - not:
448 anyOf:
449 - required:
450 - name
451 - required:
452 - namespace
453 required:
454 - external
455 properties:
456 external:
457 description: The resource name for an existing Cloud KMS CryptoKeyVersion
458 in the format `projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*`.
459 This option enables full flexibility in the key's capabilities
460 and properties.
461 type: string
462 name:
463 description: |-
464 [WARNING] KMSCryptoKeyVersion not yet supported in Config Connector, use 'external' field to reference existing resources.
465 Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
466 type: string
467 namespace:
468 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
469 type: string
470 type: object
471 type: object
472 lifetime:
473 description: Immutable. Required. The desired lifetime of the CA certificate.
474 Used to create the "not_before_time" and "not_after_time" fields
475 inside an X.509 certificate.
476 type: string
477 location:
478 description: Immutable. The location for the resource
479 type: string
480 projectRef:
481 description: Immutable. The Project that this resource belongs to.
482 oneOf:
483 - not:
484 required:
485 - external
486 required:
487 - name
488 - not:
489 anyOf:
490 - required:
491 - name
492 - required:
493 - namespace
494 required:
495 - external
496 properties:
497 external:
498 description: |-
499 The project for the resource
500
501 Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
502 type: string
503 name:
504 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
505 type: string
506 namespace:
507 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
508 type: string
509 type: object
510 resourceID:
511 description: Immutable. Optional. The name of the resource. Used for
512 creation and acquisition. When unset, the value of `metadata.name`
513 is used as the default.
514 type: string
515 type:
516 description: 'Immutable. Required. The Type of this CertificateAuthority.
517 Possible values: SELF_SIGNED, SUBORDINATE'
518 type: string
519 required:
520 - caPoolRef
521 - config
522 - keySpec
523 - lifetime
524 - location
525 - projectRef
526 - type
527 type: object
528 status:
529 properties:
530 accessUrls:
531 description: Output only. URLs for accessing content published by
532 this CA, such as the CA certificate and CRLs.
533 properties:
534 caCertificateAccessUrl:
535 description: The URL where this CertificateAuthority's CA certificate
536 is published. This will only be set for CAs that have been activated.
537 type: string
538 crlAccessUrls:
539 description: The URLs where this CertificateAuthority's CRLs are
540 published. This will only be set for CAs that have been activated.
541 items:
542 type: string
543 type: array
544 type: object
545 caCertificateDescriptions:
546 description: Output only. A structured description of this CertificateAuthority's
547 CA certificate and its issuers. Ordered as self-to-root.
548 items:
549 properties:
550 aiaIssuingCertificateUrls:
551 description: Describes lists of issuer CA certificate URLs that
552 appear in the "Authority Information Access" extension in
553 the certificate.
554 items:
555 type: string
556 type: array
557 authorityKeyId:
558 description: Identifies the subject_key_id of the parent certificate,
559 per https://tools.ietf.org/html/rfc5280#section-4.2.1.1
560 properties:
561 keyId:
562 description: Optional. The value of this KeyId encoded in
563 lowercase hexadecimal. This is most likely the 160 bit
564 SHA-1 hash of the public key.
565 type: string
566 type: object
567 certFingerprint:
568 description: The hash of the x.509 certificate.
569 properties:
570 sha256Hash:
571 description: The SHA 256 hash, encoded in hexadecimal, of
572 the DER x509 certificate.
573 type: string
574 type: object
575 crlDistributionPoints:
576 description: Describes a list of locations to obtain CRL information,
577 i.e. the DistributionPoint.fullName described by https://tools.ietf.org/html/rfc5280#section-4.2.1.13
578 items:
579 type: string
580 type: array
581 publicKey:
582 description: The public key that corresponds to an issued certificate.
583 properties:
584 format:
585 description: 'Required. The format of the public key. Possible
586 values: PEM'
587 type: string
588 key:
589 description: Required. A public key. The padding and encoding
590 must match with the `KeyFormat` value specified for the
591 `format` field.
592 type: string
593 type: object
594 subjectDescription:
595 description: Describes some of the values in a certificate that
596 are related to the subject and lifetime.
597 properties:
598 hexSerialNumber:
599 description: The serial number encoded in lowercase hexadecimal.
600 type: string
601 lifetime:
602 description: For convenience, the actual lifetime of an
603 issued certificate.
604 type: string
605 notAfterTime:
606 description: The time after which the certificate is expired.
607 Per RFC 5280, the validity period for a certificate is
608 the period of time from not_before_time through not_after_time,
609 inclusive. Corresponds to 'not_before_time' + 'lifetime'
610 - 1 second.
611 format: date-time
612 type: string
613 notBeforeTime:
614 description: The time at which the certificate becomes valid.
615 format: date-time
616 type: string
617 subject:
618 description: Contains distinguished name fields such as
619 the common name, location and organization.
620 properties:
621 commonName:
622 description: The "common name" of the subject.
623 type: string
624 countryCode:
625 description: The country code of the subject.
626 type: string
627 locality:
628 description: The locality or city of the subject.
629 type: string
630 organization:
631 description: The organization of the subject.
632 type: string
633 organizationalUnit:
634 description: The organizational_unit of the subject.
635 type: string
636 postalCode:
637 description: The postal code of the subject.
638 type: string
639 province:
640 description: The province, territory, or regional state
641 of the subject.
642 type: string
643 streetAddress:
644 description: The street address of the subject.
645 type: string
646 type: object
647 subjectAltName:
648 description: The subject alternative name fields.
649 properties:
650 customSans:
651 description: Contains additional subject alternative
652 name values.
653 items:
654 properties:
655 critical:
656 description: Optional. Indicates whether or not
657 this extension is critical (i.e., if the client
658 does not know how to handle this extension,
659 the client should consider this to be an error).
660 type: boolean
661 objectId:
662 description: Required. The OID for this X.509
663 extension.
664 properties:
665 objectIdPath:
666 description: Required. The parts of an OID
667 path. The most significant parts of the
668 path come first.
669 items:
670 format: int64
671 type: integer
672 type: array
673 type: object
674 value:
675 description: Required. The value of this X.509
676 extension.
677 type: string
678 type: object
679 type: array
680 dnsNames:
681 description: Contains only valid, fully-qualified host
682 names.
683 items:
684 type: string
685 type: array
686 emailAddresses:
687 description: Contains only valid RFC 2822 E-mail addresses.
688 items:
689 type: string
690 type: array
691 ipAddresses:
692 description: Contains only valid 32-bit IPv4 addresses
693 or RFC 4291 IPv6 addresses.
694 items:
695 type: string
696 type: array
697 uris:
698 description: Contains only valid RFC 3986 URIs.
699 items:
700 type: string
701 type: array
702 type: object
703 type: object
704 subjectKeyId:
705 description: Provides a means of identifying certificates that
706 contain a particular public key, per https://tools.ietf.org/html/rfc5280#section-4.2.1.2.
707 properties:
708 keyId:
709 description: Optional. The value of this KeyId encoded in
710 lowercase hexadecimal. This is most likely the 160 bit
711 SHA-1 hash of the public key.
712 type: string
713 type: object
714 x509Description:
715 description: Describes some of the technical X.509 fields in
716 a certificate.
717 properties:
718 additionalExtensions:
719 description: Optional. Describes custom X.509 extensions.
720 items:
721 properties:
722 critical:
723 description: Optional. Indicates whether or not this
724 extension is critical (i.e., if the client does
725 not know how to handle this extension, the client
726 should consider this to be an error).
727 type: boolean
728 objectId:
729 description: Required. The OID for this X.509 extension.
730 properties:
731 objectIdPath:
732 description: Required. The parts of an OID path.
733 The most significant parts of the path come
734 first.
735 items:
736 format: int64
737 type: integer
738 type: array
739 type: object
740 value:
741 description: Required. The value of this X.509 extension.
742 type: string
743 type: object
744 type: array
745 aiaOcspServers:
746 description: Optional. Describes Online Certificate Status
747 Protocol (OCSP) endpoint addresses that appear in the
748 "Authority Information Access" extension in the certificate.
749 items:
750 type: string
751 type: array
752 caOptions:
753 description: Optional. Describes options in this X509Parameters
754 that are relevant in a CA certificate.
755 properties:
756 isCa:
757 description: Optional. Refers to the "CA" X.509 extension,
758 which is a boolean value. When this value is missing,
759 the extension will be omitted from the CA certificate.
760 type: boolean
761 maxIssuerPathLength:
762 description: Optional. Refers to the path length restriction
763 X.509 extension. For a CA certificate, this value
764 describes the depth of subordinate CA certificates
765 that are allowed. If this value is less than 0, the
766 request will fail. If this value is missing, the max
767 path length will be omitted from the CA certificate.
768 format: int64
769 type: integer
770 type: object
771 keyUsage:
772 description: Optional. Indicates the intended use for keys
773 that correspond to a certificate.
774 properties:
775 baseKeyUsage:
776 description: Describes high-level ways in which a key
777 may be used.
778 properties:
779 certSign:
780 description: The key may be used to sign certificates.
781 type: boolean
782 contentCommitment:
783 description: The key may be used for cryptographic
784 commitments. Note that this may also be referred
785 to as "non-repudiation".
786 type: boolean
787 crlSign:
788 description: The key may be used to sign certificate
789 revocation lists.
790 type: boolean
791 dataEncipherment:
792 description: The key may be used to encipher data.
793 type: boolean
794 decipherOnly:
795 description: The key may be used to decipher only.
796 type: boolean
797 digitalSignature:
798 description: The key may be used for digital signatures.
799 type: boolean
800 encipherOnly:
801 description: The key may be used to encipher only.
802 type: boolean
803 keyAgreement:
804 description: The key may be used in a key agreement
805 protocol.
806 type: boolean
807 keyEncipherment:
808 description: The key may be used to encipher other
809 keys.
810 type: boolean
811 type: object
812 extendedKeyUsage:
813 description: Detailed scenarios in which a key may be
814 used.
815 properties:
816 clientAuth:
817 description: Corresponds to OID 1.3.6.1.5.5.7.3.2.
818 Officially described as "TLS WWW client authentication",
819 though regularly used for non-WWW TLS.
820 type: boolean
821 codeSigning:
822 description: Corresponds to OID 1.3.6.1.5.5.7.3.3.
823 Officially described as "Signing of downloadable
824 executable code client authentication".
825 type: boolean
826 emailProtection:
827 description: Corresponds to OID 1.3.6.1.5.5.7.3.4.
828 Officially described as "Email protection".
829 type: boolean
830 ocspSigning:
831 description: Corresponds to OID 1.3.6.1.5.5.7.3.9.
832 Officially described as "Signing OCSP responses".
833 type: boolean
834 serverAuth:
835 description: Corresponds to OID 1.3.6.1.5.5.7.3.1.
836 Officially described as "TLS WWW server authentication",
837 though regularly used for non-WWW TLS.
838 type: boolean
839 timeStamping:
840 description: Corresponds to OID 1.3.6.1.5.5.7.3.8.
841 Officially described as "Binding the hash of an
842 object to a time".
843 type: boolean
844 type: object
845 unknownExtendedKeyUsages:
846 description: Used to describe extended key usages that
847 are not listed in the KeyUsage.ExtendedKeyUsageOptions
848 message.
849 items:
850 properties:
851 objectIdPath:
852 description: Required. The parts of an OID path.
853 The most significant parts of the path come
854 first.
855 items:
856 format: int64
857 type: integer
858 type: array
859 type: object
860 type: array
861 type: object
862 policyIds:
863 description: Optional. Describes the X.509 certificate policy
864 object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
865 items:
866 properties:
867 objectIdPath:
868 description: Required. The parts of an OID path. The
869 most significant parts of the path come first.
870 items:
871 format: int64
872 type: integer
873 type: array
874 type: object
875 type: array
876 type: object
877 type: object
878 type: array
879 conditions:
880 description: Conditions represent the latest available observation
881 of the resource's current state.
882 items:
883 properties:
884 lastTransitionTime:
885 description: Last time the condition transitioned from one status
886 to another.
887 type: string
888 message:
889 description: Human-readable message indicating details about
890 last transition.
891 type: string
892 reason:
893 description: Unique, one-word, CamelCase reason for the condition's
894 last transition.
895 type: string
896 status:
897 description: Status is the status of the condition. Can be True,
898 False, Unknown.
899 type: string
900 type:
901 description: Type is the type of the condition.
902 type: string
903 type: object
904 type: array
905 config:
906 properties:
907 publicKey:
908 description: Optional. The public key that corresponds to this
909 config. This is, for example, used when issuing Certificates,
910 but not when creating a self-signed CertificateAuthority or
911 CertificateAuthority CSR.
912 properties:
913 format:
914 description: 'Required. The format of the public key. Possible
915 values: PEM'
916 type: string
917 key:
918 description: Required. A public key. The padding and encoding
919 must match with the `KeyFormat` value specified for the
920 `format` field.
921 type: string
922 type: object
923 x509Config:
924 properties:
925 aiaOcspServers:
926 description: Optional. Describes Online Certificate Status
927 Protocol (OCSP) endpoint addresses that appear in the "Authority
928 Information Access" extension in the certificate.
929 items:
930 type: string
931 type: array
932 type: object
933 type: object
934 createTime:
935 description: Output only. The time at which this CertificateAuthority
936 was created.
937 format: date-time
938 type: string
939 deleteTime:
940 description: Output only. The time at which this CertificateAuthority
941 was soft deleted, if it is in the DELETED state.
942 format: date-time
943 type: string
944 expireTime:
945 description: Output only. The time at which this CertificateAuthority
946 will be permanently purged, if it is in the DELETED state.
947 format: date-time
948 type: string
949 observedGeneration:
950 description: ObservedGeneration is the generation of the resource
951 that was most recently observed by the Config Connector controller.
952 If this is equal to metadata.generation, then that means that the
953 current reported status reflects the most recent desired state of
954 the resource.
955 type: integer
956 pemCaCertificates:
957 description: Output only. This CertificateAuthority's certificate
958 chain, including the current CertificateAuthority's certificate.
959 Ordered such that the root issuer is the final element (consistent
960 with RFC 5246). For a self-signed CA, this will only list the current
961 CertificateAuthority's certificate.
962 items:
963 type: string
964 type: array
965 state:
966 description: 'Output only. The State for this CertificateAuthority.
967 Possible values: ENABLED, DISABLED, STAGED, AWAITING_USER_ACTIVATION,
968 DELETED'
969 type: string
970 subordinateConfig:
971 description: Optional. If this is a subordinate CertificateAuthority,
972 this field will be set with the subordinate configuration, which
973 describes its issuers. This may be updated, but this CertificateAuthority
974 must continue to validate.
975 properties:
976 certificateAuthority:
977 description: Required. This can refer to a CertificateAuthority
978 in the same project that was used to create a subordinate CertificateAuthority.
979 This field is used for information and usability purposes only.
980 The resource name is in the format `projects/*/locations/*/caPools/*/certificateAuthorities/*`.
981 type: string
982 pemIssuerChain:
983 description: Required. Contains the PEM certificate chain for
984 the issuers of this CertificateAuthority, but not pem certificate
985 for this CA itself.
986 properties:
987 pemCertificates:
988 description: Required. Expected to be in leaf-to-root order
989 according to RFC 5246.
990 items:
991 type: string
992 type: array
993 type: object
994 type: object
995 tier:
996 description: 'Output only. The CaPool.Tier of the CaPool that includes
997 this CertificateAuthority. Possible values: ENTERPRISE, DEVOPS'
998 type: string
999 updateTime:
1000 description: Output only. The time at which this CertificateAuthority
1001 was last updated.
1002 format: date-time
1003 type: string
1004 type: object
1005 required:
1006 - spec
1007 type: object
1008 served: true
1009 storage: true
1010 subresources:
1011 status: {}
1012status:
1013 acceptedNames:
1014 kind: ""
1015 plural: ""
1016 conditions: []
1017 storedVersions: []