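# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CustomResourceDefinition for the Config Connector PrivateCACertificateTemplate
# resource (group privateca.cnrm.cloud.google.com, served and stored at v1beta1).
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
    creationTimestamp: null
  labels:
    cnrm.cloud.google.com/dcl2crd: "true"
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
  name: privatecacertificatetemplates.privateca.cnrm.cloud.google.com
spec:
  group: privateca.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: PrivateCACertificateTemplate
    plural: privatecacertificatetemplates
    shortNames:
    - gcpprivatecacertificatetemplate
    - gcpprivatecacertificatetemplates
    singular: privatecacertificatetemplate
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              description:
                description: Optional. A human-readable description of scenarios this
                  template is intended for.
                type: string
              # identityConstraints is the only place in the template that limits which
              # identities (Subject / SubjectAltNames) a request may carry into the
              # signed certificate; omitting it adds no identity restriction at all.
              identityConstraints:
                description: Optional. Describes constraints on identities that may
                  appear in Certificates issued using this template. If this is
                  omitted, then this template will not add restrictions on a certificate's
                  identity.
                properties:
                  # Both passthrough flags are required. Setting one to true lets the
                  # requester-supplied field be copied verbatim into the signed
                  # certificate, so celExpression below is the remaining check on it.
                  allowSubjectAltNamesPassthrough:
                    description: Required. If this is true, the SubjectAltNames extension
                      may be copied from a certificate request into the signed certificate.
                      Otherwise, the requested SubjectAltNames will be discarded.
                    type: boolean
                  allowSubjectPassthrough:
                    description: Required. If this is true, the Subject field may
                      be copied from a certificate request into the signed certificate.
                      Otherwise, the requested Subject will be discarded.
                    type: boolean
                  celExpression:
                    description: Optional. A CEL expression that may be used to validate
                      the resolved X.509 Subject and/or Subject Alternative Name before
                      a certificate is signed. To see the full allowed syntax and
                      some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel
                    properties:
                      description:
                        description: Optional. Description of the expression. This
                          is a longer text which describes the expression, e.g. when
                          hovered over it in a UI.
                        type: string
                      expression:
                        description: Textual representation of an expression in Common
                          Expression Language syntax.
                        type: string
                      location:
                        description: Optional. String indicating the location of the
                          expression for error reporting, e.g. a file name and a position
                          in the file.
                        type: string
                      title:
                        description: Optional. Title for the expression, i.e. a short
                          string describing its purpose. This can be used e.g. in
                          UIs which allow to enter the expression.
                        type: string
                    type: object
                required:
                - allowSubjectAltNamesPassthrough
                - allowSubjectPassthrough
                type: object
              location:
                description: Immutable. The location for the resource
                type: string
              # Allow-list for request-supplied X.509 extensions: anything requested
              # but not listed here is dropped; a CaPool baseline_values extension
              # missing from this list makes issuance fail.
              passthroughExtensions:
                description: Optional. Describes the set of X.509 extensions that
                  may appear in a Certificate issued using this CertificateTemplate.
                  If a certificate request sets extensions that don't appear in the
                  passthrough_extensions, those extensions will be dropped. If the
                  issuing CaPool's IssuancePolicy defines baseline_values that don't
                  appear here, the certificate issuance request will fail. If this
                  is omitted, then this template will not add restrictions on a certificate's
                  X.509 extensions. These constraints do not apply to X.509 extensions
                  set in this CertificateTemplate's predefined_values.
                properties:
                  additionalExtensions:
                    description: Optional. A set of ObjectIds identifying custom X.509
                      extensions. Will be combined with known_extensions to determine
                      the full set of X.509 extensions.
                    items:
                      properties:
                        objectIdPath:
                          description: Required. The parts of an OID path. The most
                            significant parts of the path come first.
                          items:
                            format: int64
                            type: integer
                          type: array
                      required:
                      - objectIdPath
                      type: object
                    type: array
                  knownExtensions:
                    description: Optional. A set of named X.509 extensions. Will be
                      combined with additional_extensions to determine the full set
                      of X.509 extensions.
                    items:
                      type: string
                    type: array
                type: object
              # Values fixed by the template. They override conflicting values in the
              # request and are not subject to passthroughExtensions above.
              predefinedValues:
                description: Optional. A set of X.509 values that will be applied
                  to all issued certificates that use this template. If the certificate
                  request includes conflicting values for the same properties, they
                  will be overwritten by the values defined here. If the issuing CaPool's
                  IssuancePolicy defines conflicting baseline_values for the same
                  properties, the certificate issuance request will fail.
                properties:
                  additionalExtensions:
                    description: Optional. Describes custom X.509 extensions.
                    items:
                      properties:
                        critical:
                          description: Optional. Indicates whether or not this extension
                            is critical (i.e., if the client does not know how to
                            handle this extension, the client should consider this
                            to be an error).
                          type: boolean
                        objectId:
                          description: Required. The OID for this X.509 extension.
                          properties:
                            objectIdPath:
                              description: Required. The parts of an OID path. The
                                most significant parts of the path come first.
                              items:
                                format: int64
                                type: integer
                              type: array
                          required:
                          - objectIdPath
                          type: object
                        value:
                          description: Required. The value of this X.509 extension.
                          type: string
                      required:
                      - objectId
                      - value
                      type: object
                    type: array
                  aiaOcspServers:
                    description: Optional. Describes Online Certificate Status Protocol
                      (OCSP) endpoint addresses that appear in the "Authority Information
                      Access" extension in the certificate.
                    items:
                      type: string
                    type: array
                  # isCa decides whether certificates from this template can themselves
                  # act as CAs; maxIssuerPathLength bounds how deep a subordinate chain
                  # they may anchor.
                  caOptions:
                    description: Optional. Describes options in this X509Parameters
                      that are relevant in a CA certificate.
                    properties:
                      isCa:
                        description: Optional. Refers to the "CA" X.509 extension,
                          which is a boolean value. When this value is missing, the
                          extension will be omitted from the CA certificate.
                        type: boolean
                      maxIssuerPathLength:
                        description: Optional. Refers to the path length restriction
                          X.509 extension. For a CA certificate, this value describes
                          the depth of subordinate CA certificates that are allowed.
                          If this value is less than 0, the request will fail. If
                          this value is missing, the max path length will be omitted
                          from the CA certificate.
                        format: int64
                        type: integer
                    type: object
                  keyUsage:
                    description: Optional. Indicates the intended use for keys that
                      correspond to a certificate.
                    properties:
                      baseKeyUsage:
                        description: Describes high-level ways in which a key may
                          be used.
                        properties:
                          certSign:
                            description: The key may be used to sign certificates.
                            type: boolean
                          contentCommitment:
                            description: The key may be used for cryptographic commitments.
                              Note that this may also be referred to as "non-repudiation".
                            type: boolean
                          crlSign:
                            description: The key may be used to sign certificate revocation
                              lists.
                            type: boolean
                          dataEncipherment:
                            description: The key may be used to encipher data.
                            type: boolean
                          decipherOnly:
                            description: The key may be used to decipher only.
                            type: boolean
                          digitalSignature:
                            description: The key may be used for digital signatures.
                            type: boolean
                          encipherOnly:
                            description: The key may be used to encipher only.
                            type: boolean
                          keyAgreement:
                            description: The key may be used in a key agreement protocol.
                            type: boolean
                          keyEncipherment:
                            description: The key may be used to encipher other keys.
                            type: boolean
                        type: object
                      extendedKeyUsage:
                        description: Detailed scenarios in which a key may be used.
                        properties:
                          clientAuth:
                            description: Corresponds to OID 1.3.6.1.5.5.7.3.2. Officially
                              described as "TLS WWW client authentication", though
                              regularly used for non-WWW TLS.
                            type: boolean
                          codeSigning:
                            description: Corresponds to OID 1.3.6.1.5.5.7.3.3. Officially
                              described as "Signing of downloadable executable code
                              client authentication".
                            type: boolean
                          emailProtection:
                            description: Corresponds to OID 1.3.6.1.5.5.7.3.4. Officially
                              described as "Email protection".
                            type: boolean
                          ocspSigning:
                            description: Corresponds to OID 1.3.6.1.5.5.7.3.9. Officially
                              described as "Signing OCSP responses".
                            type: boolean
                          serverAuth:
                            description: Corresponds to OID 1.3.6.1.5.5.7.3.1. Officially
                              described as "TLS WWW server authentication", though
                              regularly used for non-WWW TLS.
                            type: boolean
                          timeStamping:
                            description: Corresponds to OID 1.3.6.1.5.5.7.3.8. Officially
                              described as "Binding the hash of an object to a time".
                            type: boolean
                        type: object
                      unknownExtendedKeyUsages:
                        description: Used to describe extended key usages that are
                          not listed in the KeyUsage.ExtendedKeyUsageOptions message.
                        items:
                          properties:
                            objectIdPath:
                              description: Required. The parts of an OID path. The
                                most significant parts of the path come first.
                              items:
                                format: int64
                                type: integer
                              type: array
                          required:
                          - objectIdPath
                          type: object
                        type: array
                    type: object
                  policyIds:
                    description: Optional. Describes the X.509 certificate policy
                      object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
                    items:
                      properties:
                        objectIdPath:
                          description: Required. The parts of an OID path. The most
                            significant parts of the path come first.
                          items:
                            format: int64
                            type: integer
                          type: array
                      required:
                      - objectIdPath
                      type: object
                    type: array
                type: object
              # Exactly one of the two reference forms is accepted: an in-cluster
              # Project by name (optionally namespace), or an external resource name.
              projectRef:
                description: Immutable. The Project that this resource belongs to.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: |-
                      The project for the resource

                      Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              resourceID:
                description: Immutable. Optional. The name of the resource. Used for
                  creation and acquisition. When unset, the value of `metadata.name`
                  is used as the default.
                type: string
            required:
            - location
            - projectRef
            type: object
          status:
            properties:
              conditions:
                description: Conditions represent the latest available observation
                  of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's
                        last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              createTime:
                description: Output only. The time at which this CertificateTemplate
                  was created.
                format: date-time
                type: string
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
              updateTime:
                description: Output only. The time at which this CertificateTemplate
                  was updated.
                format: date-time
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []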