Skip to search

TrustConfig

security.cloud.google.com / v1

apiVersion: security.cloud.google.com/v1 kind: TrustConfig metadata: name: example
View raw schema
spec object required
trustStores []object
Configuration for trusting identities from a given SPIFFE trust domain. If there are multiple entries for a given SPIFFE trust domain, the certificate issuance machinery in the cluster will reject the overall config as invalid.
trustAnchors []object
certificateAuthorityServiceURI string
Retrieve and trust the root certificates of this GCP Certificate Authority Service CA Pool. A resource URI of the form //privateca.googleapis.com/projects/{project}/locations/{location}/caPools/{pool_name}
pemCertificate string
Additional CA certificates to trust. Each entry is a PEM-encoded certificate to use as a trust anchor. Each entry should contain only one certificate; configurations with multiple certificates per entry will be rejected as invalid.
spiffeTrustBundleEndpoint string
An HTTPS endpoint that returns a list of trusted CA certificates in SPIFFE trust bundle format [1]. [1] https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#4-spiffe-bundle-format
trustDomain string required
The SPIFFE trust domain to which this trust anchor applies.
status object
conditions []object
lastTransitionTime string
The time at which this condition last changed status, in the format "2021-01-29T01:13:35Z".
message string
Human-readable description of the condition's last transition.
observedGeneration integer
If set, this represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.condition[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
reason string
Machine-readable description of the condition's last transition.
status string
Is the condition true or false? One of "True", "False", or "Unknown".
type string
Known values: * "Ready": The certificate issuance machinery has validated and rendered this TrustConfig; if the Ready condition is set to status=True with an observedGeneration equal to the current .metadata.generation of the TrustConfig, the rendered trust anchors will be published to pods. If the Ready condition is set to status=False, check the reason and message fields for an explanation of why the controller rejected your configuration.
renderedTrustStores []object
Holds the actual set of trust anchor certificates for each trust domain. Updated by the controller based on .spec.trustStores --- the node agent does not necessarily have the connectivity or access necessary to retrieve certificates from external systems.
trustAnchors []object
pemCertificates []string
trustDomain string required

No matches. Try .spec.trustStores for an exact path