TrustConfig
security.cloud.google.com / v1
apiVersion: security.cloud.google.com/v1
kind: TrustConfig
metadata:
name: example
spec object required
trustStores []object
Configuration for trusting identities from a given SPIFFE trust domain.
If there are multiple entries for a given SPIFFE trust domain, the certificate
issuance machinery in the cluster will reject the overall config as invalid.
trustAnchors []object
certificateAuthorityServiceURI
string
Retrieve and trust the root certificates of this GCP Certificate Authority
Service CA Pool. A resource URI of the form
//privateca.googleapis.com/projects/{project}/locations/{location}/caPools/{pool_name}
pemCertificate
string
Additional CA certificates to trust.
Each entry is a PEM-encoded certificate to use as a trust anchor. Each
entry should contain only one certificate; configurations with multiple
certificates per entry will be rejected as invalid.
spiffeTrustBundleEndpoint
string
An HTTPS endpoint that returns a list of trusted CA certificates in SPIFFE
trust bundle format [1].
[1] https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#4-spiffe-bundle-format
trustDomain
string required
The SPIFFE trust domain to which this trust anchor applies.
status object
conditions []object
lastTransitionTime
string
The time at which this condition last changed status, in the format "2021-01-29T01:13:35Z".
message
string
Human-readable description of the condition's last transition.
observedGeneration
integer
If set, this represents the .metadata.generation that the condition was set
based upon.
For instance, if .metadata.generation is currently 12, but the
.status.condition[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
reason
string
Machine-readable description of the condition's last transition.
status
string
Is the condition true or false?
One of "True", "False", or "Unknown".
type
string
Known values:
* "Ready": The certificate issuance machinery has validated and rendered
this TrustConfig; if the Ready condition is set to status=True with an
observedGeneration equal to the current .metadata.generation of the
TrustConfig, the rendered trust anchors will be published to pods.
If the Ready condition is set to status=False, check the reason and
message fields for an explanation of why the controller rejected your
configuration.
renderedTrustStores []object
Holds the actual set of trust anchor certificates for each trust domain.
Updated by the controller based on .spec.trustStores --- the node agent does not
necessarily have the connectivity or access necessary to retrieve certificates
from external systems.
trustAnchors []object
pemCertificates
[]string
trustDomain
string required
No matches. Try .spec.trustStores for an exact path