WorkloadCertificateConfig
security.cloud.google.com / v1alpha1
apiVersion: security.cloud.google.com/v1alpha1
kind: WorkloadCertificateConfig
metadata:
name: example
spec object required
certificateAuthorityConfig object required
Controls which CA workload certificates are issued against.
One and only one sub-object should be specified.
certificateAuthorityServiceConfig object
Issue certificates from a GCP Certificate Authority Service CA Pool.
endpointURI
string
GCP Certificate Authority Service CA Pool URI of the form
//privateca.googleapis.com/projects/{project}/locations/{location}/caPools/{pool_name}
meshCAConfig
object
keyAlgorithm object
The key algorithm to use when generating key-pairs for workload certificates.
ecdsa object
curve
string required
The name of the ECDSA curve to use.
The certificate issuance machinery in the cluster is only guaranteed to
accept the values "P256" and "P384".
rsa object
modulusSize
integer required
The number of bits to use in the workload's RSA key modulus.
The certificate issuance machinery in the cluster may enforce a range of
allowed values.
rotationWindowPercentage
integer
Start trying to renew certificates when this much percentage of certificate validity duration
is remaining.
Certificate issuers default to 50 percent (12 hours) if this value is not specified.
Must be between 0 and 100. Certificate issuance implementations may enforce a narrower range.
trustDomain
string required
validityDurationSeconds
integer
Length of time (in seconds) that issued certificates should be valid for.
Certificate issuers default to 86400 (24 hours) if this value is not specified.
Certificate issuance implementations may enforce minimum and maximum bounds on
this value.
status object
conditions []object
lastTransitionTime
string
The time at which this condition last changed status, in the format "2021-01-29T01:13:35Z".
message
string
Human-readable description of the condition's last transition.
observedGeneration
integer
If set, this represents the .metadata.generation that the condition was set
based upon.
For instance, if .metadata.generation is currently 12, but the
.status.condition[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
reason
string
Machine-readable description of the condition's last transition.
status
string
Is the condition true or false?
One of "True", "False", or "Unknown".
type
string
Known values:
* "Ready": The certificate issuance machinery has validated and rendered
this WorkloadCertificateConfig; if the Ready condition is set to
status=True with an observedGeneration equal to the current
.metadata.generation of the WorkloadCertificateConfig, it can be used for
issuing certificates.
If the Ready condition is set to status=False, check the reason and
message fields for an explanation of why the controller rejected your
configuration.
No matches. Try .spec.certificateAuthorityConfig for an exact path