CertificateTemplate is the Schema for the CertificateTemplates API. Certificate Authority Service provides reusable and parameterized templates that you can use for common certificate issuance scenarios. A certificate template represents a relatively static and well-defined certificate issuance schema within an organization. A certificate template can essentially become a full-fledged vertical certificate issuance framework.
Type
CRD
Group
privateca.gcp.upbound.io
Version
v1beta1
apiVersion: privateca.gcp.upbound.io/v1beta1
kind: CertificateTemplate
CertificateTemplateSpec defines the desired state of CertificateTemplate
No description provided.
Optional. Describes constraints on identities that may be appear in Certificates issued using this template. If this is omitted, then this template will not add restrictions on a certificate's identity.
Optional. A CEL expression that may be used to validate the resolved X.509 Subject and/or Subject Alternative Name before a certificate is signed. To see the full allowed syntax and some examples, see https://cloud.google.com/certificate-authority-service/docs/using-cel
Optional. Describes the set of X.509 extensions that may appear in a Certificate issued using this CertificateTemplate. If a certificate request sets extensions that don't appear in the passthrough_extensions, those extensions will be dropped. If the issuing CaPool's IssuancePolicy defines baseline_values that don't appear here, the certificate issuance request will fail. If this is omitted, then this template will not add restrictions on a certificate's X.509 extensions. These constraints do not apply to X.509 extensions set in this CertificateTemplate's predefined_values.
Optional. A set of ObjectIds identifying custom X.509 extensions. Will be combined with known_extensions to determine the full set of X.509 extensions.
Required. The parts of an OID path. The most significant parts of the path come first.
Optional. A set of named X.509 extensions. Will be combined with additional_extensions to determine the full set of X.509 extensions.
Optional. A set of X.509 values that will be applied to all issued certificates that use this template. If the certificate request includes conflicting values for the same properties, they will be overwritten by the values defined here. If the issuing CaPool's IssuancePolicy defines conflicting baseline_values for the same properties, the certificate issuance request will fail.
Optional. Describes custom X.509 extensions.
Required. The OID for this X.509 extension.
Required. The parts of an OID path. The most significant parts of the path come first.
Optional. Describes Online Certificate Status Protocol (OCSP) endpoint addresses that appear in the "Authority Information Access" extension in the certificate.
Optional. Describes options in this X509Parameters that are relevant in a CA certificate.
Optional. Indicates the intended use for keys that correspond to a certificate.
Describes high-level ways in which a key may be used.
Detailed scenarios in which a key may be used.
Used to describe extended key usages that are not listed in the KeyUsage.ExtendedKeyUsageOptions message.
Required. The parts of an OID path. The most significant parts of the path come first.
Optional. Describes the X.509 certificate policy object identifiers, per https://tools.ietf.org/html/rfc5280#section-4.2.1.4.
Required. The parts of an OID path. The most significant parts of the path come first.
ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured.
Policies for referencing.
ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. providerConfigRef
Policies for referencing.
PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource.
WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other.
CertificateTemplateStatus defines the observed state of CertificateTemplate.
No description provided.
Conditions of the resource.
certificate-template-${Rand.RFC1123Subdomain}
apiVersion: privateca.gcp.upbound.io/v1beta1
kind: CertificateTemplate
metadata:
annotations:
meta.upbound.io/example-id: privateca/v1beta1/certificatetemplate
labels:
testing.upbound.io/example-name: certificate-template
name: certificate-template-${Rand.RFC1123Subdomain}
spec:
forProvider:
description: An updated sample certificate template
identityConstraints:
- allowSubjectAltNamesPassthrough: true
allowSubjectPassthrough: true
celExpression:
- description: Always true
expression: "true"
location: any.file.anywhere
title: Sample expression
labels:
foo: bar
location: us-central1
passthroughExtensions:
- additionalExtensions:
- objectIdPath:
- 1
- 6
knownExtensions:
- EXTENDED_KEY_USAGE
predefinedValues:
- additionalExtensions:
- critical: true
objectId:
- objectIdPath:
- 1
- 6
value: c3RyaW5nCg==
aiaOcspServers:
- string
caOptions:
- isCa: false
maxIssuerPathLength: 6
keyUsage:
- baseKeyUsage:
- certSign: false
contentCommitment: true
crlSign: false
dataEncipherment: true
decipherOnly: true
digitalSignature: true
encipherOnly: true
keyAgreement: true
keyEncipherment: true
extendedKeyUsage:
- clientAuth: true
codeSigning: true
emailProtection: true
ocspSigning: true
serverAuth: true
timeStamping: true
unknownExtendedKeyUsages:
- objectIdPath:
- 1
- 6
policyIds:
- objectIdPath:
- 1
- 6
certificate-template-iam-member-${Rand.RFC1123Subdomain}
apiVersion: privateca.gcp.upbound.io/v1beta1
kind: CertificateTemplate
metadata:
annotations:
meta.upbound.io/example-id: privateca/v1beta1/certificatetemplateiammember
labels:
testing.upbound.io/example-name: certificate-template-iam-member
name: certificate-template-iam-member-${Rand.RFC1123Subdomain}
spec:
forProvider:
description: An updated sample certificate template
identityConstraints:
- allowSubjectAltNamesPassthrough: true
allowSubjectPassthrough: true
celExpression:
- description: Always true
expression: "true"
location: any.file.anywhere
title: Sample expression
labels:
foo: bar
location: us-central1
passthroughExtensions:
- additionalExtensions:
- objectIdPath:
- 1
- 6
knownExtensions:
- EXTENDED_KEY_USAGE
predefinedValues:
- additionalExtensions:
- critical: true
objectId:
- objectIdPath:
- 1
- 6
value: c3RyaW5nCg==
aiaOcspServers:
- string
caOptions:
- isCa: false
maxIssuerPathLength: 6
keyUsage:
- baseKeyUsage:
- certSign: false
contentCommitment: true
crlSign: false
dataEncipherment: true
decipherOnly: true
digitalSignature: true
encipherOnly: true
keyAgreement: true
keyEncipherment: true
extendedKeyUsage:
- clientAuth: true
codeSigning: true
emailProtection: true
ocspSigning: true
serverAuth: true
timeStamping: true
unknownExtendedKeyUsages:
- objectIdPath:
- 1
- 6
policyIds:
- objectIdPath:
- 1
- 6
© 2022 Upbound, Inc.
Discover the building blocksfor your internal cloud platform.