CertificateManagerCertificate
| Property | Value |
|---|---|
| Google Cloud Service Name | Certificate Manager |
| Google Cloud Service Documentation | /certificate-manager/docs/ |
| Google Cloud REST Resource Name | v1.projects.locations.certificates |
| Google Cloud REST Resource Documentation | /certificate-manager/docs/reference/certificate-manager/rest/v1/projects.locations.certificates |
| Config Connector Resource Short Names | gcpcertificatemanagercertificate gcpcertificatemanagercertificates certificatemanagercertificate |
| Config Connector Service Name | certificatemanager.googleapis.com |
| Config Connector Resource Fully Qualified Name | certificatemanagercertificates.certificatemanager.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
| Config Connector Default Average Reconcile Interval In Seconds | 600 |
Custom Resource Definition Properties
Spec
Schema
```yaml
description: string
location: string
managed:
  authorizationAttemptInfo:
  - details: string
    domain: string
    failureReason: string
    state: string
  dnsAuthorizationsRefs:
  - external: string
    name: string
    namespace: string
  domains:
  - string
  issuanceConfigRef:
    external: string
    name: string
    namespace: string
  provisioningIssue:
  - details: string
    reason: string
  state: string
projectRef:
  external: string
  name: string
  namespace: string
resourceID: string
scope: string
selfManaged:
  certificatePem:
    value: string
    valueFrom:
      secretKeyRef:
        key: string
        name: string
  pemCertificate: string
  pemPrivateKey:
    value: string
    valueFrom:
      secretKeyRef:
        key: string
        name: string
  privateKeyPem:
    value: string
    valueFrom:
      secretKeyRef:
        key: string
        name: string
```

| Field | Required | Description |
|---|---|---|
| `description` | Optional | A human-readable description of the resource. |
| `location` | Required | Immutable. The Certificate Manager location. If not specified, "global" is used. |
| `managed` | Optional | Immutable. Configuration and state of a Managed Certificate. Certificate Manager provisions and renews Managed Certificates automatically, for as long as it's authorized to do so. |
| `managed.authorizationAttemptInfo` | Optional | Detailed state of the latest authorization attempt for each domain specified for this Managed Certificate. |
| `managed.authorizationAttemptInfo[]` | Optional | |
| `managed.authorizationAttemptInfo[].details` | Optional | Human readable explanation for reaching the state. Provided to help address the configuration issues. Not guaranteed to be stable. For programmatic access use 'failure_reason' field. |
| `managed.authorizationAttemptInfo[].domain` | Optional | Domain name of the authorization attempt. |
| `managed.authorizationAttemptInfo[].failureReason` | Optional | Reason for failure of the authorization attempt for the domain. |
| `managed.authorizationAttemptInfo[].state` | Optional | State of the domain for managed certificate issuance. |
| `managed.dnsAuthorizationsRefs` | Optional | |
| `managed.dnsAuthorizationsRefs[]` | Optional | Authorizations that will be used for performing domain authorization. Either issuanceConfig or dnsAuthorizations should be specified, but not both. |
| `managed.dnsAuthorizationsRefs[].external` | Optional | Allowed value: string of the format `projects/{{project}}/locations/global/dnsAuthorizations/{{value}}`, where {{value}} is the `name` field of a `CertificateManagerDNSAuthorization` resource. |
| `managed.dnsAuthorizationsRefs[].name` | Optional | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| `managed.dnsAuthorizationsRefs[].namespace` | Optional | Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| `managed.domains` | Optional | Immutable. The domains for which a managed SSL certificate will be generated. Wildcard domains are only supported with DNS challenge resolution. |
| `managed.domains[]` | Optional | |
| `managed.issuanceConfigRef` | Optional | Only the `external` field is supported to configure the reference. Immutable. The resource name for a CertificateIssuanceConfig used to configure private PKI certificates in the format projects/*/locations/*/certificateIssuanceConfigs/*. If this field is not set, the certificates will instead be publicly signed as documented at https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#caa. Either issuanceConfig or dnsAuthorizations should be specified, but not both. |
| `managed.issuanceConfigRef.external` | Optional | Allowed value: string of the format `projects/{{project}}/locations/{{location}}/certificateIssuanceConfigs/{{name}}`, where {{value}} is the `name` field of a `CertificateManagerCertificateIssuanceConfig` resource. |
| `managed.issuanceConfigRef.name` | Optional | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| `managed.issuanceConfigRef.namespace` | Optional | Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| `managed.provisioningIssue` | Optional | Information about issues with provisioning this Managed Certificate. |
| `managed.provisioningIssue[]` | Optional | |
| `managed.provisioningIssue[].details` | Optional | Human readable explanation about the issue. Provided to help address the configuration issues. Not guaranteed to be stable. For programmatic access use 'reason' field. |
| `managed.provisioningIssue[].reason` | Optional | Reason for provisioning failures. |
| `managed.state` | Optional | A state of this Managed Certificate. |
| `projectRef` | Required | The project that this resource belongs to. |
| `projectRef.external` | Optional | Allowed value: The `name` field of a `Project` resource. |
| `projectRef.name` | Optional | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
| `projectRef.namespace` | Optional | Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
| `resourceID` | Optional | Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default. |
| `scope` | Optional | Immutable. The scope of the certificate. DEFAULT: Certificates with default scope are served from core Google data centers. If unsure, choose this option. EDGE_CACHE: Certificates with scope EDGE_CACHE are special-purposed certificates, served from non-core Google data centers. ALL_REGIONS: Certificates with ALL_REGIONS scope are served from all GCP regions (You can only use ALL_REGIONS with global certs). see https://cloud.google.com/compute/docs/regions-zones. |
| `selfManaged` | Optional | Immutable. Certificate data for a SelfManaged Certificate. SelfManaged Certificates are uploaded by the user. Updating such certificates before they expire remains the user's responsibility. |
| `selfManaged.certificatePem` | Optional | DEPRECATED. `certificate_pem` is deprecated. Use `pem_certificate` instead. Immutable. The certificate chain in PEM-encoded form. Leaf certificate comes first, followed by intermediate ones if any. |
| `selfManaged.certificatePem.value` | Optional | Value of the field. Cannot be used if 'valueFrom' is specified. |
| `selfManaged.certificatePem.valueFrom` | Optional | Source for the field's value. Cannot be used if 'value' is specified. |
| `selfManaged.certificatePem.valueFrom.secretKeyRef` | Optional | Reference to a value with the given key in the given Secret in the resource's namespace. |
| `selfManaged.certificatePem.valueFrom.secretKeyRef.key` | Required* | Key that identifies the value to be extracted. |
| `selfManaged.certificatePem.valueFrom.secretKeyRef.name` | Required* | Name of the Secret to extract a value from. |
| `selfManaged.pemCertificate` | Optional | Immutable. The certificate chain in PEM-encoded form. Leaf certificate comes first, followed by intermediate ones if any. |
| `selfManaged.pemPrivateKey` | Optional | Immutable. The private key of the leaf certificate in PEM-encoded form. |
| `selfManaged.pemPrivateKey.value` | Optional | Value of the field. Cannot be used if 'valueFrom' is specified. |
| `selfManaged.pemPrivateKey.valueFrom` | Optional | Source for the field's value. Cannot be used if 'value' is specified. |
| `selfManaged.pemPrivateKey.valueFrom.secretKeyRef` | Optional | Reference to a value with the given key in the given Secret in the resource's namespace. |
| `selfManaged.pemPrivateKey.valueFrom.secretKeyRef.key` | Required* | Key that identifies the value to be extracted. |
| `selfManaged.pemPrivateKey.valueFrom.secretKeyRef.name` | Required* | Name of the Secret to extract a value from. |
| `selfManaged.privateKeyPem` | Optional | DEPRECATED. `private_key_pem` is deprecated. Use `pem_private_key` instead. Immutable. The private key of the leaf certificate in PEM-encoded form. |
| `selfManaged.privateKeyPem.value` | Optional | Value of the field. Cannot be used if 'valueFrom' is specified. |
| `selfManaged.privateKeyPem.valueFrom` | Optional | Source for the field's value. Cannot be used if 'value' is specified. |
| `selfManaged.privateKeyPem.valueFrom.secretKeyRef` | Optional | Reference to a value with the given key in the given Secret in the resource's namespace. |
| `selfManaged.privateKeyPem.valueFrom.secretKeyRef.key` | Required* | Key that identifies the value to be extracted. |
| `selfManaged.privateKeyPem.valueFrom.secretKeyRef.name` | Required* | Name of the Secret to extract a value from. |

* Field is required when parent field is specified
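
The constraints stated in the field descriptions above can be checked before a manifest is applied. The following Python lint is an added example, not Config Connector code: `lint_certificate` and the sample manifests are hypothetical, and the inline-private-key rule is a local policy assumption rather than a schema rule; the other rules restate the field descriptions.

```python
# Added example: pre-apply lint built from the field descriptions on this page.
DEPRECATED = {"certificatePem": "pemCertificate", "privateKeyPem": "pemPrivateKey"}
KEY_FIELDS = ("pemPrivateKey", "privateKeyPem")
VALUE_FIELDS = ("certificatePem",) + KEY_FIELDS  # fields that take value/valueFrom


def lint_certificate(manifest):
    """Return findings for one CertificateManagerCertificate manifest (a dict)."""
    spec = manifest.get("spec") or {}
    findings = []
    managed = spec.get("managed")
    if managed is not None:
        has_dns = bool(managed.get("dnsAuthorizationsRefs"))
        if has_dns and managed.get("issuanceConfigRef"):
            findings.append("managed: issuanceConfigRef and dnsAuthorizationsRefs both set")
        for domain in managed.get("domains") or []:
            if domain.startswith("*.") and not has_dns:
                findings.append(f"managed.domains: wildcard {domain} without DNS authorization")
    # location falls back to "global" when omitted, per its field description.
    if spec.get("scope") == "ALL_REGIONS" and (spec.get("location") or "global") != "global":
        findings.append("scope: ALL_REGIONS requires location global")
    self_managed = spec.get("selfManaged") or {}
    for old, new in DEPRECATED.items():
        if old in self_managed:
            findings.append(f"selfManaged.{old}: deprecated, use {new}")
    for field in VALUE_FIELDS:
        source = self_managed.get(field)
        if not isinstance(source, dict):
            continue
        if "value" in source and "valueFrom" in source:
            findings.append(f"selfManaged.{field}: value and valueFrom both set")
        elif "value" in source and field in KEY_FIELDS:
            # Local policy (assumption, not a schema rule): no key material in manifests.
            findings.append(f"selfManaged.{field}: inline private key, use valueFrom.secretKeyRef")
    return findings


# Constructed manifests (as parsed from YAML); every name and value is a placeholder.
BAD_MANAGED = {"spec": {"location": "europe-west1", "scope": "ALL_REGIONS",
                        "managed": {"domains": ["*.example.com"]}}}
BAD_SELF_MANAGED = {"spec": {"selfManaged": {
    "pemCertificate": "<PEM chain>", "privateKeyPem": {"value": "<PEM key>"}}}}
GOOD_SELF_MANAGED = {"spec": {"location": "europe-west1", "selfManaged": {
    "pemCertificate": "<PEM chain>",
    "pemPrivateKey": {"valueFrom": {"secretKeyRef": {"name": "cert-key", "key": "privateKey"}}}}}}

if __name__ == "__main__":
    for sample in (BAD_MANAGED, BAD_SELF_MANAGED, GOOD_SELF_MANAGED):
        print(lint_certificate(sample))
```
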
Status
Schema
```yaml
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
observedGeneration: integer
```

| Field | Description |
|---|---|
| `conditions` | Conditions represent the latest available observation of the resource's current state. |
| `conditions[]` | |
| `conditions[].lastTransitionTime` | Last time the condition transitioned from one status to another. |
| `conditions[].message` | Human-readable message indicating details about last transition. |
| `conditions[].reason` | Unique, one-word, CamelCase reason for the condition's last transition. |
| `conditions[].status` | Status is the status of the condition. Can be True, False, Unknown. |
| `conditions[].type` | Type is the type of the condition. |
| `observedGeneration` | ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |

Sample YAML(s)
Managed DNS Certificate
```yaml
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: certificatemanager.cnrm.cloud.google.com/v1beta1
kind: CertificateManagerCertificate
metadata:
  labels:
    label-one: "value-one"
  name: certificatemanagercertificate-sample-manageddnscertificate
spec:
  location: global
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: ${PROJECT_ID?}
  description: sample managed certificate for kcc
  scope: EDGE_CACHE
  managed:
    domains:
      - subdomain1.hashicorptest.com
      - subdomain2.hashicorptest.com
    dnsAuthorizationsRefs:
      - name: certificatemanagercertificate-dep1-manageddnscertificate
      - name: certificatemanagercertificate-dep2-manageddnscertificate
---
apiVersion: certificatemanager.cnrm.cloud.google.com/v1beta1
kind: CertificateManagerDNSAuthorization
metadata:
  name: certificatemanagercertificate-dep1-manageddnscertificate
spec:
  domain: subdomain1.hashicorptest.com
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: ${PROJECT_ID?}
---
apiVersion: certificatemanager.cnrm.cloud.google.com/v1beta1
kind: CertificateManagerDNSAuthorization
metadata:
  name: certificatemanagercertificate-dep2-manageddnscertificate
spec:
  domain: subdomain2.hashicorptest.com
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: ${PROJECT_ID?}
```

Self Managed Certificate
```yaml
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: certificatemanager.cnrm.cloud.google.com/v1beta1
kind: CertificateManagerCertificate
metadata:
  labels:
    label-one: "value-one"
  name: certificatemanagercertificate-sample-selfmanagedcertificate
spec:
  location: europe-west1
  projectRef:
    # Replace ${PROJECT_ID?} with your project ID.
    external: ${PROJECT_ID?}
  description: Regional self-managed certificate
  selfManaged:
    pemCertificate: |-
      -----BEGIN CERTIFICATE-----
      <base64-encoded certificate chain>
      -----END CERTIFICATE-----
    pemPrivateKey:
      valueFrom:
        secretKeyRef:
          name: certificatemanagercertificate-dep-selfmanagedcertificate
          key: privateKey
---
apiVersion: v1
kind: Secret
metadata:
  name: certificatemanagercertificate-dep-selfmanagedcertificate
stringData:
  privateKey: |
    -----BEGIN PRIVATE KEY-----
    <base64-encoded private key>
    -----END PRIVATE KEY-----
```