NetworkSecurityServerTLSPolicy

Property Value
Google Cloud Service Name Network Security
Google Cloud Service Documentation /traffic-director/docs/
Google Cloud REST Resource Name v1beta1/projects.locations.clientTlsPolicies
Google Cloud REST Resource Documentation /traffic-director/docs/reference/network-security/rest/v1beta1/projects.locations.serverTlsPolicies
Config Connector Resource Short Names gcpnetworksecurityservertlspolicy
gcpnetworksecurityservertlspolicies
networksecurityservertlspolicy
Config Connector Service Name networksecurity.googleapis.com
Config Connector Resource Fully Qualified Name networksecurityservertlspolicies.networksecurity.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember Yes
IAMPolicy/IAMPartialPolicy Supports Conditions Yes
IAMPolicyMember Supports Conditions No
Supports IAM Audit Configs No
IAM External Reference Format

projects/{{project}}/locations/{{location}}/serverTlsPolicies/{{name}}
Config Connector Default Average Reconcile Interval In Seconds 600

Custom Resource Definition Properties

Spec

Schema

allowOpen: boolean
description: string
location: string
mtlsPolicy:
  clientValidationCa:
  - certificateProviderInstance:
      pluginInstance: string
    grpcEndpoint:
      targetUri: string
projectRef:
  external: string
  name: string
  namespace: string
resourceID: string
serverCertificate:
  certificateProviderInstance:
    pluginInstance: string
  grpcEndpoint:
    targetUri: string
Fields

allowOpen

Optional

boolean

Optional. Determines if server allows plaintext connections. If set to true, server allows plain text connections. By default, it is set to false. This setting is not exclusive of other encryption modes. For example, if allow_open and mtls_policy are set, server allows both plain text and mTLS connections. See documentation of other encryption modes to confirm compatibility.

description

Optional

string

Optional. Free-text description of the resource.

location

Required

string

Immutable. The location for the resource

mtlsPolicy

Optional

object

Optional. Defines a mechanism to provision peer validation certificates for peer to peer authentication (Mutual TLS - mTLS). If not specified, client certificate will not be requested. The connection is treated as TLS and not mTLS. If allow_open and mtls_policy are set, server allows both plain text and mTLS connections.

mtlsPolicy.clientValidationCa

Required*

list (object)

Required. Defines the mechanism to obtain the Certificate Authority certificate to validate the client certificate.

mtlsPolicy.clientValidationCa[]

Required*

object

mtlsPolicy.clientValidationCa[].certificateProviderInstance

Optional

object

The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.

mtlsPolicy.clientValidationCa[].certificateProviderInstance.pluginInstance

Required*

string

Required. Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.

mtlsPolicy.clientValidationCa[].grpcEndpoint

Optional

object

gRPC specific configuration to access the gRPC server to obtain the CA certificate.

mtlsPolicy.clientValidationCa[].grpcEndpoint.targetUri

Required*

string

Required. The target URI of the gRPC endpoint. Only UDS path is supported, and should start with “unix:”.

projectRef

Optional

object

Immutable. The Project that this resource belongs to.

projectRef.external

Optional

string

The project for the resource Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).

projectRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

projectRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

serverCertificate

Optional

object

Optional. Defines a mechanism to provision server identity (public and private keys). Cannot be combined with allow_open as a permissive mode that allows both plain text and TLS is not supported.

serverCertificate.certificateProviderInstance

Optional

object

The certificate provider instance specification that will be passed to the data plane, which will be used to load necessary credential information.

serverCertificate.certificateProviderInstance.pluginInstance

Required*

string

Required. Plugin instance name, used to locate and load CertificateProvider instance configuration. Set to "google_cloud_private_spiffe" to use Certificate Authority Service certificate provider instance.

serverCertificate.grpcEndpoint

Optional

object

gRPC specific configuration to access the gRPC server to obtain the cert and private key.

serverCertificate.grpcEndpoint.targetUri

Required*

string

Required. The target URI of the gRPC endpoint. Only UDS path is supported, and should start with “unix:”.

* Field is required when parent field is specified

Status

Schema

conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
createTime: string
observedGeneration: integer
updateTime: string
Fields
conditions

list (object)

Conditions represent the latest available observation of the resource's current state.
conditions[]

object
conditions[].lastTransitionTime

string

Last time the condition transitioned from one status to another.
conditions[].message

string

Human-readable message indicating details about last transition.
conditions[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.
conditions[].status

string

Status is the status of the condition. Can be True, False, Unknown.
conditions[].type

string

Type is the type of the condition.
createTime

string

Output only. The timestamp when the resource was created.
observedGeneration

integer

ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.
updateTime

string

Output only. The timestamp when the resource was updated.

Sample YAML(s)

Typical Use Case

# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

apiVersion: networksecurity.cnrm.cloud.google.com/v1beta1
kind: NetworkSecurityServerTLSPolicy
metadata:
  name: networksecurityservertlspolicy-sample
  labels:
    label-one: "value-one"
spec:
  description: Sample global server TLS policy
  location: global
  allowOpen: true
  serverCertificate:
    certificateProviderInstance:
      pluginInstance: google_cloud_private_spiffe
  mtlsPolicy:
    clientValidationCa:
      - certificateProviderInstance:
          pluginInstance: google_cloud_private_spiffe