certificate_request.proto

Package : certificates.mesh.gloo.solo.io


CertificateRequestSpec

CertificateRequests are generated by the Gloo Mesh agent installed on managed clusters. They are used to request a signed certificate from the certificate issuer (the Gloo Mesh server) based on a private key generated by the agent (which never leaves the managed cluster).
When Gloo Mesh creates an IssuedCertificate on a managed cluster, the local Gloo Mesh Agent will generate a CertificateRequest corresponding to it.
Gloo Mesh will then process the certificate signing request contained in the CertificateRequestSpec and write the signed SSL certificate back as a Kubernetes secret in the managed cluster, and update the CertificateRequestStatus to point to that secret.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| certificateSigningRequest | bytes | | Base64-encoded data for the PKCS#10 Certificate Signing Request issued by the Gloo Mesh agent deployed in the managed cluster, corresponding to the IssuedRequest received by the Gloo Mesh agent. |

CertificateRequestStatus

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| observedGeneration | int64 | | The most recent generation observed in the CertificateRequest metadata. If the observedGeneration does not match metadata.generation, the issuer has not processed the most recent version of this request. |
| error | string | | Any error observed which prevented the CertificateRequest from being processed. If the error is empty, the request has been processed successfully. |
| state | certificates.mesh.gloo.solo.io.CertificateRequestStatus.State | | The current state of the CertificateRequest workflow reported by the issuer. |
| signedCertificate | bytes | | The signed intermediate certificate issued by the CA. |
| signingRootCa | bytes | | The root CA used by the issuer to sign the certificate. |
| certChain | bytes | | The cert chain of signing CA. |

CertificateRequestStatus.State

Possible states in which a CertificateRequest can exist.

| Name | Number | Description |
| --- | --- | --- |
| PENDING | 0 | The CertificateRequest has yet to be picked up by the issuer. |
| FINISHED | 1 | The issuer has replied to the request and the signedCertificate and signingRootCa status fields will be populated. |
| FAILED | 2 | Processing the certificate workflow failed. |
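
The checks implied by the spec and status fields above, as an added Go example (not Gloo Mesh's own code): verify the CSR's self-signature before acting on it, and consume the status only when it is current, FINISHED, and error-free. The `Status` type, the function names, and the sample CSR are constructed for illustration; accepting either PEM or raw DER in `certificateSigningRequest` is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

type Status struct { // hypothetical mirror of the documented CertificateRequestStatus
	ObservedGeneration int64
	Error              string
	State              int32 // 0 PENDING, 1 FINISHED, 2 FAILED
	SignedCertificate  []byte
}

// CheckCSR parses a PKCS#10 request (PEM or raw DER) and verifies its self-signature.
func CheckCSR(raw []byte) error {
	if blk, _ := pem.Decode(raw); blk != nil {
		raw = blk.Bytes
	}
	csr, err := x509.ParseCertificateRequest(raw)
	if err != nil {
		return err
	}
	return csr.CheckSignature()
}

// Usable returns nil only when the status may be consumed for this metadata.generation.
func Usable(generation int64, s Status) error {
	if s.ObservedGeneration != generation {
		return fmt.Errorf("stale: observed %d, want %d", s.ObservedGeneration, generation)
	}
	if s.State != 1 || s.Error != "" || len(s.SignedCertificate) == 0 {
		return fmt.Errorf("not usable: state=%d error=%q", s.State, s.Error)
	}
	return nil
}

// SampleCSR builds a constructed PKCS#10 request; the private key stays in this function.
func SampleCSR() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.CertificateRequest{DNSNames: []string{"constructed.example"}}
	der, _ := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() { fmt.Println(CheckCSR(SampleCSR()), Usable(2, Status{ObservedGeneration: 1})) }
```
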