CertificateRequests are generated by the Gloo Mesh agent installed on workload clusters. They are used to request a signed certificate from the certificate issuer (the Gloo Mesh server) based on a private key generated by the agent (which never leaves the workload cluster).
When Gloo Mesh server creates an IssuedCertificate on a workload cluster, the local Gloo Mesh agent will generate a CertificateRequest corresponding to it.
Gloo Mesh will then process the certificate signing request contained in the CertificateRequestSpec and write the signed SSL certificate back as a Kubernetes secret in the workload cluster, and update the CertificateRequestStatus to point to that secret.
The certificate requested here is for Gloo Mesh agents on workload clusters to securely establish communication with Gloo Mesh server. This is not related to certificates for services running in the mesh.

| Field | Type | Description |
|---|---|---|
| certificateSigningRequest | bytes | Base64-encoded data for the PKCS#10 Certificate Signing Request issued by the Gloo Mesh agent deployed in the workload cluster, corresponding to the IssuedRequest received by the Gloo Mesh agent. |
| observedGeneration | int64 | The most recent generation observed in the CertificateRequest metadata. If the |
| error | string | Any error observed which prevented the CertificateRequest from being processed. If the error is empty, the request has been processed successfully. |
| state | internal.gloo.solo.io.CertificateRequestStatus.State | The current state of the CertificateRequest workflow reported by the issuer. |
| signedCertificate | bytes | The signed intermediate certificate issued by the CA. |
| signingRootCa | bytes | The root CA used by the issuer to sign the certificate. |
| certChain | bytes | The cert chain of signing CA. |

Possible states in which a CertificateRequest can exist.

| Name | Number | Description |
|---|---|---|
| PENDING | 0 | The CertificateRequest has yet to be picked up by the issuer. |
| FINISHED | 1 | The issuer has replied to the request and the |
| FAILED | 2 | Processing the certificate workflow failed. |
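
The following check is an added example, not Gloo Mesh code: it decodes a `certificateSigningRequest` value and verifies the PKCS#10 self-signature before reading the subject, which is the minimum an issuer or auditor should confirm before a request is signed. It assumes the field holds a PEM block inside the base64 encoding; `inspectCSR`, `sampleCSR` and the sample common name are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
)

// inspectCSR decodes a certificateSigningRequest value, parses the PKCS#10
// request and verifies its self-signature. Assumption: the bytes are PEM.
func inspectCSR(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	block, _ := pem.Decode(raw)
	if err != nil || block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", fmt.Errorf("not a base64-encoded PEM CSR (base64 error: %v)", err)
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("not PKCS#10: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("self-signature invalid: %w", err)
	}
	return csr.Subject.CommonName, nil
}

// sampleCSR builds a constructed request; the private key never leaves it.
func sampleCSR(cn string) (string, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return "", err
	}
	p := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
	return base64.StdEncoding.EncodeToString(p), nil
}

func main() {
	b64, _ := sampleCSR("agent.example.invalid") // constructed name
	fmt.Println(inspectCSR(b64))
}
```

A request that fails `CheckSignature` was not produced by the holder of the private key matching the embedded public key and should not be signed.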