Generated Cluster Onboarding Command Using Service Account

This API is used to generate the cluster onboarding command using the provided service account and configuration details.

Request Structure

Endpoint: /kube-cluster-onboard-oauth
Type: POST
Sample URL: https://<IP/HostName/TenantName>:<GWPORT>/avxapi/kube-cluster-onboard-oauth?gwsource=external

To understand the elements of the sample URL, click here.
Headers:
Content-Type: application/json
Table 1. Input Parameter
Name Description
sessionId

Header

 (Mandatory) A unique identifier assigned to a user's session upon successful authentication. The session ID remains valid until it expires, and it can contain alphanumeric characters.

Type: String

Constraints: The session ID is used when username and password are not provided.

Example: A1B2c3d4E5F6
gwsource

Query

 (Mandatory) Source from which the request is triggered.

Type: String

Example: DataCenterA
payload

Body

 (Mandatory) Input data for request body in application/json format. For payload details, see Payload section.

Payload

Table 2. Input Parameter
Name Description
clusterName

String

 (Mandatory) Unique name to identify the cluster and the cluster vendor. It can contain alphanumeric characters. (-) and (.) are allowed as special characters. Maximum length allowed is 60.

Example: appviewx-cluster
vendor

String

 (Mandatory) Name of the vendor where the cert orchestrator needs to run. It can contain alphanumeric characters.

Possible Values: GKE, AKS, EKS, and Self-Managed.
connectivityURL

String

 (Mandatory) Type of the URL that can be either AppViewX URL or cloud connector machine URL. It can contain alphanumeric characters.

Example: https://one.appviewx.com
serviceAccountName

String

 (Mandatory) Type of the URL that can be either AppViewX URL or cloud connector machine URL. It can contain alphanumeric characters.

Example: https://one.appviewx.com
clusterNamespace

String

 (Mandatory) Installation namespace. The values must not be blank.
clusterServices

List

 (Mandatory) Features to be enabled in the cert-orchestrator deployed in the cluster.
Possible Values:
  • Provision Certificates to K8s Secrets
  • Discover Certificates
  • Provision Certificates to Ephemeral Volumes
  • Discover K8's Infra Certificates
  • Enable mTLS Certificates for Service Mesh
privatekeyDiscovery

Boolean

 (Optional) Enables private key discovery. The values can be:
  • true
  • false

Response Structure

  • Status Code: 200 OK
  • Message: Successful
  • Headers:
    • Content-Type: application/json
Name Description
response

String

 Generated Helm commands for onboarding.
message

String

 Success message or failure description in case of error.
appStatusCode

String

 Application specific status code for the response. Will be non-null for failure response.
tags More info in case of failure response.

Status Codes

Table 3. Status Codes and Description
HTTP Status code appStatusCode Message and Possible remediation
200 OK NA Success
400 Bad Request ACCT_SA_001 Mandatory field is missing or invalid values specified - <<field name>>

Possible remediation: Check and ensure that valid value is provided for <<field name>> field in the request.
401 Unauthorized AVX_GW_003 Authentication failed, reason - Invalid Credentials

Possible remediation: Ensure that valid username and password or valid sessionId is provided as the header param.

Sample Request/Response

Use case: Onboard a cluster using service account
Request URL

https://<IP/HostName/TenantName>:<GWPORT>/avxapi/kube-cluster-onboard-oauth?gwsource=external

Sample Request 
POST Content type: application/json Username: <> Password: <>
{
  "payload": {
    "clusterName": "kubeplus",
    "vendor": "Self-Managed",
    "connectivityURL": "https://appviewx-fqdn/",
    "serviceAccountName": "admin",
    "clusterNamespace": "crypto-mesh",
    "clusterServices": [
      "Provision Certificates to K8s Secrets",
      "Provision Certificates to Ephemeral Volumes",
      "Discover Certificates",
      "Discover K8s Infra Certificates",
      "Enable mTLS Certificates for Service Mesh"
    ],
    "privatekeyDiscovery": true
  }
}
Sample Response 
{
  "response": "#Create Namespace for Cert-Orchestrator plugin\n\nkubectl create ns crypto-mesh\n\n#Add Helm Repo\n\nhelm repo add kube-plus-repo https://charts.appviewx.com\n\n#Create credentials to integrate Cert-Orchestrator with AppViewX.\n\nkubectl create secret generic appviewx-auth -n crypto-mesh --from-literal=APPVIEWX_ENV_USER_NAME=admin --from-literal=APPVIEWX_ENV_PASSWORD=[password] --from-literal=APPVIEWX_ENV_URL=https://appviewx-fqdn/\n\n\n#Install Cert-Orchestrator Plugin\n\nhelm install crypto-mesh kube-plus-repo/crypto-mesh \\\n--namespace crypto-mesh \\\n--version v1.3.3 \\\n--set certOrchestrator.global.clusterName=kubeplus \\\n--set certOrchestrator.global.k8sVendor=Self-Managed \\\n--set certOrchestrator.namespace=crypto-mesh \\\n--set certOrchestrator.discovery.credentialSecretName=appviewx-auth \\\n--set certOrchestrator.discovery.credentialSecretNamespace=crypto-mesh \\\n--set appviewxInfraOrchestrator.enabled=True \\\n--set appviewxSigner.enabled=True \\\n--set appviewxCSIProvider.enabled=True \\\n--set certOrchestrator.discovery.enabled=True \\\n--set certOrchestrator.discovery.isGroupAutoGenerate=True \\\n--set certOrchestrator.discovery.isPrivateKeyDiscovery=True",
  "message": "Constructed install command of cert-orchestrator for advanceOnboarding",
  "appStatusCode": "success"
}

Reference

Understanding the sample URL: This section provides an explanation of each component of the sample URL structure used in API requests. For quick reference, this section is referenced in all the API topics as Reference in this guide.
  • IP/HostName/TenantName: Replace with the actual IP address, hostname, or tenant name based on the specific configuration in AppViewX.
    • IP: A unique identifier assigned to each device connected to a computer network that uses the Internet Protocol for communication

      The IP address will be included in the endpoint URL for an on-prem deployment.

    • HostName: A human-readable label assigned to a device (host) on a network

      The hostname will be included in the endpoint URL for an on-prem deployment.

    • TenantName: An identifier label for a tenant given to indicate which tenant's data the API request will access/modify

      The tenant name will be included in the endpoint URL for a SaaS deployment.

  • GWPORT: AppViewX gateway port

    A gateway port refers to a network port through which data is sent and received to communicate with a gateway in an on-prem deployment.

    Example: 31443

  • avxapi: Path parameter value (static) that is part of the endpoint's URL
  • Endpoint: Endpoint of the API, for example: execute-hook
  • gwsource: Source or origin of a gateway, for example: external.

What's Next