Enroll Certificate to K8s Secret
This API creates the certificate YAML that is deployed in the Kubernetes cluster, enrolling the certificate into a K8s Secret (or Pod).
Request Structure
| Endpoint: | /execute-hook |
| Type: | POST |
| Sample URL: | https://<IP/HostName/TenantName>:<GWPORT>/avxapi/execute-hook?gwsource=external (the elements of the sample URL are explained in the Reference section at the end of this page) |
| Headers: | |
| Content-Type: | application/json |
| Name | Description |
|---|---|
| Token | (Mandatory) A unique token assigned to a user. Required if sessionId is not provided. Type: String |
| sessionId | (Mandatory) A unique identifier assigned to a user's session upon successful authentication. The session ID remains valid until it expires and may contain alphanumeric characters. Type: String. Constraints: The session ID is used when username and password are not provided. |
| gwsource | (Mandatory) Source from which the request is triggered. Type: String. Example: external |
| payload | (Mandatory) Input data for the request body in application/json format. See the Payload tables below for details. |
Payload
| Name | Description |
|---|---|
| hook | Contains all the hook params. See the hook parameters table below for more details. |
| input | Contains all the input params. See the input parameters table below for more details. |
Hook parameters
| Name | Description |
|---|---|
| name | (Mandatory) Name of the hook. Example: Kube Enroll Cert |
Input parameters
| Name | Description |
|---|---|
| action | (Mandatory) Specific action to be performed. |
| payload | Contains all the payload params. See the input payload parameters table below. |
Input payload parameters
| Name | Description |
|---|---|
| enrollCertTo | Endpoint where the cert is to be deployed. Possible Values: Secret, Pod |
| objectFormat | Required if enrollCertTo is Pod. Possible Values: pem, jks, pfs, p12 |
| objectEncoding | Required if enrollCertTo is Pod. Possible Values: utf-8, hex, base64 |
| clusterName | (Mandatory) Name of the cluster. |
| caSettingType | Type of CA settings. Possible Values: CA Setting, CA Setting Cluster |
| caSettingName | Unique name that identifies the KUBE CA setting configuration. |
| namespace | Kubernetes namespace for the certificate. |
| certName | Name of the certificate. |
| secretName | Name of the secret in which the certificate is stored. |
| autoRenew | Whether auto-renewal is enabled or disabled. Possible Values: True, False |
| renewalPolicy | Required if autoRenew is True. Possible Values: Regenerate New Key, Renew with Existing Key |
| issueWaitPeriod | Waiting period before a new certificate is issued. Example: 24h |
| csrGenerationSource | Location where the CSR is generated. Possible Values: K8s Secret, AppViewX |
| commonName | Common name for the certificate. |
| sanName | SAN type. Example: DNS |
| keyType | Type of key used. Possible Values: RSA, ECDSA |
| bitLength | Bit length of the key. If keyType is RSA, possible values: 2048, 3072, 4096, 7680, 8192. If keyType is ECDSA, possible values: 256, 384, 521. |
| source | Source from which the enrollment request is made. Possible Value: api |
Response Structure
- Status Code: 200 OK
- Message: Successful
- Headers:
- Content-Type: application/json
| Name | Description |
|---|---|
| response | Result of the request. On success, for example: Certificate added successfully (see the sample response below). |
| message | Success message, or failure description in case of error. |
| appStatusCode | Application-specific status code for the response. Non-null for a failure response. |
| tags | More information in case of a failure response. |
Status Codes
| HTTP Status code | appStatusCode | Message and Possible remediation |
|---|---|---|
| 200 OK | NA | Success |
| 400 Bad Request | AVX-VLDTN-001 | Mandatory field is missing or invalid values specified - <<field name>>. Possible remediation: Check and ensure that a valid value is provided for the <<field name>> field in the request. |
| 401 Unauthorized | AVX_GW_003 | Authentication failed, reason - Invalid Credentials. Possible remediation: Ensure that a valid username and password, or a valid sessionId, is provided as the header param. |
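The following Python client is an added example, not AppViewX's own code: it assembles the execute-hook request described in the tables above for the Kube Enroll Cert hook, rejects payloads that break the documented conditional rules (objectFormat/objectEncoding only for Pod, renewalPolicy only when autoRenew is True, bitLength per keyType) before anything leaves the client, and maps the documented status codes to an operator-facing message. The host, port, token and field values are constructed placeholders; the `action` value is whatever the hook expects (the page's sample uses the literal "string"), and nothing is sent unless `send_request()` is called.

```python
"""Added example, not AppViewX's own client code: build, validate and
interpret a request to the execute-hook API for the "Kube Enroll Cert"
hook. Host, port, token and the sample field values are constructed
placeholders; nothing is sent unless send_request() is called."""
import json
import urllib.error
import urllib.request

HOOK_NAME = "Kube Enroll Cert"  # hook name shown in the page's sample request
RSA_BITS = {2048, 3072, 4096, 7680, 8192}
ECDSA_BITS = {256, 384, 521}
POD_FORMATS = {"pem", "jks", "pfs", "p12"}
POD_ENCODINGS = {"utf-8", "hex", "base64"}
RENEWAL_POLICIES = {"Regenerate New Key", "Renew with Existing Key"}

# Constructed payload mirroring the page's sample request (all values are placeholders).
SAMPLE_PAYLOAD = {
    "enrollCertTo": "Secret", "objectFormat": "pem", "objectEncoding": "utf-8",
    "clusterName": "n3-poc-n10", "caSettingType": "CA Setting Cluster",
    "caSettingName": "copilot-demo-3", "namespace": "avx",
    "certName": "copilot-demo", "secretName": "copilot-demo",
    "autoRenew": "False", "renewalPolicy": "Regenerate New Key",
    "issueWaitPeriod": "24h", "csrGenerationSource": "K8s Secret",
    "commonName": "testing", "sanName": "DNS", "keyType": "RSA",
    "bitLength": 2048, "source": "api",
}


def validate_payload(p):
    """Return the list of violated constraints from the payload table (empty = valid).
    Rejecting locally saves a 400 AVX-VLDTN-001 round trip to the gateway."""
    errors = []
    if not p.get("clusterName"):
        errors.append("clusterName is mandatory")
    target = p.get("enrollCertTo")
    if target not in ("Secret", "Pod"):
        errors.append("enrollCertTo must be Secret or Pod")
    if target == "Pod":  # objectFormat/objectEncoding are only required for Pod
        if p.get("objectFormat") not in POD_FORMATS:
            errors.append("objectFormat is required for Pod: " + ", ".join(sorted(POD_FORMATS)))
        if p.get("objectEncoding") not in POD_ENCODINGS:
            errors.append("objectEncoding is required for Pod: " + ", ".join(sorted(POD_ENCODINGS)))
    if p.get("autoRenew") == "True" and p.get("renewalPolicy") not in RENEWAL_POLICIES:
        errors.append("renewalPolicy is required when autoRenew is True")
    key_type, bits = p.get("keyType"), p.get("bitLength")
    allowed = {"RSA": RSA_BITS, "ECDSA": ECDSA_BITS}.get(key_type)
    if allowed is None:
        errors.append("keyType must be RSA or ECDSA")
    elif bits not in allowed:
        errors.append(f"bitLength {bits} is not valid for {key_type}: {sorted(allowed)}")
    return errors


def build_request(host, port, token, action, hook_payload):
    """Assemble the POST /avxapi/execute-hook request (body + headers) without sending it.
    Raises ValueError when the payload breaks a documented constraint."""
    problems = validate_payload(hook_payload)
    if problems:
        raise ValueError("; ".join(problems))
    body = {"payload": {"hook": {"name": HOOK_NAME},
                        "input": {"action": action, "payload": hook_payload}}}
    url = f"https://{host}:{port}/avxapi/execute-hook?gwsource=external"
    headers = {"Content-Type": "application/json", "Token": token, "gwsource": "external"}
    return urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                  headers=headers, method="POST")


def decode_body(req):
    """Parse the JSON body of a prepared request back into a dict (for inspection)."""
    return json.loads(req.data.decode("utf-8"))


def interpret_response(status, body):
    """Map the documented HTTP status and appStatusCode values to an operator message."""
    code = body.get("appStatusCode")
    if status == 200:
        output = body.get("response", {}).get("output", {})
        return "success: " + str(output.get("response", body.get("message", "")))
    if status == 400 and code == "AVX-VLDTN-001":
        return f"validation error {code}: {body.get('message')}; tags={body.get('tags')}"
    if status == 401 and code == "AVX_GW_003":
        return "authentication failed: check the Token or sessionId header"
    return f"unexpected HTTP {status} (appStatusCode={code}): {body.get('message')}"


def send_request(req):
    """Send the prepared request; TLS verification stays at urllib's default (enabled).
    Returns (http_status, parsed_json) for both success and error responses."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8") or "{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode("utf-8") or "{}")


if __name__ == "__main__":
    req = build_request("gateway.example.internal", 31443, "TOKEN-PLACEHOLDER",
                        "string", SAMPLE_PAYLOAD)
    print(req.full_url, json.dumps(decode_body(req), indent=2))
    # status, body = send_request(req); print(interpret_response(status, body))
```

The validator encodes only the constraints the tables state; the gateway remains the authority, so a 400 with AVX-VLDTN-001 still has to be handled, and `send_request` leaves TLS verification on because the Token header is a bearer credential.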
Sample Request/Response
https://<IP/HostName/TenantName>:<GWPORT>/avxapi/execute-hook?gwsource=external
POST Content type: application/json Username: <> Password: <>

Request:
```json
{
  "payload": {
    "hook": {
      "name": "Kube Enroll Cert"
    },
    "input": {
      "action": "string",
      "payload": {
        "enrollCertTo": "Secret",
        "objectFormat": "pem",
        "objectEncoding": "utf-8",
        "clusterName": "n3-poc-n10",
        "caSettingType": "CA Setting Cluster",
        "caSettingName": "copilot-demo-3",
        "namespace": "avx",
        "certName": "copilot-demo",
        "secretName": "copilot-demo",
        "autoRenew": "False",
        "renewalPolicy": "Regenerate New Key",
        "issueWaitPeriod": "24h",
        "csrGenerationSource": "K8s Secret",
        "commonName": "testing",
        "sanName": "DNS",
        "keyType": "RSA",
        "bitLength": 2048,
        "source": "api"
      }
    }
  }
}
```

Response:
```json
{
  "response": {
    "status": "Success",
    "output": {
      "status": "Success",
      "response": "Certificate added successfully"
    }
  }
}
```
Reference
- IP/HostName/TenantName: Replace with the actual IP address, hostname, or tenant name based on the specific configuration in AppViewX.
  - IP: A unique identifier assigned to each device connected to a computer network that uses the Internet Protocol for communication. The IP address is included in the endpoint URL for an on-prem deployment.
  - HostName: A human-readable label assigned to a device (host) on a network. The hostname is included in the endpoint URL for an on-prem deployment.
  - TenantName: An identifier label for a tenant, indicating which tenant's data the API request will access or modify. The tenant name is included in the endpoint URL for a SaaS deployment.
- GWPORT: AppViewX gateway port. A gateway port is the network port through which data is sent and received to communicate with the gateway in an on-prem deployment. Example: 31443
- avxapi: Static path parameter that is part of the endpoint's URL.
- Endpoint: Endpoint of the API, for example: execute-hook
- gwsource: Source or origin of a gateway, for example: external.
