Create Cert CRD Instance in Cluster

The API is used to create and enroll a certificate in a cluster by adding a certificate CRD.

Request Structure

Endpoint: /kube-add-cert-crd-instance
Type: POST
Sample URL: https://<IP/HostName/TenantName>:<GWPORT>/avxapi/kube-add-cert-crd-instance?gwsource=kube

To understand the elements of the sample URL, see the Reference section at the end of this topic.

Headers:
Content-Type: application/json
Table 1. Input Parameters

sessionId (Header)
    (Mandatory) A unique identifier assigned to a user's session upon successful authentication. The session ID remains valid until it expires, and it can contain alphanumeric characters.
    Type: String
    Constraints: The session ID is used when username and password are not provided.
    Example: A1B2c3d4E5F6

gwsource (Query)
    (Mandatory) Source from which the request is triggered.
    Type: String
    Example: DataCenterA

payload (Body)
    (Mandatory) Input data for the request body in application/json format. For payload details, see the Payload section.

Payload

Table 2. Payload Parameters

policyName (String)
    Name of the cluster policy.

enrollCertTo (String)
    Target resource where the certificate will be enrolled.

clusterName (String)
    Name of the cluster where the certificate will be enrolled.

caSettingType (String)
    Type of CA setting.
    Possible values: CA Setting Cluster, ClusterPolicy.

caSettingName (String)
    Name of the CA setting to use for certificate issuance.

namespace (String)
    Namespace where the certificate resource or secret will be created.

certName (String)
    Name assigned to the certificate CRD instance.

autoRenew (String)
    Specifies whether auto-renewal of the certificate is enabled.
    Possible values: True, False.

commonName (String)
    Common Name for the certificate subject.

overwrite (Boolean)
    Whether to overwrite any existing certificate CRD instance with the same name.

bitLength (String)
    Key length of the certificate.
    For example: 2048.

renewalPolicy (String)
    Specifies the renewal policy.
    For example: Regenerate New Key.

issueWaitPeriod (String)
    Maximum time to wait for certificate issuance.
    For example: 24h.

certificateAuthority (String)
    Name of the issuing Certificate Authority.

secretName (String)
    Name of the Kubernetes secret where the certificate will be stored.

deployTrustStore (String)
    Indicates whether to deploy the trust store.
    Possible values: Yes, No.

isAdvancedOptions (String)
    Whether advanced options are enabled.
    Possible values: True, False.

customSecret (String)
    Indicates whether a custom secret should be used.
    Possible values: Yes, No.

csrGenerationSource (String)
    Source for CSR generation.
    For example: K8s Secret, AppViewX.

isCaRequired (String)
    Whether the CA certificate is required as part of the enrollment.

keyType (String)
    Key algorithm type.
    For example: RSA.

isOverwriteValidCertificate (String)
    Specifies whether a valid existing certificate should be overwritten.

certificateCategory (String)
    Specifies the certificate category.
    For example: Server.

Response Structure

response (String)
    Result of the operation. For example: Cert added successfully. (In the sample responses below, this field is returned as an object carrying messageType and message.)

message (String)
    Success message, or failure description in case of error.

appStatusCode (String)
    Application-specific status code for the response. Non-null for a failure response.

tags
    More information in case of a failure response.

Status Codes

Table 3. Status Codes and Description

HTTP status code: 200 OK
appStatusCode: NA
Message: Success

HTTP status code: 200 FAILURE
appStatusCode: KUBEPLUS_0024
Message: Selected Issuer CA is in a state where action cannot be performed. Please check its state.

HTTP status code: 400 Bad Request
appStatusCode: AVX-VLDTN-001
Message: Mandatory field is missing or invalid values specified - <<field name>>
Possible remediation: Check and ensure that a valid value is provided for the <<field name>> field in the request.

HTTP status code: 401 Unauthorized
appStatusCode: AVX_GW_003
Message: Authentication failed, reason - Invalid Credentials
Possible remediation: Ensure that a valid username and password, or a valid sessionId, is provided as the header parameter.

Sample Request/Response

Use case 1: Create Cert CRD instance in cluster using Amazon Private CA.
Request URL

https://<IP/HostName/TenantName>:<GWPORT>/avxapi/kube-add-cert-crd-instance?gwsource=kube

Sample Request
POST
Content-Type: application/json
Username: <>
Password: <>
{
    "payload": {
        "policyName": "cluster-policy",
        "enrollCertTo": "Secret",
        "clusterName": "kubeplus",
        "caSettingType": "CA Setting Cluster",
        "caSettingName": "amazon-private-ca-cluster-wide",
        "namespace": "namespace",
        "certName": "cert-name",
        "autoRenew": "False",
        "commonName": "common-name",
        "overwrite": false,
        "bitLength": "2048",
        "renewalPolicy": "Regenerate New Key",
        "issueWaitPeriod": "24h",
        "certificateAuthority": "Amazon Private CA",
        "secretName": "secret-name",
        "deployTrustStore": "No",
        "isAdvancedOptions": "False",
        "customSecret": "No",
        "csrGenerationSource": "K8s Secret",
        "isCaRequired": "False",
        "keyType": "RSA",
        "isOverwriteValidCertificate": "False",
        "certificateCategory": "Server"
    }
}
Sample Response
{
    "response": {
        "messageType": "SUCCESS",
        "message": "Cert added successfully"
    },
    "message": "Cert added successfully",
    "appStatusCode": "success",
    "tags": null,
    "headers": null
}
Use case 2: Create Cert CRD instance in cluster using the AppViewX CA-1 template.
Request URL

https://<IP/HostName/TenantName>:<GWPORT>/avxapi/kube-add-cert-crd-instance?gwsource=kube

Sample Request
POST
Content-Type: application/json
Username: <>
Password: <>
{
    "payload": {
        "policyName": "api-doc-ns-wide",
        "templateName": "AppViewX CA-1",
        "enrollCertTo": "Secret",
        "clusterName": "keertan",
        "caSettingType": "ClusterPolicy",
        "namespace": "test1",
        "certName": "common-name-policy-centra2",
        "autoRenew": "False",
        "commonName": "common-name",
        "overwrite": false,
        "bitLength": "2048",
        "issueWaitPeriod": "24h",
        "clusterPolicyType": "Policy Central",
        "certificateAuthority": "AppViewX",
        "secretName": "secret-name",
        "deployTrustStore": "No",
        "isAdvancedOptions": "False",
        "hashFunction": "SHA160",
        "customSecret": "No",
        "csrGenerationSource": "AppViewX",
        "isCaRequired": "False",
        "keyType": "RSA"
    }
}
Sample Response
{
    "response": {
        "messageType": "SUCCESS",
        "message": "Cert added successfully"
    },
    "message": "Cert added successfully",
    "appStatusCode": "success",
    "tags": null,
    "headers": null
}
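As an added, runnable illustration of how a client would apply Tables 1 to 3 (example code written for this topic, not AppViewX's own client or SDK): it checks a payload against the types and Possible Values listed in Table 2 before anything is sent, assembles the request with the gwsource query parameter and a sessionId header from Table 1, and maps the appStatusCode values of Table 3 to their remediation text. The gateway host, the session ID and the failure body used in the main block are constructed placeholders; SAMPLE_PAYLOAD is a subset of use case 1 above with the page's own placeholder values.

```python
"""Client-side helper for the kube-add-cert-crd-instance API.

Added example, not AppViewX code. Encodes the constraints documented in
Tables 1-3 of this topic: payload validation, request assembly, status mapping.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import urlencode

ENDPOINT = "/avxapi/kube-add-cert-crd-instance"

# Field types from Table 2: every documented field is a String except "overwrite".
STRING_FIELDS = {
    "policyName", "enrollCertTo", "clusterName", "caSettingType", "caSettingName",
    "namespace", "certName", "autoRenew", "commonName", "bitLength", "renewalPolicy",
    "issueWaitPeriod", "certificateAuthority", "secretName", "deployTrustStore",
    "isAdvancedOptions", "customSecret", "csrGenerationSource", "isCaRequired",
    "keyType", "isOverwriteValidCertificate", "certificateCategory",
}

# "Possible Values" from Table 2, case-sensitive as printed in the table.
ALLOWED_VALUES = {
    "caSettingType": {"CA Setting Cluster", "ClusterPolicy"},
    "autoRenew": {"True", "False"},
    "deployTrustStore": {"Yes", "No"},
    "isAdvancedOptions": {"True", "False"},
    "customSecret": {"Yes", "No"},
}

# appStatusCode values and remediation text from Table 3.
REMEDIATION = {
    "KUBEPLUS_0024": "Selected Issuer CA cannot perform the action; check the CA's state.",
    "AVX-VLDTN-001": "Mandatory field missing or invalid; check the field named in the message.",
    "AVX_GW_003": "Authentication failed; supply valid credentials or a valid sessionId header.",
}


def validate_payload(payload):
    """Return (errors, unknown_fields). Unknown fields are reported, not rejected,
    because use case 2 sends fields (templateName, clusterPolicyType, hashFunction)
    that Table 2 does not list."""
    errors, unknown = [], []
    for name, value in payload.items():
        if name in STRING_FIELDS:
            if not isinstance(value, str):
                errors.append(f"{name}: expected a String, got {type(value).__name__}")
            elif name in ALLOWED_VALUES and value not in ALLOWED_VALUES[name]:
                errors.append(f"{name}: {value!r} is not one of {sorted(ALLOWED_VALUES[name])}")
        elif name == "overwrite":  # the one Boolean field in Table 2
            if not isinstance(value, bool):
                errors.append(f"{name}: expected a Boolean, got {type(value).__name__}")
        else:
            unknown.append(name)
    return errors, unknown


def build_request(base_url, session_id, payload, gwsource="kube"):
    """Assemble URL, headers and JSON body; raise ValueError on an invalid payload."""
    errors, _ = validate_payload(payload)
    if errors:
        raise ValueError("; ".join(errors))
    url = f"{base_url.rstrip('/')}{ENDPOINT}?{urlencode({'gwsource': gwsource})}"
    # Table 1: sessionId stands in for username/password on each call.
    headers = {"Content-Type": "application/json", "sessionId": session_id}
    body = json.dumps({"payload": payload}).encode("utf-8")
    return {"url": url, "headers": headers, "body": body}


def classify_response(http_status, body):
    """Map a response to ('success' | 'failure', remediation) using Table 3."""
    code = body.get("appStatusCode")
    if http_status == 200 and code == "success":
        return "success", ""
    fallback = f"unclassified ({http_status}): {body.get('message')}"
    return "failure", REMEDIATION.get(code, fallback)


def send(req, timeout=30):
    """POST the built request; TLS certificate verification stays at urllib's default."""
    request = urllib.request.Request(req["url"], data=req["body"],
                                     headers=req["headers"], method="POST")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:  # 400/401 rows of Table 3 arrive here
        return err.code, json.loads(err.read().decode("utf-8"))


# Subset of use case 1, with the page's own placeholder values.
SAMPLE_PAYLOAD = {
    "policyName": "cluster-policy", "enrollCertTo": "Secret", "clusterName": "kubeplus",
    "caSettingType": "CA Setting Cluster", "caSettingName": "amazon-private-ca-cluster-wide",
    "namespace": "namespace", "certName": "cert-name", "autoRenew": "False",
    "commonName": "common-name", "overwrite": False, "bitLength": "2048",
    "secretName": "secret-name", "deployTrustStore": "No", "keyType": "RSA",
}

if __name__ == "__main__":
    # Gateway host and session ID are constructed placeholders, not real values.
    req = build_request("https://gateway.example:31443", "A1B2c3d4E5F6", SAMPLE_PAYLOAD)
    print(req["url"])
    # Constructed failure body shaped like the 400 row of Table 3, not a real reply.
    print(classify_response(400, {"appStatusCode": "AVX-VLDTN-001", "message": "missing certName"}))
```

Because the sessionId header replaces the username and password (Table 1), credentials travel once at login rather than with every enrollment call, and `send()` keeps urllib's default certificate verification so the CA setting and certificate details are not handed to an unverified gateway. Run `validate_payload` on a payload before `send()`: a request rejected locally with the field name is cheaper than the 400 AVX-VLDTN-001 round trip.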

Reference

Understanding the sample URL: This section provides an explanation of each component of the sample URL structure used in API requests. For quick reference, this section is referenced in all the API topics as Reference in this guide.
  • IP/HostName/TenantName: Replace with the actual IP address, hostname, or tenant name based on the specific configuration in AppViewX.
    • IP: A unique identifier assigned to each device connected to a computer network that uses the Internet Protocol for communication.

      The IP address will be included in the endpoint URL for an on-prem deployment.

    • HostName: A human-readable label assigned to a device (host) on a network.

      The hostname will be included in the endpoint URL for an on-prem deployment.

    • TenantName: An identifier label for a tenant, given to indicate which tenant's data the API request will access or modify.

      The tenant name will be included in the endpoint URL for a SaaS deployment.

  • GWPORT: AppViewX gateway port

    A gateway port refers to a network port through which data is sent and received to communicate with a gateway in an on-prem deployment.

    Example: 31443

  • avxapi: Path parameter value (static) that is part of the endpoint's URL
  • Endpoint: Endpoint of the API, for example: execute-hook
  • gwsource: Source or origin of a gateway, for example: external.