Updated on 2026-04-30 GMT+08:00

Rotating a Cluster Certificate of a User

Function

This API is used to rotate the certificate of a cluster.

Only clusters of v1.19 or later are supported.

After the operation completes, the certificate for the cluster component is renewed with a new five-year validity period.

Calling Method

For details, see Calling APIs.

URI

POST /api/v3/projects/{project_id}/clusters/{cluster_id}/rotatecredentials

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| project_id | Yes | String | Details: Project ID. For details about how to obtain the value, see How to Obtain Parameters in the API URI. Constraints: None. Options: Project IDs of the account. Default value: N/A |
| cluster_id | Yes | String | Details: Cluster ID. For details about how to obtain the value, see How to Obtain Parameters in the API URI. Constraints: None. Options: Cluster IDs. Default value: N/A |

Request Parameters

Table 2 Request header parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| Content-Type | Yes | String | Definition: Type (or format) of the request body. The default value is application/json. Other values of this field will be provided for specific APIs, if any. Constraints: GET requests are not validated. Default Value: N/A |
| X-Auth-Token | Yes | String | Details: Requests for calling an API can be authenticated using either a token or AK/SK. If token-based authentication is used, this parameter is mandatory and must be set to a user token. For details, see Obtaining a User Token. Constraints: None. Options: N/A. Default value: N/A |

Table 3 Request body parameters

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| component | Yes | String | Definition: Name of a component to be rotated. Constraints: N/A. Range: all (The CCE cluster certificate is rotated.); service-account-controller (The ServiceAccount-token signing certificate is rotated.); custom (The custom certificate is rotated. If this value is specified, the certContent parameter must also be specified.). Default Value: N/A |
| certificateExpirationTime | No | Integer | Definition: The length of time the old ServiceAccount-token signing certificate remains valid after the certificate is rotated. To ensure that the old ServiceAccount-token signing certificate continues to pass signature verification after rotation, CCE retains the old certificate for a period of time. The rules are as follows: (1) For the first rotation, CCE retains the certificate generated during cluster creation. (2) For the second rotation and subsequent rotations, CCE retains the old certificate for a period of time (24 hours by default). You can configure the retention period using this parameter. Constraints: N/A. Range: 0–8784 (hours). Default Value: 24 (hours) |
| certContent | No | AuthenticatingProxy object | Definition: Certificate details. Constraints: This parameter is mandatory when component is set to custom. |

Table 4 AuthenticatingProxy

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| ca | No | String | Details: X509 CA certificate (Base64-encoded) configured in authenticating_proxy mode. Constraints: This field is mandatory when the cluster authentication mode is authenticating_proxy. Options: Maximum size: 1 MB. Default value: N/A |
| cert | No | String | Details: Client certificate issued by the X509 CA certificate configured in authenticating_proxy mode, which is used for authentication from kube-apiserver to the extended API server. (The value must be Base64-encoded.) Constraints: This field is mandatory when the cluster authentication mode is authenticating_proxy. Options: Maximum size: 1 MB. Default value: N/A |
| privateKey | No | String | Details: Private key of the client certificate issued by the X509 CA certificate configured in authenticating_proxy mode, which is used for authentication from kube-apiserver to the extended API server. The private key used by the Kubernetes cluster does not support password encryption. Use an unencrypted private key. (The value must be Base64-encoded.) Constraints: This field is mandatory when the cluster authentication mode is authenticating_proxy. Options: Maximum size: 1 MB. Default value: N/A |

Response Parameters

Status code: 200

Table 5 Response body parameters

| Parameter | Type | Description |
|---|---|---|
| jobid | String | Definition: ID returned after a job is submitted. This ID can be used to query the execution of the job. Constraints: N/A. Range: N/A. Default Value: N/A |

Example Requests

POST /api/v3/projects/{project_id}/clusters/{cluster_id}/rotatecredentials

{
  "component" : "service-account-controller"
}
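The following added example (not part of the original API reference) builds and validates the request for this API before anything is sent, enforcing the constraints from Tables 3 and 4: the allowed component values, the 0–8784 hour retention range, and an unencrypted, Base64-encoded private key. The function name, the PEM-text inputs, requiring all three certContent fields for custom, and applying the 1 MB limit to the encoded value are assumptions.

```python
import base64
import json

COMPONENTS = {"all", "service-account-controller", "custom"}  # Range in Table 3
MAX_FIELD_BYTES = 1024 * 1024  # "Maximum size: 1 MB"; assumed to apply to the encoded value
# PEM markers of password-protected keys (PKCS#8 and legacy OpenSSL format)
ENCRYPTED_MARKERS = ("BEGIN ENCRYPTED PRIVATE KEY", "Proc-Type: 4,ENCRYPTED")


def _encode(name, pem_text):
    """Base64-encode one PEM field and enforce the documented size limit."""
    if not pem_text or not pem_text.strip():
        raise ValueError(f"certContent.{name} is empty")
    encoded = base64.b64encode(pem_text.encode("utf-8")).decode("ascii")
    if len(encoded) > MAX_FIELD_BYTES:
        raise ValueError(f"certContent.{name} exceeds 1 MB")
    return encoded


def build_rotate_request(project_id, cluster_id, token, component,
                         retention_hours=None, ca_pem=None, cert_pem=None, key_pem=None):
    """Return (path, headers, json_body) for rotatecredentials; sends nothing."""
    if component not in COMPONENTS:
        raise ValueError(f"component must be one of {sorted(COMPONENTS)}")
    body = {"component": component}
    if retention_hours is not None:
        if isinstance(retention_hours, bool) or not isinstance(retention_hours, int):
            raise ValueError("certificateExpirationTime must be an integer (hours)")
        if not 0 <= retention_hours <= 8784:
            raise ValueError("certificateExpirationTime must be within 0-8784 hours")
        body["certificateExpirationTime"] = retention_hours
    if component == "custom":
        # Assumption: all three fields are required whenever component is custom.
        if None in (ca_pem, cert_pem, key_pem):
            raise ValueError("component=custom requires certContent (ca, cert, privateKey)")
        if any(marker in key_pem for marker in ENCRYPTED_MARKERS):
            raise ValueError("privateKey is password-encrypted; use an unencrypted key")
        body["certContent"] = {"ca": _encode("ca", ca_pem),
                               "cert": _encode("cert", cert_pem),
                               "privateKey": _encode("privateKey", key_pem)}
    elif any(v is not None for v in (ca_pem, cert_pem, key_pem)):
        # Stricter than the page: never put key material in a request that does not need it.
        raise ValueError("certificate material supplied but component is not custom")
    path = f"/api/v3/projects/{project_id}/clusters/{cluster_id}/rotatecredentials"
    headers = {"Content-Type": "application/json", "X-Auth-Token": token}
    return path, headers, json.dumps(body)
```

The returned headers carry the user token and, for custom, the body carries the private key, so neither should be written to logs.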

Example Responses

Status code: 200

The certificate rotation task has been delivered in the cluster.

{
  "jobid" : "2ec9b78d-9368-46f3-8f29-d1a95622a568"
}

Status Codes

| Status Code | Description |
|---|---|
| 200 | The certificate rotation task has been delivered in the cluster. |

Error Codes

See Error Codes.