Updated on 2026-05-07 GMT+08:00

Rotating a Cluster Certificate of a User

Function

This API is used to rotate the certificate of a cluster.

Only clusters of v1.19 or later are supported.

After the operation completes, the certificate for the cluster component is renewed with a new five-year validity period.

Calling Method

For details, see Calling APIs.

Authorization Information

Each account has all the permissions required to call all APIs, but IAM users must be assigned the required permissions.

  • If you are using role/policy-based authorization, see Permissions Policies and Supported Actions for details on the required permissions.
  • If you are using identity policy-based authorization, the following identity policy-based permissions are required.

    | Action | Access Level | Resource Type (*: required) | Condition Key | Alias | Dependencies |
    | --- | --- | --- | --- | --- | --- |
    | cce:cluster:rotateCredentials | Write | cluster * | g:EnterpriseProjectId; g:ResourceTag/<tag-key> | - | - |

URI

POST /api/v3/projects/{project_id}/clusters/{cluster_id}/rotatecredentials

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| project_id | Yes | String | Details: Project ID. For details about how to obtain the value, see How to Obtain Parameters in the API URI. Constraints: None. Options: Project IDs of the account. Default value: N/A |
| cluster_id | Yes | String | Details: Cluster ID. For details about how to obtain the value, see How to Obtain Parameters in the API URI. Constraints: None. Options: Cluster IDs. Default value: N/A |

Request Parameters

Table 2 Request header parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| Content-Type | Yes | String | Definition: Type (or format) of the request body. The default value is application/json. Other values of this field will be provided for specific APIs, if any. Constraints: GET requests are not validated. Default Value: N/A |
| X-Auth-Token | Yes | String | Details: Requests for calling an API can be authenticated using either a token or AK/SK. If token-based authentication is used, this parameter is mandatory and must be set to a user token. For details, see Obtaining a User Token. Constraints: None. Options: N/A. Default value: N/A |

Table 3 Request body parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| component | Yes | String | Definition: Name of a component to be rotated. Constraints: N/A. Range: all (the CCE cluster certificate is rotated); service-account-controller (the ServiceAccount-token signing certificate is rotated); custom (the custom certificate is rotated; if this value is specified, the certContent parameter must also be specified). Default Value: N/A |
| certificateExpirationTime | No | Integer | Definition: The length of time the old ServiceAccount-token signing certificate remains valid after the certificate is rotated. To ensure that the old ServiceAccount-token signing certificate continues to pass signature verification after rotation, CCE retains the old certificate for a period of time. For the first rotation, CCE retains the certificate generated during cluster creation. For the second rotation and subsequent rotations, CCE retains the old certificate for a period of time (24 hours by default). You can configure the retention period using this parameter. Constraints: N/A. Range: 0–8784 (hours). Default Value: 24 (hours) |
| certContent | No | AuthenticatingProxy object | Definition: Certificate details. Constraints: This parameter is mandatory when component is set to custom. |

Table 4 AuthenticatingProxy

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| ca | No | String | Details: X509 CA certificate (Base64-encoded) configured in authenticating_proxy mode. Constraints: This field is mandatory when the cluster authentication mode is authenticating_proxy. Options: Maximum size: 1 MB. Default value: N/A |
| cert | No | String | Details: Client certificate issued by the X509 CA certificate configured in authenticating_proxy mode, which is used for authentication from kube-apiserver to the extended API server. (The value must be Base64-encoded.) Constraints: This field is mandatory when the cluster authentication mode is authenticating_proxy. Options: Maximum size: 1 MB. Default value: N/A |
| privateKey | No | String | Details: Private key of the client certificate issued by the X509 CA certificate configured in authenticating_proxy mode, which is used for authentication from kube-apiserver to the extended API server. The private key used by the Kubernetes cluster does not support password encryption. Use an unencrypted private key. (The value must be Base64-encoded.) Constraints: This field is mandatory when the cluster authentication mode is authenticating_proxy. Options: Maximum size: 1 MB. Default value: N/A |

Response Parameters

Status code: 200

Table 5 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| jobid | String | Definition: ID returned after a job is submitted. This ID can be used to query the execution of the job. Constraints: N/A. Range: N/A. Default Value: N/A |

Example Requests

POST /api/v3/projects/{project_id}/clusters/{cluster_id}/rotatecredentials

{
  "component" : "service-account-controller"
}

Example Responses

Status code: 200

The certificate rotation task has been delivered in the cluster.

{
  "jobid" : "2ec9b78d-9368-46f3-8f29-d1a95622a568"
}
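
The request-body constraints from Tables 3 and 4, checked client-side before the call is sent. This is an added example, not part of the CCE documentation or SDK: the function and constant names are hypothetical, and two rules are assumptions (all three certContent fields are required together for custom, and the 1 MB limit is applied to the Base64-encoded value).

```python
import base64
import json
from urllib.parse import quote

COMPONENTS = ("all", "service-account-controller", "custom")  # Table 3, Range
MAX_RETENTION_HOURS = 8784                                    # Table 3, 0-8784 hours
MAX_FIELD_BYTES = 1024 * 1024              # Table 4, 1 MB (assumed: encoded size)

# Constructed placeholder PEM text, not real certificate or key material.
SAMPLE_CA = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CA\n-----END CERTIFICATE-----\n"
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-CERT\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-KEY\n-----END PRIVATE KEY-----\n"


def encode_pem(name, pem_text):
    """Base64-encode one PEM document for certContent and enforce the size limit."""
    encoded = base64.b64encode(pem_text.encode("utf-8")).decode("ascii")
    if len(encoded) > MAX_FIELD_BYTES:
        raise ValueError(f"{name} is larger than 1 MB")
    return encoded


def build_rotate_request(project_id, cluster_id, component,
                         retention_hours=None, ca=None, cert=None, private_key=None):
    """Return (path, json_body) for rotatecredentials; raise ValueError on bad input."""
    if component not in COMPONENTS:
        raise ValueError(f"component must be one of {COMPONENTS}")
    body = {"component": component}
    if retention_hours is not None:
        if type(retention_hours) is not int or not 0 <= retention_hours <= MAX_RETENTION_HOURS:
            raise ValueError("certificateExpirationTime must be an integer in 0-8784 (hours)")
        body["certificateExpirationTime"] = retention_hours
    if component == "custom":
        # Assumption: ca, cert and privateKey are supplied together for a custom rotation.
        if not (ca and cert and private_key):
            raise ValueError("custom requires certContent with ca, cert and privateKey")
        # PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy ("Proc-Type: 4,ENCRYPTED")
        # password-protected PEM keys both carry this marker; the API needs a plain key.
        if "ENCRYPTED" in private_key:
            raise ValueError("privateKey must not be password-encrypted")
        body["certContent"] = {
            "ca": encode_pem("ca", ca),
            "cert": encode_pem("cert", cert),
            "privateKey": encode_pem("privateKey", private_key),
        }
    # Percent-encode the IDs so a stray "/" cannot change the request path.
    path = (f"/api/v3/projects/{quote(project_id, safe='')}"
            f"/clusters/{quote(cluster_id, safe='')}/rotatecredentials")
    return path, json.dumps(body)
```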

Status Codes

| Status Code | Description |
| --- | --- |
| 200 | The certificate rotation task has been delivered in the cluster. |

Error Codes

See Error Codes.