Updated on 2025-08-26 GMT+08:00

Obtaining a Cluster Certificate

Function

This API is used to obtain a certificate of a specified cluster.

Constraints

This API is applicable to clusters of v1.13 and later.

Calling Method

For details, see Calling APIs.

URI

POST /api/v3/projects/{project_id}/clusters/{cluster_id}/clustercert

Table 1 Path Parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| project_id | Yes | String | Details: Project ID. For details about how to obtain the value, see How to Obtain Parameters in the API URI. Constraints: None. Options: Project IDs of the account. Default value: N/A. |
| cluster_id | Yes | String | Details: Cluster ID. For details about how to obtain the value, see How to Obtain Parameters in the API URI. Constraints: None. Options: Cluster IDs. Default value: N/A. |

Request Parameters

Table 2 Request header parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| Content-Type | Yes | String | Details: The request body type or format. Constraints: The GET method is not verified. Options: application/json, application/json;charset=utf-8, application/x-pem-file, multipart/form-data (used when the FormData parameter is present). Default value: N/A. |
| X-Auth-Token | Yes | String | Details: Requests for calling an API can be authenticated using either a token or AK/SK. If token-based authentication is used, this parameter is mandatory and must be set to a user token. For details, see Obtaining a User Token. Constraints: None. Options: N/A. Default value: N/A. |

Table 3 Request body parameters

| Parameter | Mandatory | Type | Description |
| --- | --- | --- | --- |
| duration | Yes | Integer | Definition: How long a cluster certificate is valid. Constraints: N/A. Range: -1 or 1 to 1827. NOTE: The minimum value is 1 day and the maximum value is 1827 days (5 years). For example, if there is one leap year within the five-year period, the maximum value is 1826 days. If the value is set to -1, the maximum value (5 years) will be used. Default value: N/A. |

Response Parameters

Status code: 200

Table 4 Response header parameters

| Parameter | Type | Description |
| --- | --- | --- |
| Port-ID | String | Definition: Port ID of the cluster control plane node. Constraints: N/A. Range: N/A. Default value: N/A. |

Table 5 Response body parameters

| Parameter | Type | Description |
| --- | --- | --- |
| kind | String | Definition: API type. Constraints: The value cannot be changed. Range: N/A. Default value: Config. |
| apiVersion | String | Definition: API version. Constraints: The value cannot be changed. Range: N/A. Default value: v1. |
| preferences | Object | Definition: This field is not in use. Constraints: N/A. Range: N/A. Default value: Empty. |
| clusters | Array of Clusters objects | Definition: Cluster list. Constraints: N/A. |
| users | Array of Users objects | Definition: Certificate information and client key information of a specified user. Constraints: N/A. |
| contexts | Array of Contexts objects | Definition: Context list. Constraints: N/A. |
| current-context | String | Definition: Current context. Constraints: N/A. Range: external (public network access), internal (private network access). Default value: If publicIp (a VM's EIP) is present, the value is external. If publicIp is not present, the value is internal. |

Table 6 Clusters

| Parameter | Type | Description |
| --- | --- | --- |
| name | String | Definition: Cluster name. Constraints: N/A. Range: internalCluster (a cluster that can be accessed through a private network), externalCluster (a cluster that can be accessed through the public network). Default value: If publicIp (a VM's EIP) is not present, there is only one cluster in the cluster list, and the value of this parameter is internalCluster. If publicIp is present, there is more than one cluster in the cluster list, and the value of name of all extended clusters is externalCluster. |
| cluster | ClusterCert object | Definition: Cluster information. Constraints: N/A. |

Table 7 ClusterCert

| Parameter | Type | Description |
| --- | --- | --- |
| server | String | Definition: Server address. Constraints: N/A. Range: N/A. Default value: N/A. |
| certificate-authority-data | String | Definition: Certificate authority (CA) data. Constraints: N/A. Range: N/A. Default value: N/A. |
| insecure-skip-tls-verify | Boolean | Definition: Whether to skip server certificate verification. Constraints: N/A. Range: true, false. Default value: If the cluster type is externalCluster, the value is true. |

Table 8 Users

| Parameter | Type | Description |
| --- | --- | --- |
| name | String | Definition: Name. Constraints: N/A. Range: N/A. Default value: user. |
| user | User object | Definition: Certificate information and client key information of a specified user. Constraints: N/A. |

Table 9 User

| Parameter | Type | Description |
| --- | --- | --- |
| client-certificate-data | String | Definition: Client certificate. Constraints: N/A. Range: N/A. Default value: N/A. |
| client-key-data | String | Definition: PEM encoding data from the TLS client key file. Constraints: N/A. Range: N/A. Default value: N/A. |

Table 10 Contexts

| Parameter | Type | Description |
| --- | --- | --- |
| name | String | Definition: Context name. Constraints: N/A. Range: internal (private network access), external (public network access). Default value: If publicIp (a VM's EIP) is not present, there is only one cluster in the cluster list, and the value of this parameter is internal. If publicIp is present, there is more than one cluster in the cluster list, and the value of name of all extended contexts is external. |
| context | Context object | Definition: Context. Constraints: N/A. |

Table 11 Context

| Parameter | Type | Description |
| --- | --- | --- |
| cluster | String | Definition: Cluster context. Constraints: N/A. Range: N/A. Default value: N/A. |
| user | String | Definition: User context. Constraints: N/A. Range: N/A. Default value: N/A. |

Example Requests

Applying for a cluster access certificate valid for 30 days

{
  "duration" : 30
}

Example Responses

Status code: 200

The certificate of the specified cluster is successfully obtained. For details about the certificate file format, see the Kubernetes v1.Config structure.

{
  "kind" : "Config",
  "apiVersion" : "v1",
  "preferences" : { },
  "clusters" : [ {
    "name" : "internalCluster",
    "cluster" : {
      "server" : "https://192.168.1.7:5443",
      "certificate-authority-data" : "Q2VydGlmaWNhdGU6******FTkQgQ0VSVElGSUNBVEUtLS0tLQo="
    }
  } ],
  "users" : [ {
    "name" : "user",
    "user" : {
      "client-certificate-data" : "LS0tLS1CRUdJTiBDR******QVRFLS0tLS0K",
      "client-key-data" : "LS0tLS1CRUdJTi******BLRVktLS0tLQo="
    }
  } ],
  "contexts" : [ {
    "name" : "internal",
    "context" : {
      "cluster" : "internalCluster",
      "user" : "user"
    }
  } ],
  "current-context" : "internal"
}
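
The following Python sketch is an added example, not part of the original API reference or the SDK. It checks the duration range from Table 3 and inspects a response of the shape described in Tables 5 to 11 before it is logged or stored. The function names, the "<redacted>" marker and the sample values (including the 192.0.2.10 address) are assumptions constructed for illustration.

```python
import copy, json, os

def valid_duration(days):
    """Table 3 range: -1 (use the maximum) or 1 to 1827 days."""
    return type(days) is int and (days == -1 or 1 <= days <= 1827)

def unverified_clusters(cfg):
    """Names of cluster entries that skip server certificate verification."""
    return [e["name"] for e in cfg.get("clusters", [])
            if e.get("cluster", {}).get("insecure-skip-tls-verify") is True]

def active_cluster(cfg):
    """Cluster name that current-context resolves to, or None."""
    for e in cfg.get("contexts", []):
        if e.get("name") == cfg.get("current-context"):
            return e.get("context", {}).get("cluster")
    return None

def redacted(cfg):
    """Copy that is safe to log: client-key-data (the private key) is masked."""
    safe = copy.deepcopy(cfg)
    for u in safe.get("users", []):
        if "client-key-data" in u.get("user", {}):
            u["user"]["client-key-data"] = "<redacted>"
    return safe

def save_private(cfg, path):
    """Write the config so that only the owner can read it (POSIX mode 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)  # also tightens a file that already existed
        json.dump(cfg, fh, indent=2)

# Constructed sample, not real output: the shape returned when publicIp is present.
SAMPLE = {
    "kind": "Config", "apiVersion": "v1", "preferences": {},
    "clusters": [
        {"name": "internalCluster", "cluster": {
            "server": "https://192.168.1.7:5443",
            "certificate-authority-data": "Q09OU1RSVUNURUQ="}},
        {"name": "externalCluster", "cluster": {
            "server": "https://192.0.2.10:5443", "insecure-skip-tls-verify": True}}],
    "users": [{"name": "user", "user": {
        "client-certificate-data": "Q09OU1RSVUNURUQ=", "client-key-data": "Q09OU1RSVUNURUQ="}}],
    "contexts": [
        {"name": "internal", "context": {"cluster": "internalCluster", "user": "user"}},
        {"name": "external", "context": {"cluster": "externalCluster", "user": "user"}}],
    "current-context": "external",
}
```

For the constructed sample, the active context resolves to externalCluster, which is also the entry that skips server certificate verification. Because client-key-data is the user's TLS private key, log only the redacted copy and store the full document with owner-only permissions.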

SDK Sample Code

The SDK sample code is as follows.

Applying for a cluster access certificate valid for 30 days (Java)

package com.huaweicloud.sdk.test;

import com.huaweicloud.sdk.core.auth.ICredential;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.cce.v3.region.CceRegion;
import com.huaweicloud.sdk.cce.v3.*;
import com.huaweicloud.sdk.cce.v3.model.*;


public class CreateKubernetesClusterCertSolution {

    public static void main(String[] args) {
        // The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
        // In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
        String ak = System.getenv("CLOUD_SDK_AK");
        String sk = System.getenv("CLOUD_SDK_SK");
        String projectId = "{project_id}";

        ICredential auth = new BasicCredentials()
                .withProjectId(projectId)
                .withAk(ak)
                .withSk(sk);

        CceClient client = CceClient.newBuilder()
                .withCredential(auth)
                .withRegion(CceRegion.valueOf("<YOUR REGION>"))
                .build();
        CreateKubernetesClusterCertRequest request = new CreateKubernetesClusterCertRequest();
        request.withClusterId("{cluster_id}");
        CertDuration body = new CertDuration();
        body.withDuration(30);
        request.withBody(body);
        try {
            CreateKubernetesClusterCertResponse response = client.createKubernetesClusterCert(request);
            System.out.println(response.toString());
        } catch (ConnectionException e) {
            e.printStackTrace();
        } catch (RequestTimeoutException e) {
            e.printStackTrace();
        } catch (ServiceResponseException e) {
            e.printStackTrace();
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getRequestId());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }
}

Applying for a cluster access certificate valid for 30 days (Python)

# coding: utf-8

import os
from huaweicloudsdkcore.auth.credentials import BasicCredentials
from huaweicloudsdkcce.v3.region.cce_region import CceRegion
from huaweicloudsdkcore.exceptions import exceptions
from huaweicloudsdkcce.v3 import *

if __name__ == "__main__":
    # The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
    # In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
    ak = os.environ["CLOUD_SDK_AK"]
    sk = os.environ["CLOUD_SDK_SK"]
    projectId = "{project_id}"

    credentials = BasicCredentials(ak, sk, projectId)

    client = CceClient.new_builder() \
        .with_credentials(credentials) \
        .with_region(CceRegion.value_of("<YOUR REGION>")) \
        .build()

    try:
        request = CreateKubernetesClusterCertRequest()
        request.cluster_id = "{cluster_id}"
        request.body = CertDuration(
            duration=30
        )
        response = client.create_kubernetes_cluster_cert(request)
        print(response)
    except exceptions.ClientRequestException as e:
        print(e.status_code)
        print(e.request_id)
        print(e.error_code)
        print(e.error_msg)

Applying for a cluster access certificate valid for 30 days (Go)

package main

import (
	"fmt"
	"os" // required for os.Getenv below

	"github.com/huaweicloud/huaweicloud-sdk-go-v3/core/auth/basic"
	cce "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cce/v3"
	"github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cce/v3/model"
	region "github.com/huaweicloud/huaweicloud-sdk-go-v3/services/cce/v3/region"
)

func main() {
	// The AK and SK used for authentication are hard-coded or stored in plaintext, which has great security risks. It is recommended that the AK and SK be stored in ciphertext in configuration files or environment variables and decrypted during use to ensure security.
	// In this example, AK and SK are stored in environment variables for authentication. Before running this example, set environment variables CLOUD_SDK_AK and CLOUD_SDK_SK in the local environment
	ak := os.Getenv("CLOUD_SDK_AK")
	sk := os.Getenv("CLOUD_SDK_SK")
	projectId := "{project_id}"

	auth := basic.NewCredentialsBuilder().
		WithAk(ak).
		WithSk(sk).
		WithProjectId(projectId).
		Build()

	client := cce.NewCceClient(
		cce.CceClientBuilder().
			WithRegion(region.ValueOf("<YOUR REGION>")).
			WithCredential(auth).
			Build())

	// Request a certificate that is valid for 30 days.
	request := &model.CreateKubernetesClusterCertRequest{}
	request.ClusterId = "{cluster_id}"
	request.Body = &model.CertDuration{
		Duration: int32(30),
	}
	response, err := client.CreateKubernetesClusterCert(request)
	if err == nil {
		fmt.Printf("%+v\n", response)
	} else {
		fmt.Println(err)
	}
}

For SDK sample code of more programming languages, see the Sample Code tab in API Explorer. SDK sample code can be automatically generated.

Status Codes

| Status Code | Description |
| --- | --- |
| 200 | The certificate of the specified cluster is successfully obtained. For details about the certificate file format, see the Kubernetes v1.Config structure. |

Error Codes

See Error Codes.