Replace internal CA certs for external Private registry used in Tanzu Kubernetes Clusters

Article ID: 313096


Products

VMware vCenter Server VMware vCenter Server 8.0

Issue/Introduction

A new CA certificate is not applied automatically to existing Tanzu Kubernetes Clusters (TKCs).

 

Environment

VMware vSphere 7.0 with Tanzu

Resolution

Follow the steps below to add the new certificate of the external private registry used by the TKC.

1) Update the "TkgServiceConfiguration" in the Supervisor cluster by adding or replacing the new cert under "additionalTrustedCAs".

 

apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  name: tkg-service-configuration
spec:
  defaultCNI: antrea
  trust:
    additionalTrustedCAs:
      - name: first-cert-name
        data: base64-encoded string of a PEM encoded public cert 1
      - name: second-cert-name
        data: base64-encoded string of a PEM encoded public cert 2

 

2) Trigger a rolling update of existing clusters by running the below command on each cluster to apply this change.

kubectl patch tkc <CLUSTER_NAME> -n <NAMESPACE> --type merge -p "{\"spec\":{\"settings\":{\"network\":{\"trust\": null}}}}"

 

After this command is run, a rolling update of that TKC starts.
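
The "data" value in step 1 has to be the base64 of the whole PEM text on a single line, and it should contain only the public certificate. The following bash function is an added example, not part of the original article or of any VMware tooling: it refuses files that carry a private key or more than one certificate, encodes the PEM without line wrapping, verifies the round trip, and prints an entry to paste under "additionalTrustedCAs". The function name tkg_trust_entry and the entry name used with it are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: build one additionalTrustedCAs entry from a PEM CA file.
# tkg_trust_entry is a hypothetical helper name, not a VMware command.

tkg_trust_entry() {
  local name="$1" pem="$2" count b64

  [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }

  # The field holds a public certificate; refuse files with key material.
  if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
    echo "$pem contains a private key, refusing to encode" >&2
    return 3
  fi

  # One certificate per entry, matching the manifest in step 1.
  count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
  if [ "$count" -ne 1 ]; then
    echo "$pem holds $count certificates, expected exactly 1" >&2
    return 4
  fi
  grep -q -e '-----END CERTIFICATE-----' "$pem" || {
    echo "$pem has no END CERTIFICATE marker" >&2
    return 4
  }

  # Encode the full PEM text (markers included) and strip line wrapping,
  # because the YAML value must be a single line.
  b64=$(base64 < "$pem" | tr -d '\n')

  # Round trip: decoding must return the original file byte for byte.
  if ! printf '%s' "$b64" | base64 -d | cmp -s - "$pem"; then
    echo "base64 round trip failed for $pem" >&2
    return 5
  fi

  # Indentation matches a list item under spec.trust.additionalTrustedCAs.
  printf '      - name: %s\n        data: %s\n' "$name" "$b64"
}
```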