The TKG plugin helps configure some options from the vCenter UI under Hosts and Clusters > Cluster > Configure > TKG Service, such as setting the Default Tanzu Kubernetes cluster CNI plugin and registering clusters in Tanzu Mission Control. It communicates with the tkgs-plugin-server pod in the backend through a masterproxy-tkgs-plugin pod, which acts as a reverse proxy to ensure that calls from the TKG interface in the vSphere client are properly routed to the tkgs-plugin-server.
When the TLS certificate in tkgs-plugin-tls-secret expires, this communication fails with status code 502 Bad Gateway. The masterproxy-tkgs-plugin logs should report this error:
2023-03-01T11:45:30.846010245Z stderr F 2023/02/08 11:45:30 [error] 8#0: *5167 upstream SSL certificate verify error: (10:certificate has expired) while SSL handshaking to upstream, client: 127.0.0.1, server: localhost, request: "GET /plugin.json HTTP/1.0", upstream: "https://10.96.0.77:8099/plugin.json", host: "127.0.0.1:9900"
The tkgs-plugin-tls-secret should contain an expired TLS certificate:
1- Follow KB 90194 to access the supervisor cluster via ssh.
2- Check the expiry date of the TLS certificate for TKG plugin:
# kubectl get secret -n vmware-system-tkg tkgs-plugin-tls-secret -o jsonpath='{.data.tls\.crt}' |base64 -d |openssl x509 -noout -text |grep After
Not After : Dec 20 11:12:12 2022 GMT <---- expired
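The two checks above (the masterproxy log error and the certificate's Not After date) can be turned into pass/fail helpers. This is an added example, not VMware code; the function names and the 30-day warning threshold are assumptions, and GNU date is required.

```shell
#!/usr/bin/env bash
# Added example (not VMware code): helpers for the symptom and check described above.
WARN_DAYS=30   # assumption: flag certificates with fewer than 30 days left

# cert_state "<notAfter as printed by openssl>" [now_epoch]
# Prints "expired N", "expiring N" or "ok N", N = whole days until notAfter.
cert_state() {
    local not_after now end days
    not_after=$1
    now=${2:-$(date +%s)}
    end=$(date -u -d "$not_after" +%s) || return 2   # GNU date parses openssl's format
    days=$(( (end - now) / 86400 ))
    if [ "$end" -le "$now" ]; then
        echo "expired $days"
    elif [ "$days" -lt "$WARN_DAYS" ]; then
        echo "expiring $days"
    else
        echo "ok $days"
    fi
}

# not_after_of_secret <namespace> <secret>: decode tls.crt and print its notAfter.
not_after_of_secret() {
    kubectl get secret -n "$1" "$2" -o jsonpath='{.data.tls\.crt}' \
        | base64 -d | openssl x509 -noout -enddate | cut -d= -f2
}

# has_upstream_expiry_error: reads masterproxy-tkgs-plugin log lines on stdin and
# succeeds if nginx logged the expired upstream certificate error.
has_upstream_expiry_error() {
    grep -qF 'upstream SSL certificate verify error: (10:certificate has expired)'
}

# check_tkgs_plugin_cert: state of the certificate in the secret named in this article.
check_tkgs_plugin_cert() {
    local na
    na=$(not_after_of_secret vmware-system-tkg tkgs-plugin-tls-secret) || return 2
    cert_state "$na"
}
```

Source the file on the supervisor control plane node and run check_tkgs_plugin_cert; pipe the masterproxy-tkgs-plugin log into has_upstream_expiry_error to confirm the symptom.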