Operations like cluster creation, node pool creation and node customizations will fail.
To check whether the TKG cluster currently has an expired certificate, SSH into the TKG management cluster master node as the capv user and download the diagnostic script:
ssh capv@[TkgMgmtIP]
curl -kfsSL 'https://vmwaresaas.jfrog.io/artifactory/generic-registry/run-diagnosis' -o run-diagnosis.sh
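Verify the downloaded script before running it (the -k option in the curl command above disables TLS certificate validation, so curl does not authenticate the server), then set the correct permissions on the script: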
chmod +x run-diagnosis.sh
Execute the script from the node:
./run-diagnosis.sh
Check the HTML test reports for detailed results and test information.
In addition, the bootstrap logs will indicate an expired certificate:
Sep 2 18:07:29 apiserverd[7521] : [Err-controller] : Failed to handle plugins by NodeConfig CR in cluster 180f5152-064b-49f2-b207-4dfa09c8a9e1, err: Error from server (InternalError): error when creating "/opt/vmware/k8s-bootstrapper/180f5152-064b-49f2-b207-4dfa09c8a9e1/np_addon-nodeprofile-mgmt-cl1.yaml" Internal error occurred: failed calling webhook "validator.nodeconfig.acm.vmware.com": Post "https://nodeconfigvalidator.tca-system.svc:443/validate-nodeconfig?timeout=5s": x509: certificate has expired or is not yet valid: current time 2021-09-02T18:07:18Z is after 2021-09-02T07:37:00Z
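The failure signature in the log line above can be searched for directly. The following is an added example, not part of the original article or VMware's tooling: a shell function that scans log text for webhook calls rejected with this x509 error and separates expired certificates ("is after") from not-yet-valid ones ("is before"). The sample input is constructed from the line above; the second webhook name, its endpoint and its timestamps are hypothetical.

```bash
# Added example, not from the article. Reads log text on stdin and prints one
# line per distinct webhook certificate failure (first occurrence kept):
#   STATE webhook endpoint-host:port cert-boundary time-first-observed
# EXPIRED       = "is after"  (current time is past the cert's NotAfter)
# NOT_YET_VALID = "is before" (before NotBefore; often node clock skew)
find_webhook_cert_failures() {
  sed -nE 's#.*failed calling webhook "([^"]+)": Post "https://([^/"]+)[^"]*": x509: certificate has expired or is not yet valid: current time ([0-9TZ:.+-]+) is (after|before) ([0-9TZ:.+-]+).*#\4 \1 \2 \5 \3#p' |
    sed -e 's/^after /EXPIRED /' -e 's/^before /NOT_YET_VALID /' |
    awk '!seen[$1 FS $2 FS $3 FS $4]++'   # collapse retries of the same failure
}

# Constructed sample input: line 1 is the log line quoted above, line 2 is a
# constructed retry of it, line 3 uses a hypothetical webhook and timestamps,
# line 4 is unrelated noise.
sample_log() {
  cat <<'EOF'
Sep 2 18:07:29 apiserverd[7521] : [Err-controller] : Failed to handle plugins by NodeConfig CR in cluster 180f5152-064b-49f2-b207-4dfa09c8a9e1, err: Error from server (InternalError): error when creating "/opt/vmware/k8s-bootstrapper/180f5152-064b-49f2-b207-4dfa09c8a9e1/np_addon-nodeprofile-mgmt-cl1.yaml" Internal error occurred: failed calling webhook "validator.nodeconfig.acm.vmware.com": Post "https://nodeconfigvalidator.tca-system.svc:443/validate-nodeconfig?timeout=5s": x509: certificate has expired or is not yet valid: current time 2021-09-02T18:07:18Z is after 2021-09-02T07:37:00Z
Sep 2 18:07:34 apiserverd[7521] : [Err-controller] : Internal error occurred: failed calling webhook "validator.nodeconfig.acm.vmware.com": Post "https://nodeconfigvalidator.tca-system.svc:443/validate-nodeconfig?timeout=5s": x509: certificate has expired or is not yet valid: current time 2021-09-02T18:07:23Z is after 2021-09-02T07:37:00Z
Sep 2 18:09:02 apiserverd[7521] : [Err-controller] : failed calling webhook "validator.example.internal": Post "https://examplevalidator.example-ns.svc:443/validate?timeout=5s": x509: certificate has expired or is not yet valid: current time 2021-09-02T18:09:01Z is before 2021-09-03T00:00:00Z
Sep 2 18:09:05 apiserverd[7521] : [Info-controller] : reconcile finished
EOF
}

sample_log | find_webhook_cert_failures
```

To run it against real data, pipe the bootstrap log text into find_webhook_cert_failures instead of sample_log.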