When attempting to upgrade NAPP to 4.1.2 using a private Harbor registry with a private CA, the upgrade process fails due to an inability to verify the self-signed private Harbor CA certificate.
NAPP 4.1.1
The private CA does not have first-class support in versions earlier than 4.2.0. The Harbor CA certificate added in NSX is not propagated to all components of NAPP. Consequently, this certificate is not available on the upgrade-coordinator pod.
Additionally, the upgrade-coordinator pod does not load the host certificates, so certificates added on the Kubernetes cluster are also unavailable during the upgrade. As a result, the upgrade fails to verify the Helm certificate, which is reported as signed by an unknown authority.
To work around this issue, you need to manually add the certificate location to the upgrade-coordinator deployment YAML file.
1. Execute the following command on the manager:
napp-k edit deployment upgrade-coordinator
2. Add the following to the volumes section in the upgrade-coordinator deployment:
volumes:
- hostPath:
    path: /etc/ssl/certs
    type: ""
  name: host-ssl-certs
3. Add the following to the volumeMounts section in the upgrade-coordinator deployment:
volumeMounts:
- mountPath: /etc/ssl/certs
  name: host-ssl-certs
4. Wait for the upgrade-coordinator to restart, then proceed with the upgrade.
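To confirm the edit took effect before retrying the upgrade, the following added example (not part of the original article or of VMware's tooling) checks a deployment's JSON for the hostPath volume from step 2 and a matching mount from step 3. It assumes napp-k passes `get ... -o json` through to kubectl; the function names and file name are hypothetical.

```python
import json
import sys

CERT_DIR = "/etc/ssl/certs"  # host path used by the workaround above


def _norm(path):
    return (path or "").rstrip("/")


def check_cert_mount(deployment, cert_dir=CERT_DIR):
    """Return a list of problems; an empty list means the mount is in place."""
    pod = deployment.get("spec", {}).get("template", {}).get("spec", {})
    # hostPath volumes that expose the node's certificate directory
    vols = {v.get("name") for v in pod.get("volumes") or []
            if _norm((v.get("hostPath") or {}).get("path")) == cert_dir}
    if not vols:
        return [f"no hostPath volume for {cert_dir}"]
    problems = []
    mounted = False
    for c in pod.get("containers") or []:
        for m in c.get("volumeMounts") or []:
            if _norm(m.get("mountPath")) != cert_dir:
                continue
            if m.get("name") in vols:
                mounted = True
            else:
                # Something else is mounted over the cert directory
                problems.append(f"{c.get('name')}: {cert_dir} is backed by "
                                f"volume {m.get('name')!r}, not the host path")
    if not mounted and not problems:
        problems.append(f"volume {sorted(vols)} defined but not mounted at {cert_dir}")
    return problems


if __name__ == "__main__":
    # Usage (assumed): napp-k get deployment upgrade-coordinator -o json | python3 check.py
    issues = check_cert_mount(json.load(sys.stdin))
    print("\n".join(issues) if issues else "host CA directory is mounted")
    sys.exit(1 if issues else 0)
```

A non-zero exit status means the volume or mount is missing or mismatched, in which case the upgrade-coordinator still cannot see the Harbor CA.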
Note:
(1) This issue can also occur post-upgrade if the user has deleted intelligence and is trying to reactivate it. Reactivation of intelligence will fail until the certificates are added to the "cluster-api" pod by following the same steps outlined above.
(2) If NSX has not been upgraded to version 4.2.0, continue using the workaround until the NSX upgrade is completed.