How to update Windows worker nodes with the Harbor Registry Certificate in an air-gapped Tanzu environment.

Article ID: 372483

Products

  • Tanzu Kubernetes Grid
  • VMware Tanzu Kubernetes Grid
  • VMware Tanzu Kubernetes Grid Plus

Issue/Introduction

This article guides users through the manual steps required to update the registry certificate in an air-gapped Tanzu environment (also known as an internet-restricted environment) when creating custom ClusterClass-based clusters on TKGm 2.5.x, so that Windows worker nodes trust the CA that issued the Harbor registry certificate.

Environment

VMware Tanzu Kubernetes Grid 

Resolution

  • Change the current context to the management cluster.

         kubectl config use-context <management-cluster-context>

  • Patch "cc-win-cacert-overlay.yaml" with the required parameters as shown below:

spec:
  patches:
    - name: windows-cacert
      # Only applied when the caCertChain cluster variable is set.
      enabledIf: '{{ not (empty .caCertChain) }}'
      definitions:
      - selector:
          apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
          kind: KubeadmConfigTemplate
          matchResources:
            machineDeploymentClass:
              names:
              - tkg-worker-windows
        jsonPatches:
        # Write the CA chain from the cluster variable onto the node.
        - op: add
          path: /spec/template/spec/files/-
          valueFrom:
            template: |
              path: 'C:\k\rootca.pem'
              content: |
              {{ .caCertChain | indent 2 }}
        # Script that imports the CA into the machine-wide Root store.
        - op: add
          path: /spec/template/spec/files/-
          value:
            path: 'C:\k\addcert.ps1'
            content: |
              Import-Certificate -FilePath "c:\k\rootca.pem" -CertStoreLocation cert:\LocalMachine\Root
        # Run the import before kubeadm joins the node, so image pulls from the registry are trusted.
        - op: add
          path: /spec/template/spec/preKubeadmCommands/-
          value: powershell c:/k/addcert.ps1 -ExecutionPolicy Bypass
  variables:
    - name: caCertChain
      required: false
      schema:
        openAPIV3Schema:
          type: string
  • Update the cluster definition with the registry certificate under the "variables" section and save the file. After a successful edit, this change rolls out your cluster nodes.

NOTE: The configuration below has only been validated and tested on TKGm 2.5.x.

         kubectl edit cluster <workload-cluster-name>

For example:

- name: caCertChain
  value: |
    -----BEGIN CERTIFICATE-----
    MIIF xxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxP5s=
    -----END CERTIFICATE-----
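Once the nodes have rolled out, the following script, added here as an example and not part of the original article or the referenced overlays, can be run on a Windows worker to confirm that the CA written by the overlay was imported into the machine Root store and that the node now validates the registry's TLS chain. It assumes the file path from the overlay above; the registry hostname `harbor.example.internal` is a placeholder.

```powershell
# Added example: verify on a Windows worker that the Harbor CA written by the
# ClusterClass overlay was imported into Cert:\LocalMachine\Root and that a
# TLS connection to the registry now validates. Registry name is a placeholder.
param(
    [string]$CertPath = 'C:\k\rootca.pem',          # path used by the overlay
    [string]$Registry = 'harbor.example.internal'    # placeholder Harbor FQDN
)
if (-not (Test-Path $CertPath)) {
    throw "Certificate file $CertPath not found; the overlay did not write it."
}
# Load the PEM the overlay placed on the node. X509Certificate2 accepts a
# Base64 (PEM) encoded file; if the file holds a chain, only the first cert loads.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
Write-Host "Expected CA : $($expected.Subject) thumbprint $($expected.Thumbprint)"

# Import-Certificate into Root succeeds even for a leaf certificate, so check
# Basic Constraints explicitly: only a CA certificate belongs in that store.
$bc = $expected.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning "$CertPath is not marked as a CA certificate (Basic Constraints)."
}
if ($expected.NotAfter -lt (Get-Date)) {
    Write-Warning "CA certificate expired on $($expected.NotAfter)."
}

# Confirm addcert.ps1 actually imported it, matching by thumbprint rather than subject.
$installed = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $expected.Thumbprint }
if ($installed) {
    Write-Host "CA present in Cert:\LocalMachine\Root"
} else {
    throw "CA thumbprint $($expected.Thumbprint) not found in LocalMachine\Root."
}

# Finally, a TLS handshake to the registry must validate against that store.
# The registry API answers /v2/ with 401 when no credentials are sent; a trust
# failure surfaces as a connection error instead, so treat 401 as success.
try {
    Invoke-WebRequest -Uri "https://$Registry/v2/" -UseBasicParsing -TimeoutSec 10 | Out-Null
    Write-Host "TLS to $Registry OK (registry answered)"
} catch {
    if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 401) {
        Write-Host "TLS to $Registry OK (401 from /v2/, chain trusted)"
    } else {
        throw "TLS to $Registry failed: $($_.Exception.Message)"
    }
}
```

Run it on the worker with the real registry name (`.\verify-harbor-ca.ps1 -Registry <harbor-fqdn>`); a trust error here means the variable holds the wrong CA or the chain is incomplete.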

Additional Information

Reference link for overlays - https://github.com/jaimegag/tkg-zone/tree/main/windows