How to update Windows worker nodes with the Harbor Registry Certificate in an air-gapped Tanzu environment.



Article ID: 372483


Products

Tanzu Kubernetes Grid, VMware Tanzu Kubernetes Grid, VMware Tanzu Kubernetes Grid Plus

Issue/Introduction

  • Manual steps are required to update the registry certificate on Windows worker nodes in an air-gapped Tanzu environment (a.k.a. internet-restricted environment) when creating custom ClusterClass-based clusters on TKGm 2.5.x.

Environment

TKGm: 2.5.4

Cause

Expired Harbor registry certificate.

Resolution

  1. Change the current context to the management cluster
    kubectl config use-context <management-cluster-context>

  2. Patch the "cc-win-cacert-overlay.yaml" file with the required parameters, as shown below:
    spec:
      patches:
        - name: windows-cacert
          enabledIf: '{{ not (empty .caCertChain) }}'
          definitions:
          - selector:
              apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
              kind: KubeadmConfigTemplate
              matchResources:
                machineDeploymentClass:
                  names:
                  - tkg-worker-windows
            jsonPatches:
            - op: add
              path: /spec/template/spec/files/-
              valueFrom:
                template: |
                  path: 'C:\k\rootca.pem'
                  content: |
                  {{ .caCertChain | indent 2 }}
            - op: add
              path: /spec/template/spec/files/-
              value:
                path: 'C:\k\addcert.ps1'
                content: |
                  Import-Certificate -FilePath "c:\k\rootca.pem" -CertStoreLocation cert:\LocalMachine\Root
            - op: add
              path: /spec/template/spec/preKubeadmCommands/-
              value: powershell c:/k/addcert.ps1 -ExecutionPolicy Bypass
      variables:
        - name: caCertChain
          required: false
          schema:
            openAPIV3Schema:
              type: string


  3. Update the "variables" section of the cluster definition to include the registry certificate, then save the file. Saving the edit triggers a rolling update of the cluster nodes. NOTE - The configuration below has only been validated and tested on TKGm 2.5.x.
    kubectl edit cluster <workload-cluster-name>
For example:

    - name: caCertChain
      value: |
        -----BEGIN CERTIFICATE-----
        MIIF ##############
        ##############
        ##############
        ##############xxP5s=
        -----END CERTIFICATE-----
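Hand-pasting a multi-line PEM into kubectl edit is where the indentation of the caCertChain value usually goes wrong. As an added example (not VMware tooling or part of this article's procedure), the script below validates a PEM chain file and builds a kubectl JSON patch that adds the same caCertChain variable; it assumes a ClusterClass-based cluster (variables live under spec.topology.variables), and the cluster name and sample PEM are constructed placeholders.

```python
"""Build a kubectl JSON patch adding the caCertChain variable to a
ClusterClass-based Cluster. Example code added to this article; the
sample PEM below is constructed and is not a real certificate."""
import base64
import json
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_pem_chain(text: str) -> list[str]:
    """Return each certificate block, normalised to LF line endings.

    A block whose body is not valid base64 raises here, so a truncated or
    mis-pasted certificate fails before it is written to the Windows node.
    """
    certs = []
    for body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        base64.b64decode("".join(lines), validate=True)  # raises ValueError
        certs.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                     + "\n-----END CERTIFICATE-----")
    if not certs:
        raise ValueError("no PEM certificate blocks found")
    return certs


def ca_cert_chain_patch(pem_text: str) -> list[dict]:
    """JSON patch appending {name: caCertChain, value: <chain>} to
    /spec/topology/variables (Cluster API's ClusterClass variable list).
    The trailing newline matches what a YAML `|` block scalar would carry."""
    chain = "\n".join(parse_pem_chain(pem_text)) + "\n"
    return [{"op": "add", "path": "/spec/topology/variables/-",
             "value": {"name": "caCertChain", "value": chain}}]


# Constructed sample: base64 of junk bytes with CRLF endings, not a real cert.
SAMPLE_BODY = base64.b64encode(b"constructed, not a real certificate " * 2).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n" + SAMPLE_BODY[:40] + "\r\n"
              + SAMPLE_BODY[40:] + "\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    # Usage: kubectl patch cluster <workload-cluster-name> --type=json \
    #            -p "$(python3 ca_cert_chain_patch.py)"   (placeholder names)
    print(json.dumps(ca_cert_chain_patch(SAMPLE_PEM)))
```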

Additional Information