This article describes the manual steps required to add a private registry CA certificate to the Windows worker nodes of custom ClusterClass-based clusters in an air-gapped (internet-restricted) Tanzu environment on TKGm 2.5.x.
VMware Tanzu Kubernetes Grid
Switch kubectl to the management cluster context, where the ClusterClass object is stored:

kubectl config use-context <management-cluster-context>
Add the following patch and variable to the custom ClusterClass (under spec.patches and spec.variables). The patch writes the CA certificate to C:\k\rootca.pem on each Windows worker, writes a small PowerShell script next to it, and runs that script before kubeadm joins the node so that the certificate is in the machine's Trusted Root Certification Authorities store before the node starts pulling images from the registry. Two things to be aware of: the "/-" JSON Patch paths append to arrays, so the target KubeadmConfigTemplate must already define files and preKubeadmCommands, otherwise the patch fails; and anything placed in cert:\LocalMachine\Root is trusted by every TLS client on the node, so caCertChain should contain only the CA certificate(s) that sign the registry's certificate.

spec:
  patches:
  - name: windows-cacert
    enabledIf: '{{ not (empty .caCertChain) }}'
    definitions:
    - selector:
        apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
        kind: KubeadmConfigTemplate
        matchResources:
          machineDeploymentClass:
            names:
            - tkg-worker-windows
      jsonPatches:
      - op: add
        path: /spec/template/spec/files/-
        valueFrom:
          template: |
            path: 'C:\k\rootca.pem'
            content: |
            {{ .caCertChain | indent 2 }}
      - op: add
        path: /spec/template/spec/files/-
        value:
          path: 'C:\k\addcert.ps1'
          content: |
            Import-Certificate -FilePath "c:\k\rootca.pem" -CertStoreLocation cert:\LocalMachine\Root
      - op: add
        path: /spec/template/spec/preKubeadmCommands/-
        value: powershell -ExecutionPolicy Bypass -File c:/k/addcert.ps1
  variables:
  - name: caCertChain
    required: false
    schema:
      openAPIV3Schema:
        type: string

Note the order of the powershell.exe arguments: -ExecutionPolicy must precede -File, because powershell.exe stops parsing its own switches at the first positional argument and would otherwise hand "-ExecutionPolicy Bypass" to the script as parameters.
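The one-line addcert.ps1 above sends everything in rootca.pem to the Root store, so if caCertChain carries a full chain the intermediate CA also ends up in Trusted Root Certification Authorities, and re-running the script on a node imports the same certificate again. The script below is an added example, not code from this article or from the referenced tkg-zone repository: it splits the PEM bundle into individual certificates, places self-signed certificates in LocalMachine\Root and the rest in LocalMachine\CA, skips thumbprints that are already present, and fails if the first certificate in the bundle does not build a chain to a trusted root. The bundle path, treating subject == issuer as "root", disabling revocation checks (an air-gapped node cannot reach a CRL or OCSP responder) and stopping on the first error are assumptions of the example.

```powershell
# Added example, not the article's own addcert.ps1: import a PEM CA bundle into
# the correct LocalMachine stores idempotently and verify the result.
# Assumptions: the bundle lives at C:\k\rootca.pem (same path the ClusterClass
# patch writes), self-signed == root, no revocation checking (air-gapped node).
param(
    [string]$BundlePath = 'C:\k\rootca.pem'
)
$ErrorActionPreference = 'Stop'

# Split a PEM file into X509Certificate2 objects. A single-certificate file
# yields one object; a bundle yields one per CERTIFICATE block, in file order.
function Get-PemCertificates {
    param([string]$Path)
    $text = Get-Content -Path $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
    $found = [regex]::Matches($text, $pattern, 'Singleline')
    if ($found.Count -eq 0) { throw "No CERTIFICATE blocks found in $Path" }
    foreach ($m in $found) {
        $b64 = ($m.Groups[1].Value -replace '\s', '')
        $bytes = [Convert]::FromBase64String($b64)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    }
}

# Add a certificate to a LocalMachine store unless that thumbprint is already there,
# so the script can run more than once (node reboot, re-run of bootstrap) safely.
function Add-CertificateIfMissing {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$StoreName
    )
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        $existing = $store.Certificates.Find('FindByThumbprint', $Cert.Thumbprint, $false)
        if ($existing.Count -gt 0) {
            Write-Host "Already present in $StoreName`: $($Cert.Subject) ($($Cert.Thumbprint))"
        } else {
            $store.Add($Cert)
            Write-Host "Imported into $StoreName`: $($Cert.Subject) ($($Cert.Thumbprint))"
        }
    } finally {
        $store.Close()
    }
}

$certs = @(Get-PemCertificates -Path $BundlePath)
foreach ($cert in $certs) {
    # Self-signed (subject equals issuer) certificates are roots and belong in
    # Trusted Root Certification Authorities; anything else is an intermediate
    # and belongs in Intermediate Certification Authorities ("CA" store).
    if ($cert.Subject -eq $cert.Issuer) {
        Add-CertificateIfMissing -Cert $cert -StoreName 'Root'
    } else {
        Add-CertificateIfMissing -Cert $cert -StoreName 'CA'
    }
}

# Verification: the first certificate in the bundle must now chain to a trusted
# root using only what is in the machine stores. Revocation is not checked
# because an air-gapped node cannot reach a CRL distribution point or OCSP.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($certs[0])) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Certificate chain for $($certs[0].Subject) is not trusted: $status"
}
Write-Host "Chain for $($certs[0].Subject) validates against the LocalMachine stores."
```

To use it in the patch, replace the one-line content of C:\k\addcert.ps1 with this script (indented under content: |) and keep the preKubeadmCommands entry as powershell -ExecutionPolicy Bypass -File c:/k/addcert.ps1. Writing to the LocalMachine stores requires administrative rights on the node; when the script throws, the non-zero exit surfaces the problem in the bootstrap log instead of leaving a node that silently fails every image pull with a TLS error.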
NOTE - The configuration in this article has only been validated and tested on TKGm 2.5.x.
Then edit the workload Cluster object (still in the management cluster context) and add the caCertChain variable under spec.topology.variables, with the PEM-encoded CA certificate as its value:

kubectl edit cluster <workload-cluster-name>

For example:
- name: caCertChain
  value: |
    -----BEGIN CERTIFICATE-----
    MIIF xxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxxxxx
    xxxxxxxxxxxxxxxxxP5s=
    -----END CERTIFICATE-----
Reference for the overlays: https://github.com/jaimegag/tkg-zone/tree/main/windows