Add custom certificate to TKG class based clusters



Article ID: 373288


Updated On:

Products

VMware Tanzu Kubernetes Grid Management

Issue/Introduction

Tanzu Kubernetes Grid cluster provisioning fails with an image pull error in a proxied environment, that is, when the cluster reaches the internet through a proxy server.

Environment

TKG Version: 2.x
This applies to class-based clusters.

Cause

The proxy server does not allow the images to be downloaded from projects.registry.vmware.com, so cluster creation fails. For existing clusters, scaling or provisioning of new nodes does not complete either and eventually fails.

Resolution

When provisioning new clusters, configure your proxy server settings, and if the proxy uses a self-signed certificate, provide its CA certificate in base64-encoded form in the cluster configuration file, for example TKG_PROXY_CA_CERT: "LS0t[…]tLS0tLQ==".

Example:

VSPHERE_WORKER_NUM_CPUS: "8"
TKG_PROXY_CA_CERT: "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS.........."


For existing clusters, edit the Cluster object and add the custom certificate under spec.topology.variables: add a new variable entry named "trust" and, under its value, list the certificate under "additionalTrustedCAs:".

Example:

  topology:
    class: tkg-vsphere-default-v1.1.1
    controlPlane:
      metadata:
        annotations:
          run.tanzu.vmware.com/resolve-os-image: image-type=ova,os-name=ubuntu
      replicas: 1
    variables:
    - name: trust
      value:
        additionalTrustedCAs:
        - data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tL..........
          name: proxy
    - name: cni
      value: antrea
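As an added example (not code from the KB article or from TKG itself), the following Python helper performs the edit described above on a Cluster object loaded as a dict (for instance from the JSON output of kubectl get cluster), after checking that the supplied value decodes to a PEM certificate. The cluster and certificate values are constructed placeholders; the helper replaces an existing entry of the same name instead of duplicating it.

```python
import base64
import binascii
import copy

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def decode_ca_bundle(cert_b64: str) -> str:
    """Decode the base64 value used for TKG_PROXY_CA_CERT / additionalTrustedCAs
    and check that it is a PEM certificate; raise ValueError otherwise."""
    try:
        pem = base64.b64decode(cert_b64, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"value is not valid base64: {exc}") from exc
    if PEM_HEADER not in pem or PEM_FOOTER not in pem:
        raise ValueError("decoded value is not a PEM certificate (no BEGIN/END lines)")
    return pem


def add_trusted_ca(cluster: dict, ca_name: str, cert_b64: str) -> dict:
    """Return a copy of the Cluster object with cert_b64 registered under the
    'trust' topology variable as an additionalTrustedCAs entry named ca_name."""
    decode_ca_bundle(cert_b64)  # validate before touching the object
    cluster = copy.deepcopy(cluster)
    topology = cluster.setdefault("spec", {}).setdefault("topology", {})
    variables = topology.setdefault("variables", [])
    trust = next((v for v in variables if v.get("name") == "trust"), None)
    if trust is None:
        trust = {"name": "trust", "value": {}}
        variables.append(trust)
    if not isinstance(trust.get("value"), dict):  # tolerate 'value: null'
        trust["value"] = {}
    cas = trust["value"].setdefault("additionalTrustedCAs", [])
    entry = next((c for c in cas if c.get("name") == ca_name), None)
    if entry is None:
        cas.append({"name": ca_name, "data": cert_b64})
    else:
        entry["data"] = cert_b64  # same name: replace rather than duplicate
    return cluster


# Constructed sample input: a minimal class-based Cluster and a fake PEM body.
SAMPLE_CLUSTER = {"spec": {"topology": {"class": "tkg-vsphere-default-v1.1.1",
                                         "variables": [{"name": "cni", "value": "antrea"}]}}}
SAMPLE_PEM = f"{PEM_HEADER}\nMIIBszCCAVmgAwIBAgIUY2Fr\n{PEM_FOOTER}\n"
SAMPLE_CA_B64 = base64.b64encode(SAMPLE_PEM.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    import json
    print(json.dumps(add_trusted_ca(SAMPLE_CLUSTER, "proxy", SAMPLE_CA_B64), indent=2))
```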