• Managing a vSphere With Tanzu cluster workload cluster using a  Proxy Configuration Object with custom root/CA certificate is faling with error:

"This proxy has a custom root/CA certificate. This is only supported for Tanzu Kubernetes Grid Clusters and Attached Clusters are not supported for Tanzu Kubernetes Grid Service (TKGS) Clusters."

• The workload cluster was created using a TanzuKubernetesCluster (TKC) base cluster with on of the following Provisioning API :

VMware Tanzu Mission Control.

vSphere With Tanzu.

• Managing/Creating a vSphere With Tanzu workload cluster using a  Tanzu Mission Control Proxy Configuration Object that include a Custom CA certificates is not supported, if the workload cluster was created using a TanzuKubernetesCluster (TKC) base cluster  

Option 1:

• Set your Proxy Server to not use SSL inspection.
• Create the Tanzu Mission Control Proxy Configuration Object without  Custom root/CA certificate.
• Manage/Create the vSphere With Tanzu  TanzuKubernetesCluster (TKC) base cluster using the Proxy Configuration Object.

Option 2:

• Create a new vSphere With Tanzu  workload cluster with ClusterClass manifest with v1beta1 API
• Supported in vCenter 8+.
• Create the Tanzu Mission Control Proxy Configuration Object with Custom root/CA certificate.
• Manage/Create the vSphere With Tanzu workload cluster.

Note: Other operations where  Tanzu Mission Control Proxy Configuration Object with CA certificates are not supported:

• Registering a Supervisor in TMC for vSphere with Tanzu versions prior to vSphere 7.0.3.
• Lifecycle management of Tanzu Kubernetes Grid Service clusters running in vSphere with Tanzu versions prior to vSphere 8.

See Create a Proxy Configuration Object Doc