Scenario: TKGi administrator wrongly followed Rotate all CAs and leaf certificates.
bosh task ####
#> L Error: Action Failed get_task: Task 5bc40f88-839b-41c1-72a7-4e90bda2dcf8 result: 1 of 8 pre-start scripts failed. Failed Jobs: pks-nsx-t-prepare-master-vm. Successful Jobs: etcd, kube-apiserver, bpm, bosh-dns, ncp, pks-nsx-t-ncp, syslog_forwarder.
After kicking maestro regenerate ca/leaf --all, all of the credhub managed certs will be rotated correctly, excluding both tls-nsx-lb and tls-nsx-t certs.
Follow TKGi official document to rotate tls-nsx-lb and tls-nsx-t certs.
tkgi rotate-certs ${CLUSTER_NAME} --only-nsx
After that, the target k8s cluster status will be back to "running" by "tkgi clusters"
Please resume from "Step 5. Redeploy" and ensure completion through "Step 6" and "Step 7" in Rotate all CAs and leaf certificates.