Wrongly kicked "maestro regenerate ca/leaf --all" in TKGi

Article ID: 380235


Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

The TKGi official documentation states:

  • Never use maestro regenerate ca --all
  • Never use maestro regenerate leaf --all

Scenario: a TKGi administrator mistakenly followed the "Rotate all CAs and leaf certificates" procedure.

  • Steps 1, 2, 3 and 4 complete without error.
  • Step 5 (Redeploy): "APPLY CHANGES", or "APPLY CHANGES" with "Upgrade all clusters errand" unchecked followed by tkgi upgrade-cluster, fails with the following error:
bosh task ####
#> L Error: Action Failed get_task: Task 5bc40f88-839b-41c1-72a7-4e90bda2dcf8 result: 1 of 8 pre-start scripts failed. Failed Jobs: pks-nsx-t-prepare-master-vm. Successful Jobs: etcd, kube-apiserver, bpm, bosh-dns, ncp, pks-nsx-t-ncp, syslog_forwarder.
  • As a result, master/0 is left in the "stopped" state.
  • This KB assumes that TAS components are not running; only the basic TKGi components (BOSH, TKGi, Harbor) are running.

Environment

  • Tanzu Kubernetes Grid Integrated Edition
  • Tanzu Ops Manager v3.X

Cause

After maestro regenerate ca/leaf --all is run, all CredHub-managed certificates are rotated correctly except for the tls-nsx-lb and tls-nsx-t certificates.

Resolution

Follow the TKGi official documentation to rotate the tls-nsx-lb and tls-nsx-t certificates:

tkgi rotate-certs ${CLUSTER_NAME} --only-nsx

After that, the target Kubernetes cluster status returns to "running" in the output of "tkgi clusters".

Resume from "Step 5. Redeploy" and complete "Step 6" and "Step 7" of "Rotate all CAs and leaf certificates".
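As an added triage helper that is not part of this KB, the following POSIX shell script parses a saved "bosh task" error line, extracts the failed pre-start jobs, and prints the rotation command above only when the failure matches the pks-nsx-t-prepare-master-vm case described here. The sample text is constructed from the error quoted in this article, and the cluster name is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not from the KB: classify a bosh task error line and print
# the NSX-only certificate rotation command when this KB's failure matches.

# Constructed sample built from the error text quoted in the article
# (task id and job list are copied from the KB).
SAMPLE_TASK_OUTPUT='Error: Action Failed get_task: Task 5bc40f88-839b-41c1-72a7-4e90bda2dcf8 result: 1 of 8 pre-start scripts failed. Failed Jobs: pks-nsx-t-prepare-master-vm. Successful Jobs: etcd, kube-apiserver, bpm, bosh-dns, ncp, pks-nsx-t-ncp, syslog_forwarder.'

# failed_jobs TEXT: print the job names listed between "Failed Jobs:" and the
# "." that terminates that list, one per line; prints nothing if absent.
failed_jobs() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Failed Jobs: \([^.]*\)\..*/\1/p' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$'
}

# nsx_cert_failure TEXT: succeed (exit 0) only when the failed job is the one
# this KB attributes to un-rotated tls-nsx-lb / tls-nsx-t certificates.
nsx_cert_failure() {
  failed_jobs "$1" | grep -qx 'pks-nsx-t-prepare-master-vm'
}

# remediation CLUSTER TEXT: print the KB's command for the NSX case, otherwise
# a comment line listing the failed jobs so the operator looks elsewhere.
remediation() {
  cluster="$1"
  task_output="$2"
  if nsx_cert_failure "$task_output"; then
    printf 'tkgi rotate-certs %s --only-nsx\n' "$cluster"
  else
    printf '# failed jobs: %s (not the tls-nsx case covered by this KB)\n' \
      "$(failed_jobs "$task_output" | paste -sd, -)"
  fi
}

# Stand-alone run against the constructed sample; CLUSTER_NAME is a placeholder.
remediation "${CLUSTER_NAME:-example-cluster}" "$SAMPLE_TASK_OUTPUT"
```

Feed it the real task output with `bosh task <id> --result` saved to a file and substituted for the sample, and it becomes a quick check across several clusters.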