TCA 3.x - CSI Storage plugin does not trust vCenter

Article ID: 381989


Products

VMware Telco Cloud Automation

Issue/Introduction

The insecure flag is removed from vsphere-config-secret after a new workload cluster is created.

"Error at vsphere-csi-controller- tls: failed to verify certificate: x509: certificate signed by unknown authority"

Environment

3.1 

Cause

The insecure flag in vsphere-config-secret should be set according to the config/secret on the management cluster. In standard legacy/classy clusters, this issue is observed when self-signed certificates are used.

TCA always assumes that the vCenter certificate/thumbprint should be trusted, so the tca-kubecluster-operator pod changes this config and sets the thumbprint in vspherecsiconfig. This happens, for example, when the vCenter password is changed from TCA, when the management cluster is upgraded, or on a new workload cluster.

Resolution

We recommend using Certificate Authority (CA) signed certificates, as self-signed certificates are not automatically trusted by other systems and require manual configuration to establish trust.

Workaround:

- For testing environments where a Certificate Authority is not necessary, update the VSphereCSIConfig CR on the management cluster: remove the thumbprint and set insecureFlag:true.

Example:

NOTE: Any changes to management cluster, workload cluster or changes to vcenter certs would need the workaround to be applied.
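
Because the workaround is overwritten by those changes, it helps to check which trust mode each VSphereCSIConfig CR is currently in. The following is an added example, not VMware or TCA code: it assumes the settings live under `spec.vsphereCSI.config` with the thumbprint in a `tlsThumbprint` field, and the function names, cluster names and thumbprint value are constructed for illustration.

```python
import json

# Constructed sample shaped like `kubectl get vspherecsiconfig -A -o json`
# on the management cluster; cluster names and thumbprint are made up.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "wc-test", "name": "wc-test"},
     "spec": {"vsphereCSI": {"config": {"insecureFlag": True}}}},
    {"metadata": {"namespace": "wc-new", "name": "wc-new"},
     "spec": {"vsphereCSI": {"config": {
         "insecureFlag": False, "tlsThumbprint": "AA:BB:CC:00:11:22"}}}},
    {"metadata": {"namespace": "wc-prod", "name": "wc-prod"},
     "spec": {"vsphereCSI": {"config": {}}}},
]})


def trust_mode(cr):
    """Classify how the CSI plugin will validate the vCenter certificate."""
    cfg = cr.get("spec", {}).get("vsphereCSI", {}).get("config") or {}
    insecure = str(cfg.get("insecureFlag", False)).lower() == "true"
    thumbprint = (cfg.get("tlsThumbprint") or "").strip()
    if insecure and thumbprint:
        return "partial"       # workaround half-applied: thumbprint still set
    if insecure:
        return "insecure"      # workaround in place, TLS verification off
    if thumbprint:
        return "thumbprint"    # pinned thumbprint, as the operator writes it
    return "ca"                # relies on a CA-signed, trusted certificate


def audit(kubectl_json, expected):
    """Return {namespace/name: (mode, matches_expected)} for every CR.

    expected maps namespace/name to the intended mode; clusters not listed
    are expected to be "ca", the configuration the article recommends.
    """
    report = {}
    for cr in json.loads(kubectl_json).get("items", []):
        meta = cr.get("metadata", {})
        key = f"{meta.get('namespace')}/{meta.get('name')}"
        mode = trust_mode(cr)
        report[key] = (mode, mode == expected.get(key, "ca"))
    return report


if __name__ == "__main__":
    want = {"wc-test/wc-test": "insecure", "wc-new/wc-new": "insecure"}
    for key, (mode, ok) in audit(SAMPLE, want).items():
        print(f"{key}: {mode} {'ok' if ok else 'DRIFT - reapply or fix'}")
```

Listing only test clusters in `expected` means any production cluster that ends up with `insecureFlag` enabled is reported as drift as well.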