AVI Controller Certificate not updated after updating avi-controller-ca secret in TKG

Article ID: 386945

Updated On: 07-07-2025

Products

Tanzu Kubernetes Runtime

Issue/Introduction

The AVI Controller CA has been updated by patching the avi-controller-ca secret, as per the docs on how to modify the Avi Controller Certificates.

However, the new CA is not reflected in the AVI components, and the ako and ako-operator show that they can't connect to the AVI Controller due to an unknown certificate authority.

avisession.go:666] Client error for URI: login. Error: Post "https://<AVI Controller>/login": tls: failed to verify certificate: x509: certificate signed by unknown authority 

Environment

TKGm 2.5

Resolution

  1. Update the tkg-pkg-tkg-system-addon secret with the new certificate. First, decode the secret's current tkgpackagevalues.yaml to a local file:
    kubectl get secret -n tkg-system tkg-pkg-tkg-system-addon -o jsonpath='{.data.tkgpackagevalues\.yaml}' | base64 -d > tkgpackagevalues.yaml

  2. Update CA in tkgpackagevalues.yaml

  3. Encode the updated tkgpackagevalues.yaml
    cat tkgpackagevalues.yaml | base64 -w 0

  4. Update the tkg-pkg-tkg-system-addon secret with the encoded contents of tkgpackagevalues.yaml
    kubectl edit secret -n tkg-system tkg-pkg-tkg-system-addon
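
Two checks that bracket the procedure above, as an added example that is not part of the original article: one confirms the new CA actually verifies the controller's certificate before it is pasted in, the other confirms the secret holds exactly the edited file after step 4. AVI_HOST and new-ca.pem are placeholder names, and the controller is assumed to listen on port 443.

```shell
#!/bin/sh
# Added example (not from the original article). AVI_HOST and new-ca.pem are
# placeholders for your controller hostname and the new CA certificate file.

# Before step 2: succeed only if the controller's serving certificate chain
# verifies against the CA in file $1. This is the check that fails in the AKO
# log when the CA is unknown. Requires openssl and network access to host $2.
ca_trusts_controller() {
  openssl s_client -connect "$2:443" -CAfile "$1" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

# After step 4: read the secret's stored base64 value on stdin and succeed only
# if it decodes to exactly the bytes of the edited local file $1.
# Returns 2 if the local file is unreadable, non-zero on any mismatch.
secret_matches_file() {
  [ -r "$1" ] || return 2
  base64 -d 2>/dev/null | cmp -s - "$1"
}

# Usage (commented out so the file can be sourced safely):
# ca_trusts_controller new-ca.pem "$AVI_HOST" \
#   || echo "new CA does not verify the controller certificate"
# kubectl get secret -n tkg-system tkg-pkg-tkg-system-addon \
#   -o jsonpath='{.data.tkgpackagevalues\.yaml}' \
#   | secret_matches_file tkgpackagevalues.yaml \
#   && echo "secret matches edited file"
```

A mismatch after step 4 usually means the pasted base64 value was truncated or an older copy of the file was encoded.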