The TKGI 1.20 and 1.21 documentation describes a new feature: https://techdocs.broadcom.com/us/en/vmware-tanzu/standalone-components/tanzu-kubernetes-grid-integrated-edition/1-21/tkgi/docker-custom-ca-certs.html
Use the tkgi CLI to Configure Registry Access
The easiest way to configure private registry access for a new or existing TKGI cluster is by passing a registry configuration file to the --private-registries option of the tkgi create-cluster or tkgi update-cluster command.
However, it was discovered that after the first successful update using the above method, any further modifications to the configured mirrors are not reflected on the cluster. The update-cluster command completes without error, but worker nodes are not updated.
TKGI 1.20
TKGI 1.21
An issue has been discovered in which, while the changes are processed, the manifest is not populated with the updated settings.
A fix for the problem is in progress. If you have already applied a private registry configuration to your cluster and need to modify it, please contact support for assistance.
https://techdocs.broadcom.com/us/en/vmware-tanzu/standalone-components/tanzu-kubernetes-grid-integrated-edition/1-21/tkgi/docker-custom-ca-certs.html