Renewing the expired AVI Cert used for TKGm
2.5.4
AVI certificate has been rotated
Modify the Avi Controller Certificates
In Tanzu Kubernetes Grid (TKG), the Avi Kubernetes Operator (AKO) component manages the Avi Controller certificate that clusters use to access Avi Load Balancer. The Avi Controller certificate periodically expires and must be rotated. After the Avi Controller certificate has been rotated in Avi itself, update the certificate in AKO so that clusters can continue accessing Avi Load Balancer:
Ensure that a current certificate exists in Avi Controller.
Re-encode the Avi Controller certificate data into a base64-encoded string:
    cat avi-certificate.crt | base64 -w 0
Patch the certificate secret with the new string:
    kubectl patch secret/avi-controller-ca -n tkg-system-networking -p '{"data": {"certificateAuthorityData": "<base64 encoded string>"}}'
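Added example (not part of the original article): the three steps above wrapped in a shell function that refuses to push an unparsable or expired certificate, then reads the secret back and compares SHA-256 fingerprints. The function names are illustrative, and it assumes avi-certificate.crt is the PEM certificate exported from the Avi Controller and that GNU base64, openssl and kubectl are on the PATH.

```bash
# Added example: the documented steps with a pre-check and a read-back check.
# Function names are illustrative; secret and namespace are the ones used above.
NS=tkg-system-networking
SECRET=avi-controller-ca

# Step 2: single-line base64 of the PEM file (-w 0 disables line wrapping).
encode_cert() { base64 -w 0 < "$1"; }

# Step 3: JSON patch body carrying the encoded certificate.
build_patch() {
  printf '{"data": {"certificateAuthorityData": "%s"}}' "$1"
}

# Step 1 (local side): fails if the file is not a parsable X.509 certificate
# or if its notAfter date has already passed.
cert_is_current() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM certificate read from stdin.
fingerprint() { openssl x509 -noout -fingerprint -sha256; }

rotate_avi_ca() {
  local crt=$1 b64 want got
  cert_is_current "$crt" || {
    echo "refusing: $crt is not a valid, unexpired certificate" >&2
    return 1
  }
  b64=$(encode_cert "$crt")
  kubectl patch "secret/$SECRET" -n "$NS" -p "$(build_patch "$b64")" || return 1
  # Read the secret back and confirm it holds the certificate we intended.
  want=$(fingerprint < "$crt")
  got=$(kubectl get secret "$SECRET" -n "$NS" \
        -o jsonpath='{.data.certificateAuthorityData}' | base64 -d | fingerprint)
  [ "$want" = "$got" ] || { echo "secret does not match $crt" >&2; return 1; }
  echo "updated $SECRET: $want"
}

# Usage: rotate_avi_ca avi-certificate.crt
```

The read-back comparison only confirms what is stored in the secret; it does not show whether ako or ako-operator have picked up the new CA.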
If the new CA is not reflected in the AVI components, and the ako and ako-operator show that they can't connect to the AVI Controller due to an unknown certificate authority.
1. AVI Controller Certificate not updated after updating avi-controller-ca secret in TKG
2. Modify the Avi Controller Certificates