Updating the private image repository CA certificate for existing class-based clusters in TKGm 2.5x

Article ID: 412025


Products

VMware vSphere Kubernetes Service

Issue/Introduction

Customers running class-based clusters in TKGm 2.5x need to update the private image repository CA certificate.

A KB article already exists for updating the private image repository CA certificate on existing legacy clusters.

However, the steps to update the private image repository CA certificate for existing class-based clusters in TKGm 2.5x are not well documented in the knowledge base.

Environment

Class-based clusters on TKGm 2.5x using Kubernetes version 1.28 and above

Cause

Class-based clusters use a different mechanism than legacy clusters to update the private image repository CA certificate.

Instead of manually editing multiple cluster-related objects, only the Cluster object is edited. Objects such as KubeadmConfigTemplate, KubeadmControlPlane and MachineDeployment are all owned by the cluster and are reconciled after the cluster is edited.

Resolution

Using the management cluster context:

1. Back up the workload cluster YAML definition

kubectl get cluster <cluster name> -n <cluster namespace> -o yaml > <cluster name>-backup.yaml

2. Convert the newly generated certificate to a base64-encoded string


cat <certificate-file-name>  | base64 -w0


3. Edit the cluster YAML, replacing the existing additionalTrustedCAs data value with the base64-encoded string from the previous step.


kubectl edit cluster <cluster name> -n <cluster namespace>


    - name: trust
      value:
        additionalTrustedCAs:
        - data: < replace with base64 encoded cert  >
          name: imageRepository

4. On the workload cluster, check that the nodes have rotated and that pods are running correctly and using the image repository.
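
A way to check the value produced in step 2 and the value stored after step 3, before waiting for the node rollout. This is an added example, not part of the original article or of TKG; the function names are illustrative, and it assumes the Cluster YAML stores the value in the layout shown in step 3.

```shell
#!/bin/sh
# Added example: checks around steps 2 and 3. Function names are illustrative,
# not part of TKG or kubectl. Assumes GNU base64 (-w0), as used in step 2.

# Step 2 with checks: print the single-line base64 of a PEM CA file.
encode_ca() (
  pem=$1
  grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
    { echo "no PEM header in $pem" >&2; exit 1; }
  grep -q -- '-----END CERTIFICATE-----' "$pem" ||
    { echo "PEM looks truncated: $pem" >&2; exit 1; }
  base64 -w0 < "$pem"
)

# Optional, needs openssl: print subject and expiry, fail if already expired.
ca_summary() {
  openssl x509 -in "$1" -noout -subject -enddate -checkend 0
}

# Read the imageRepository data value from a Cluster YAML laid out as in
# step 3: a "- data:" line followed by "name: imageRepository".
trust_data_from_yaml() {
  awk '
    /additionalTrustedCAs:/ { in_ca = 1; next }
    in_ca && /^[ \t]*-[ \t]*data:/ {
      sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); data = $0; next
    }
    in_ca && /name:[ \t]*imageRepository/ { print data; exit }
  ' "$1"
}

# Succeed only if the value stored in the YAML decodes to exactly the PEM file.
# Fails for a pasted raw PEM, a leftover placeholder or a double-encoded value.
verify_trust_data() (
  data=$(trust_data_from_yaml "$1")
  [ -n "$data" ] || { echo "no imageRepository data in $1" >&2; exit 1; }
  printf '%s' "$data" | base64 -d 2>/dev/null | cmp -s - "$2" ||
    { echo "data in $1 does not decode to $2" >&2; exit 1; }
)

# Usage (file names are placeholders):
#   encode_ca ca.crt                 # value to paste in step 3
#   verify_trust_data cluster-after-edit.yaml ca.crt
```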