CA Cluster IssuerReconcileFailed due to missing ytt variables

Article ID: 416664

Products

VMware vSphere Kubernetes Service

Issue/Introduction

During the installation or configuration of the CA Cluster Issuer Supervisor Service, the deployment fails with a ReconcileFailed status. The Config Status modal reports the following error:

Reason: ReconcileFailed. Message: ytt: Error: - struct has no .tls_crt field or method in <toplevel> ca-clusterissuer-config.yml:8 | tls.crt: #@ data.values.tls_crt

Cause

This issue is a standard ytt (YAML Templating Tool) validation error. The Supervisor Service uses ytt to render Kubernetes manifests based on user-provided inputs.

As seen in similar Tanzu ecosystem failures (e.g., Tanzu CLI management cluster creation), if a parameter referenced in an overlay or configuration template (in this case, tls_crt) is missing from the input YAML, the data.values struct fails to initialize that field. The CA Cluster Issuer requires these fields to be explicitly defined to generate the underlying Secret and ClusterIssuer resources.

Resolution

To resolve this, you must manually inject the missing parameters into the Service's configuration using base64-encoded strings.

1. Prepare the Base64 Strings: Run the following commands to convert your certificate and key into the required one-line format on the supervisor CPVM or vCenter server.

  1. Certificate: cat CA_certificate_example.pem | base64 -w0

  2. Private Key: cat CA_certificate_key.pem | base64 -w0

2. Update Service Configuration

  1. Navigate to Supervisor Services > CA Cluster Issuer > Configure.

  2. Select Manage to open the configuration wizard.

  3. In the Optional Values section, add the following keys using the strings generated above:

tls_crt: "<BASE64_CERTIFICATE_STRING>"
tls_key: "<BASE64_KEY_STRING>"

  4. Click Finish.
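
The encoding step above as a small script, added here as an example and not part of the original article: it checks that each file carries the expected PEM label before encoding, so a swapped certificate and key are caught before the values reach the wizard. The function names and the accepted private-key labels are assumptions; the file names are the article's placeholders.

```shell
#!/usr/bin/env bash
# Added example: build the Optional Values for the CA Cluster Issuer service.
# Function names are hypothetical; file names are the article's placeholders.

# Print the PEM label of the first block in a file, e.g. "CERTIFICATE".
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Base64-encode a PEM file on one line (base64 -w0) after checking its label.
# $1 = file, $2 = extended regex the PEM label must match
encode_pem() {
    local file=$1 want=$2 label
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    label=$(pem_label "$file")
    if ! printf '%s' "$label" | grep -Eq "^(${want})\$"; then
        echo "$file: expected PEM label '$want', found '${label:-none}'" >&2
        return 1
    fi
    base64 -w0 < "$file"
}

# Emit the tls_crt and tls_key keys from the article.
# Assumption: the key file uses a PKCS#8, RSA or EC private-key label.
render_values() {
    local crt key
    crt=$(encode_pem "$1" 'CERTIFICATE') || return 1
    key=$(encode_pem "$2" '(RSA |EC )?PRIVATE KEY') || return 1
    printf 'tls_crt: "%s"\ntls_key: "%s"\n' "$crt" "$key"
}

# Usage; the output contains the private key, so restrict its permissions:
#   (umask 077; render_values CA_certificate_example.pem CA_certificate_key.pem > values.yml)
```

The label check is structural only; it does not confirm that the key belongs to the certificate.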