Running tkgi get-kubeconfig returns old pks-api certificates
Article ID: 428406

Products

VMware Tanzu Kubernetes Grid Integrated Edition

Issue/Introduction

Running tkgi get-kubeconfig <cluster> against one of your TKGI clusters will generate an entry for the cluster in ~/.kube/config.

When you look at this entry, it will contain a section "idp-certificate-authority-data". This certificate should match your TKGI API Certificate. If there is a mismatch, this can cause kubectl commands to fail with:

tls: failed to verify certificate: x509: certificate signed by unknown authority

Environment

TKGI

Cause

This is caused by a mismatch between the certificate that is retrieved when you run tkgi get-kubeconfig, and the certificate configured in the TKGI API section of the tile config.

To validate that the two are different:

  1. Take note of the certificate in TKGI tile -> TKGI API -> Certificate to secure the TKGI API
  2. In the location where you ran tkgi get-kubeconfig, open the file ~/.kube/config 
  3. Retrieve the base64-encoded certificate in idp-certificate-authority-data
  4. Decode it with echo "<entry>" | base64 --decode

This should show a mismatch between the two certificates.
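The comparison in steps 2 to 4 can be scripted. The following is an added example, not part of this article: it pulls idp-certificate-authority-data out of a kubeconfig, base64-decodes it, and compares SHA-256 fingerprints of the DER bytes against the certificate taken from the tile. The function names and the two stand-in "certificates" are constructed for the example and are not real certificates.

```python
import base64
import hashlib
import re

# Matches each certificate body inside a PEM bundle.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def kubeconfig_idp_ca(kubeconfig_text):
    """Return the decoded idp-certificate-authority-data from a kubeconfig.
    The value is base64-encoded (not encrypted); decoding yields PEM text."""
    m = re.search(r"idp-certificate-authority-data:\s*(\S+)", kubeconfig_text)
    if not m:
        raise ValueError("no idp-certificate-authority-data entry found")
    return base64.b64decode(m.group(1))


def pem_fingerprints(pem_bytes):
    """SHA-256 fingerprints (hex) of every certificate in a PEM bundle."""
    fps = []
    for body in PEM_RE.findall(pem_bytes.decode()):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def matches_tile_cert(kubeconfig_text, tile_cert_pem):
    """True only if the kubeconfig's IdP CA is exactly the tile's certificate."""
    kube_fps = pem_fingerprints(kubeconfig_idp_ca(kubeconfig_text))
    tile_fps = pem_fingerprints(tile_cert_pem)
    return bool(kube_fps) and set(kube_fps) == set(tile_fps)


def _fake_pem(label):
    # Constructed stand-in: distinct bytes wrapped in PEM armour, not a real cert.
    body = base64.b64encode(b"CONSTRUCTED-DER-" + label).decode()
    return (b"-----BEGIN CERTIFICATE-----\n" + body.encode()
            + b"\n-----END CERTIFICATE-----\n")


OLD_CERT = _fake_pem(b"old")   # what a stale kubeconfig still carries
NEW_CERT = _fake_pem(b"new")   # what the tile is now configured with

# Constructed kubeconfig fragment carrying the old certificate.
SAMPLE_KUBECONFIG = (
    "users:\n- name: cluster-1\n  user:\n    auth-provider:\n      config:\n"
    "        idp-certificate-authority-data: "
    + base64.b64encode(OLD_CERT).decode() + "\n"
)

if __name__ == "__main__":
    print("matches tile cert:", matches_tile_cert(SAMPLE_KUBECONFIG, NEW_CERT))
```

With a real kubeconfig and the PEM copied from the tile, a False result confirms the mismatch described above.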

Resolution

As there is a mismatch in the certs, the cluster needs to be updated with the new certificate. This can be accomplished by:

  1. Run an Apply Changes against the TKGI tile.
  2. Run tkgi upgrade cluster <cluster> against the cluster.
  3. Re-run tkgi get-kubeconfig <cluster>