The default kubeconfig file in a VMware vSphere with Tanzu Guest Kubernetes Cluster contains a token which expires after ten hours by default and results in a warning message. To avoid the warning, work with your Kubernetes infrastructure administrator to generate a valid Tanzu Kubernetes Cluster configuration file with a non-expiring token that you can use during the NSX Application Platform deployment.

When the token in the default kubeconfig file expires, you see the following warning message in the NSX Manager UI for the NSX Application Platform.

Unable to connect, system has encountered a connectivity issue due to the expiry of Kubernetes Configuration. Update the Kubernetes Configuration to resolve.

The warning does not have an impact on the functionality of the NSX Application Platform nor any of the NSX security features currently activated. However, if you do not replace the default token ten hours after an NSX Application Platform deployment on the Tanzu Guest Kubernetes Cluster, you must generate a valid (not expired) token every time you perform the following operations:
  • Deploy the NSX Application Platform
  • Upgrade the NSX Application Platform
  • Delete the NSX Application Platform

To generate a Tanzu Kubernetes Cluster configuration file with a non-expiring token that you can use during the NSX Application Platform deployment, work with your Kubernetes infrastructure administrator using the following procedure.

Procedure

  1. Log in the vSphere with Tanzu Guest Kubernetes cluster using the following command. 
    kubectl vsphere login --server <supervisor-cluster_ip> -u <user> --tanzu-kubernetes-cluster-name <tk-cluster-name> --tanzu-kubernetes-cluster-namespace <namespace>
    The parameters are as follows:
    • <supervisor-cluster_ip> is the Control Plane Node Address which can be found in the vSphere Client by selecting Workload Management > Supervisor Cluster.
    • <user> is the account that has administrator access to the Tanzu Kubernetes cluster.
    • <tk-cluster-name> is the name of the Tanzu Kubernetes cluster.
    • <namespace> is the vSphere namespace where this cluster resides.
    For example, 
    kubectl vsphere login --server 192.111.33.22 -u administrator@vsphere.local --tanzu-kubernetes-cluster-name napp-tkg-cluster --tanzu-kubernetes-cluster-namespace napp
  2. Run each of the following commands separately to generate an administrator service account and create a cluster role binding. 
    kubectl create serviceaccount napp-admin -n kube-system

kubectl create clusterrolebinding napp-admin --serviceaccount=kube-system:napp-admin --clusterrole=cluster-admin
  3. To obtain the authentication token for the administrator service account and the cluster certificate authority, run the following commands separately. 
    SECRET=$(kubectl get serviceaccount napp-admin -n kube-system -ojsonpath='{.secrets[].name}')

TOKEN=$(kubectl get secret $SECRET -n kube-system -ojsonpath='{.data.token}' | base64 -d)

kubectl get secrets $SECRET -n kube-system -o jsonpath='{.data.ca\.crt}' | base64 -d > ./ca.crt
  4. Get the Tanzu Kubernetes Cluster URL. Run the following commands separately at the command prompt. 
    CONTEXT=$(kubectl config view -o jsonpath='{.current-context}')

CLUSTER=$(kubectl config view -o jsonpath='{.contexts[?(@.name == "'"$CONTEXT"'")].context.cluster}')

URL=$(kubectl config view -o jsonpath='{.clusters[?(@.name == "'"$CLUSTER"'")].cluster.server}')
  5. Generate a configuration file, with a non-expiring token, for the Tanzu Kubernetes Cluster. 
    TO_BE_CREATED_KUBECONFIG_FILE="<file-name>"

    The parameter <file-name> is the name of kubeconfig file you are trying to create.

    kubectl config --kubeconfig=$TO_BE_CREATED_KUBECONFIG_FILE set-cluster $CLUSTER --server=$URL --certificate-authority=./ca.crt --embed-certs=true

kubectl config --kubeconfig=$TO_BE_CREATED_KUBECONFIG_FILE set-credentials napp-admin --token=$TOKEN 

kubectl config --kubeconfig=$TO_BE_CREATED_KUBECONFIG_FILE set-context $CONTEXT --cluster=$CLUSTER --user=napp-admin

kubectl config --kubeconfig=$TO_BE_CREATED_KUBECONFIG_FILE use-context $CONTEXT
  6. (Optional) Delete the ca.crt, which is a temporary file created during the generation of the new kubeconfig file.
  7. Use the newly generated kubeconfig file during the NSX Application Platform deployment.