After you deploy NSX Application Platform, you can change your expired proxy certificate or replace an existing proxy certificate with a new one.
Prerequisites
- Verify that you have an NSX Application Platform deployment with a private Harbor certificate. See Run the NSX Application Platform Automation Appliance Deployment Wizard.
- Make sure that the new self-signed certificate of the proxy server is added in NSX for the HTTPS proxy. See the Replace Certificates topic in the Certificates section of the NSX Administration Guide, which is delivered with the VMware NSX Documentation set.
- Ensure that the proxy settings are updated with the new certificate. See the Configure Proxy Settings topic in the Operations and Management section of the NSX Administration Guide, which is delivered with the VMware NSX Documentation set.
Procedure
- Verify that the NSX Application Platform proxy server settings are updated.
- Log in to the NSX Manager CLI as a root user.
- Check the proxy server configuration in the secrets file.
napp-k get secrets platform-proxies --template={{.data.proxies}} | base64 --decode

Example output:
{
  "hostName": "proxy.nsbucqesystem.net",
  "port": 3129,
  "userName": "admin",
  "password": "<password>",
  "scheme": "https",
  "certificate": "-----BEGIN CERTIFICATE-----\nMIIGYTCCBEmgAwIBAgIUTTeT/2aHozy1mO+Djh9xW3DOcuQwDQYJKoZIhvcNAQEL\nBQAwajEgMB4GA1UEAwwXcHJveHkubnNidWNxZXN5c3RlbS5uZXQxCzAJBgNVBAYT\nAklOMQswCQYDVQQIDAJNSDENMAsGA1UEBwwEUHVuZTEPMA0GA1UECgwGVk13YXJl\nMQwwCgYDVQQLDANBTlMwHhcNMjQwMjE0MTAzODQwWhcNMjYwMjEzMTAzODQwWjBq\nMSAwHgYDVQQDDBdwcm94eS5uc2J1Y3Flc3lzdGVtLm5ldDELMAkGA1UEBhMCSU4x\nCzAJBgNVBAgMAk1IMQ0wCwYDVQQHDARQdW5lMQ8wDQYDVQQKDAZWTXdhcmUxDDAK\nBgNVBAsMA0FOUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKRBi1pn\ndQQVpt/M3IF6XbynK+7/tLoACnLheUHn9H+AD+t5H9uBoJj7B4CDMSERVUQJnwNF\nvjl/rYA8FqWHWZ4FKXkcUiL3Oev0gbkynJPIDgCoY0rNHBkQn4dAqsWIw0tfbEfG\n2OX19XOQDHZIiOxxxyhy0TLlVTUdWSPd3zNxt8tCNM+A/qTHgNIflhn84llhrUtR\nnnQw0phrlIzLmbF464zp4LyIpV6kxXdoKZD6ou7uTHn16zbhtSVqDECMAmbrRKXR\nq2eu/lMdEmHOGYbIiR4GjeV0iDewkgGvdRj4PouIeGO9NHDAEo5O6QVRxv6Oss3V\nSzr4SWbp1Z2P4NLbS0Be3LowP2+dnkouhFjYUNwnM52XIhrFu8fY6rZo/xEdq9Gp\nUX8C60OYUGD0f6xGpdPVacLBijgZLsSJZxqzUVb9QRhL8xQPLu1qzALbZoX1G9Nb\nvZKPEUnUifZGZy2ORVTTpYX4cHHCmB005eo3ywG7NkmWm8q/IJtXCKViIqZ3Wafh\n6z1o3xvswUn79KOW2HZQf+3JqAm+IS13afsExu7uixvSK/uEVF7ClfM/uE+tWFvY\nYEjZpZlgQBf35WIhPShQo88ajZEG3dKNZkSrKgFDpIWpYWKc49oQqol8sz9pYs+J\n0kh1/e7eRlaOqwPGzlP1nrI/WN/LLjwRZQXFAgMBAAGjgf4wgfswgZEGA1UdIwSB\niTCBhqFupGwwajEgMB4GA1UEAwwXcHJveHkubnNidWNxZXN5c3RlbS5uZXQxCzAJ\nBgNVBAYTAklOMQswCQYDVQQIDAJNSDENMAsGA1UEBwwEUHVuZTEPMA0GA1UECgwG\nVk13YXJlMQwwCgYDVQQLDANBTlOCFE03k/9mh6M8tZjvg44fcVtwznLkMAkGA1Ud\nEwQCMAAwCwYDVR0PBAQDAgTwMC4GA1UdEQQnMCWCF3Byb3h5Lm5zYnVjcWVzeXN0\nZW0ubmV0hwQUFAAHhwQKrE7ZMB0GA1UdDgQWBBS3eoRDmK0pJW0APVuAsDg2GMvI\nnTANBgkqhkiG9w0BAQsFAAOCAgEAn5Xz/HU+n9oc6I3A01Y3/XgAgXjQRORg7U3z\nm4nAd/tKQ0Ypo7HqIhJO3uP6U7RQ2NMGYhhdgjY9jHQbmKLqoTLIkiQULd8tZ3Oy\nE3KLhzq7BNtMvKmqhJM8eVdUYB6DuLn01zJo+gDjjNeoC6ZNegqdQgucN91p4IFE\ndZPbYmmKZVsVIqTd25+E6WyhivmG6mnwFV3vkrto82Joc1KMFPeXEUNcFliyrTOn\nD6t1VfodWfqClp0m7XWmD7A2OotfKKFKJQ2f8fV1TQcPAIrA5bVsC1EqowFv0SJT\nhh72ATio8nnltUOukcCDBSVjgNDqqI0Qr7tlTqrngdiCjsyYLIX2vOfMhY/USyud\nlpfwJuBMWlFTapoP8cMRsv/fm7chIFF4oIajH49O8DMkBeH1/uOY74mtiK7OGQpf\nmBvnKuCVqqo9rPaAumyxBRB5mHi7zoWCPTBywCMMnPqhmwMXi2xX+uVxic+GbNof\nGP/UyB0kt/S5bvR0fQSWUGEMg1+4LdKgRpuJx9+YfcCP/expLQaBtpgDVWtzKTQR\nVmi1DdIfomZNVi0UJsU9jsOXNW702nm2sfayLhz2xHzA8ysy5k08/krZuOT2H5bQ\n9tCSeFnmmkTjMTPlWgb6iY2SUF0YAK8lO3Q0OJ7XQTOUhIfi4Ea97aB3prFLk7Aq\npadO6SE\u003d\n-----END CERTIFICATE-----",
  "opType": "UPDATE"
}
- Check the proxy server configuration in the cluster-api pod.
root@nsx-mgr-1:~# napp-k get pods | grep cluster-api
cluster-api-868c49c755-8ps7t   2/2   Running   4 (20h ago)   20h

Command:
napp-k exec -it <cluster-api-pod-name> -c cluster-api cat /config/proxy-config.json

Example:
napp-k exec -it cluster-api-868c49c755-8ps7t -c cluster-api cat /config/proxy-config.json
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
{"hostName":"proxy.nsbucqesystem.net","port":3130,"userName":"admin","password":"<password>","scheme":"https","certificate":"-----BEGIN CERTIFICATE-----\nMIIDNTCCAh2gAwIBAgIULG9b6RafAj7qEPOo1j3puz9d1xYwDQYJKoZIhvcNAQEL\nBQAwKDESMBAGA1UEAwwJbWl0bXByb3h5MRIwEAYDVQQKDAltaXRtcHJveHkwHhcN\nMjQwMjEzMDkwNDQ1WhcNMzQwMjEyMDkwNDQ1WjAoMRIwEAYDVQQDDAltaXRtcHJv\neHkxEjAQBgNVBAoMCW1pdG1wcm94eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\nAQoCggEBAN8OrW/Wn7wPJ6z3pc0XAwA0kRA2rtntOX/BQ7vReqMRxEjP3PJpT6kB\nXtUXyjWNBHcZOADD6IrgvaT0WdIzDAhDdQuILKh7iuBPGb3aVT/B6l8W+AI3nP6u\nEKVqnvxyXoPzg8dM/muhfHw1JMdu61g/T8407WwEx0OrwH5TxKD+rkWC7TDbtB+h\n1RdXAuGvTJ4G6oIqnSNJIF8vM2LQIpumTR9R6xr5ure6xEwZizd/boG2StU5xuQV\nvpWtJKRbii+N8kLOulYQpqAeST8sJTJaW4YeNxnl77IdTX7EGp+b+8IvkmG1jrwp\nM3ucTgnaYK9AyMwEGYRp6UPZNkISe28CAwEAAaNXMFUwDwYDVR0TAQH/BAUwAwEB\n/zATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE\nFI7m8W4RR2fFKDTSauqa4keaoXYmMA0GCSqGSIb3DQEBCwUAA4IBAQDLwx3rWCER\nevq5W1lTWzUU3P/6p0DgTCS1gpd4mGvvOi5xmlt3D4VC9KT3ytEMwoRwXASM6WUb\n+lcXGrkExnVOH2AQ/A+2fElFBwxtd4A+EjJAVIBYrgdNbGm8kQ9qEnd0IEA08nYh\n5qOvRlsog4+eiyOtoOz9a4csn0Lpl9UNv9SpGuBjVpmrWD6L0D6qS+vWQtLo0sPX\n2msbRkPy1l5rgp5CNadlB0CGM9B3bdr5y2D89ZO//2YzIaypV6/6eJeURwi5nwmn\npn6i9H62wCdPgyCNJuTiQwxW0WLAnnRWHTV4g58M0Ze644ndLtB06evzX+qe+Znh\nx91Kh6I8Jam6\n-----END CERTIFICATE-----","opType":"UPDATE"}

The DEPRECATED line is only a kubectl warning about the command syntax; the same check in the non-deprecated form is napp-k exec -it <cluster-api-pod-name> -c cluster-api -- cat /config/proxy-config.json.
- Cordon the existing Kubernetes worker nodes before changing the private Harbor certificate in the Kubernetes guest cluster.
- Log in to the NSX Manager CLI as a root user.
- List the existing Kubernetes worker nodes.
root@nsx-mgr-0:~# napp-k get nodes
NAME                                                  STATUS   ROLES           AGE   VERSION
napp-cluster-default-qrk2r-f8xjc                      Ready    control-plane   19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-qrk2r-hgtq8                      Ready    control-plane   19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-qrk2r-kw6kk                      Ready    control-plane   19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-workers-qljgg-5758975fcb-btzrw   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-workers-qljgg-5758975fcb-mbpfp   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-workers-qljgg-5758975fcb-md5wp   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-workers-qljgg-5758975fcb-pnnr2   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-workers-qljgg-5758975fcb-wl6h9   Ready    <none>          19h   v1.26.5+vmware.2-fips.1
- Cordon the Kubernetes worker nodes.
napp-k cordon <worker-node-1> <worker-node-2> ...

Example:
root@nsx-mgr-0:~# napp-k cordon napp-cluster-default-workers-qljgg-5758975fcb-btzrw napp-cluster-default-workers-qljgg-5758975fcb-mbpfp napp-cluster-default-workers-qljgg-5758975fcb-md5wp napp-cluster-default-workers-qljgg-5758975fcb-pnnr2 napp-cluster-default-workers-qljgg-5758975fcb-wl6h9
node/napp-cluster-default-workers-qljgg-5758975fcb-btzrw cordoned
node/napp-cluster-default-workers-qljgg-5758975fcb-mbpfp cordoned
node/napp-cluster-default-workers-qljgg-5758975fcb-md5wp cordoned
node/napp-cluster-default-workers-qljgg-5758975fcb-pnnr2 cordoned
node/napp-cluster-default-workers-qljgg-5758975fcb-wl6h9 cordoned
- Verify that the Kubernetes worker nodes are cordoned.
root@nsx-mgr-0:~# napp-k get nodes
NAME                                                  STATUS                     ROLES           AGE   VERSION
napp-cluster-default-qrk2r-f8xjc                      Ready                      control-plane   19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-qrk2r-hgtq8                      Ready                      control-plane   19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-qrk2r-kw6kk                      Ready                      control-plane   19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-workers-qljgg-5758975fcb-btzrw   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-workers-qljgg-5758975fcb-mbpfp   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-workers-qljgg-5758975fcb-md5wp   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-workers-qljgg-5758975fcb-pnnr2   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
napp-cluster-default-workers-qljgg-5758975fcb-wl6h9   Ready,SchedulingDisabled   <none>          19h   v1.26.5+vmware.2-fips.1
- Change the certificate in the Tanzu Kubernetes guest cluster.
- Log in to the Workload Control Plane Supervisor cluster CLI.
- List the Kubernetes guest cluster.
kubectl get tkc -A
NAMESPACE         NAME                   CONTROL PLANE   WORKER   TKR NAME                          AGE     READY   TKR COMPATIBLE   UPDATES AVAILABLE
napp-ns-default   napp-cluster-default   3               5        v1.26.5---vmware.2-fips.1-tkg.1   3h36m   True    True
- Show the Kubernetes guest cluster in its namespace.
kubectl get tkc <tkc-name> -n <namespace>

Example:
kubectl get tkc napp-cluster-default -n napp-ns-default
NAME                   CONTROL PLANE   WORKER   TKR NAME                          AGE     READY   TKR COMPATIBLE   UPDATES AVAILABLE
napp-cluster-default   3               5        v1.26.5---vmware.2-fips.1-tkg.1   3h36m   True    True
- Replace the old Tanzu Kubernetes guest cluster proxy certificate with the new certificate.
kubectl edit tkc <tkc-name> -n <namespace>

spec:
  distribution:
    fullVersion: v1.26.5+vmware.2-fips.1-tkg.1
    version: ""
  settings:
    network:
      cni:
        name: antrea
      pods:
        cidrBlocks:
        - 192.168.0.0/16
      serviceDomain: cluster.local
      services:
        cidrBlocks:
        - 10.96.0.0/12
      proxy:
        httpProxy: https://admin:<password>@20.20.210.199:3128    # Edit the proxy username, password, IP, or port number if required
        httpsProxy: https://admin:<password>@20.20.210.199:3128   # Edit the proxy username, password, IP, or port number if required
      trust:
        additionalTrustedCAs:
        - data: <old_certificate_in_base_64_encoded_format>       # Remove the old cert if an HTTPS proxy is being used
          name: old-proxy-cert                                   # Remove the old cert name if an HTTPS proxy is being used
        - data: <new_certificate_in_base_64_encoded_format>       # Add the new cert in base64-encoded format if an HTTPS proxy is being used
          name: new-proxy-cert                                   # Add the new cert name if an HTTPS proxy is being used

Note: Use a different certificate name for the new proxy certificate in the TKC configuration.

Example of new_certificate_in_base_64_encoded_format:
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdZVENDQkVtZ0F3SUJBZ0lVWlJIVzJ6bDZ2NlVVbmY3a2pQdEVwTnFLWWhvd0RRWUpLb1pJaHZjTkFRRUwKQlFBd2FqRWdNQjRHQTFVRUF3d1hjSEp2ZUhrdWJuTmlkV054WlhONWMzUmxiUzV1WlhReEN6QUpCZ05WQkFZVApBa2xPTVFzd0NRWURWUVFJREFKTlNERU5NQXNHQTFVRUJ3d0VVSFZ1WlRFUE1BMEdBMVVFQ2d3R1ZrMTNZWEpsCk1Rd3dDZ1lEVlFRTERBTkJUbE13SGhjTk1qUXdOekV4TURZeU5qTTRXaGNOTWpZd056RXhNRFl5TmpNNFdqQnEKTVNBd0hnWURWUVFEREJkd2NtOTRlUzV1YzJKMVkzRmxjM2x6ZEdWdExtNWxkREVMTUFrR0ExVUVCaE1DU1U0eApDekFKQmdOVkJBZ01BazFJTVEwd0N3WURWUVFIREFSUWRXNWxNUTh3RFFZRFZRUUtEQVpXVFhkaGNtVXhEREFLCkJnTlZCQXNNQTBGT1V6Q0NBaUl3RFFZSktvWklodmNOQVFFQkJRQURnZ0lQQURDQ0Fnb0NnZ0lCQU1Kd1FBeVoKaDRqdzR2TWpra05LS0dtTE5YWCtqUlJnVjFjRFFlQnpieEhLQVV6azJmdzA3bHlJa3VQWkFob0hoSlphT3R2SAozMkZUZ3lZT0tIcHJKTHBvalZIanIrQndmRlBLcW9GeGxSL3I5QnVvQW9RdU1pSFdHOFVxdW13WlJocHdBQTRjCkZQRjJSVHFEbnBrK09uSlovcUdHK3Z2aXhzcEUzaWxWcVJ2WUJrVEVmMHRBdFFkazM2aEk3VXBMekthUHpGbnkKa1llUVFiKzlqYkEvSVNiUVFtWDlSVWZVVEZEczY5OVF4M3Vob216THFpaThjQUo4SHNUQndJQmRkSldIV1cxRApCUk9sUmhad1kwdDlhSDdYYk5LV2Y4eGJwVVhPZUtzaUZUc25rTHI5dWJwU09XSHErWmtpK3h5VVVES3hDUFNIClFaRlMvbVdsKyt2K29La1MvVDE4NllQNnoxVFhpSzFQNm42R0l5UThrS1VzS3U2RURxS1dLRDR2Z2RxaytLSXYKUHRnbjFyMzVJdGt0V2UrV0hnMEY0SVhWUnNVQUt2bUtQMSs4d216VTVjNFhUVDJCcEp6MVZBdnZiR3l4WTRDOAp0WEN5b2JPOVBnZFFjN2NORlBiaktIRUVXZTdXcloyVG1ocGtpbDlCeTJxU3N5VUsvNEN2eFozYjh1QjZ1YzJ3CkN5Mm9YZ0JUM2pHTUFqN1lkbzVPNUhyK1dqUDZsN3JhV3JvQk0rRVZDcUFLSmlPdTdTdTRhbkI2Tmo3OWp4MzgKZ1dQTVhJdVlDTjAzbWpkOGtReWhibmVnVFNra1NkUGV0bFgwV2Q5YkxWU2NLRDFQd2sreWxpcExzdXBRdmd4dAoxUEViZ25LRm5kQ1YySThtWG1kaGJtME43OFBrWXE1V0tIVlpBZ01CQUFHamdmNHdnZnN3Z1pFR0ExVWRJd1NCCmlUQ0JocUZ1cEd3d2FqRWdNQjRHQTFVRUF3d1hjSEp2ZUhrdWJuTmlkV054WlhONWMzUmxiUzV1WlhReEN6QUoKQmdOVkJBWVRBa2xPTVFzd0NRWURWUVFJREFKTlNERU5NQXNHQTFVRUJ3d0VVSFZ1WlRFUE1BMEdBMVVFQ2d3RwpWazEzWVhKbE1Rd3dDZ1lEVlFRTERBTkJUbE9DRkdVUjF0czVlcitsRkozKzVJejdSS1RhaW1JYU1Ba0dBMVVkCkV3UUNNQUF3Q3dZRFZSMFBCQVFEQWdUd01DNEdBMVVkRVFRbk1DV0hCQlFVQUFlSEJBcXNUdG1DRjNCeWIzaDUKTG01elluVmpjV1Z6ZVhOMFpXMHVibVYwTUIwR0ExVWREZ1FXQkJRK3pBa2s3MHNqM3FnWFJmcFNOZ0lIMkpWeApuREFOQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBTGJnTDFENSsyU2lBVFZBb0Nrckt4bkR1R09hV1RTbXVYSFlBCjRhU3gzaTlDcVBYQVN4QnV1dmx3YWRGZW44aHdxbTA5b2xuNER2bVVlbDk2YnQvRGg1VzZ6WGRKQ3cvSXlTSy8KM3VMa1NkQU5ORnNkUHIvRU9meTRncFQxUG5KMDdrdVBVdkUxK0Jwejc3VVMwWFpON3AwUTd1Y2xWRVhXREhpMAo0eUJOOFByKzQ0NktEZ005VktYYTZCM0dVVFBXOXQ5QTlHc2JZTXJsTkFwWjVPYVNodzhGY1dGdkJlYmZhT0JQCmpmVlh3RWl5WmU1UFd0OTRPVDRGVE9KUjYrQzVQUHlaQnRhRnFJbURLell2ZVJDaVlOSGJ6WWV0ZlFkVkd6VHcKbyt4em9NNFg4UEZ2TnI2UWFCM1FlOHdTeVVZSWs5cUtqNmJrakFsYXVNQi85d0dWdTBIK0NkV1FXR0YvS3ZjdgpldHNMSVB4Yk5EQTQvUlB5WmJPajZ6dXJsVEJ3anpQdUMzSnJCZGxWUE5EaEtzSWpTaDYzYUI3a1FLRTE5ZnpKCkU3SkV3ZDA0cUd1VUI3T0pHNGcyaTU4NytEV0FNZTZPak53aWFoRHpIMUtMZTlXN1VCSEhCbFIwdmpWL0Z3bmUKdmp4bVZYRkV0RnZQVXUzc0tZVHZ6RHVuZVBrZkx3UUsvd1Fna2orRkdnQXVXOEVEd1lGK2dPaHFjM1d4eHcwSwpWOTI1R0FKNVp3VDZnUlJPdmxGWXZ1T3RPaVBobHlsNDlhUDJkWWxaTFZyUXoxaGtJcE4wU3ZJNUQ4NENsTCt3Cm8xMnRJcC9mR3Z1dW9ycE50UEU3STZhUzV0QXJaL2ZqVW1yNDV5T2tZdlAyQUluTWVwYjRNME1hZDByNVFHQVEKVnNrOW5aQT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
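The two outputs in step 1 above do not match each other (different certificate bodies and ports), which is exactly the drift the verification step is meant to catch. The following Python is an added example, not part of the VMware documentation: it normalizes the platform-proxies secret, the cluster-api proxy-config.json and a TKC additionalTrustedCAs entry (each of which wraps the PEM differently) to a SHA-256 fingerprint of the DER bytes, reports whether they agree, and checks that the trust list carries the new certificate under a unique name. The sample certificates, ports and trust entries are constructed placeholders rather than real X.509 data, and nothing here calls napp-k or kubectl; in practice you feed it the outputs of the commands in steps 1 and 3.

```python
import base64, hashlib, json, re

# One PEM block; in the JSON strings shown above its newlines appear as literal "\n" escapes.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_to_der(pem):
    """Strip the PEM armor and decode the base64 body to DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def fingerprint(pem):
    """SHA-256 over the DER bytes, the value `openssl x509 -fingerprint -sha256` reports."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()

def cert_from_proxy_json(text):
    """Certificate field of the platform-proxies secret or of /config/proxy-config.json."""
    cfg = json.loads(text)
    if cfg.get("scheme") == "https" and not cfg.get("certificate"):
        raise ValueError("scheme is https but no proxy certificate is configured")
    return cfg["certificate"]

def cert_from_tkc_entry(entry):  # additionalTrustedCAs[].data is the PEM text base64-encoded once more
    return base64.b64decode(entry["data"]).decode()

def compare_sources(sources):
    """Fingerprint every source; all must agree once the rollout is complete."""
    fps = {name: fingerprint(pem) for name, pem in sources.items()}
    return {"fingerprints": fps, "consistent": len(set(fps.values())) == 1}

def check_tkc_trust(entries, new_pem):
    """Problems with the TKC trust list: duplicate names, or the new cert not present."""
    problems = []
    if len({e["name"] for e in entries}) != len(entries):
        problems.append("duplicate certificate names in additionalTrustedCAs")
    if fingerprint(new_pem) not in {fingerprint(cert_from_tkc_entry(e)) for e in entries}:
        problems.append("new proxy certificate is not in additionalTrustedCAs")
    return problems

def make_pem(der):  # constructed sample data only: PEM armor around arbitrary bytes, not a real X.509 cert
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % "\n".join(
        body[i:i + 64] for i in range(0, len(body), 64))

# Constructed sample: the secret already holds the new cert, the cluster-api pod still the old one.
OLD_PEM = make_pem(b"constructed old proxy certificate, not a real certificate")
NEW_PEM = make_pem(b"constructed new proxy certificate, not a real certificate")
SECRET_JSON = json.dumps({"scheme": "https", "port": 3128, "certificate": NEW_PEM, "opType": "UPDATE"})
POD_JSON = json.dumps({"scheme": "https", "port": 3128, "certificate": OLD_PEM, "opType": "UPDATE"})
TKC_TRUST = [{"name": "new-proxy-cert", "data": base64.b64encode(NEW_PEM.encode()).decode()}]
```

Running compare_sources over the secret, the pod config and the TKC entry of the sample reports consistent=False until the cluster-api pod has been recreated on a node that carries the new certificate.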
- Provision a new set of Kubernetes control and worker nodes with the new Harbor certificate.
kubectl get machinesets -A
NAMESPACE         NAME                                            CLUSTER                REPLICAS   READY   AVAILABLE   AGE     VERSION
napp-ns-default   napp-cluster-default-workers-gw6dj-649cb95985   napp-cluster-default   1                              35s     v1.26.5+vmware.2-fips.1
napp-ns-default   napp-cluster-default-workers-gw6dj-747c99665f   napp-cluster-default   5          5       5           3h40m   v1.26.5+vmware.2-fips.1