You can change the Vault certificate authority (CA) configuration for a cluster by assigning the cluster a different Vault CA integration. This ability is useful in scenarios where you want the cluster to connect to a different Vault server or want to change other Vault CA parameters.

To change the cluster to a different Vault CA integration, you must assign the cluster the CA label that is associated with that integration.

You can change a cluster from one Vault CA integration to another Vault CA integration. You cannot change the cluster to a different CA provider's integration (for example, a Venafi CA's integration).

Prerequisites

  • Get an API token and an access code to authenticate your requests to the Tanzu Service Mesh API. You must use the access code in the csp-auth-token header in your requests. For information about generating an API token and getting an access code, see Authentication with the Tanzu Service Mesh REST API.

  • Create a Vault CA Integration for the cluster before you onboard the cluster.

  • Create the Vault integration to which you want to change the cluster. You can create this integration after you onboard the cluster. Note the CA label associated with the Vault integration.

Important:

Before you assign a different CA integration to the cluster, consider the impact on the cluster's global namespace. Verify that the root of trust of the cluster's new CA integration is the same root of trust that the other clusters in the global namespace use. If the roots of trust differ, workloads in the other clusters cannot validate the certificates that this cluster's workloads present (and vice versa), so cross-cluster connectivity in the global namespace breaks.

Troubleshoot a Cluster with Different Roots of Trust in the Global Namespace gives steps on how to remedy the problems that occur on a cluster after the cluster is assigned a CA integration with a different root of trust from the one that the other clusters in the global namespace use.

Procedure

  1. Submit the following request.
    PUT https://{server_name}/tsm/v1alpha2/projects/default/clusters/{cluster_id}?createOnly=false

    Where {server_name} is the host name of the Tanzu Service Mesh server (for example, prod-1.nsxservicemesh.vmware.com), and {cluster_id} is the identifier of the cluster whose Vault CA integration you want to change.

    Request body

    {
      "displayName": "cluster-name",
      "tags": [],
      "labels": [],
      "autoInstallServiceMesh": true,
      "enableNamespaceExclusions": false,
      "enableNamespaceInclusions": true,
      "namespaceExclusions": [],
      "namespaceInclusions": [
        {
          "match": "default",
          "type": "EXACT"
        }
      ],
      "description": "",
      "registryAccount": "",
      "caLabels": [
        {
          "key": "CertificateAuthority",
          "value": "new-ca-label"
        }
      ],
      "enableInternalGateway": false
    }

    Example of the request body

    {
      "displayName": "my-cluster",
      "tags": [],
      "labels": [],
      "autoInstallServiceMesh": true,
      "enableNamespaceExclusions": false,
      "enableNamespaceInclusions": true,
      "namespaceExclusions": [],
      "namespaceInclusions": [
        {
          "match": "default",
          "type": "EXACT"
        }
      ],
      "description": "",
      "registryAccount": "",
      "caLabels": [
        {
          "key": "CertificateAuthority",
          "value": "vault-2"
        }
      ],
      "enableInternalGateway": false
    }
  2. Under caLabels, set value to the CA label associated with the Vault CA integration that you want to assign to the cluster.
    Important:

    Do not change the other values in the cluster configuration. Make sure that these values are the same that you specified when onboarding the cluster.

    In the example request body in step 1, value is changed to the CA label vault-2, which assigns the Vault CA integration associated with that label to the cluster my-cluster.
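The following script is an added worked example of the procedure above; it is not code from the original page or from the Tanzu Service Mesh product. It starts from the configuration the cluster was onboarded with (a constructed sample here), replaces only the CertificateAuthority value under caLabels, checks that no other field changed (the requirement in step 2), and assembles the PUT request with the access code in the csp-auth-token header. The server name, cluster ID and access code are placeholders, and the onboarding configuration is assumed to be available to the caller as a dict.

```python
"""Build the PUT body that moves a Tanzu Service Mesh cluster to another Vault CA integration.

Added example; not code from the original page or from the Tanzu Service Mesh project.
Assumptions (not stated on the page): the caller already holds the cluster's onboarding
configuration as a dict, and SERVER_NAME / CLUSTER_ID / ACCESS_CODE are placeholders.
"""
import copy
import json
import urllib.request

CA_LABEL_KEY = "CertificateAuthority"  # the key used under caLabels on the page
CLUSTER_PATH = "/tsm/v1alpha2/projects/default/clusters/{cluster_id}?createOnly=false"

# Constructed sample: the configuration this cluster was onboarded with (currently on vault-1).
ONBOARDED_CONFIG = {
    "displayName": "my-cluster",
    "tags": [],
    "labels": [],
    "autoInstallServiceMesh": True,
    "enableNamespaceExclusions": False,
    "enableNamespaceInclusions": True,
    "namespaceExclusions": [],
    "namespaceInclusions": [{"match": "default", "type": "EXACT"}],
    "description": "",
    "registryAccount": "",
    "caLabels": [{"key": CA_LABEL_KEY, "value": "vault-1"}],
    "enableInternalGateway": False,
}


def swap_ca_label(cluster_config, new_ca_label):
    """Return a deep copy of cluster_config in which only the CertificateAuthority
    caLabel value is replaced by new_ca_label. Raises if the cluster does not carry
    exactly one such label: then it was not onboarded with a CA integration and
    this procedure does not apply."""
    body = copy.deepcopy(cluster_config)
    matches = [lbl for lbl in body.get("caLabels", []) if lbl.get("key") == CA_LABEL_KEY]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one {CA_LABEL_KEY} label, found {len(matches)}")
    matches[0]["value"] = new_ca_label
    return body


def changed_fields(before, after):
    """Top-level fields whose value differs between two cluster configurations.
    This is the guard the page asks for: the only change must be caLabels."""
    keys = set(before) | set(after)
    return sorted(k for k in keys if before.get(k) != after.get(k))


def build_put_request(server_name, cluster_id, access_code, body):
    """Assemble the PUT request from the page, with the access code in csp-auth-token."""
    url = f"https://{server_name}" + CLUSTER_PATH.format(cluster_id=cluster_id)
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"csp-auth-token": access_code, "Content-Type": "application/json"},
    )


def prepare(server_name, cluster_id, access_code, onboarded_config, new_ca_label):
    """Check-then-build sequence; returns the request without sending it."""
    body = swap_ca_label(onboarded_config, new_ca_label)
    diff = changed_fields(onboarded_config, body)
    if diff != ["caLabels"]:
        raise ValueError(f"refusing to PUT: fields other than caLabels changed: {diff}")
    return build_put_request(server_name, cluster_id, access_code, body)


if __name__ == "__main__":
    import sys
    # Placeholders, not real values.
    req = prepare("prod-1.nsxservicemesh.vmware.com", "CLUSTER_ID", "ACCESS_CODE",
                  ONBOARDED_CONFIG, "vault-2")
    print(req.get_method(), req.full_url)
    print(json.dumps(json.loads(req.data), indent=2))
    if "--send" in sys.argv:  # only contact the server when explicitly asked
        with urllib.request.urlopen(req) as resp:
            print(resp.status, resp.read().decode("utf-8"))
```

Run without arguments to print the request that would be sent; pass --send (after substituting a real server name, cluster ID and access code) to submit it. Keeping the onboarding configuration as the single source of the body, rather than retyping it, is what makes the "do not change the other values" rule mechanically checkable.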