If the vCenter certificate of a secondary cloud changes, perform the following steps to update the TLS thumbprint.


  1. SSH to the management cluster control plane virtual IP as the user capv and locate the {mgmt-cluster-name}-vsphere-cpi-addon secret:
    kubectl get secret -A | grep cpi-addon
  2. Save the original CPI vSphere configuration to a temporary file.
    kubectl get secret -n tkg-system {mgmt-cluster-name}-vsphere-cpi-addon -o jsonpath='{.data.vsphereconf-custom\.lib\.txt}' | base64 -d > /tmp/vsphereconf.txt
  3. Update the thumbprint in the temporary vSphere configuration file.
    The following is a sample vSphere configuration:
    [root@tca /home/admin]# vim /tmp/vsphereconf.txt
    (@ def vsphere_conf(): -@)
    user = "administrator@vsphere.local"
    password = "Admin!23"
    port = "443"
    datacenters = "os-test-dc, cellsite-dc"
    [VirtualCenter ""]
    datacenters = "os-test-dc"
    thumbprint = "13:C1:98:E9:E2:DF:A9:5A:95:EC:6A:96:FA:8D:DE:CF:56:6C:D3:1C"
    ip-family = "ipv4"
    [VirtualCenter "sc2-10-10-10-130.eng.vmware.com"]
    datacenters = "cellsite-dc"
    thumbprint = "FD:89:0D:8D:B6:A6:FA:CB:E2:B7:15:GF:D3:F0:47:EB:7C:E3:96:70"
    ip-family = "ipv4"
    [
    server = ""
    datacenter = "test-dc"
    thumbprint = "13:C1:98:D9:E2:DF:A9:6A:95:4C:6A:96:EA:8D:FE:CF:56:6C:D3:1C"
    ip-family = "ipv4"
    Note: You must update the thumbprint value.
  4. Encode the CPI vSphere configuration with the new thumbprint.
    export encoded_vsphereconf_content=$(base64 -w 0 /tmp/vsphereconf.txt)
  5. Update the {mgmt-cluster-name}-vsphere-cpi-addon secret in the tkg-system namespace of the management cluster and wait for the Kapp reconciliation. After the reconciliation, the vsphere-cloud-config configmap in the kube-system namespace is updated.
    kubectl patch secret {mgmt-cluster-name}-vsphere-cpi-addon -n tkg-system -p '{"data": {"vsphereconf-custom.lib.txt":"'${encoded_vsphereconf_content}'"}}'

    Verify that the configmap is updated by using the following command:

    kubectl -n kube-system get cm vsphere-cloud-config -o yaml
  6. Restart the vsphere-cloud-controller-manager pod to mount the new configmap.
    kubectl rollout restart ds/vsphere-cloud-controller-manager -n kube-system
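The six steps above collected into one script, as an added example that is not part of this documentation page or of the TCA/TKG product. It goes a little beyond the hand-edit in step 3: it validates that the new value is a SHA-1 thumbprint, changes only the thumbprint inside the matching [VirtualCenter "..."] section (so a second vCenter's entry is never touched), reads the fingerprint the vCenter currently presents so it can be cross-checked against the value reported by the vCenter administrator, waits a bounded time for the configmap to change, and keeps the original configuration for rollback. The function names, the sample configuration written by make_sample_config, and the MGMT_CLUSTER, VC_HOST and APPLY variables are all constructed for this example; it assumes kubectl already points at the management cluster, GNU base64 (for -w 0) and openssl on PATH, and the secret and configmap names from the procedure. Nothing touches the cluster unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the TCA documentation): rotate the vCenter thumbprint
# in the {mgmt-cluster-name}-vsphere-cpi-addon secret without hand-editing.

# Sample configuration, constructed for this example (not from a real cluster).
make_sample_config() {
  cat > "$1" <<'EOF'
[Global]
user = "administrator@vsphere.local"
port = "443"
datacenters = "dc-a, dc-b"
[VirtualCenter "vc1.example.invalid"]
datacenters = "dc-a"
thumbprint = "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11"
ip-family = "ipv4"
[VirtualCenter "vc2.example.invalid"]
datacenters = "dc-b"
thumbprint = "22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22:22"
ip-family = "ipv4"
EOF
}

# A vSphere thumbprint is a SHA-1 fingerprint: 20 colon-separated upper-case hex bytes.
is_valid_thumbprint() {
  printf '%s' "$1" | grep -Eq '^([0-9A-F]{2}:){19}[0-9A-F]{2}$'
}

# Print the config in $1 with the thumbprint replaced only inside [VirtualCenter "$2"].
# Every other section, including other vCenters, passes through unchanged.
update_thumbprint() {
  awk -v target="$2" -v tp="$3" '
    /^\[VirtualCenter / {
      name = $0
      sub(/^\[VirtualCenter "/, "", name)
      sub(/"]$/, "", name)
      in_target = (name == target)
    }
    /^\[/ && !/^\[VirtualCenter / { in_target = 0 }
    in_target && /^thumbprint = / { $0 = "thumbprint = \"" tp "\"" }
    { print }
  ' "$1"
}

# Read the SHA-1 fingerprint the vCenter currently presents on 443. Use it as a
# cross-check against the value the vCenter administrator reports out of band,
# not as the only source of truth, since it trusts whatever answers on the wire.
fetch_thumbprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 | cut -d= -f2
}

# Steps 1-6 of the procedure: $1 management cluster name, $2 vCenter name exactly as
# written in its [VirtualCenter "..."] header, $3 new thumbprint.
rotate_cpi_thumbprint() {
  cluster=$1; vc=$2; tp=$3
  is_valid_thumbprint "$tp" || { echo "not a SHA-1 thumbprint: $tp" >&2; return 1; }
  secret="${cluster}-vsphere-cpi-addon"
  orig=$(mktemp); new=$(mktemp)
  kubectl get secret -n tkg-system "$secret" \
    -o jsonpath='{.data.vsphereconf-custom\.lib\.txt}' | base64 -d > "$orig"
  grep -qF "[VirtualCenter \"$vc\"]" "$orig" || { echo "no section for $vc" >&2; return 1; }
  update_thumbprint "$orig" "$vc" "$tp" > "$new"
  encoded=$(base64 -w 0 "$new")
  kubectl patch secret "$secret" -n tkg-system \
    -p '{"data": {"vsphereconf-custom.lib.txt":"'"$encoded"'"}}'
  # Wait (bounded, 60 x 5 s) for Kapp to reconcile the change into the configmap.
  i=0
  until kubectl -n kube-system get cm vsphere-cloud-config -o yaml | grep -qF "$tp"; do
    i=$((i + 1)); [ "$i" -lt 60 ] || { echo "configmap not updated after 5 min" >&2; return 1; }
    sleep 5
  done
  kubectl rollout restart ds/vsphere-cloud-controller-manager -n kube-system
  echo "original configuration kept at $orig for rollback"
}

# Only touch the cluster when explicitly asked; sourcing the file just defines the functions.
if [ "${APPLY:-0}" = "1" ]; then
  rotate_cpi_thumbprint "${MGMT_CLUSTER:?}" "${VC_HOST:?}" "$(fetch_thumbprint "${VC_HOST:?}")"
fi
```

Run it as `APPLY=1 MGMT_CLUSTER=<mgmt-cluster-name> VC_HOST=<vcenter-host> sh rotate-thumbprint.sh` from the control plane node after comparing the printed fingerprint with the one the vCenter administrator gives you; without APPLY=1 the file only defines the functions, so update_thumbprint can be tried against a copy of /tmp/vsphereconf.txt first.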