This document guides user to update airgap server CA certificate of v2 workload cluster manually. Cluster operations, such as creating node pools, scaling in/out control plane and nodepool, can recover after updating the cluster with new airgap server CA certificate.


Airgap server is updated with new self-signed certificate or private root CA signed certificate.


If airgap server is updated with public signed certificate, updating existing cluster or following the steps in this guide is not required.

Workload cluster's associated management cluster is updated.


  1. Login to TCA CP appliance via SSH with admin account and enter root mode.
  2. Get Resources.
    1. Locate management cluster kubeconfig file, refer to Get Resources to create kubectl alias of management cluster.
    2. Get workload cluster kubeconfig file.
      # ccli list wc
      | INDEX | NAME             | CONTEXT          | ID                                       | VCENTER ADDRESSES          | CONNECTIVITY | SELECTED | TYPE                |
      | 0     | ipv4-airgap-v1wc | ipv4-airgap-v1wc | 1fabca0a-ac69-406f-950a-92e7ddf7c4ae     | | true         |          | KBS                 |
      | 1     | ipv4-airgap-v2wc | ipv4-airgap-v2wc | aa9fbf86d970421cea233a00b3ea62bf64354f5c | | true         |          | KubeClusterOperator |

      Assuming ipv4-airgap-v2wc is the workload cluster to update, get its kubeconfig file from its associated management cluster and create alias of the workload cluster kubectl command.

      # mk get secret -n ipv4-airgap-v2wc ipv4-airgap-v2wc-kubeconfig -o jsonpath={.data.value} | base64 -d > wc.kc
      # pwd
      # alias wk="kubectl --kubeconfig /home/admin/wc.kc"
  3. Update v2 workload cluster nodes.
    1. Get node IPs of workload cluster.
      [root@hxu-tcacp-1 ~]# wk get node -o wide | awk '{print $1,$6}'
    2. Login to nodes and update node CA cert.

      This step is the same as sub-steps of Update management cluster nodes.

  4. Update v2 workload cluster kapp controller.

    This step is the same with Update v1 workload cluster kapp controller.

  5. Update v2 workload cluster tcakubecluster CR on its management cluster.
    1. Get the CR to update.
      # mk get tkc -n ipv4-airgap-v2wc ipv4-airgap-v2wc
      NAME               AGE
      ipv4-airgap-v2wc   11d
    2. Disable tca-cluster-operator webhook on management cluster.

      It is not allowed to update airgap fields of the tcakubecluster CR. To update it, user needs to disable the webhook of tca-cluster-operator on management cluster and restore it later.

      # mk get ValidatingWebhookConfiguration tca-kubecluster-operator-validating-webhook-configuration -o yaml > webhook.yaml
      # mk delete ValidatingWebhookConfiguration tca-kubecluster-operator-validating-webhook-configuration
    3. Update tcakubecluster CR.
      # mk edit tkc -n ipv4-airgap-v2wc ipv4-airgap-v2wc
          caCert: <cert-base64-content>

      Update spec.airgap.caCert with the new CA base64 encoding string, and save with ":wq".

    4. Restore tca-cluster-operator webhook.

      Restoring tca-cluster-operator webhook will turn on the tca-cluster-operator exposed CR validations. To restore it, just apply the saved webhook config.

      # mk apply -f webhook.yaml


      Restoring this webhook will block you from scaling out workload cluster control plane. TCA UI may report following message.

      HttpStatus: 422 : admission webhook "" denied the request: "wc210v2" is invalid: spec.airgap: Invalid value: "airgap": cannot be modified

      Increase the control plane replica after the webhook is disabled, then restore it back after the operation.

  6. Update v2 workload cluster kubecontrolplane and kubeadmconfigtemplate CRs on its management cluster.