This document describes how to update the airgap server CA certificate of a management cluster that has been upgraded from TCA 2.2 to TCA 2.3.

Prerequisites

The tkgcontext of the management cluster has been updated.

Procedure

  1. Update management cluster nodes.

    This step updates all the management cluster nodes. Log in to each node with the capv account to apply the update. Get the cluster node IP addresses with the ccli show status command, then follow the sub-steps below for each IP address in the output.

    # ccli show status
    status: Running
    phase: PostConfig
    nodes:
    - ip: 172.16.69.112
      vmName: ipv4-airgap-mgmt-master-control-plane-qc6nx
      ...
    - ip: 172.16.69.213
      vmName: ipv4-airgap-mgmt-np1-7648d7cd8f-79xvg
      ...
    - ip: 172.16.70.143
      vmName: ipv4-airgap-mgmt-np1-7648d7cd8f-svmz9
      ...
    1. Log in to the node from the TCA CP appliance via ssh capv@<node ip> and enter root mode.
      # ssh capv@<node ip>
      capv@ipv4-airgap-mgmt-master-control-plane-qc6nx [ ~ ]$ sudo su
    2. Copy the CA file with a .pem suffix to the /etc/ssl/certs folder and run rehash_ca_certificates.sh. Test the connectivity with the curl command.
      root [ /home/capv ]# cp ca.crt /etc/ssl/certs/airgap-repo-server.example.com.pem # the file name must end with .pem
      root [ /home/capv ]# rehash_ca_certificates.sh
      root [ /home/capv ]# curl https://airgap-repo-server.example.com -v --head # test it works
    3. Copy the CA file to /etc/containerd/<airgap-server-fqdn>.crt and restart containerd with systemctl restart containerd, then verify that it can pull an image from the airgap server with the command crictl pull <airgap-server-fqdn>/registry/tkr-compatibility:v1.
      root [ /home/capv ]# cp ca.crt /etc/containerd/airgap-repo-server.example.com.crt
      root [ /home/capv ]# systemctl restart containerd
      root [ /home/capv ]# systemctl status containerd
      root [ /home/capv ]# crictl pull airgap-repo-server.example.com/registry/tkr-compatibility:v1 # test pulling from airgap repo
  2. Update management cluster secrets

    Update the tkg-pkg-tkg-system-values secret if it exists.

    Save the tkgpackagevalues.yaml value of the tkg-pkg-tkg-system-values secret to a file.
    # mk get secret -n tkg-system tkg-pkg-tkg-system-values -o jsonpath={.data."tkgpackagevalues\.yaml"} | base64 -d > tkgpkg.yaml
    

    Edit tkgpkg.yaml to set the new CA certificate in base64 format, and save it with ":wq".

    # vi tkgpkg.yaml
    akoOperatorPackage: {}
    clusterclassPackage: {}
    configvalues:
      ...
      TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE: <new CA cert in base64 format>
      ...
    tkrSourceControllerPackage:
      tkrSourceControllerPackageValues:
        bomImagePath: a-11.dc1.vmw/registry/tkr-bom
        bomMetadataImagePath: a-11.dc1.vmw/registry/tkr-compatibility
        caCerts: <new CA cert in base64 format>
      ...
    
    Patch the secret.
    # mk patch secret -n tkg-system tkg-pkg-tkg-system-values -p "{\"data\":{\"tkgpackagevalues.yaml\": \"`base64 tkgpkg.yaml -w 0`\"}}"
    

    Update TKR secrets tkr-source-controller-values and tkr-vsphere-resolver-values with new CA certificate content.

    1. Decode secret data and save to a yaml file.
      # mk get secret -n tkg-system tkr-source-controller-values -o jsonpath='{.data.values\.yaml}' | base64 -d > data.yaml
    2. Edit the decoded secret data file, replace the value of caCerts with new encoded CA certificate content, then save the file with ":wq".
      # vi data.yaml
      namespace: tkg-system
      legacyNamespace: tkr-system
      bomImagePath: airgap-repo-server-2.ipv6.eng.vmware.com/registry/tkr-bom
      bomMetadataImagePath: airgap-repo-server-2.ipv6.eng.vmware.com/registry/tkr-compatibility
      tkrRepoImagePath: airgap-repo-server-2.ipv6.eng.vmware.com/registry/tkr-repository-vsphere-nonparavirt
      defaultCompatibleTKR: v1.24.10+vmware.1-tkg.2
      skipVerifyRegistryCert: false
      initialDiscoverFrequency: 60
      continuousDiscoverFrequency: 600
      caCerts: <new encoded CA certificate content>
      imageRepository: airgap-repo-server-2.ipv6.eng.vmware.com/registry
      deployment:
        hostNetwork: false
        nodeSelector: null
        tolerations: []
        httpProxy: null
        httpsProxy: null
        noProxy: null
    3. Encode new secret data file content. Copy the encoded output string.
      # cat data.yaml | base64 -w 0
      <encoded output string>
    4. Patch the secret with the new encoded output string from step 3.
      # mk patch secret/tkr-source-controller-values -n tkg-system -p '{"data": {"values.yaml": "<encoded output string>"}}'
      secret/tkr-source-controller-values patched
    5. Follow the same steps to update the secret tkr-vsphere-resolver-values.
  3. Update management cluster configmaps.
    1. Update tkr-controller-config with new CA certificate content.
      # mk edit cm tkr-controller-config -n tkg-system
      # Please edit the object below. Lines beginning with a '#' will be ignored,
      # and an empty file will abort the edit. If an error occurs while saving this file will be
      # reopened with the relevant failures.
      #
      apiVersion: v1
      data:
        caCerts: |
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
        imageRepository: airgap-repo-server.example.com/registry
      ...

      Copy the new CA certificate content and overwrite the existing caCerts field with it.

      Save it with ":wq".

      Then restart the tkr-source-controller-manager deployment and the tkr-vsphere-resolver-webhook-manager deployment.

      # mk rollout restart deployment -n tkg-system tkr-source-controller-manager

      # mk rollout restart deployment -n tkg-system tkr-vsphere-resolver-webhook-manager

    2. Update kapp-controller-config with new CA certificate content.
      # mk edit cm kapp-controller-config -n tkg-system
      # Please edit the object below. Lines beginning with a '#' will be ignored,
      # and an empty file will abort the edit. If an error occurs while saving this file will be
      # reopened with the relevant failures.
      #
      apiVersion: v1
      data:
        caCerts: |
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----
        imageRepository: airgap-repo-server.example.com/registry
      ...

      Copy the new CA certificate content and overwrite the existing caCerts field with it.

      Save it with ":wq".

      Then restart kapp-controller-manager deployment.

      # mk rollout restart deployment -n tkg-system kapp-controller

  4. Update management cluster kubecontrolplane and kubeadmconfigtemplate CRs.
    1. Update kubecontrolplane CR.
      # mk get kcp -n tkg-system
      NAME                                    CLUSTER            INITIALIZED   API SERVER AVAILABLE   REPLICAS   READY   UPDATED   UNAVAILABLE   AGE   VERSION
      ipv4-airgap-mgmt-master-control-plane   ipv4-airgap-mgmt   true          true                   1          1       1         0             11d   v1.22.9+vmware.1
      # mk edit kcp -n tkg-system ipv4-airgap-mgmt-master-control-plane
      ...
          - content: <cert-base64-content>
            encoding: base64
            path: /etc/containerd/airgap-repo-server.example.com.crt
            permissions: "0444"
      ...

      Locate the airgap server CA certificate file content and replace it with the base64-encoded string of the new CA certificate.

      Save it with ":wq".

      Note: This operation will result in control plane nodes redeployment.

    2. Update kubeadmconfigtemplate CR.
      # mk get kubeadmconfigtemplate -n tkg-system
      NAME                   AGE
      ipv4-airgap-mgmt-np1   11d
      # mk edit kubeadmconfigtemplate -n tkg-system ipv4-airgap-mgmt-np1
      ...
      spec:
        template:
          spec:
            files:
            - content: <cert-base64-content>
              encoding: base64
              path: /etc/containerd/airgap-repo-server.example.com.crt
              permissions: "0444"
      ...

      Locate the airgap server CA certificate file content and replace it with the base64-encoded string of the new CA certificate.

      Save it with ":wq".

  5. Update tcakubernetescluster CR in TCA CP minikube.
    # kubectl config get-contexts
    CURRENT   NAME                                      CLUSTER            AUTHINFO                 NAMESPACE
              ipv4-airgap-mgmt-admin@ipv4-airgap-mgmt   ipv4-airgap-mgmt   ipv4-airgap-mgmt-admin
              ipv4-mgmt-admin@ipv4-mgmt                 ipv4-mgmt          ipv4-mgmt-admin
    *         minikube                                  minikube           minikube                 default
    # kubectl config use-context minikube # if star is not on minikube in the last command
    # kubectl get tkc -A
    NAMESPACE          NAME               AGE
    ipv4-airgap-mgmt   ipv4-airgap-mgmt   11d
    ipv4-mgmt          ipv4-mgmt          13d
    # kubectl edit tkc -n ipv4-airgap-mgmt ipv4-airgap-mgmt
    ...
        telco.vmware.com/airgap-ca-cert: <cert-base64-content>
        telco.vmware.com/airgap-fqdn: airgap-repo-server.example.com
    ...

    Locate the airgap server CA certificate file content and replace it with the base64-encoded string of the new CA certificate.

    Save it with ":wq".
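
The base64 edits to the decoded secret files in step 2 (data.yaml, tkgpkg.yaml) can be scripted and checked instead of pasted by hand. The following is an added example, not part of the original procedure: the function names are hypothetical, the sample data is constructed placeholder text rather than a real certificate, and GNU base64, sed and sha256sum are assumed.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, sample data is constructed.
# Assumes GNU base64, sed and sha256sum. Works on local files only, not the cluster.

# Single-line base64 of the CA file, the form the values files expect.
ca_b64() { base64 -w 0 "$1"; }

# Print the value of the first "<key>: value" line in a decoded values file.
field_value() {   # field_value <file> <key>
  sed -n "s|^[[:space:]-]*$2:[[:space:]]*||p" "$1" | head -n 1
}

# Replace the value of every "<key>:" line with the new CA, keeping indentation.
set_ca_field() {  # set_ca_field <file> <key> <ca-file>
  local b64
  b64=$(ca_b64 "$3") || return 1
  grep -q "^[[:space:]-]*$2:" "$1" || { echo "no $2 field in $1" >&2; return 1; }
  sed -i "s|^\([[:space:]-]*$2:\).*|\1 $b64|" "$1"
}

# Succeed only if the field decodes to exactly the bytes of the CA file.
field_matches_ca() {  # field_matches_ca <file> <key> <ca-file>
  local v
  v=$(field_value "$1" "$2")
  [ -n "$v" ] || return 1
  [ "$(printf '%s' "$v" | base64 -d 2>/dev/null | sha256sum)" = "$(sha256sum < "$3")" ]
}

# Constructed sample: placeholder text stands in for the old and new PEM files.
demo() {
  local d; d=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'OLD-CA-PLACEHOLDER' '-----END CERTIFICATE-----' > "$d/old.crt"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'NEW-CA-PLACEHOLDER' '-----END CERTIFICATE-----' > "$d/ca.crt"
  printf 'namespace: tkg-system\nskipVerifyRegistryCert: false\ncaCerts: %s\n' "$(ca_b64 "$d/old.crt")" > "$d/data.yaml"
  field_matches_ca "$d/data.yaml" caCerts "$d/ca.crt" || echo "before: data.yaml does not carry the new CA"
  set_ca_field "$d/data.yaml" caCerts "$d/ca.crt"
  field_matches_ca "$d/data.yaml" caCerts "$d/ca.crt" && echo "after: data.yaml carries the new CA"
  rm -rf "$d"
}
demo
```

Running field_matches_ca against a freshly decoded copy of each secret after the patch confirms that the cluster holds the intended CA and that no secret was left on the old one.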