Use Secure Connection for vSphere Container Storage Plug-in

Follow this procedure if you want to use a secure connection instead of using a self-signed certificate for login.

Procedure

Download trusted root CA certificates from vCenter Server at https://vCenter-IP-Address/certs/download.zip, extract the download.zip file containing certificates, and create config-map using the certificate in the certs/lin directory.

$ curl -LO https://vCenter-IP-Address/certs/download.zip
$ unzip download.zip
$ tree certs/
certs/
├── lin
│   ├── 6355e8d1.0
│   └── 6355e8d1.r1
├── mac
│   ├── 6355e8d1.0
│   └── 6355e8d1.r1
└── win
    ├── 6355e8d1.0.crt
    └── 6355e8d1.r1.crl
 
3 directories, 6 files

Create config-map for root-ca certificate.

$ cd certs/lin
$ kubectl create configmap vc-root-ca-cert --from-file=6355e8d1.0 --namespace=vmware-system-csi
configmap/vc-root-ca-cert created

Set insecure-flag to false in the vsphere-config-secret in the vmware-system-csi namespace.
```
[Global]
.
.
insecure-flag = "false"
ca-file = "/etc/ssl/certs/6355e8d1.0"
.
```

Mount vc-root-ca-cert configmap as a volume to the CA root location of containers vsphere-syncer and vsphere-csi-controller in vsphere-csi-controller pod.

Refer to the following change for the vsphere-csi-controller deployment for vsphere-csi-controller and vsphere-syncer containers.

.
.
containers:
  - name: vsphere-csi-controller
    volumeMounts:
      - mountPath: /etc/ssl/certs/6355e8d1.0
        subPath: 6355e8d1.0
        name: vc-root-ca-cert
  - name: vsphere-syncer
    volumeMounts:
      - mountPath: /etc/ssl/certs/6355e8d1.0
        subPath: 6355e8d1.0
        name: vc-root-ca-cert
.
.    
volumes:
- name: vc-root-ca-cert
  configMap:
    name: vc-root-ca-cert
.
.

Apply the above change for vsphere-csi-controller deployment and wait for the vSphere Container Storage Plug-in controller pods to restart.