Follow this procedure if you want to use a secure connection, with the vCenter Server certificate verified against a trusted root CA, instead of accepting a self-signed certificate for login.

Procedure

  1. Download the trusted root CA certificates from vCenter Server at https://vCenter-IP-Address/certs/download.zip and extract the download.zip file containing the certificates. The certificate used for the config-map (created in the next step) is the one in the certs/lin directory.
    $ curl -LO https://vCenter-IP-Address/certs/download.zip
    $ unzip download.zip
    $ tree certs/
    certs/
    ├── lin
    │   ├── 6355e8d1.0
    │   └── 6355e8d1.r1
    ├── mac
    │   ├── 6355e8d1.0
    │   └── 6355e8d1.r1
    └── win
        ├── 6355e8d1.0.crt
        └── 6355e8d1.r1.crl
     
    3 directories, 6 files
  2. Create a config-map from the root CA certificate.
    $ cd certs/lin
    $ kubectl create configmap vc-root-ca-cert --from-file=6355e8d1.0 --namespace=vmware-system-csi
    configmap/vc-root-ca-cert created
  3. Set insecure-flag to "false" and ca-file to the path at which the certificate will be mounted, in the vsphere-config-secret in the vmware-system-csi namespace.
    [Global]
    .
    .
    insecure-flag = "false"
    ca-file = "/etc/ssl/certs/6355e8d1.0"
    .
  4. Mount the vc-root-ca-cert config-map as a volume at the CA root location of the vsphere-syncer and vsphere-csi-controller containers in the vsphere-csi-controller pod.
    Refer to the following change to the vsphere-csi-controller deployment for the vsphere-csi-controller and vsphere-syncer containers.
    .
    .
    containers:
      - name: vsphere-csi-controller
        volumeMounts:
          - mountPath: /etc/ssl/certs/6355e8d1.0
            subPath: 6355e8d1.0
            name: vc-root-ca-cert
      - name: vsphere-syncer
        volumeMounts:
          - mountPath: /etc/ssl/certs/6355e8d1.0
            subPath: 6355e8d1.0
            name: vc-root-ca-cert
    .
    .    
    volumes:
    - name: vc-root-ca-cert
      configMap:
        name: vc-root-ca-cert
    .
    .
  5. Apply the above change to the vsphere-csi-controller deployment and wait for the vSphere Container Storage Plug-in controller pods to restart.
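The following script is an added example and not part of this procedure or of the vSphere Container Storage Plug-in project. It ties steps 3 to 5 together: it checks that the config stored in vsphere-config-secret has insecure-flag set to "false" and that its ca-file matches the path at which the config-map is mounted, renders the deployment change above as a kubectl strategic-merge patch, and wraps the apply-and-wait step. The names vc-root-ca-cert, vmware-system-csi, vsphere-csi-controller, vsphere-syncer and 6355e8d1.0 come from the page; the function names, the show_ca helper, the use of openssl and the sample config written by the demo are assumptions.

```shell
#!/bin/sh
# Added example (not the project's own code): consistency check plus the
# kubectl patch for mounting the vCenter root CA into the CSI controller.
set -eu

CA_FILE_NAME="6355e8d1.0"                      # file from certs/lin (page)
CA_MOUNT_PATH="/etc/ssl/certs/${CA_FILE_NAME}" # mountPath and ca-file (page)
CONFIGMAP="vc-root-ca-cert"                    # config-map name (page)
NAMESPACE="vmware-system-csi"                  # namespace (page)
DEPLOYMENT="vsphere-csi-controller"            # deployment name (page)

# show_ca FILE (assumed helper, needs openssl): print subject, issuer and the
# SHA-256 fingerprint of the downloaded root CA so it can be compared with
# what the vSphere administrator publishes before it is trusted.
show_ca() {
  openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256
}

# check_config FILE MOUNT_PATH (assumed helper): verify the [Global] section
# of the CSI config from the secret. insecure-flag must be "false" and
# ca-file must equal the path the config-map is mounted at, otherwise the
# plug-in cannot find the CA. Returns 0 when consistent, 1 otherwise.
check_config() {
  cfg="$1"; want="$2"
  insecure=$(sed -n 's/^[[:space:]]*insecure-flag[[:space:]]*=[[:space:]]*"*\([^"]*\)"*.*$/\1/p' "$cfg" | head -n1)
  cafile=$(sed -n 's/^[[:space:]]*ca-file[[:space:]]*=[[:space:]]*"*\([^"]*\)"*.*$/\1/p' "$cfg" | head -n1)
  if [ "$insecure" != "false" ]; then
    echo "insecure-flag is '${insecure}', expected \"false\"" >&2
    return 1
  fi
  if [ "$cafile" != "$want" ]; then
    echo "ca-file '${cafile}' does not match mount path '${want}'" >&2
    return 1
  fi
  return 0
}

# render_patch (assumed helper): print the strategic-merge patch equivalent
# to the deployment change in step 4. Strategic merge keys containers and
# volumes by name and volumeMounts by mountPath, so existing entries are kept.
render_patch() {
  cat <<EOF
{"spec":{"template":{"spec":{
  "containers":[
    {"name":"vsphere-csi-controller","volumeMounts":[{"name":"${CONFIGMAP}","mountPath":"${CA_MOUNT_PATH}","subPath":"${CA_FILE_NAME}"}]},
    {"name":"vsphere-syncer","volumeMounts":[{"name":"${CONFIGMAP}","mountPath":"${CA_MOUNT_PATH}","subPath":"${CA_FILE_NAME}"}]}
  ],
  "volumes":[{"name":"${CONFIGMAP}","configMap":{"name":"${CONFIGMAP}"}}]
}}}}
EOF
}

# apply_patch (assumed helper, needs cluster access): step 4 and step 5,
# patch the deployment and wait until the controller pods have restarted.
apply_patch() {
  kubectl patch deployment "$DEPLOYMENT" -n "$NAMESPACE" --patch "$(render_patch)"
  kubectl rollout status deployment "$DEPLOYMENT" -n "$NAMESPACE"
}

# Demo on a constructed config (not a real secret). For real use, pass the
# path of the config file extracted from vsphere-config-secret instead.
demo_cfg=$(mktemp)
printf '[Global]\ninsecure-flag = "false"\nca-file = "%s"\n' "$CA_MOUNT_PATH" > "$demo_cfg"
if check_config "$demo_cfg" "$CA_MOUNT_PATH"; then
  echo "config is consistent with the mount path; patch that apply_patch would send:"
  render_patch
fi
rm -f "$demo_cfg"
```

The first download in step 1 is fetched from a vCenter whose certificate the workstation does not yet trust, so the download itself is not verified by TLS; run show_ca on certs/lin/6355e8d1.0 and compare the fingerprint with the vSphere administrator's record before creating the config-map. Run apply_patch only after check_config passes, otherwise the controller restarts with a ca-file path it cannot open.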