Follow this procedure if you want to use a secure connection instead of using a self-signed certificate for login.
Procedure
- Download the trusted root CA certificates from vCenter Server at https://vCenter-IP-Address/certs/download.zip, extract the download.zip file containing the certificates, and create a ConfigMap from the certificate in the certs/lin directory.

    $ curl -LO https://vCenter-IP-Address/certs/download.zip
    $ unzip download.zip
    $ tree certs/
    certs/
    ├── lin
    │   ├── 6355e8d1.0
    │   └── 6355e8d1.r1
    ├── mac
    │   ├── 6355e8d1.0
    │   └── 6355e8d1.r1
    └── win
        ├── 6355e8d1.0.crt
        └── 6355e8d1.r1.crl

    3 directories, 6 files
- Create a ConfigMap for the root CA certificate.

    $ cd certs/lin
    $ kubectl create configmap vc-root-ca-cert --from-file=6355e8d1.0 --namespace=vmware-system-csi
    configmap/vc-root-ca-cert created
- Set insecure-flag to "false" in the vsphere-config-secret in the vmware-system-csi namespace, and set ca-file to the path at which the certificate will be mounted in the containers.

    [Global]
    .
    .
    insecure-flag = "false"
    ca-file = "/etc/ssl/certs/6355e8d1.0"
    .
- Mount the vc-root-ca-cert ConfigMap as a volume at the CA root location of the vsphere-syncer and vsphere-csi-controller containers in the vsphere-csi-controller pod.

The following excerpt shows the change to the vsphere-csi-controller deployment for the vsphere-csi-controller and vsphere-syncer containers.

    .
    .
    containers:
      - name: vsphere-csi-controller
        volumeMounts:
          - mountPath: /etc/ssl/certs/6355e8d1.0
            subPath: 6355e8d1.0
            name: vc-root-ca-cert
      - name: vsphere-syncer
        volumeMounts:
          - mountPath: /etc/ssl/certs/6355e8d1.0
            subPath: 6355e8d1.0
            name: vc-root-ca-cert
    .
    .
    volumes:
      - name: vc-root-ca-cert
        configMap:
          name: vc-root-ca-cert
    .
    .
- Apply the above change to the vsphere-csi-controller deployment and wait for the vSphere Container Storage Plug-in controller pods to restart.
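As an added check, not part of the vSphere CSI documentation or project code: a POSIX shell script that inspects the decoded [Global] section of the vsphere-config-secret content and reports the weak setting (insecure-flag = "true", or no ca-file) before the secret is applied. The two config files it reads are constructed inline; the key names and the ca-file path are the ones used in the procedure above.

```shell
#!/bin/sh
# Added example, not taken from the vSphere CSI documentation or project code.
# Checks the [Global] section of a vsphere-config-secret file for the weak
# setting (insecure-flag = "true") and confirms the hardened settings the
# procedure expects: insecure-flag = "false" and a ca-file path.

# Print the unquoted value of KEY from the [Global] section of FILE, or nothing.
global_value() {
    file="$1"; key="$2"
    # Track whether we are inside [Global]; match 'key = "value"' lines there.
    awk -v k="$key" '
        /^\[/ { in_global = ($0 == "[Global]"); next }
        in_global && $0 ~ ("^" k "[[:space:]]*=") {
            v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); gsub(/"/, "", v); print v; exit
        }' "$file"
}

# Return 0 when FILE enforces vCenter certificate verification (insecure-flag
# not "true" and a ca-file configured), 1 otherwise; prints the reason.
check_vsphere_conf() {
    file="$1"
    insecure=$(global_value "$file" insecure-flag)
    ca=$(global_value "$file" ca-file)
    if [ "$insecure" = "true" ]; then
        echo "WEAK: insecure-flag is true; the vCenter certificate is not verified" >&2
        return 1
    fi
    if [ -z "$ca" ]; then
        echo "WEAK: no ca-file set; point it at the mounted root CA certificate" >&2
        return 1
    fi
    echo "OK: insecure-flag=${insecure:-unset}, ca-file=$ca"
    return 0
}

# Constructed sample configs (placeholder values, no real credentials).
weak_conf=$(mktemp); hardened_conf=$(mktemp)
trap 'rm -f "$weak_conf" "$hardened_conf"' EXIT
printf '%s\n' '[Global]' 'cluster-id = "example"' 'insecure-flag = "true"' > "$weak_conf"
printf '%s\n' '[Global]' 'cluster-id = "example"' 'insecure-flag = "false"' \
    'ca-file = "/etc/ssl/certs/6355e8d1.0"' > "$hardened_conf"

check_vsphere_conf "$weak_conf" || true   # reports WEAK, returns 1
check_vsphere_conf "$hardened_conf"       # reports OK, returns 0
```

To check a live secret, decode its vsphere.conf key first (for example with `kubectl get secret vsphere-config-secret -n vmware-system-csi -o jsonpath='{.data.vsphere\.conf}' | base64 -d`) into a file and pass that file to check_vsphere_conf.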