To log in securely to vSphere with Tanzu clusters, including the Supervisor Cluster and Tanzu Kubernetes clusters, configure the vSphere Plugin for kubectl with the appropriate TLS certificate and ensure that you are running the latest edition of the plugin.
Supervisor Cluster CA Certificate
vSphere with Tanzu supports vCenter Single Sign-On for cluster access using the vSphere Plugin for kubectl command kubectl vsphere login …. To install and use this utility, see Download and Install the Kubernetes CLI Tools for vSphere.
The vSphere Plugin for kubectl defaults to secure login and requires a trusted certificate, the default being the certificate signed by the vCenter Server root CA. Although the plugin supports the --insecure-skip-tls-verify flag, for security reasons this is not recommended.
Option | Instructions |
---|---|
Download and install the vCenter Server root CA certificate on each client machine. | Refer to the VMware knowledge base article How to download and install vCenter Server root certificates. |
Replace the VIP certificate used for the Supervisor Cluster with a certificate signed by a CA each client machine trusts. | See Replace the VIP Certificate to Securely Connect to the Supervisor Cluster API Endpoint. |
Tanzu Kubernetes Cluster CA Certificate
To connect securely with the Tanzu Kubernetes cluster API server using the kubectl CLI, you need to download the Tanzu Kubernetes cluster CA certificate.
If you are using the latest edition of the vSphere Plugin for kubectl, the first time you log in to the Tanzu Kubernetes cluster, the plugin registers the Tanzu Kubernetes cluster CA certificate in your kubeconfig file. This certificate is stored in the Kubernetes secret named TANZU-KUBERNETES-CLUSTER-NAME-ca. The plugin uses this certificate to populate the CA information in the corresponding cluster's certificate authority datastore.
If you are updating vSphere with Tanzu, make sure you update to the latest version of the plugin. See Update the vSphere Plugin for kubectl.
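To confirm on a client machine that no cluster entry in kubeconfig has TLS verification turned off and that the Tanzu Kubernetes cluster CA was registered, the following added example (not part of the VMware documentation or the plugin) audits the JSON output of kubectl config view --raw -o json. The sample kubeconfig, cluster names, addresses and the placeholder certificate bytes are constructed; the status labels are this example's own.

```python
import base64, hashlib, json, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def ca_fingerprints(ca_data_b64):
    """SHA-256 of each DER certificate in a base64-encoded PEM bundle."""
    pem = base64.b64decode(ca_data_b64).decode("ascii")
    return [hashlib.sha256(base64.b64decode(b)).hexdigest() for b in PEM_RE.findall(pem)]

def audit_clusters(cfg):
    """Return (name, server, status, detail) for every cluster entry."""
    findings = []
    for entry in cfg.get("clusters") or []:
        c = entry.get("cluster") or {}
        ca_data = c.get("certificate-authority-data")
        if c.get("insecure-skip-tls-verify"):
            status, detail = "INSECURE", "server certificate is not verified"
        elif ca_data == "DATA+OMITTED":  # kubectl redacts CA data without --raw
            status, detail = "PINNED_CA", "re-run kubectl config view with --raw"
        elif ca_data:
            try:
                fps = ca_fingerprints(ca_data)
            except ValueError:  # bad base64 or non-ASCII content
                fps = []
            status = "PINNED_CA" if fps else "BAD_CA_DATA"
            detail = ",".join(fps) or "no certificate could be decoded"
        elif c.get("certificate-authority"):
            status, detail = "CA_FILE", c["certificate-authority"]
        else:
            status, detail = "SYSTEM_TRUST", "verified against the client trust store"
        findings.append((entry.get("name"), c.get("server"), status, detail))
    return findings

def sample_config():
    """Constructed kubeconfig; the 'certificate' is placeholder bytes, not real X.509."""
    der = b"constructed placeholder DER bytes"
    pem = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode()
           + "\n-----END CERTIFICATE-----\n")
    ca = base64.b64encode(pem.encode()).decode()
    return {"clusters": [
        {"name": "supervisor-example", "cluster": {"server": "https://192.0.2.10:6443"}},
        {"name": "tkc-example", "cluster": {"server": "https://192.0.2.20:6443",
                                            "certificate-authority-data": ca}},
        {"name": "lab-example", "cluster": {"server": "https://192.0.2.30:6443",
                                            "insecure-skip-tls-verify": True}},
    ]}

if __name__ == "__main__":
    # Usage: kubectl config view --raw -o json | python audit_kubeconfig.py -
    cfg = json.load(sys.stdin) if sys.argv[1:] == ["-"] else sample_config()
    for row in audit_clusters(cfg):
        print("\t".join(str(x) for x in row))
```

Each PINNED_CA fingerprint is the SHA-256 of the certificate's DER encoding, so it can be compared (ignoring colons and letter case) with the output of openssl x509 -noout -fingerprint -sha256 run on the CA certificate you expect.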