To log in securely to Tanzu Kubernetes clusters, download and install the root CA certificate for the vCenter Server and the latest edition of the vSphere Plugin for kubectl.

vCenter Server CA Certificate

vSphere with Tanzu supports vCenter Single Sign-On for cluster access using the vSphere Plugin for kubectl command kubectl vsphere login ….

To log in securely to a Tanzu Kubernetes cluster using the plugin, you need the root CA certificate for the vCenter Server, or the custom CA certificate if your vSphere administrator replaced the root CA certificate.

To download and install the vCenter Server root CA certificate, refer to the VMware knowledge base article How to download and install vCenter Server root certificates.

Tanzu Kubernetes Cluster CA Certificate

To connect securely with the Tanzu Kubernetes cluster API server using the kubectl CLI, you need the Tanzu Kubernetes cluster CA certificate.

If you are using the latest edition of the vSphere Plugin for kubectl, the first time you log in to the Tanzu Kubernetes cluster, the plugin registers the Tanzu Kubernetes cluster CA certificate in your kubeconfig file. This certificate is stored in the Kubernetes secret named TANZU-KUBERNETES-CLUSTER-NAME-ca. The plugin uses this certificate to populate the CA information in the corresponding cluster's certificate authority datastore.
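
To confirm that the kubeconfig really pins a CA for each cluster instead of skipping TLS verification, the following added example (not VMware's code) audits the JSON produced by kubectl config view --raw -o json and compares each embedded CA with a reference PEM obtained out of band. The cluster names, the reference_pems mapping, and the placeholder certificate bytes are assumptions constructed for illustration.

```python
import base64, hashlib, json, ssl

def ca_fingerprint(pem_text):
    """SHA-256 over the DER bytes of a single PEM certificate (not a bundle)."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text.strip())).hexdigest()

def audit_kubeconfig(kubeconfig_json, reference_pems):
    """Map each cluster name to a verdict on how its API server is trusted.

    reference_pems: {cluster name: CA PEM obtained out of band} (assumption).
    """
    verdicts = {}
    for entry in json.loads(kubeconfig_json).get("clusters") or []:
        name, cluster = entry["name"], entry.get("cluster") or {}
        if cluster.get("insecure-skip-tls-verify"):
            verdicts[name] = "FAIL: TLS verification disabled"
            continue
        ca_b64 = cluster.get("certificate-authority-data")
        if not ca_b64:
            verdicts[name] = "WARN: no embedded CA data"
            continue
        try:
            pem = base64.b64decode(ca_b64, validate=True).decode("ascii")
            pinned = ca_fingerprint(pem)
        except ValueError:  # bad base64, non-ASCII bytes, or missing PEM markers
            verdicts[name] = "FAIL: CA data is not a PEM certificate"
            continue
        reference = reference_pems.get(name)
        if reference is None:
            verdicts[name] = "UNVERIFIED: " + pinned
        elif ca_fingerprint(reference) == pinned:
            verdicts[name] = "OK"
        else:
            verdicts[name] = "FAIL: CA differs from reference"
    return verdicts

def demo():
    """Constructed sample: placeholder bytes wrapped as PEM, not real certificates."""
    good = ssl.DER_cert_to_PEM_cert(b"constructed-ca-bytes-A")
    other = ssl.DER_cert_to_PEM_cert(b"constructed-ca-bytes-B")
    b64 = lambda pem: base64.b64encode(pem.encode()).decode()
    kubeconfig = json.dumps({"clusters": [
        {"name": "tkc-a", "cluster": {"certificate-authority-data": b64(good)}},
        {"name": "tkc-b", "cluster": {"certificate-authority-data": b64(other)}},
        {"name": "tkc-c", "cluster": {"insecure-skip-tls-verify": True}},
        {"name": "tkc-d", "cluster": {"server": "https://192.0.2.10:6443"}},
    ]})
    return audit_kubeconfig(kubeconfig, {"tkc-a": good, "tkc-b": good})

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

An UNVERIFIED verdict carries the SHA-256 fingerprint of the pinned CA so it can be compared by hand with the certificate held by the cluster administrator.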

If you are updating vSphere with Tanzu, make sure you update to the latest version of the plugin. See Update the vSphere Plugin for kubectl.