Refer to this topic if you experience a problem adding additional trusted CA certificates to a TKG cluster.
Troubleshoot Additional Trusted CA Errors
Using either the v1alpha3 API or the v1beta1 API, you can include a trust variable which contains values for additional trusted CA certificates. The common use case is for adding a private container registry certificate to the cluster. See Integrate TKG Service Clusters with a Private Container Registry.
topology:
variables:
- name: trust
value:
additionalTrustedCAs:
- name: my-ca
apiVersion: v1 data: my-ca: # Double Base64 encoded CA certificate kind: Secret metadata: name: CLUSTER_NAME-user-trusted-ca-secret namespace: tap type: Opaque
When you add a trust.additionalTrustedCAs stanza to a TKG cluster spec, Supervisor updates the cluster nodes in a rolling update fashion. However, if you make a mistake in the trust values, the machines do not come up properly and fail to join the cluster.
ls cannot access '/var/tmp/_var_ib_containerd': No such file or directory
"default.validating.tanzukubernetescluster.run.tanzu.vmware.com" denied the request: Invalid certificate internalharbor, Error decoding PEM block for internalharbor in the TanzuKubernetesCluster spec's trust configuration
If you do not use the proper encoding, the machine nodes will not come up and you receive the above error. To fix the problem, properly encode the contents of the certificate and add that value to the secret's data map.
You can run `kubectl replace -f /tmp/kubectl-edit-2005376329.yaml` to try this update again.
