Refer to this example to provision a v1beta1 Cluster with one or more additional trusted CA certificates.

v1beta1 Example: Cluster with Additional Trusted CA Certificates

The Cluster v1beta1 API provides the trust variable for provisioning a cluster with one or more additional trusted CA certificates.
Table 1. v1beta1 API Trust Variable
Field                  Description
trust                  Section marker. Accepts no data.
additionalTrustedCAs   Section marker. Contains an array of entries, one per certificate, each identified by a name.
name                   The user-defined key in the data map of the Kubernetes secret that holds the CA certificate. The value stored under this key is the certificate in PEM format, double base64-encoded.
Note: Double base64-encoding is required. The data field of a Kubernetes Secret is itself base64-encoded, so the cluster receives the value decoded once and decodes it a second time to obtain the PEM file. If the contents are only single base64-encoded, or not encoded at all, the resulting PEM file cannot be processed.
The following example demonstrates how to reference, from a v1beta1 API Cluster specification, the data map key of the Kubernetes secret that contains the CA certificate.
#cluster-with-trusted-private-reg-cert.yaml
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  name: cluster01
  namespace: tkgs-cluster-ns
spec:
  clusterNetwork:
    services:
      cidrBlocks: ["198.52.100.0/12"]
    pods:
      cidrBlocks: ["192.101.2.0/16"]
    serviceDomain: "cluster.local"
  topology:
    class: tanzukubernetescluster
    version: v1.26.5+vmware.2-fips.1-tkg.1
    controlPlane:
      replicas: 3
    workers:
      machineDeployments:
        - class: node-pool
          name: node-pool-01
          replicas: 3
    variables:
      - name: vmClass
        value: guaranteed-medium
      - name: storageClass
        value: tkgs-storage-profile
      - name: defaultStorageClass
        value: tkgs-storage-profile
      - name: trust
        value:
          additionalTrustedCAs:
          - name: additional-ca-1
The following example demonstrates the Kubernetes secret that includes an additional trusted CA certificate.
#additional-ca-1.yaml
apiVersion: v1
data:
  additional-ca-1: TFMwdExTMUNSGlSzZ3Jaa...VVNVWkpRMEMwdExTMHRDZz09
kind: Secret
metadata:
  name: cluster01-user-trusted-ca-secret
  namespace: tkgs-cluster-ns
type: Opaque
Where:
  • The key in the secret's data map is a user-defined name (additional-ca-1 in this example) that is referenced from trust.additionalTrustedCAs in the cluster specification; the value stored under that key is the CA certificate in PEM format, double base64-encoded.
  • In the metadata section, the secret must be named CLUSTER-NAME-user-trusted-ca-secret, where CLUSTER-NAME is the name of the Cluster. This secret must be created in the same vSphere Namespace as the Cluster.
To double base64-encode the contents of the CA certificate.

Procedure: New Cluster

Complete the following procedure to include one or more additional trusted CA certificates in a new TKGS cluster.
  1. Double base64-encode the contents of a CA certificate.
  2. Create a Kubernetes secret named CLUSTER-NAME-user-trusted-ca-secret in the vSphere Namespace of the cluster, with a data map key whose value is the CA certificate in PEM format, double base64-encoded.
  3. In the cluster spec, populate the trust.additionalTrustedCAs variable with the name of the data map key.
  4. Provision the cluster as you normally would.

    See Workflow for Provisioning TKG Clusters Using Kubectl.

  5. When the cluster is successfully provisioned, the CA certificate you added is trusted by the cluster.
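The encoding, secret manifest, and sanity check from the steps above, as an added shell example that is not part of the VMware documentation. It assumes GNU coreutils base64, a CA certificate in a file passed as the first argument, and the cluster name, namespace and data map key used in the YAML earlier on this page; the certificate used in the self-check is a constructed placeholder, not a real CA.

```shell
#!/usr/bin/env bash
# Added example (not from the VMware documentation): prepare and check the
# CLUSTER-NAME-user-trusted-ca-secret for a v1beta1 Cluster.
set -eu

# Double base64-encode a PEM file. 'tr -d' strips the line wraps that
# base64 adds, so the result is a single line suitable for the data map.
double_b64() {
  base64 < "$1" | tr -d '\n' | base64 | tr -d '\n'
}

# Render the Secret manifest. Arguments: cluster name, namespace, data map
# key (the name referenced from trust.additionalTrustedCAs), PEM file.
# The secret name CLUSTER-NAME-user-trusted-ca-secret is required by TKGS.
render_secret() {
  local cluster="$1" ns="$2" key="$3" pem="$4"
  cat <<EOF
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: ${cluster}-user-trusted-ca-secret
  namespace: ${ns}
data:
  ${key}: $(double_b64 "$pem")
EOF
}

# Check a data map value the way it will be consumed: Kubernetes strips the
# outer base64 layer, the cluster strips the inner one, and a PEM
# certificate must remain. Returns 0 on success, 1 if the value is only
# single-encoded (the failure mode the note on this page warns about).
check_double_encoded() {
  local decoded
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null | base64 -d 2>/dev/null) || return 1
  case "$decoded" in
    "-----BEGIN CERTIFICATE-----"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: ./trusted-ca-secret.sh ca.crt > additional-ca-1.yaml
if [ $# -eq 1 ]; then
  value=$(double_b64 "$1")
  check_double_encoded "$value" || { echo "encoding check failed for $1" >&2; exit 1; }
  render_secret cluster01 tkgs-cluster-ns additional-ca-1 "$1"
fi
```

Because kubectl applies the outer base64 layer itself when it builds a Secret, the same result can be produced with a single encoding on the command line: `kubectl create secret generic cluster01-user-trusted-ca-secret -n tkgs-cluster-ns --from-literal=additional-ca-1="$(base64 < ca.crt | tr -d '\n')"`. The header check in check_double_encoded is deliberately minimal; `openssl x509 -noout -in` on the decoded output is the fuller test that the PEM is a parseable certificate.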

Procedure: Existing Cluster

Complete the following procedure to add one or more additional trusted CA certificates to an existing cluster.
  1. Double base64-encode the contents of a CA certificate.
  2. Create a Kubernetes secret named CLUSTER-NAME-user-trusted-ca-secret in the vSphere Namespace of the cluster, with a data map key whose value is the CA certificate in PEM format, double base64-encoded.
  3. Verify that you have configured kubectl editing.

    See Configure a Text Editor for Kubectl.

  4. Edit the Cluster resource.
    kubectl edit cluster/tkgs-cluster-name -n tkgs-cluster-ns
  5. Under spec.topology.variables, add the trust variable with an additionalTrustedCAs section.
  6. Populate additionalTrustedCAs with the name of the data map key in the secret that contains the CA certificate in PEM format, double base64-encoded.
  7. Save the changes and close the editor. kubectl confirms that the Cluster resource was updated:
    cluster.cluster.x-k8s.io/tkgs-cluster-name edited
  8. Changing the trust variable triggers a rolling update of the cluster. When the rolling update completes, the additional trusted CA certificates are added.

    See Understanding the Rolling Update Model for TKG Service Clusters.

Verify Additional Trusted CA Certificates

The additional trusted CA certificates added to the cluster are included in the kubeconfig file for the cluster.

Rotate the Certificate

To rotate a certificate, recreate the CLUSTER-NAME-user-trusted-ca-secret with a new data map key for the new certificate, and edit the cluster specification so that trust.additionalTrustedCAs references the new key. Changing the variable triggers a rolling update of the cluster.
Note: The system does not monitor changes to the CLUSTER-NAME-user-trusted-ca-secret. If the value under an existing data map key changes, the change is not reflected in the cluster. You need to add a data map key with a new name to the secret and reference that name from trust.additionalTrustedCAs.

Troubleshoot Additional Trusted CA Certificates

See Troubleshoot Additional Trusted CA Errors.

Use Cases

The most common use case is for adding an additional trusted CA for connecting to a container registry. See Integrate TKG Service Clusters with a Private Container Registry.