Refer to the example YAML to provision a TanzuKubernetesCluster using the v1alpha3 API with additional trusted CA certificates for SSL/TLS.

v1alpha3 Example: TKC with Additional Trusted CA Certificates

The cluster is customized as follows. Refer to the v1alpha3 API spec for details.
  • Additional trusted CA certificates are declared in the network.trust.additionalTrustedCAs section of the cluster specification
  • The additionalTrustedCAs field is an array of name-value pairs:
    • The name field is a user-defined string
    • The data value is the contents of the CA certificate in PEM format, base64-encoded

apiVersion: run.tanzu.vmware.com/v1alpha3
kind: TanzuKubernetesCluster
metadata:
  name: tkc-additional-trusted-cas
  namespace: tkgs-cluster-ns
spec:
  topology:
    controlPlane:
      replicas: 3
      vmClass: guaranteed-medium
      storageClass: tkgs-storage-policy
      tkr:
        reference:
          name: v1.25.7---vmware.3-fips.1-tkg.1
    nodePools:
    - name: worker
      replicas: 3
      vmClass: guaranteed-medium
      storageClass: tkgs-storage-policy
      tkr:
        reference:
          name: v1.25.7---vmware.3-fips.1-tkg.1
  settings:
    storage:
      defaultClass: tkgs-storage-policy
    network:
      trust:
        additionalTrustedCAs:
          - name: CompanyInternalCA-1
            data: LS0tLS1C...LS0tCg==
          - name: CompanyInternalCA-2
            data: MTLtMT1C...MT0tPg==
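The data field is the part of this spec that is easiest to get wrong: it must hold the base64 encoding of the whole PEM text (BEGIN/END lines included), not the raw DER certificate, and not an already-encoded value encoded a second time. The following Python script is an added example, not code from the VMware documentation or product. It builds additionalTrustedCAs items from PEM text, checks an item the way the spec describes (base64 of PEM, which in turn wraps a DER certificate), and renders the settings.network.trust fragment. The certificate body is a constructed placeholder (a five-byte DER SEQUENCE), not a real CA certificate, and the function names are my own.

```python
import base64
import binascii
import re

# Constructed placeholder, NOT a real certificate: the body decodes to a tiny
# DER SEQUENCE (30 03 02 01 01) so the structural checks below run offline.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQE=\n"
    "-----END CERTIFICATE-----\n"
)

# The same placeholder as raw DER, base64-encoded (the wrong thing to put in data).
SAMPLE_DER_B64 = "MAMCAQE="

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def build_entry(name, pem_text):
    """One additionalTrustedCAs item: name plus the base64 of the whole PEM text."""
    data = base64.b64encode(pem_text.encode("ascii")).decode("ascii")
    return {"name": name, "data": data}


def _is_text(raw):
    """True if every byte is printable ASCII or line-ending whitespace."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in raw)


def validate_entry(entry):
    """Return the problems found in one item (an empty list means it looks right)."""
    problems = []
    name = entry.get("name")
    if not isinstance(name, str) or not name.strip():
        problems.append("name must be a non-empty string")
    try:
        decoded = base64.b64decode(entry.get("data", ""), validate=True)
    except (binascii.Error, ValueError):
        return problems + ["data is not valid base64"]
    if not _is_text(decoded):
        if decoded[:1] == b"\x30":
            # X.509 DER starts with a SEQUENCE tag; the field wants PEM text.
            return problems + ["data decodes to DER; expected base64 of the PEM text"]
        return problems + ["data does not decode to PEM text"]
    blocks = PEM_BLOCK.findall(decoded.decode("ascii"))
    if not blocks:
        # Typical cause: the already-encoded data was base64-encoded again.
        return problems + ["no BEGIN/END CERTIFICATE block found (double-encoded?)"]
    for body in blocks:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("certificate body inside the PEM is not valid base64")
            continue
        if der[:1] != b"\x30":
            problems.append("certificate body is not a DER SEQUENCE")
    return problems


def render_trust_section(entries):
    """Render the spec.settings.network.trust.additionalTrustedCAs fragment as YAML."""
    lines = ["settings:", "  network:", "    trust:", "      additionalTrustedCAs:"]
    for e in entries:
        lines.append(f"        - name: {e['name']}")
        lines.append(f"          data: {e['data']}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    good = build_entry("CompanyInternalCA-1", SAMPLE_CA_PEM)
    print(render_trust_section([good]))
    print("good:", validate_entry(good))
    twice = build_entry("CompanyInternalCA-2", good["data"])  # encoded a second time
    print("double-encoded:", validate_entry(twice))
    print("DER:", validate_entry({"name": "CompanyInternalCA-3", "data": SAMPLE_DER_B64}))
```

Because the PEM header begins with five hyphens, a correctly encoded data value always starts with LS0tLS1C, which is what the example YAML above shows; a value that starts with MII is a DER certificate encoded directly and will be rejected by validate_entry. The script checks structure only; whether the certificate is actually a CA certificate and not expired is a question for openssl x509 on the decoded PEM.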

Procedure: New Cluster

Complete the following procedure to include one or more additional trusted CA certificates in a new TKGS cluster.
  1. Populate the additionalTrustedCAs field with the name and data value for one or more CA certificates.
  2. Provision the cluster as you normally would.

    See Workflow for Provisioning TKG Clusters Using Kubectl.

  3. When the cluster is successfully provisioned, the CA certificates you added are trusted by the cluster.

Procedure: Existing Cluster

Complete the following procedure to add one or more additional trusted CA certificates to an existing cluster.
  1. Verify that you have configured kubectl editing.

    See Configure a Text Editor for Kubectl.

  2. Edit the cluster spec.
    kubectl edit tanzukubernetescluster/tkgs-cluster-name
  3. Add the network.trust.additionalTrustedCAs section to the spec.
  4. Populate the additionalTrustedCAs field with the name and data value for one or more CA certificates.
  5. Save the changes in the text editor and verify that kubectl has registered the changes.
    kubectl edit tanzukubernetescluster/tkgs-cluster-name
    tanzukubernetescluster.run.tanzu.vmware.com/tkgs-cluster-name edited
  6. When a rolling update is initiated for the cluster, the additional trusted CA certificates are added.

    See Understanding the Rolling Update Model for TKG Service Clusters.

Verify Additional Trusted CA Certificates

The additional trusted CA certificates added to the cluster are included in the kubeconfig file for the cluster.
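One way to confirm this from the kubeconfig itself, as an added example that is not part of the VMware documentation: decode every certificate-authority-data value in the file, split the resulting bundle into PEM blocks, and check that the CA you added is among them. The kubeconfig and the certificates below are constructed placeholders (the certificate bodies are tiny DER SEQUENCEs, not real certificates); the function names are my own.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)

# Constructed placeholders, NOT real certificates (bodies are tiny DER SEQUENCEs).
CLUSTER_CA_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
COMPANY_CA_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"
OTHER_CA_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQM=\n-----END CERTIFICATE-----\n"

# Constructed kubeconfig fragment in the shape kubectl writes; in practice read
# the kubeconfig you obtained for the cluster. certificate-authority-data holds
# the base64 of the CA bundle, here the cluster CA followed by the added company CA.
SAMPLE_KUBECONFIG = (
    "apiVersion: v1\n"
    "kind: Config\n"
    "clusters:\n"
    "- name: tkc-additional-trusted-cas\n"
    "  cluster:\n"
    "    server: https://192.0.2.10:6443\n"
    "    certificate-authority-data: "
    + base64.b64encode((CLUSTER_CA_PEM + COMPANY_CA_PEM).encode("ascii")).decode("ascii")
    + "\n"
)


def _normalize(pem):
    """Compare certificates by content, ignoring line-wrapping differences."""
    return "".join(pem.split())


def trusted_cas_in_kubeconfig(kubeconfig_text):
    """Return every PEM certificate block found under certificate-authority-data."""
    found = []
    for m in re.finditer(r"certificate-authority-data:\s*(\S+)", kubeconfig_text):
        bundle = base64.b64decode(m.group(1)).decode("ascii")
        found.extend(PEM_BLOCK.findall(bundle))
    return found


def kubeconfig_trusts(kubeconfig_text, ca_pem):
    """True if the given CA certificate appears in the kubeconfig's CA bundle."""
    target = _normalize(ca_pem)
    return any(_normalize(block) == target
               for block in trusted_cas_in_kubeconfig(kubeconfig_text))


if __name__ == "__main__":
    import sys
    # Usage: python check_kubeconfig.py [path-to-kubeconfig]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KUBECONFIG
    print(f"{len(trusted_cas_in_kubeconfig(text))} certificate(s) in the CA bundle")
    print("company CA present:", kubeconfig_trusts(text, COMPANY_CA_PEM))
```

If a kubeconfig references its CA bundle through a certificate-authority file path rather than an inline certificate-authority-data value, read that file and pass its contents through PEM_BLOCK in the same way.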

Troubleshoot Additional Trusted CA Certificates

See Troubleshoot Additional Trusted CA Errors.

Use Cases

The most common use case is for adding an additional trusted CA for connecting to a container registry. See Integrate TKG Service Clusters with a Private Container Registry.