2021-09-02

When you deploy your Tanzu Kubernetes cluster (TKC), you may want to use your own container registry. Your own container registry may use a certificate signed by your enterprise CA. By default, all TKC nodes trust only certificates signed by public CAs. To ensure a certificate signed by your enterprise CA is trusted by the TKC, you need to update the TKG Service Configuration to include your enterprise CA. In this blog, I will show you how to do it.

Step 1: Connect to the supervisor context

root@photon-machine [ ~ ]# k config use-context k8s.cluster-1.vcenter.sddc-10-180-30-145.vmwarevmc.com
Switched to context "k8s.cluster-1.vcenter.sddc-10-180-30-145.vmwarevmc.com".

Step 2: Verify the current setting of tkgserviceconfigurations

root@photon-machine [ ~ ]# kubectl get tkgserviceconfigurations
NAME                        DEFAULT CNI
tkg-service-configuration   antrea
root@photon-machine [ ~ ]# kubectl get tkgserviceconfigurations tkg-service-configuration -o yaml
apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"run.tanzu.vmware.com/v1alpha1","kind":"TkgServiceConfiguration","metadata":{"annotations":{},"name":"tkg-service-configuration"},"spec":{"defaultCNI":"antrea"}}
  creationTimestamp: "2021-08-29T08:38:10Z"
  generation: 2
  managedFields:
  - apiVersion: run.tanzu.vmware.com/v1alpha1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:spec:
        .: {}
        f:defaultCNI: {}
    manager: kubectl-client-side-apply
    operation: Update
    time: "2021-08-29T08:38:10Z"
  - apiVersion: run.tanzu.vmware.com/v1alpha1
    fieldsType: FieldsV1
    fieldsV1:
      f:spec:
        f:trust:
          .: {}
          f:additionalTrustedCAs: {}
    manager: kubectl-edit
    operation: Update
    time: "2021-09-02T00:23:37Z"
  name: tkg-service-configuration
  resourceVersion: "2938228"
  selfLink: /apis/run.tanzu.vmware.com/v1alpha1/tkgserviceconfigurations/tkg-service-configuration
  uid: 4466e3c2-ccb1-4a36-b12a-256344ee1c4a
spec:
  defaultCNI: antrea

Step 3: Edit the tkg-service-configuration to trust an additional certificate

Please note that the certificate must be included as a base64-encoded string in the `data` field of the `additionalTrustedCAs` entry.

kubectl edit tkgserviceconfigurations tkg-service-configuration
root@photon-machine [ ~ ]# kubectl get tkgserviceconfigurations tkg-service-configuration -o yaml
apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"run.tanzu.vmware.com/v1alpha1","kind":"TkgServiceConfiguration","metadata":{"annotations":{},"name":"tkg-service-configuration"},"spec":{"defaultCNI":"antrea"}}
  creationTimestamp: "2021-08-29T08:38:10Z"
  generation: 2
  managedFields:
  - apiVersion: run.tanzu.vmware.com/v1alpha1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:spec:
        .: {}
        f:defaultCNI: {}
    manager: kubectl-client-side-apply
    operation: Update
    time: "2021-08-29T08:38:10Z"
  - apiVersion: run.tanzu.vmware.com/v1alpha1
    fieldsType: FieldsV1
    fieldsV1:
      f:spec:
        f:trust:
          .: {}
          f:additionalTrustedCAs: {}
    manager: kubectl-edit
    operation: Update
    time: "2021-09-02T00:23:37Z"
  name: tkg-service-configuration
  resourceVersion: "2938228"
  selfLink: /apis/run.tanzu.vmware.com/v1alpha1/tkgserviceconfigurations/tkg-service-configuration
  uid: 4466e3c2-ccb1-4a36-b12a-256344ee1c4a
spec:
  defaultCNI: antrea
  trust:
    additionalTrustedCAs:
    - data: 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
      name: harbor-ca

When you create a new cluster, your enterprise CA certificate will be trusted automatically on all the Kubernetes nodes of that cluster.

Reference:

Configuration Parameters for the Tanzu Kubernetes Grid Service