Making TMC Managed Kapp Controller Trust Your Private CA

Problem Statement

Many environments have an internal image registry, such as Harbor, whose TLS certificate is signed by a private CA.
When trying to add a package repository to an attached cluster in TMC from a registry with a private CA, the operation fails with an x509 certificate validation error.

Solution

TMC deploys kapp-controller into any attached cluster that does not already have it installed, in a namespace called tanzu-system. To solve the certificate issue we connect to each cluster and update the kapp-controller config secret with the CA certificate we want to trust.

Retrieve the secret

The first step is to retrieve the secret from the cluster:

kubectl get secret -n tanzu-system kapp-controller-config -o yaml > kc-config.yaml

The value we receive will look like:

apiVersion: v1
kind: Secret
metadata:
  annotations:
    tanzu.vmware.com/owner: tmc
  creationTimestamp: "2023-02-15T11:37:12Z"
  name: kapp-controller-config
  namespace: tanzu-system
  resourceVersion: "5229"
  uid: a9fce43b-3c10-491a-b483-97f69990e127
type: Opaque

Prepare the certificate data

Here we assume you have the PEM certificate chain in a file called chain.crt.

export CA_DATA=`cat chain.crt | base64 -w 0`

Update the secret yaml from before

We now need to append the relevant config to the secret yaml:

cat << EOF >> kc-config.yaml
data:
  dangerousSkipTLSVerify: ""
  httpProxy: ""
  httpsProxy: ""
  noProxy: ""
  caCerts: ${CA_DATA}
EOF

The final file will look like:

apiVersion: v1
kind: Secret
metadata:
  annotations:
    tanzu.vmware.com/owner: tmc
  creationTimestamp: "2023-02-15T11:37:12Z"
  name: kapp-controller-config
  namespace: tanzu-system
  resourceVersion: "5229"
  uid: a9fce43b-3c10-491a-b483-97f69990e127
type: Opaque
data:
  dangerousSkipTLSVerify: ""
  httpProxy: ""
  httpsProxy: ""
  noProxy: ""
  caCerts: LS0tLS1CRUd.........

Final preparation step

We need to remove the resourceVersion field from this yaml file, since the server-assigned version would otherwise cause a conflict when we apply it. We can do this with:

sed -i '/resourceVersion/d' kc-config.yaml

Apply the change

We can now apply the change:

kubectl apply -f kc-config.yaml
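The whole procedure above gathered into one small script, as an added example that is not from the original post, TMC or kapp-controller. It assumes the exported secret yaml and a PEM chain file as inputs, refuses a chain file that contains no certificate block, drops resourceVersion, and can decode caCerts back out of the prepared (or re-fetched) manifest so you can confirm what was actually stored.

```shell
#!/usr/bin/env bash
# Added helper (not from the original post, TMC or kapp-controller): builds
# the patched kapp-controller-config manifest and lets you verify caCerts.
set -eu

# encode_chain FILE -> single-line base64 of the PEM chain; refuses a file
# with no certificate block so an empty or wrong file never reaches the cluster
encode_chain() {
  if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
    echo "error: $1 contains no PEM certificate" >&2
    return 1
  fi
  # 'base64 | tr' is portable; GNU 'base64 -w 0' gives the same result
  base64 < "$1" | tr -d '\n'
}

# render_data_block FILE -> the data stanza the post appends to kc-config.yaml
render_data_block() {
  local ca_data
  ca_data="$(encode_chain "$1")"
  cat <<EOF
data:
  dangerousSkipTLSVerify: ""
  httpProxy: ""
  httpsProxy: ""
  noProxy: ""
  caCerts: ${ca_data}
EOF
}

# prepare_manifest SECRET_YAML CHAIN_FILE -> complete manifest on stdout, with
# the server-assigned resourceVersion dropped so kubectl apply cannot conflict
prepare_manifest() {
  sed '/resourceVersion/d' "$1"
  render_data_block "$2"
}

# decode_ca_certs YAML -> the PEM stored under caCerts; run it on the prepared
# file, or on 'kubectl get secret -n tanzu-system kapp-controller-config -o yaml'
decode_ca_certs() {
  sed -n 's/^  caCerts: //p' "$1" | base64 -d
}

# Usage: ./kc-config.sh kc-config.yaml chain.crt > kc-config-patched.yaml
if [ "$#" -eq 2 ]; then
  prepare_manifest "$1" "$2"
fi
```

After `kubectl apply`, re-export the secret and run decode_ca_certs on it to confirm the cluster holds exactly the chain you intended to trust.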

Summary

This is a relatively easy task. Hopefully in the future this will be available out of the box in TMC, but for now it is a simple way to get started.
