Problem Statement
Many environments run an internal image registry, such as Harbor, whose TLS certificate is signed by a private CA.
When you try to add a package repository to a TMC-attached cluster from such a registry, the operation fails with an x509 certificate validation error, because the component pulling the repository does not trust the private CA.
Solution
TMC deploys kapp-controller into any attached cluster that does not already have it installed, in a namespace called tanzu-system. kapp-controller reads its configuration, including the CA certificates it trusts, from the kapp-controller-config secret in that namespace. To solve the certificate issue we connect to each affected cluster and add the CA certificate we want to trust to that secret.
Retrieve the secret
The first step is to retrieve the secret from the cluster
kubectl get secret -n tanzu-system kapp-controller-config -o yaml > kc-config.yaml
The secret we receive looks like the following; note that it has no data section yet:
apiVersion: v1
kind: Secret
metadata:
  annotations:
    tanzu.vmware.com/owner: tmc
  creationTimestamp: "2023-02-15T11:37:12Z"
  name: kapp-controller-config
  namespace: tanzu-system
  resourceVersion: "5229"
  uid: a9fce43b-3c10-491a-b483-97f69990e127
type: Opaque
Prepare the certificate data
Here we assume you have the CA chain, in PEM format, in a file called chain.crt. Include the root CA and any intermediates that signed the registry certificate; each one is its own -----BEGIN CERTIFICATE----- block in the same file. The secret stores the bundle base64-encoded, so encode it on a single line:
export CA_DATA=$(base64 -w 0 chain.crt)
Update the secret yaml from before
We now append the data section to the secret yaml. The only key we actually populate is caCerts. dangerousSkipTLSVerify is a comma-separated list of hostnames for which kapp-controller skips TLS verification; leave it empty. Trusting the CA is the fix, whereas skipping verification would let anyone who can intercept traffic to the registry serve a different repository.
cat << EOF >> kc-config.yaml
data:
  dangerousSkipTLSVerify: ""
  httpProxy: ""
  httpsProxy: ""
  noProxy: ""
  caCerts: ${CA_DATA}
EOF
The final file will look like:
apiVersion: v1
kind: Secret
metadata:
  annotations:
    tanzu.vmware.com/owner: tmc
  creationTimestamp: "2023-02-15T11:37:12Z"
  name: kapp-controller-config
  namespace: tanzu-system
  resourceVersion: "5229"
  uid: a9fce43b-3c10-491a-b483-97f69990e127
type: Opaque
data:
  dangerousSkipTLSVerify: ""
  httpProxy: ""
  httpsProxy: ""
  noProxy: ""
  caCerts: LS0tLS1CRUd.........
Final preparation step
resourceVersion is the API server's optimistic-concurrency token; leaving a stale one in the manifest makes kubectl apply fail with a conflict. Remove it from the file:
sed -i '/resourceVersion/d' kc-config.yaml
Apply the change
We can now apply the change:
kubectl apply -f kc-config.yaml
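The whole procedure above collapsed into one script, as an added example that is not part of the original post. It uses kubectl patch with a JSON merge patch instead of the get/edit/apply round trip, so resourceVersion never has to be stripped, checks the bundle before it is uploaded, and reads the stored value back afterwards to confirm what the cluster now trusts. The namespace tanzu-system and the secret name kapp-controller-config come from the post; the chain.crt file name, the NS and SECRET environment overrides, and the function names are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumed names: namespace
# tanzu-system, secret kapp-controller-config, CA bundle passed as $1
# (e.g. chain.crt). Override the first two with NS and SECRET.
set -euo pipefail

NS="${NS:-tanzu-system}"
SECRET="${SECRET:-kapp-controller-config}"

# Count PEM certificate blocks. 0 means we were handed the wrong file
# (a key, a DER blob, an empty file) and must not touch the cluster.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Refuse bundles that carry private key material: anything we put in this
# secret is readable by everyone who can read kapp-controller's config.
pem_is_clean() {
  ! grep -q -- 'PRIVATE KEY' "$1"
}

# Single-line base64, without GNU's -w 0 (absent on BSD/macOS base64).
encode_ca() {
  base64 < "$1" | tr -d '\n'
}

# Build the merge patch. dangerousSkipTLSVerify is set to empty explicitly so
# that any hostname added there as an earlier "quick fix" is cleared at the
# same time the CA is installed; verification must stay on for every host.
make_patch() {
  printf '{"data":{"caCerts":"%s","dangerousSkipTLSVerify":""}}' "$(encode_ca "$1")"
}

apply_patch() {
  local pem="$1" n
  n=$(pem_cert_count "$pem")
  [ "$n" -ge 1 ] || { echo "error: no certificates found in $pem" >&2; return 1; }
  pem_is_clean "$pem" || { echo "error: $pem contains private key material" >&2; return 1; }
  echo "patching $NS/$SECRET with $n certificate(s) from $pem"
  kubectl patch secret "$SECRET" -n "$NS" --type merge -p "$(make_patch "$pem")"
}

# Read the trusted bundle back out of the cluster and compare it byte for
# byte with the file we intended to install.
verify_applied() {
  local pem="$1"
  kubectl get secret "$SECRET" -n "$NS" -o jsonpath='{.data.caCerts}' \
    | base64 -d | cmp -s - "$pem"
}

# Usage: ./kc-trust-ca.sh chain.crt
if [ "$#" -gt 0 ]; then
  apply_patch "$1"
  verify_applied "$1" && echo "cluster now trusts the bundle in $1"
fi
```

The pre-upload checks are deliberately strict: a bundle with zero certificates or with a stray private key is rejected before any kubectl call, and the final cmp proves the secret holds exactly the file you reviewed rather than whatever a shell quoting mistake produced.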
Summary
This is a relatively simple task. The secret is per cluster, so repeat it on every attached cluster that pulls from the registry. Hopefully TMC will offer this out of the box in the future, but for now it is an easy way to get started.