I am unable to reconcile the tanzu-standard repo due to a certificate error. How can I import or trust the authority for the Harbor host to overcome this issue?
I believe this can be solved by adding the root CAs to the kapp-controller pods.
Generate a ca-certificates.crt file with the contents of all CAs to be trusted.
rm -f ca-certificates.crt
cat rootCA.crt >> ca-certificates.crt
# Repeat for all trusted CAs
Load the certificate bundle into Kubernetes and update the kapp-controller deployment to include it in all pods.
kubectl create -n tkg-system configmap kapp-controller-ca-certificates --from-file=ca-certificates.crt
cat <<EOF | kubectl patch -n tkg-system deployment/kapp-controller --patch-file=/dev/stdin
spec:
  template:
    spec:
      containers:
      - name: kapp-controller
        volumeMounts:
        - mountPath: /etc/ssl/certs/ca-certificates.crt
          subPath: ca-certificates.crt
          name: ca-certificates
          readOnly: true
      volumes:
      - configMap:
          name: kapp-controller-ca-certificates
        name: ca-certificates
EOF
The kapp-controller pods will restart with the new configuration and should start working. You can follow the kapp-controller logs for more details.
kubectl -n tkg-system logs -f deployment/kapp-controller
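An added example, not part of the original answer: a guarded replacement for the `cat rootCA.crt >> ca-certificates.crt` step. The patch mounts the ConfigMap over /etc/ssl/certs/ca-certificates.crt, so the bundle becomes the only trust store the pod sees and must list every CA kapp-controller needs. The function name `build_ca_bundle` and the sample file names in the comments are assumptions.

```shell
#!/bin/sh
# build_ca_bundle OUT IN...  (hypothetical helper, not part of kapp-controller)
# Concatenates PEM CA files into OUT and prints how many certificates it wrote.
# Guards against three failure modes of plain `cat a.crt >> bundle`:
#   - an input without a trailing newline fuses END/BEGIN markers together
#   - an input that is not a certificate (wrong file, DER, truncated copy)
#   - a private key slipping into a ConfigMap, which is not a secret store
build_ca_bundle() {
    out=$1; shift
    tmp=$(mktemp) || return 1
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f" >&2; rm -f "$tmp"; return 1
        fi
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "$f contains a private key, refusing" >&2
            rm -f "$tmp"; return 1
        fi
        begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$f" || true)
        ends=$(grep -c -e '^-----END CERTIFICATE-----' "$f" || true)
        if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
            echo "$f: no certificate or unbalanced PEM markers" >&2
            rm -f "$tmp"; return 1
        fi
        # Drop CRs from Windows exports, keep only the PEM blocks, and let
        # awk terminate every line so adjacent certificates never fuse.
        tr -d '\r' < "$f" | awk '
            /^-----BEGIN CERTIFICATE-----/ { keep = 1 }
            keep                           { print }
            /^-----END CERTIFICATE-----/   { keep = 0 }' >> "$tmp"
    done
    # Only replace OUT once every input has passed the checks.
    mv "$tmp" "$out"
    grep -c -e '^-----BEGIN CERTIFICATE-----' "$out"
}

# Usage (paths are assumptions; the first input is the workstation's public
# bundle, included only if kapp-controller must also reach public registries):
#   build_ca_bundle ca-certificates.crt /etc/ssl/certs/ca-certificates.crt rootCA.crt
```

The printed count should equal the number of CAs you intended to trust; a lower number means an input was skipped or malformed.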
