This page describes how to update the reference to the vCenter CA certificate if it has changed, as your running admin cluster and user clusters must be informed of the change. This affects the vCenter.caCertPath
field in the admin cluster configuration file and the user cluster configuration files for Google Distributed Cloud.
You can update the certificate references with the gkectl update
command as described here.
Update the referenced vCenter CA certificate in the cluster configuration files
To update the running admin and user clusters to use the new certificate:
Retrieve the new vCenter CA certificate and extract it:
curl -o certs.zip https://VCENTER_IP_ADDRESS_OR_FQDN/certs/download.zip unzip certs.zip
You can use the
-k
flag if you want to allow unknown certificates. This is to avoid any certificate issues you may have accessing vCenter.Determine which of the vCenter certificates is valid. Only one of the Linux certificate files in the extracted
..../certs/lin
folder is the valid vCenter certificate. To determine which file is the valid vCenter certificate, do the following:Set the following environment variables from the Admin Workstation where
govc
is already installed. If not already done, download and install govc tool:export GOVC_URL=https://VCENTER_IP_ADDRESS_OR_FQDN export GOVC_USERNAME=VCENTER_USERNAME export GOVC_PASSWORD=VCENTER_PASSWORD export GOVC_TLS_CA_CERTS=FULL_PATH_OF_EXTRACTED_LIN_FILE export GOVC_INSECURE=false
Replace the following:
VCENTER_IP_ADDRESS_OR_FQDN
: the IP address or FQDN of the vCenter Server.VCENTER_USERNAME
: the username of the vCenter Server.VCENTER_PASSWORD
: the password for the specified username.FULL_PATH_OF_EXTRACTED_LIN_FILE
: the full path to the Linux certificate file for which you are conducting a validity test.
To verify that the vCenter certificate is valid, run the
govc about
command:govc about
If the vCenter certificate is valid, the
govc about
command prints details about the vCenter Server similar to the following:FullName: VMware Center Server 7.0.3 build-24322018 Name: VMware Center Server Vendor: VMware, Inc. Version: 7.0.3 Build: 24322018 OS type: linux-x64 API type: VirtualCenter API version: 7.0.3.0 Product ID: vpx UUID: 475fa366-faa9-43f0-9417-e6dadc55514c
If the certificate is invalid, you should see an
x509
error. If you see anx509
error, update theFULL_PATH_OF_EXTRACTED_LIN_FILE
environment variable to point at a different Linux certificate file in the extracted..../certs/lin
folder, and then run thegovc about
command again. Repeat steps a. and b. until you locate the valid certificate, or until you are done testing each of the Linux certificate files in the extracted..../certs/lin
folder.
To backup the old vCenter CA certificate file (which is at the path specified in the
vCenter.caCertPath
field of your admin cluster configuration file), rename it tovcenter-ca-cert.pem.old
.Rename the new valid certificate file in the
..../certs/lin
folder tovcenter-ca-cert.pem
and then move it to the path specified in thevCenter.caCertPath
field of your admin cluster configuration file.Update your admin cluster:
gkectl update admin --config ADMIN_CLUSTER_CONFIG --kubeconfig ADMIN_CLUSTER_KUBECONFIG
Replace the following:
ADMIN_CLUSTER_CONFIG
: the path of your admin cluster configuration file.
After the update command completes, the admin cluster will use the new certificate.
Verify that the admin cluster is healthy:
gkectl diagnose cluster --kubeconfig ADMIN_CLUSTER_KUBECONFIG
For more information, see Diagnose an admin cluster.
In each of your user cluster configuration files, set
vCenter.caCertPath
to the path of your newvcenter-ca-cert.pem
file.For each of your user clusters, run the
gkectl update
command:gkectl update cluster --config USER_CLUSTER_CONFIG --kubeconfig ADMIN_CLUSTER_KUBECONFIG
Replace the following:
USER_CLUSTER_CONFIG
: the path of your user cluster configuration file.
After the update command completes for a particular user cluster, the cluster will use the new certificate.
Verify that the user cluster is healthy:
gkectl diagnose cluster --kubeconfig ADMIN_CLUSTER_KUBECONFIG \ --cluster-name USER_CLUSTER_NAME
For more information, see Diagnose a user cluster.