This page describes how to update the reference to the vCenter CA certificate if it has changed, as your running admin cluster and user clusters must be informed of the change. This affects the vCenter.caCertPath field in the admin cluster configuration file and the user cluster configuration files for Google Distributed Cloud.
You can update the certificate references with the gkectl update command as described here.
Update the referenced vCenter CA certificate in the cluster configuration files
To update the running admin and user clusters to use the new certificate:
Retrieve the new vCenter CA certificate and extract it:
curl -o certs.zip https://VCENTER_IP_ADDRESS_OR_FQDN/certs/download.zip unzip certs.zip
You can use the
-kflag if you want to allow unknown certificates. This is to avoid any certificate issues you may have accessing vCenter.Determine which of the vCenter certificates is valid. Only one of the Linux certificate files in the extracted
..../certs/linfolder is the valid vCenter certificate. To determine which file is the valid vCenter certificate, do the following:Set the following environment variables from the Admin Workstation where
govcis already installed. If not already done, download and install govc tool:export GOVC_URL=https://VCENTER_IP_ADDRESS_OR_FQDN export GOVC_USERNAME=VCENTER_USERNAME export GOVC_PASSWORD=VCENTER_PASSWORD export GOVC_TLS_CA_CERTS=FULL_PATH_OF_EXTRACTED_LIN_FILE export GOVC_INSECURE=false
Replace the following:
VCENTER_IP_ADDRESS_OR_FQDN: the IP address or FQDN of the vCenter Server.VCENTER_USERNAME: the username of the vCenter Server.VCENTER_PASSWORD: the password for the specified username.FULL_PATH_OF_EXTRACTED_LIN_FILE: the full path to the Linux certificate file for which you are conducting a validity test.
To verify that the vCenter certificate is valid, run the
govc aboutcommand:govc about
If the vCenter certificate is valid, the
govc aboutcommand prints details about the vCenter Server similar to the following:FullName: VMware Center Server 7.0.3 build-24322018 Name: VMware Center Server Vendor: VMware, Inc. Version: 7.0.3 Build: 24322018 OS type: linux-x64 API type: VirtualCenter API version: 7.0.3.0 Product ID: vpx UUID: 475fa366-faa9-43f0-9417-e6dadc55514cIf the certificate is invalid, you should see an
x509error. If you see anx509error, update theFULL_PATH_OF_EXTRACTED_LIN_FILEenvironment variable to point at a different Linux certificate file in the extracted..../certs/linfolder, and then run thegovc aboutcommand again. Repeat steps a. and b. until you locate the valid certificate, or until you are done testing each of the Linux certificate files in the extracted..../certs/linfolder.
To backup the old vCenter CA certificate file (which is at the path specified in the
vCenter.caCertPathfield of your admin cluster configuration file), rename it tovcenter-ca-cert.pem.old.Rename the new valid certificate file in the
..../certs/linfolder tovcenter-ca-cert.pemand then move it to the path specified in thevCenter.caCertPathfield of your admin cluster configuration file.Update your admin cluster:
gkectl update admin --config ADMIN_CLUSTER_CONFIG --kubeconfig ADMIN_CLUSTER_KUBECONFIG
Replace the following:
ADMIN_CLUSTER_CONFIG: the path of your admin cluster configuration file.
After the update command completes, the admin cluster will use the new certificate.
Verify that the admin cluster is healthy:
gkectl diagnose cluster --kubeconfig ADMIN_CLUSTER_KUBECONFIG
For more information, see Diagnose an admin cluster.
In each of your user cluster configuration files, set
vCenter.caCertPathto the path of your newvcenter-ca-cert.pemfile.For each of your user clusters, run the
gkectl updatecommand:gkectl update cluster --config USER_CLUSTER_CONFIG --kubeconfig ADMIN_CLUSTER_KUBECONFIG
Replace the following:
USER_CLUSTER_CONFIG: the path of your user cluster configuration file.
After the update command completes for a particular user cluster, the cluster will use the new certificate.
Verify that the user cluster is healthy:
gkectl diagnose cluster --kubeconfig ADMIN_CLUSTER_KUBECONFIG \ --cluster-name USER_CLUSTER_NAME
For more information, see Diagnose a user cluster.