To log in securely to Supervisor and TKG Service clusters, configure the vSphere Plugin for kubectl with the appropriate TLS certificate and ensure that you are running the latest edition of the plugin.

Supervisor CA Certificate

The vSphere IaaS control plane supports vCenter Single Sign-On for cluster access using the vSphere Plugin for kubectl command kubectl vsphere login ….

The vSphere Plugin for kubectl defaults to secure login and requires a trusted certificate, the default being the certificate signed by the vCenter Server root CA. Although the plugin supports the --insecure-skip-tls-verify flag, for security reasons this is not recommended.

To securely log in to the Supervisor and TKG Service clusters using the vSphere Plugin for kubectl, you have two options:
  1. Download and install the vCenter Server root CA certificate on each client machine.

    For Linux, see the section below: Download the Trusted Root CA Certificates for vCenter and Install Them on an Ubuntu Client.

    For Windows and Mac, refer to the VMware knowledge base article: How to download and install vCenter Server root certificates.

  2. Replace the VIP certificate used for the Supervisor with a certificate signed by a CA that each client machine trusts.

    See Installing and Configuring vSphere IaaS Control Plane.

Note: For more information on vSphere authentication, including vCenter Single Sign-On, managing and rotating vCenter Server certificates, and troubleshooting, refer to the vSphere Authentication documentation.

TKG Cluster CA Certificate

To connect securely with the TKG cluster API server using the kubectl CLI, you need to download the TKG cluster CA certificate.

If you are using the latest edition of the vSphere Plugin for kubectl, the first time you log in to the TKG cluster, the plugin registers the TKG cluster CA certificate in the kubeconfig file. This certificate is also stored in the Kubernetes secret named TANZU-KUBERNETES-CLUSTER-NAME-ca. The plugin uses the certificate to populate the CA information in the corresponding cluster's certificate authority datastore.

If you have updated Supervisor, make sure you update to the latest version of the plugin.

Download the Trusted Root CA Certificates for vCenter and Install Them on an Ubuntu Client

Follow this procedure to download the trusted root CA certificates for vCenter Server and install them on an Ubuntu client so that you can securely log in to Supervisor and TKG Service clusters using the vSphere Plugin for kubectl.
  1. Install the vSphere Plugin for kubectl. See Install the Kubernetes CLI Tools for vSphere.
  2. Download the trusted root CA certificates for vCenter Server where Workload Management is enabled.
    wget https://VC-IP-or_FQDN/certs/download.zip --no-check-certificate
  3. Extract the contents of the download.zip file to the current directory.
    unzip download.zip -d .
  4. Change to the Linux certificate directory that was extracted under the current directory.
    cd certs/lin
  5. List (ls) the CA certificates in the certs/lin directory.

    You should see two certificates in PEM form: *.0 and *.r1. A PEM-formatted certificate is base64-encoded text that starts with -----BEGIN CERTIFICATE-----.

  6. Append the *.crt extension to the certificate files. For example:
    cp dbad4059.0 dbad4059.0.crt
    cp dbad4059.r1 dbad4059.r1.crt
  7. Copy the files to the OpenSSL certificate directory in /etc/ssl/certs.
    sudo cp dbad4059.0.crt /etc/ssl/certs
    sudo cp dbad4059.r1.crt /etc/ssl/certs
  8. Securely log in to Supervisor.
    kubectl vsphere login --server=IP-or-FQDN --vsphere-username USERNAME
  9. Securely log in to the TKG Service cluster.
    kubectl vsphere login --server=IP-or-FQDN --vsphere-username USERNAME --tanzu-kubernetes-cluster-name CLUSTER-NAME --tanzu-kubernetes-cluster-namespace VSPHERE-NS
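The same procedure as a script, added here as an example rather than taken from the VMware documentation: it wraps steps 2 through 7 in functions, refuses to install a file that is not PEM-armoured (a download that returned an error page instead of a certificate), and then confirms that the vCenter endpoint verifies against the installed root without any insecure flag. The script name, the vCenter FQDN argument and the work directory are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the VMware documentation: steps 2-7 of the
# procedure above as reusable functions, plus a post-install check.
# VC-FQDN, the work directory and the trust directory are assumptions.
set -eu

# PEM data sits between "-----BEGIN X-----" and "-----END X-----" armour.
# Checking the first line before copying guards against installing an
# HTML error page or a truncated download into the system trust store.
is_pem() {
  head -n 1 "$1" | grep -Eq '^-----BEGIN [A-Z0-9 ]+-----$'
}

# Steps 6-7: copy each *.0 / *.r1 file from an extracted certs/lin
# directory into the trust directory with .crt appended. Prints the count.
install_vc_root_certs() {
  local src="$1" dest="${2:-/etc/ssl/certs}" n=0 f
  for f in "$src"/*.0 "$src"/*.r1; do
    [ -e "$f" ] || continue
    if ! is_pem "$f"; then
      echo "skipping $f: not PEM-armoured" >&2
      continue
    fi
    cp "$f" "$dest/$(basename "$f").crt"
    n=$((n + 1))
  done
  echo "$n"
}

# Steps 2-3. --no-check-certificate is unavoidable only here: the root
# CA being fetched is not trusted yet. Prints the extracted lin directory.
fetch_vc_certs() {
  wget -q "https://$1/certs/download.zip" --no-check-certificate -O "$2/download.zip"
  unzip -q "$2/download.zip" -d "$2"
  echo "$2/certs/lin"
}

# After install, the vCenter endpoint must verify against the installed
# root alone, with no --insecure-skip-tls-verify anywhere.
verify_vc_trust() {
  openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}

if [ -n "${1:-}" ]; then   # usage: sudo ./vc-certs.sh VC-FQDN
  lin="$(fetch_vc_certs "$1" "$(mktemp -d)")"
  install_vc_root_certs "$lin" /etc/ssl/certs >/dev/null
  for ca in "$lin"/*.0; do
    verify_vc_trust "$1" "/etc/ssl/certs/$(basename "$ca").crt" && echo "$1 chains to $(basename "$ca").crt"
  done
fi
```

Run it once with sudo and the vCenter FQDN; afterwards kubectl vsphere login to Supervisor and the TKG cluster should succeed with the plugin's default secure verification.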