Update vCenter CA certificate references

This page describes how to update the reference to the vCenter CA certificate after the certificate has changed. Your running admin cluster and user clusters must be informed of the change. The change affects the vCenter.caCertPath field in the admin cluster configuration file and in the user cluster configuration files for GKE on VMware.

You can update the certificate references with the gkectl update command as described here.

Update the referenced vCenter CA certificate in the cluster configuration files

To update the running admin and user clusters to use the new certificate:

  1. Retrieve the new vCenter CA certificate and unzip it:

    curl -o certs.zip https://VCENTER_IP_ADDRESS/certs/download.zip
    unzip certs.zip
    

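    You can use the -k flag if you want to allow unknown certificates, which avoids certificate errors when you access vCenter. With -k, curl does not verify the server's certificate, so check the downloaded certificate against a fingerprint from a trusted source before you use it.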

  2. Save the Linux certificate to a file named vcenter-ca.pem.

  3. In your admin cluster configuration file, set vCenter.caCertPath to the path of your new vcenter-ca.pem file.

  4. Update your admin cluster:

    gkectl update admin --config ADMIN_CLUSTER_CONFIG --kubeconfig ADMIN_CLUSTER_KUBECONFIG
    

    Replace:

    • ADMIN_CLUSTER_CONFIG with the path of your admin cluster configuration file.

    • ADMIN_CLUSTER_KUBECONFIG with the path of your admin cluster kubeconfig file.

    After the update command completes, the admin cluster will use the new certificate.

  5. Verify that the admin cluster is healthy:

    gkectl diagnose cluster --kubeconfig ADMIN_CLUSTER_KUBECONFIG
    

    For more information, see Diagnose an admin cluster.

  6. In each of your user cluster configuration files, set vCenter.caCertPath to the path of your new vcenter-ca.pem file.

  7. For each of your user clusters, run the gkectl update command:

    gkectl update cluster --config USER_CLUSTER_CONFIG --kubeconfig ADMIN_CLUSTER_KUBECONFIG

    Replace:

    • USER_CLUSTER_CONFIG with the path of your user cluster configuration file.

    After the update command completes for a particular user cluster, the cluster will use the new certificate.

  8. Verify that the user cluster is healthy:

    gkectl diagnose cluster --kubeconfig ADMIN_CLUSTER_KUBECONFIG \
      --cluster-name USER_CLUSTER_NAME
    

    For more information, see Diagnose a user cluster.
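
The following check is an added example, not part of the original procedure or of gkectl: it saves the Linux certificate from step 2 as vcenter-ca.pem only if its SHA-256 fingerprint matches one obtained over a trusted channel, which matters when the bundle was downloaded with -k. It assumes the unzipped bundle keeps its certificates as certs/lin/*.0 files; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not gkectl or vCenter tooling): keep a downloaded vCenter CA
# only if its SHA-256 fingerprint matches one obtained over a trusted channel.

# Print the lowercase hex SHA-256 of the DER body of the first PEM certificate
# in file $1. This is the digest `openssl x509 -noout -fingerprint -sha256`
# reports, without the colons and in lower case.
pem_sha256() {
  awk '/-----BEGIN CERTIFICATE-----/ { on = 1; next }
       /-----END CERTIFICATE-----/   { exit }
       on' "$1" | tr -d ' \r\n' | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Normalise an operator-supplied fingerprint: strip colons, lower-case hex.
norm_fp() { printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'; }

# save_vcenter_ca BUNDLE_DIR EXPECTED_SHA256 [OUT_FILE]
# Assumption: `unzip certs.zip` left the Linux-format CA certificates in
# BUNDLE_DIR/certs/lin/ as <hash>.0 files (the .r0 files there are CRLs).
save_vcenter_ca() {
  local dir want out f got
  dir=$1
  want=$(norm_fp "$2")
  out=${3:-vcenter-ca.pem}
  for f in "$dir"/certs/lin/*.0; do
    # Skip an unmatched glob and files that hold no PEM certificate.
    [ -f "$f" ] || continue
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || continue
    got=$(pem_sha256 "$f")
    if [ "$got" = "$want" ]; then
      cp -- "$f" "$out"
      echo "saved $f as $out (sha256 $got)"
      return 0
    fi
    echo "skipping $f: sha256 $got does not match" >&2
  done
  echo "no certificate under $dir/certs/lin matches the expected fingerprint" >&2
  return 1
}

# Usage, after step 1, from the directory where certs.zip was unzipped:
#   save_vcenter_ca . EXPECTED_SHA256 vcenter-ca.pem
```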