Tanzu CLI – x509: certificate signed by unknown authority

The Tanzu CLI is a pretty powerful cli interface for your Tanzu Kubernetes Clusters. It provides features like

  • Bootstrapping the Tanzu Kubernetes Management Cluster
  • Create/Operate/Delete Tanzu Kubernetes Cluster (on Azure/AWS/vSphere)
  • Install tanzu packages (formerly known as TKG Extensions) like cert-manager, contour, harbor, … into your K8s Cluster

The Tanzu CLI itself is build in a modular way. It’s features are coming in the form of plugins for the cli. For instance, if you only want to only install tanzu packages into your existing clusters, you could install the package plugin.
You can download the latest Tanzu CLI Bundle (currently v1.5.1) from the VMware Customer Connect portal for the distribution of your choice (Linux/Mac/Windows).

The Issue

As this works like a charm on linux based systems, there is also Windows out there … =D
Recently I had a customer who wanted to run the cli from a windows client. And here, we ran straight into a certificate issue while trying to install some plugins. At first we suspected the Proxy Server, but I could easyly rebuild it at home.

C:\Users\vRaccoon>tanzu plugin sync
Checking for required plugins...
unable to list plugin from discovery 'default': error while processing package: failed to get resource files from discovery: Checking if image is bundle: Fetching image: Get "https://projects.registry.vmware.com/v2/": x509: certificate signed by unknown authority
All required plugins are already installed and up-to-date
✔  Done

The potential solution

There is a very similar looking issue documented in the Tanzu Community docs
It basically says, you should add the following to the file %USERPROFILE%\.config\tanzu\tkg\config.yaml

release:
    version: ""
TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY: true

Although it helped some people, it hasn’t fixed for me.

The potential workaround (tanzu cli offline install)

Since the previous solution didn’t work for me, I had to find another one. This is where Scott Rosenberg gave me the decisive tip –> There is an offline way to install the plugins:

  1. Download the VMware Tanzu CLI for Windows
  2. Unzip tanzu-cli-bundle-windows-amd64.zip
  3. Copy .\tanzu-cli-bundle-windows-amd64\cli\core\v0.11.1\tanzu-core-windows_amd64.exe to “C:\Program Files\tanzu\tanzu.exe” (or whatever path you like)
  4. Press Win+R to open Run
  5. Enter sysdm.cpl and navigate to Advanced –> Environment Variables
  6. Modify the PATH variable (either in user or system space) and add the directory where you put the tanzu.exe in step 3.

So far, it’s basically following the official documentation. The next step would be installing the plugins, which might fail with the x509 error. As cool as it is to download the latest and greatest versions fully automated with a one-liner, there is also an offline method.
You might have noticed a few more files within the previously download tanzu cli bundle. Besides the Carvel Tools, it also contains the mentioned plugins.

Unzip both .\tanzu-cli-bundle-windows-amd64\cli\tanzu-framework-plugins-context-windows-amd64.zip and .\tanzu-cli-bundle-windows-amd64\cli\tanzu-framework-plugins-standalone-windows-amd64.zip

PS C:\Users\vRaccoon\Downloads\tanzu-cli-bundle-windows-amd64\cli> Expand-Archive .\tanzu-framework-plugins-context-windows-amd64.zip
PS C:\Users\vRaccoon\Downloads\tanzu-cli-bundle-windows-amd64\cli> Expand-Archive .\tanzu-framework-plugins-standalone-windows-amd64.zip
PS C:\Users\vRaccoon\Downloads\tanzu-cli-bundle-windows-amd64\cli> dir


    Directory: C:\Users\vRaccoon\Downloads\tanzu-cli-bundle-windows-amd64\cli


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        11.03.2022     16:31                core
d-----        14.03.2022     20:03                tanzu-framework-plugins-context-windows-amd64
d-----        14.03.2022     20:03                tanzu-framework-plugins-standalone-windows-amd64
-a----        11.03.2022     16:31       10573929 imgpkg-windows-amd64-v0.18.0+vmware.1.gz
-a----        11.03.2022     16:31       21254783 kapp-windows-amd64-v0.42.0+vmware.1.gz
-a----        11.03.2022     16:31        8243339 kbld-windows-amd64-v0.31.0+vmware.1.gz
-a----        11.03.2022     16:31       47037193 tanzu-framework-plugins-context-windows-amd64.zip
-a----        11.03.2022     16:31      135931889 tanzu-framework-plugins-standalone-windows-amd64.zip
-a----        11.03.2022     16:31        6370521 vendir-windows-amd64-v0.23.0+vmware.1.gz
-a----        11.03.2022     16:31        6642344 ytt-windows-amd64-v0.35.1+vmware.1.gz

To install them, run tanzu plugin install –local <PATH> all

PS C:\Users\vRaccoon\Downloads\tanzu-cli-bundle-windows-amd64\cli> tanzu plugin install --local .\tanzu-framework-plugins-context-windows-amd64\context-plugins\ all
Installing plugin 'cluster:v0.11.1'
Installing plugin 'kubernetes-release:v0.11.1'
✔  successfully installed 'all' plugin
PS C:\Users\vRaccoon\Downloads\tanzu-cli-bundle-windows-amd64\cli> tanzu plugin install --local .\tanzu-framework-plugins-standalone-windows-amd64\standalone-plugins\ all
Installing plugin 'login:v0.11.1'
Installing plugin 'management-cluster:v0.11.1'
Installing plugin 'package:v0.11.1'
Installing plugin 'pinniped-auth:v0.11.1'
Installing plugin 'secret:v0.11.1'
✔  successfully installed 'all' plugin
PS C:\Users\vRaccoon\Downloads\tanzu-cli-bundle-windows-amd64\cli>

Check if all plugins are installed.

PS C:\Users\vRaccoon\Downloads\tanzu-cli-bundle-windows-amd64\cli> tanzu plugin list
unable to list plugin from discovery 'default': error while processing package: failed to get resource files from discovery: Checking if image is bundle: Fetching image: Get "https://projects.registry.vmware.com/v2/": x509: certificate signed by unknown authority
  ←[1mNAME              ←[0m  ←[1mDESCRIPTION                                                      ←[0m  ←[1mSCOPE     ←[0m  ←[1mDISCOVERY←[0m  ←[1mVERSION←[0m  ←[1mSTATUS   ←[0m
  cluster             Kubernetes cluster operations                                      Standalone             v0.11.1  installed
  kubernetes-release  Kubernetes release operations                                      Standalone             v0.11.1  installed
  login               Login to the platform                                              Standalone             v0.11.1  installed
  management-cluster  Kubernetes management cluster operations                           Standalone             v0.11.1  installed
  package             Tanzu package management                                           Standalone             v0.11.1  installed
  pinniped-auth       Pinniped authentication operations (usually not directly invoked)  Standalone             v0.11.1  installed
  secret              Tanzu secret management                                            Standalone             v0.11.1  installed

You still get the error, but you can also see that all the plugins are installed and ready to use.

Leave a Reply

Your email address will not be published.