How can a vSphere administrator replace the Supervisor Cluster API endpoint certificate?

How can a vSphere administrator replace the Supervisor Cluster API endpoint certificate?

A. Use the certificate-manager CLI utility to replace the Supervisor Cluster API endpoint certificate.

B. Use the vSphere Client to replace the Workload platform MTG certificate.

C. Use the vSphere Client to replace the NSX Load Balancer certificate.

D. Use kubectl to replace the Supervisor Cluster API endpoint certificate.

View Answer

Answer: B

Explanation:

As a vSphere administrator, you can replace the certificate for the virtual IP address (VIP) to securely connect to the Supervisor Cluster API endpoint with a certificate signed by a CA that your hosts already trust. The certificate authenticates the Kubernetes control plane to DevOps engineers, both during login and subsequent interactions with the Supervisor Cluster.

Prerequisites

Verify that you have access to a CA that can sign CSRs. For DevOps engineers, the CA must be installed on their system as a trusted root.

Procedure

✑ In the vSphere Client, navigate to the Supervisor Cluster.

✑ Click Configure then under Namespaces select Certificates.

✑ In the Workload platform MTG pane, select Actions > Generate CSR.

✑ Provide the details for the certificate.

✑ Once the CSR is generated, click Copy.

✑ Sign the certificate with a CA.

✑ From the Workload platform MTG pane, select Actions > Replace Certificate.

✑ Upload the signed certificate file and click Replace Certificate.

✑ Validate the certificate on the IP address of the Kubernetes control plane.