I recently deployed the latest release of VMware Data Services Manager (DSM) 9.0 in my VMware Cloud Foundation (VCF) 9.0 lab to explore the new integration with VCF Automation (VCFA), allowing organizations to enable a true Database-as-a-Service (DBaaS) for their users.
While setting up the connection from VCFA to DSM, I ran into the following error:
VCFABinding CR is not ready in 50 seconds, with reason: VCFABinding CR is not ready: failed to create VCFA TM client: Get "https://auto01.vcf.lab:443/api/versions": tls: failed to verify certificate: x509: certificate signed by unknown authority
From the error message, it looks like DSM is having an issue validating the self-signed TLS certificate from VCFA, which I figured most users would be using, especially within a lab environment.
After a bit of searching around, I came to learn this was a known issue mentioned in the DSM Release Notes and it pointed to this Broadcom KB 398007, that outlined the solution but it was still missing some details.
The KB mentioned Root / Signing CA of VCFA, but it did not provide any details on how exactly to retrieve that information.
At first, I was digging through the VCF Operations Fleet Manager Locker API, which is where all the self-signed TLS certificates for the various VCF Operations/Automation components are stored to see if I can identify the correct TLS certificate and while I eventually got the same answer, it certainly was a lot of trial and error!
Ultimately, it was thanks to the DSM Engineering team for providing a more elegant way to retrieve the required TLS certificate for DSM, along with a simpler method to create the Kubernetes ConfigMap containing the certificate information.
I believe the KB will be updated to reflect the new instructions, but in case you are running into this same issue, here are the abbreviated steps.
Step 1 - Login to VCFA Provider Interface and navigate to Certificate Management->Certificates Library and right click on "restbaseuri.1" and copy the PEM output.
Step 2 - Create a new file YAML file (vcfa-ca.yaml) that contains the following along with your VCFA TLS certificate in PEM format from Step 1. Ensure it is properly indented and you can use an online YAML linter to ensure it is properly formatted.
kind: ConfigMap
apiVersion: v1
metadata:
name: vcfa-ca
namespace: dsm-system
data:
tls.crt: |
-----BEGIN CERTIFICATE-----
MIID....
...
-----END CERTIFICATE-----
Step 3 - SSH as the root user to DSM Appliance and copy the vcfa-ca.yaml file that you had created from Step 2 and run the following command to create the new ConfigMap in the dsm-system namespace
kubectl --kubeconfig /opt/vmware/tdm-provider/moneta-gateway/kubeconfig-gateway.yaml apply -f vcfa-ca.yaml
Note: This step bypasses the need to use the DSM API and interacts directly with the DSM Kubernetes sub-system. Alternatively, if you wanted to avoid the need for SSH, you can download the DSM Kubernetes Configuration file by logging into the DSM Admin Console by opening a web browser to your DSM Appliance hostname and login with a DSM Admin user, which you will need to create. Once logged in, you can click on the user in the upper right hand corner and download the Kubernetes Configuration File and remotely issue the kubectl command.
Step 4 - Once the ConfigMap has been successfully created, the failed connection task which will automatically retry should now succeed and if you refresh the page, you should no longer see the error message but the following screen to confirm the connection between VCFA and DSM is now successful!
JFYI - In case you were being proactive and you were pre-creating the required ConfigMap before initiating the connection to DSM from VCFA, there is another TLS certificate that you will need when issuing the connection, which is optional but you might be curious on how to obtain this certificate?
To retrieve the Certificate Authority Certificate (interesting label) for DSM itself, you can just open a browser to the DSM Admin Console and in your web browser bar, click on the Certificate Details->Details and then click on the Export button to download the certificate to your local desktop.
While I was debugging my DSM setup, I also had the opportunity to share some feedback on how we can improve both the initial deployment of DSM but also the connection to VCFA with the UX team, so hopefully we will see some of these improved in future updates.
Thanks for the comment!