Persistent Storage on a vSphere storage

I am currently taking my first steps with Rancher. I have a VmWare vCenter server and I’d like to rely on the vSphere storage for providing persistent volumes. My cluster nodes are deployed manually: when provisioning the cluster in Rancher I select “From my own existing nodes” with a “Custom Cloud provider”. I manually provide the “cloud_provider” configuration to the cluster options in YAML. The cluster node is installed without problem that way.

After that, I configure a storage class using the “VMWare vSphere Volume” provisioner via the Rancher web. So far, so good.

Then, I try to add a volume to my cluster but it does not work. The status of the PVC stays to a “Pending” state: an x509 certificate problem actually prevents PV to be created.

$ admin@node01:~$ docker logs -f kube-controller-manager
I1109 11:01:13.436871       1 event.go:221] Event(v1.ObjectReference{Kind:"PersistentVolumeClaim", Namespace:"default", Name:"my-vsphere-volume", UID:"b88f14f8-e40e-11e8-a513-005056a3f168", APIVersion:"v1", ResourceVersion:"2441", FieldPath:""}): type: 'Warning' reason: 'ProvisioningFailed' Failed to provision volume with StorageClass "sphere-storage": Post x509: certificate signed by unknown authority

In fact, my vCenter uses a self signed certificate that Rancher does not trust. I can workaround the problem adding manually the vCenter ca-certificate into the /etc/ssl/certs/ca-certificates.crt file into the “kube-controller-manager” container but this is not the way to go.

I found the doc at but I don’t understand how to do the same for “kube-controller-manager”.

I go round in circles from days with that! Is there something stupid (or not) I missed? Any help/pointer would be greatly welcome.

PS: I’m not yet so familiar with docker nor rancher, please be indulgent! :slight_smile:

Thanks in anticipation.



1 Like

I am having the same issue.

From the documentation


The main purpose of global options is to be able to define a common set of configuration parameters that will be inherited by all vCenters defined under the virtual_center directive unless explicitly defined there.

Accordingly, the global directive accepts the same configuration options that are available under the virtual_center directive. Additionally it accepts a single parameter that can only be specified here:

  name: vsphere
      insecure-flag: true

Same doc: