Couchbase-operator-admission.default.svc" denied the request: validation failure list

“Unauthorized” is an HTTP 401 error, so I’m assuming TLS is working or it wouldn’t even report anything back. The DAC, however, has no HTTP authorization…

First up, you shouldn’t need to generate your own certificates. I’d advise using cbopcfg --no-operator --namespace foo | kubectl create -f - -n foo as it does it all for you. See if that works.

If the error is still occurring, I’m guessing the 401 is happening between the DAC and the Kubernetes API. The DAC should have a secret created for it automatically with a service token in it. I’d be tempted to extract that and use it with kubectl to verify it actually works against the API.
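
One way to carry out the token check suggested above, as an added example that is not part of the original reply. The namespace and secret name are placeholder arguments, and the script assumes the secret is a standard service account token secret with token and ca.crt fields.

```shell
# Added example. The <namespace> and <secret> arguments are placeholders: list
# candidates with `kubectl get secrets -n <namespace>` and pick the DAC's secret.

# Read one field of a secret; values under .data are base64-encoded.
secret_field() {    # usage: secret_field <namespace> <secret> <jsonpath-key>
  kubectl get secret "$2" -n "$1" -o "jsonpath={.data.$3}" | base64 -d
}

# Decode the claims (middle segment) of a service account JWT, to see which
# service account and namespace the token claims to belong to.
jwt_payload() {     # usage: jwt_payload <token>
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done  # restore padding
  printf '%s' "$seg" | base64 -d
}

# Present the token to the API server directly and report the HTTP status.
check_dac_token() { # usage: check_dac_token <namespace> <secret>
  local ns=$1 secret=$2 token ca server code
  token=$(secret_field "$ns" "$secret" token) || return 1
  [ -n "$token" ] || { echo "secret $secret has no token field" >&2; return 1; }
  ca=$(mktemp) || return 1
  secret_field "$ns" "$secret" 'ca\.crt' > "$ca"
  server=$(kubectl config view --minify -o 'jsonpath={.clusters[0].cluster.server}')
  echo "claims: $(jwt_payload "$token")"
  # curl sends only the bearer token, so whatever credentials are in your
  # kubeconfig play no part in the result.
  code=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ca" \
         -H "Authorization: Bearer $token" "$server/api")
  rm -f "$ca"
  echo "GET $server/api -> HTTP $code"
  [ "$code" = 200 ]   # 401 means the API server rejects the token itself
}

# Run only when invoked as: script.sh <namespace> <secret>
if [ "$#" -eq 2 ]; then check_dac_token "$1" "$2"; fi
```

A 401 from this check reproduces the failure outside the DAC, which points at the token rather than at the webhook's TLS setup.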