diff --git a/carvel-packages/training-platform/bundle/config/06-secrets.yaml b/carvel-packages/training-platform/bundle/config/06-secrets.yaml index 1c293ff8..4460eea1 100644 --- a/carvel-packages/training-platform/bundle/config/06-secrets.yaml +++ b/carvel-packages/training-platform/bundle/config/06-secrets.yaml @@ -52,7 +52,6 @@ kind: Secret metadata: name: #@ "{}-ca".format(data.values.clusterIngress.domain) namespace: #@ data.values.operator.namespace -type: kubernetes.io/tls data: ca.crt: #@ base64.encode(ingress_ca_certificate) #@ end diff --git a/project-docs/release-notes/version-2.7.0.md b/project-docs/release-notes/version-2.7.0.md index bac1b90a..4aca7ab3 100644 --- a/project-docs/release-notes/version-2.7.0.md +++ b/project-docs/release-notes/version-2.7.0.md @@ -189,3 +189,11 @@ Bugs Fixed the Kubernetes cluster besides Educates. The affected rules were `disallow-ingress-nginx-custom-snippets`, `restrict-annotations` `restrict-ingress-paths` and `prevent-cr8escape`. + +* The generated CA secret was incorrectly setting the secret type to + `kubernetes.io/tls` which resulted in Kubernetes rejecting it as it didn't + contain `tls.crt` and `tls.key` data attributes as required by Kubernetes + for that type of secret. Secret type should have been left as default generic + opaque data secret. This issue was inadvertantly introduced when support was + added for providing the CA secret as an actual secret rather than being + enmbedded in the data values file when deploying Educates.
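Review bot: In `06-secrets.yaml`, after `type: kubernetes.io/tls` is dropped the `{}-ca` Secret depends on the implicit default type, and nothing in the template records why. Consider writing `type: Opaque` explicitly, or adding a short comment above `data:`, so it is clear that this secret carries only `ca.crt` and the TLS type is not reintroduced by a later edit. Since the failure was an API-server rejection at apply time, a check that renders this template and validates the resulting Secret against its declared type would catch a regression before release.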
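Review bot: In `version-2.7.0.md`, the added bullet has two spelling errors: "inadvertantly" should be "inadvertently" and "enmbedded" should be "embedded". The sentence "Secret type should have been left as default generic opaque data secret" is also missing its articles; something like "The secret type should have been left as the default generic `Opaque` type" reads more clearly and names the type the way Kubernetes does.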