Install Tanzu Mission Control Self-Managed on vSphere with Tanzu on vSphere 7

Welcome to the Tanzu Mission Control Self-Managed series. So far in this series, I have covered the installation prerequisites and how to configure them. After that, I demonstrated the TMC-SM installation procedure on the TKGm platform. if you are not following along, you can read the earlier post of this series from the below links:

1: TMC Self-Managed – Introduction & Architecture

2: Configure DNS for TMC Self-Managed

3: Configure OIDC Complaint Identity Provider (Okta)

4: Install Cluster Issuer for TLS Certificates

5: Prepare Harbor Registry

6: Install Tanzu Mission Control Self-Managed on TKGm

The installation procedure for TMC Self-Managed on a vSphere with Tanzu (aka TKGS) Kubernetes platform is a bit different and this post is focused on covering the required steps. Let’s get started.

I have used the following BOM in my lab

Software Components Version
vSphere Namespace 1.24.9
VMware vSphere ESXi 7.0 U3n
VMware vCenter (VCSA) 7.0 U3n
VMware vSAN 7.0 U3n
NSX ALB 22.1.3

Make sure the following are already configured in your environment before attempting the installation:

1: DNS is configured.

2: OIDC complaint IDP is configured.

3: Networking and NSX Advanced Load Balancer are configured as per instructions outlined in the TKGS product documentation

4: WCP is enabled as per instructions outlined in the product documentation

After WCP is enabled, download the kubectl utility by following the instructions outlined in Download and Install the Kubernetes CLI Tools page.

Step 1: Use an External Harbor Registry with Tanzu Kubernetes Clusters

In an airgap environment, a private harbor registry is needed to host TMC Self-Managed installation binaries. If the harbor registry uses a self-signed certificate, the Tanzu Kubernetes Cluster where you deploy TMC-SM must trust the registry’s self-signed certificate. This configuration is done by modifying the tkgserviceconfigurations in the supervisor cluster context.

1.1: Connect to the supervisor cluster using kubectl

1.2: List tkgserviceconfigurations

1.3: Obtain tkgserviceconfigurations yaml

Edit the obtained yaml file and add an additional section trust  with the additionalTrustedCAs field. This allows you to define any number of self-signed certificates that Tanzu Kubernetes Clusters should trust.

An example for inserting CA certificates is shown below:

1.4: Update tkgserviceconfiguration.

Step 2: Create a vSphere Namespace for hosting Service TKC

As a best practice, it is advised to separate the service tkc from the workload tkcs. You can create a dedicated namespace for the tkc where TMC-SM will be installed. To create a vSphere namespace, follow the instructions outlined in the Configuring and Managing vSphere Namespaces

Step 3: Deploy a new Service TKC

3.1: Create a yaml file for tkc creation. An example yaml is shown below for reference



3.2: Create TKC

3.3 Validate that the TKC has been successfully created

Step 4: Prepare SVC TKC to run Tanzu Packages

To install packages on any workload cluster created in vSphere with Tanzu, you have to configure a package repository first. In an airgap environment, the package repository is stored in the internal harbor registry. You relocate the tanzu packages to your internal repository. 

To relocate tanzu packages, follow the instructions outlined in the Preparing an Internet-Restricted Environment documentation.

4.1: Connect to the Service TKC

4.2: Create a cluster role binding

4.3: Install Kapp-controller

4.3.1: Create a file tanzu-system-kapp-ctrl-restricted.yaml containing the Kapp Controller Pod Security Policy

4.3.2: Apply the tanzu-system-kapp-ctrl-restricted.yaml file to the svc tkc.

4.3.3: Create a file kapp-controller.yaml containing the Kapp Controller Manifest 

4.3.4: Apply the kapp-controller.yaml file to the svc tkc.

4.3.5: Modify kapp ConfigMap

By default happ-controller doesn’t trust any self-signed certificate and causes an issue when installing tanzu packages from an internal repository. To fix this issue, you have to edit the kapp-controller configMap and insert your image registry self-signed certificate.

Create a yaml as shown below and insert your registry certificate under the caCerts section.

4.3.6: Apply the yaml

4.3.7: Restart kapp-controller pod

4.4:  Configure Package Repository

4.4.1: Add tanzu package repository

4.4.2: Verify that the repository was installed

Step 5: Install and Configure cert-manager

Install cert-manager in the service tkc by following the instructions outlined in the Install cert-manager in the product documentation.

Step 6:  Configure cluster issuer for TLS certificates

This step is covered in the article  Set up a cluster issuer for TLS certificates.

Step 7: Add TMC Self-Managed artifacts to the Harbor Registry

This is covered in Step 5 of the article Prepare Harbor Registry

Step 8: Stage the TMC Self-Managed Package on the Workload Cluster

This is covered in Step 3 of the article Install TMC Self-managed

Step 9: Create TMC Self-Managed Configuration File

This is covered in Step 5 of the article Install TMC Self-Managed

Important: The only difference is in the values.yaml file is, there would not be any serviceAnnotation for contourEnvoy as AKO doesn’t run as a pod in workload clusters created in a TKGS platform.

Step 10: Install TMC Self-Managed in Service TKC

This is already covered in Step 6 of the previous article Deploy the Tanzu Mission Control Self-Managed stack

And that’s it for this post. In the next post, I will demonstrate how to consume the TMC Self-managed stack for day-1/day-2 operations.

I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.

Leave a ReplyCancel reply