Welcome to the Tanzu Mission Control Self-Managed series. So far in this series, I have covered the installation prerequisites and how to configure them. After that, I demonstrated the TMC-SM installation procedure on the TKGm platform. if you are not following along, you can read the earlier post of this series from the below links:

1: TMC Self-Managed – Introduction & Architecture

2: Configure DNS for TMC Self-Managed

3: Configure OIDC Complaint Identity Provider (Okta)

4: Install Cluster Issuer for TLS Certificates

5: Prepare Harbor Registry

6: Install Tanzu Mission Control Self-Managed on TKGm

The installation procedure for TMC Self-Managed on a vSphere with Tanzu (aka TKGS) Kubernetes platform is a bit different and this post is focused on covering the required steps. Let’s get started.

I have used the following BOM in my lab

Make sure the following are already configured in your environment before attempting the installation:

1: DNS is configured.… Read More

This is the sixth blog post of the TMC Self-Managed blog series. In the previous post of this series, I showed how to configure the final prerequisite (Harbour registry) of the installation. If you are following along with me, you are now ready for the installation. 

If you have landed on this post directly by mistake, I encourage you to read the previous blog posts of this series using the below links:

1: TMC Self-Managed – Introduction & Architecture

2: Configure DNS for TMC Self-Managed

3: Configure OIDC Complaint Identity Provider (Okta)

4: Install Cluster Issuer for TLS Certificates

5: Prepare Harbor Registry

This blog post is focused on installing TMC Self-Managed on Tanzu Kubernetes Grid multi-cloud (TKGm). I will cover the installation procedure for TKGS (vSphere with Tanzu) in a separate post.

I have used the following BOM in my lab

Step 1: Connect to the workload cluster where TMC Self-managed will be installed.… Read More

Here we are at the fifth post in our blog series. In this post, I’ll discuss how to download and prepare TMC Self-Managed artifacts for installation in a harbor registry.

If you have landed on this post directly by mistake, I encourage you to read the previous blog posts of this series using the below links:

1: TMC Self-Managed – Introduction & Architecture

2: Configure DNS for TMC Self-Managed

3: Configure OIDC Complaint Identity Provider (Okta)

4: Install Cluster Issuer for TLS Certificates

Tanzu/Kubernetes supports a wide variety of image registry solutions including JFrog, Docker Hub, Amazon Elastic Container Registry, VMware Harbor, etc. for storing the application images that you deploy on the workload clusters. However, TMC Self-Managed only supports the Harbor image registry at the time of writing this post. The harbor registry must meet the following requirements:

• A minimum storage of 20 GB is recommended for Harbor.
• Authenticated registries are not supported.

Welcome to Tanzu Mission Control Self-Managed Part 4 of the series. I’ll show you how to use cluster issuer and cert-manager for automatic certificate issuing in this post.

If you have landed on this post directly by mistake, I encourage you to read the previous blog posts of this series using the below links:

1: TMC Self-Managed – Introduction & Architecture

2: Configure DNS for TMC Self-Managed

3: Configure OIDC Complaint Identity Provider (Okta)

For its certificates, TMC Self-Managed uses cert-manager. You can use the cert-manager and cluster issuer to create a self-signed certificate for the installation in a lab or POC environment. On the workload cluster where TMC Self-Managed will be installed in my lab, I have installed cert-manager as a Tanzu package.

In an airgap environment, you can follow the instructions outlined in the Add a Package Repository and Install cert-manager in the TKG product documentation to install cert-manager.… Read More

Welcome to Part 3 of the TMc Self-Managed series. Part 1 concentrated on a general introduction to TMC Self-Managed, while Part 2 dived into the DNS configuration. You may read the previous entries in this series if you missed them by clicking the links below.

1: TMC Self-Managed – Introduction & Architecture

2: Configure DNS for TMC Self-Managed

Tanzu Mission Control Self-Managed manages user authentication using Pinniped Supervisor as the identity broker and requires an existing OIDC-compliant identity provider (IDP). Examples of OIDC-compliant IDPs are Okta, Keycloak, VMware Workspace One, etc. The Pinniped Supervisor expects the Issuer URL, client ID, and client secret to integrate with your IDP.

Note: This post demonstrates configuring Okta as an IDP. Although Okta is a SaaS service and is reachable over the internet, the intent is to show how you configure upstream IDP for authentication. In an airgap environment, you may use any IDP that doesn’t require an internet connection.… Read More

I covered the basic introduction of TMC Self-Managed, the general architecture, and the requirements your environment needs to meet before installing TMC Self-Managed in the first post of this series. Before getting your hands dirty with the installation, I’ll cover configuring DNS Zones and records in this post.

To enable correct traffic flow and access to various TMC endpoints, TMC Self-Managed needs a DNS zone to hold the DNS records. To ensure name resolution between the objects that are deployed during TMC Self-Managed installation, create the following A records in your DNS domain. You can create a new DNS zone or can leverage an existing zone.

• alertmanager.<my-tmc-dns-zone>
• auth.<my-tmc-dns-zone>
• blob.<my-tmc-dns-zone>
• console.s3.<my-tmc-dns-zone>
• gts-rest.<my-tmc-dns-zone>
• gts.<my-tmc-dns-zone>
• landing.<my-tmc-dns-zone>
• pinniped-supervisor.<my-tmc-dns-zone>
• prometheus.<my-tmc-dns-zone>
• s3.<my-tmc-dns-zone>
• tmc-local.s3.<my-tmc-dns-zone>
• tmc.<my-tmc-dns-zone>

To simplify the installation procedure, you can also use a wildcard DNS entry as shown below (for POCs only).

The IP address for the above records must point to the external IP of the contour-envoy service that is deployed during the installation.… Read More

Introduction

VMware Tanzu Mission Control is a SaaS offering available through VMware Cloud Services and provides:

• A centralized platform to deploy and manage Kubernetes clusters across multiple clouds.
• Attach existing Kubernetes Clusters in the TMC portal for centralized operations and management.
• A Policy Engine that automates Access control and security policies across a fleet of clusters.
• Manage security across multiple clusters.
• Centralize authentication and authorization, with federated identity from multiple sources.

TMC SaaS cannot be used in specific environments because of compliance or data governance requirements. Industries like Banking, Health Care, and the Defence sector are usually running workloads in an air-gapped environment (dark site). Imagine running a large number of Kubernetes clusters without any central pane of glass to manage day-1 & day-2 operations across the clusters. VMware understood this pain and introduced Tanzu Mission Control Self-Managed (TMC-SM) as an installable product that you can deploy in your environment.

TMC Self-Managed can be installed in data centers, sovereign clouds, and service-provider environments.… Read More