Deploying TKG 2.0 Clusters in TKGS on vSphere 8 to Trust Private CA Certificates

Posted on 01-09-2023 by Manish Jha

In a vSphere with Tanzu environment, when you enable Workload Management, the Supervisor cluster that gets deployed operates as the management cluster. After supervisor cluster is deployed, you can provision two types of workload clusters

Tanzu Kubernetes clusters.
Clusters based on a ClusterClass (aka Classy Cluster).

TKG on vSphere 8 provides different sets of APIs to deploy a TKC or a Classy cluster:

v1alpha3 API
v1beta1 API

When you deploy a cluster using v1beta1 API, you get a Classy Cluster or TKG 2.0 cluster which is based on a default ClusterClass definition.

By default workload cluster don’t trust any self-signed certificates. Prior to TKG 2.0 clusters, the easiest way to make Tanzu Kubernetes Clusters (TKCs) to trust any self-signed CA certificate was to edit tkgserviceconfigurations and define your Trusted CAs there. This setting was then enforced on any newly deployed TKCs.

For TKG 2.0 clusters, the process has changed a bit and in this post I will walk through configuring the same.… Read More

Layer 7 Ingress in vSphere with Tanzu using NSX ALB

Posted on 01-04-2022 by Manish Jha

Introduction

vSphere with Tanzu currently doesn’t provide the AKO orchestration feature out-of-the-box. What I mean by this statement is that you can’t automate the deployment of AKO pods based on the cluster labels. There is no AkoDeploymentConfig that gets created when you enable workload management on a vSphere cluster and because of this, you don’t have anything running in your supervisor cluster to keep an eye on the cluster labels and take the decision of automated AKO installation in the workload clusters.

However, this does not preclude you from using NSX ALB to provide layer-7 ingress for your workload clusters. AKO installation in a vSphere with Tanzu environment is done via helm charts and is a completely self-managed solution. You will be in charge of maintaining the AKO life cycle.

My Lab Setup

My lab’s bill of materials is shown below.

Component	Version
NSX ALB (Enterprise)	20.1.7
AKO	1.6.2
vSphere	7.0 U3c
Helm	3.7.4

The current setup of the NSX ALB is shown in the table below.… Read More

vSphere with Tanzu Integration in VCD

Posted on 15-06-2021 by Manish Jha

Overview

Prior to v10.2, VMware Cloud Director supported K8 cluster deployment natively and integrated with ENT-PKS. With the release of v10.2, K8 integration is extended to vSphere with Tanzu. This integration enables Service Providers to create a self-service platform for Kubernetes Clusters that are backed by the vSphere 7.0 and NSX-T 3.0. By using Kubernetes with VMware Cloud Director, you can provide a multi-tenant Kubernetes service to your tenants.

In this article, I will walk through the steps of integrating vSphere with Tanzu with VCD.

Pre-requisites for Tanzu Integration with VCD

Before using vSphere With Tanzu with VCD, you have to meet the following pre-requisites:

VMware Cloud Director appliance deployed & initial configuration completed. Please see VMware’s official documentation on how to install & configure VCD.
vCenter 7.0 (or later version) with an enabled vSphere with VMware Tanzu functionality added to VMware Cloud Director. This is done under Resources > Infrastructure Resources > vCenter Server Instances.

vSphere with Tanzu Leveraging NSX ALB-Part-2: Deploy Supervisor Cluster

Posted on 03-04-2021 by Manish Jha

In the last post of this series, I discussed Avi Controller deployment and configuration. In this post, I will demonstrate supervisor cluster deployment which lays the foundation for the TKG clusters.

Since I have explained the process of workload management in this post, I am not going to go through each step again. However, I want to discuss load balancer option.

When configuring Load Balancer, select type as Avi and punch in the IP address of the Avi controller VM followed by port 443.
Specify the credentials that you configured at the time of the Avi controller deployment.
Grab the certificate from Avi controller and paste it here.

Note: To grab the certificate thumbprint of the Avi Controller, navigate to Templates > Security > SSL/TLS Certificates and click on the arrow button in front of the self-signed certificate that you created for the controller VM.

Copy the contents of the certificate by clicking on the copy to clipboard button. … Read More

vSphere with Tanzu Leveraging NSX ALB-Part-1: Avi Controller Deployment & Configuration

Posted on 03-04-2021 by Manish Jha

With the release of vSphere 7.0 U2, VMware introduced support of Avi Load Balancer (NSX Advanced Load Balancer) for vSphere with Tanzu, and thus fully supported load balancing is now enabled for Kubernetes. Prior to vSphere 7.0 U2, HA Proxy was the only supported load balancer when vSphere with Tanzu needed to be deployed on vSphere Distributed Switch (vDS) based networking.

HA Proxy was not supported for production-ready workloads as it has its own limitations. NSX ALB is a next-generation load balancing solution and its integration with vSphere with Tanzu, enables customers to run production workloads in the Kubernetes cluster.

When vSphere with Tanzu is enabled leveraging NSX ALB, ALB Controller VM has access to the Supervisor Cluster, Tanzu Kubernetes Grid clusters, and the applications/services that are deployed on top of TKG Cluster.

The below diagram shows the high-level topology of NSX ALB & vSphere with Tanzu.

In this post, I will cover the steps of deploying & configuring NSX ALB for vSphere with Tanzu.… Read More

Deploying Tanzu on VDS Networking-Part 3: Create Namespace & Deploy TKG Cluster

Posted on 18-03-2021 by Manish Jha

In the last post of this series, I demonstrated the deployment of the supervisor cluster which acts as a base for deploying Tanzu Kubernetes Guest (TKG) clusters. In this post, we will learn how to create a namespace and deploy the TKG cluster, and once the TKG cluster is up and running, how to deploy a sample application on top of TKG.

This series of blogs will cover the following topics:

1: HA Proxy Deployment & Configuration

2: Enable Workload Management

3: How to Deploy Applications in TKG Cluster

Let’s get started.

Create Namespace

A namespace enables a vSphere administrator to control the resources that are available for a developer to provision TKG clusters. Using namespace vSphere administrators stops a developer from consuming more resources than what is assigned to them.

To create a namespace, navigate to the Menu > Workload Management and click on Create Namespace.

Select the cluster where the namespace will be created and provide a name for the namespace.

Deploying Tanzu on VDS Networking-Part 2: Configure Workload Management

Posted on 13-03-2021 by Manish Jha

In the first post of this series, I talked about vSphere with Tanzu architecture and explained the deployment & configuration of the HA Proxy Appliance which acts as a load balancer for TKG Guest Clusters and Supervisor Cluster.

In this post, I will walk through steps of enabling workload management which basically deploys & configure the supervisor cluster.

This series of blogs will cover the following topics:

1: HA Proxy Deployment & Configuration

2: Enable Workload Management

3: How to Deploy Applications in TKG Cluster

Note: Before enabling Workload Management, make sure you have vSphere with Tanzu license available with you. If you don’t have the license, you can register for this product to get a 60 days evaluation license.

Prerequisites for Enabling Workload management

A vSphere Cluster created and both DRS and HA are enabled on the cluster.
A vSphere Distributed Switch created and all ESXi hosts are added to the VDS.

Deploying Tanzu on VDS Networking-Part 1: HA Proxy Configuration

Posted on 12-03-2021 by Manish Jha

VMware Tanzu is the suite or portfolio of products and solutions that allow its customers to Build, Run, and Manage containerized applications (Kubernetes controlled). An earlier release of Tanzu was offered along with VCF leveraging NSX-T networking. Later VMware decoupled Tanzu from VCF and the solution is called vSphere with Tanzu and can be deployed directly on vSphere VDS without having NSX-T.

vSphere with Tanzu on VDS has the following limitations:

No support for vSphere Pod if NSX-T not used.
No support for Harbor Image Registry.

When Tanzu (Workload Management) is enabled on vSphere, a supervisor cluster is deployed which consists of 3 nodes for high availability. So you need some kind of load balancing to distribute traffic coming to the supervisor cluster. VMware uses a customized version of HA Proxy as a software load balancer for supervisor nodes.

This series of blogs will cover the following topics:

1: HA Proxy Deployment & Configuration

2: Enable Workload Management

3: How to Deploy Applications in TKG Cluster

Networking Requirements for HA Proxy

Before I jump into the lab and walk through deployment/configuration steps, I want to discuss networking pre-requisites for HA proxy first. … Read More

Spread the Love

Introduction

My Lab Setup

Spread the Love

Overview

Pre-requisites for Tanzu Integration with VCD

Spread the Love

Spread the Love

Spread the Love

Create Namespace

Spread the Love

Spread the Love

Spread the Love