With VMware vCenter Server 7.0 Update 2 (Release Notes), the Tanzu Service also got some interesting new features that make the workarounds I described in my last write-up obsolete. I want to confirm that no hacks are needed anymore to make repositories with self-signed certificates accessible.
External Private Registry Configuration
Check out the properly documented configuration option:
Changing the default “Service Configuration”
If you switch your context to the supervisor cluster, you’ll be able to edit a Custom Resource Definition called “TkgServiceConfiguration”. Just execute a
kubectl edit tkgserviceconfiguration tkg-service-configuration
and add the following lines at the end of the file:

trust:
  additionalTrustedCAs:
    - name: first-cert-name
      data: base64-encoded string of a PEM encoded public cert 1
    - name: second-cert-name
      data: base64-encoded string of a PEM encoded public cert 2
If you change the existing default configuration, each cluster you provision afterwards will be configured with the given root CAs in the Ubuntu OS, using the same mechanism you would use at OS level. If you SSH into one of the nodes, you can check that the certificates exist:

lrwxrwxrwx 1 root root 12 Apr 22 11:55 4304c5e5.0 -> 4304c5e5.pem
lrwxrwxrwx 1 root root 12 Apr 22 11:55 57bcb2da.0 -> 57bcb2da.pem
lrwxrwxrwx 1 root root 12 Apr 22 11:55 d4dae3dd.0 -> d4dae3dd.pem
lrwxrwxrwx 1 root root 19 Apr 22 11:55 502093cc.0 -> tkg-tanzu-ca-ca.pem
lrwxrwxrwx 1 root root 23 Apr 22 11:55 b40c2b1b.0 -> tkg-niceneasy-ch-ca.pem
root [ /etc/ssl/certs ]#
Here you can see tkg-tanzu-ca-ca.pem (first-cert-name = “tanzu-ca”) and tkg-niceneasy-ch-ca.pem (second-cert-name = “niceneasy-ca”). These are two different CAs I use in my home lab.
Adapting the Cluster Definition
After the first deployment of a cluster, I checked the Custom Resource Definition for the cluster and found that the added lines are inserted directly into the Tanzu cluster definition. So I tested an undocumented option:

apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TanzuKubernetesCluster
metadata:
  name: wl-01
  namespace: niceneasy
spec:
  distribution:
    version: v1.20.2+vmware.1-tkg.1.1d4f79a
  settings:
    network:
      cni:
        name: antrea
      pods:
        cidrBlocks:
          - 100.96.0.0/11
      serviceDomain: cluster.local
      services:
        cidrBlocks:
          - 100.64.0.0/13
      trust:
        additionalTrustedCAs:
          - data: <base64 encoded certificate>
            name: tanzu-ca
          - data: <base64 encoded certificate>
            name: niceneasy-ch
    storage:
      classes: []
      defaultClass: vsan-default-storage-policy
  topology:
    controlPlane:
      class: best-effort-small
      count: 1
      storageClass: vsan-default-storage-policy
    workers:
      class: best-effort-medium
      count: 3
      storageClass: vsan-default-storage-policy
This is very handy because you do not need all certificates deployed to all clusters by default. I have not found this in the documentation yet; please ping me if I am wrong.
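As an added example (not code from the post or from VMware), here is a stdlib-only Python pre-flight for the additionalTrustedCAs entries used both in the TkgServiceConfiguration and in the cluster spec above: it refuses anything that is not a CA certificate, builds the data field as the base64 of the PEM text, and renders the YAML block. The DER walk for basicConstraints is a heuristic of my own, and all function and variable names are assumptions.

```python
import base64
import re
import ssl

# Constructed helper (not from the post): checks a PEM CA before it becomes an
# additionalTrustedCAs entry that every newly provisioned node will trust.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\n[A-Za-z0-9+/=\n]+-----END CERTIFICATE-----\n?")
BC_OID = b"\x06\x03\x55\x1d\x13"  # DER-encoded OID id-ce-basicConstraints (2.5.29.19)

def is_ca_certificate(der: bytes) -> bool:
    """Heuristic DER walk: True only if basicConstraints is present with cA=TRUE.
    Assumes short-form lengths inside the extension (true for basicConstraints);
    signature and validity period are not checked here."""
    i = der.find(BC_OID)
    if i < 0:
        return False  # no basicConstraints: an end-entity certificate, not a CA
    i += len(BC_OID)
    if der[i:i + 3] == b"\x01\x01\xff":  # optional 'critical TRUE' flag
        i += 3
    if der[i:i + 1] != b"\x04" or der[i + 2:i + 3] != b"\x30":  # OCTET STRING { SEQUENCE
        return False
    return der[i + 4:i + 7] == b"\x01\x01\xff"  # cA BOOLEAN: DER encodes it only when TRUE

def wrap_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (64-column base64 lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[j:j + 64] for j in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def additional_trusted_ca(name: str, pem: str) -> dict:
    """One spec.trust.additionalTrustedCAs item: data is base64 of the PEM text."""
    if not PEM_RE.fullmatch(pem):
        raise ValueError(f"{name}: expected exactly one PEM CERTIFICATE block")
    der = ssl.PEM_cert_to_DER_cert(pem)  # strips the armour and base64-decodes
    if not is_ca_certificate(der):
        raise ValueError(f"{name}: not a CA certificate (basicConstraints cA != TRUE)")
    return {"name": name, "data": base64.b64encode(pem.encode()).decode()}

def entry_to_pem(entry: dict) -> str:
    """Inverse: the PEM that lands on the node in /etc/ssl/certs (e.g. tkg-tanzu-ca-ca.pem)."""
    return base64.b64decode(entry["data"], validate=True).decode()

def render_trust_block(entries: list) -> str:
    """YAML to append to TkgServiceConfiguration, in the shape shown above."""
    lines = ["trust:", "  additionalTrustedCAs:"]
    for e in entries:
        lines += [f"    - name: {e['name']}", f"      data: {e['data']}"]
    return "\n".join(lines) + "\n"
```

Feed it your real CA files as PEM text; the two DER blobs in the tests are constructed minimal fragments, not real certificates.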
Tanzu Virtual Machine Service
With VMware vCenter Server 7.0 Update 2a (Release Notes), the VM Service is introduced, allowing you to define VMs with the CRDs that Tanzu previously used only internally to provision the node VMs. Check out these official blogs here and here for more information.
I have prepared more goodies to share. Stay tuned!