VMware Tanzu Basic: Customizing II

With VMware vCenter Server 7.0 Update 2 (Release Notes), the Tanzu Service also got some interesting new features that make the workarounds I described in my last write-up obsolete. I want to confirm that no hacks are needed anymore to make repositories with self-signed certificates accessible.

External Private Registry Configuration

Check out the properly documented configuration option:

Changing the default “Service Configuration”

If you switch your context to the supervisor cluster, you’ll be able to edit a Custom Resource Definition called “TkgServiceConfiguration”. Just execute

kubectl edit tkgserviceconfiguration tkg-service-configuration

and add the following lines at the end of the file:

trust:
  additionalTrustedCAs:
    - name: first-cert-name
      data: base64-encoded string of a PEM encoded public cert 1
    - name: second-cert-name
      data: base64-encoded string of a PEM encoded public cert 2

If you change the existing default configuration, each cluster you provision afterwards will be configured with the given root CAs in the Ubuntu OS, using the same mechanism you would use at the OS level. If you ssh into one of the nodes you can check that the certificates are present:

lrwxrwxrwx 1 root root   12 Apr 22 11:55 4304c5e5.0 -> 4304c5e5.pem
lrwxrwxrwx 1 root root   12 Apr 22 11:55 57bcb2da.0 -> 57bcb2da.pem
lrwxrwxrwx 1 root root   12 Apr 22 11:55 d4dae3dd.0 -> d4dae3dd.pem
lrwxrwxrwx 1 root root   19 Apr 22 11:55 502093cc.0 -> tkg-tanzu-ca-ca.pem
lrwxrwxrwx 1 root root   23 Apr 22 11:55 b40c2b1b.0 -> tkg-niceneasy-ch-ca.pem
root [ /etc/ssl/certs ]#

Here you can see tkg-tanzu-ca-ca.pem (first-cert-name = “tanzu-ca”) and tkg-niceneasy-ch-ca.pem (second-cert-name = “niceneasy-ca”). These are two different CAs I am using in my home lab.

Adapting the Cluster Definition

After the first deployment of a cluster, I checked the Custom Resource Definition for the cluster and found that the added lines are inserted directly into the Tanzu cluster definition. So I did a test with an undocumented option:

apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TanzuKubernetesCluster
metadata:
  name: wl-01
  namespace: niceneasy
spec:
  distribution:
    version: v1.20.2+vmware.1-tkg.1.1d4f79a
  settings:
    network:
      cni:
        name: antrea
      pods:
        cidrBlocks:
        - 100.96.0.0/11
      serviceDomain: cluster.local
      services:
        cidrBlocks:
        - 100.64.0.0/13
      trust:
        additionalTrustedCAs:
        - data: <base64 encoded certificate>
          name: tanzu-ca
        - data: <base64 encoded certificate>
          name: niceneasy-ch
    storage:
      classes: []
      defaultClass: vsan-default-storage-policy
  topology:
    controlPlane:
      class: best-effort-small
      count: 1
      storageClass: vsan-default-storage-policy
    workers:
      class: best-effort-medium
      count: 3
      storageClass: vsan-default-storage-policy

This is very handy because you do not need to have all certificates deployed to all clusters by default. I did not find this in the documentation yet; please ping me if I am wrong.
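The `data` field in both the TkgServiceConfiguration and the per-cluster spec above is the whole PEM file base64-encoded, and a key file, a chain file or a value encoded twice silently produces a node that trusts nothing new. The following helper is an added example, not code from the post or from VMware: it validates a PEM certificate with the standard library only, encodes it the way the `data` field expects, checks an existing `data` value in reverse, and renders the `trust:` block at the indentation needed for either resource (SAMPLE_PEM is a constructed placeholder, not a real CA).

```python
# Added example, not from the original post: build and sanity-check the
# trust.additionalTrustedCAs block used by both TkgServiceConfiguration and a
# TanzuKubernetesCluster spec. Standard library only; no vSphere access needed.
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)

def check_pem(pem_text: str) -> bytes:
    """Return the DER bytes of the single certificate in pem_text.

    Rejects keys, chain files and double-encoded input: there must be exactly
    one CERTIFICATE block whose body decodes to a DER SEQUENCE (tag 0x30).
    """
    blocks = PEM_RE.findall(pem_text)
    if len(blocks) != 1:
        raise ValueError(f"expected one CERTIFICATE block, found {len(blocks)}")
    try:
        der = base64.b64decode(re.sub(r"\s+", "", blocks[0]), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"PEM body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("body is not a DER SEQUENCE, so not an X.509 certificate")
    return der

def encode_for_trust(pem_text: str) -> str:
    """The 'data' field holds the whole PEM text, base64-encoded once more."""
    check_pem(pem_text)
    return base64.b64encode(pem_text.encode()).decode()

def decode_trust_data(data: str) -> bytes:
    """Reverse check for a 'data' value already present in a spec."""
    return check_pem(base64.b64decode(data, validate=True).decode())

def trust_block(certs: dict, indent: int = 0) -> str:
    """Render the YAML block; certs maps the CA name to its PEM text."""
    pad = " " * indent
    out = [f"{pad}trust:", f"{pad}  additionalTrustedCAs:"]
    for name, pem_text in certs.items():
        out.append(f"{pad}    - name: {name}")
        out.append(f"{pad}      data: {encode_for_trust(pem_text)}")
    return "\n".join(out) + "\n"

# Constructed sample: a minimal DER SEQUENCE wrapped as PEM, not a real CA.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
              + "\n-----END CERTIFICATE-----\n")
```

Use `indent=0` for the top-level `trust:` key in the TkgServiceConfiguration and `indent=6` to paste the block under `spec.settings.network` of a cluster spec; on a node, `decode_trust_data` on a value copied from `kubectl get` confirms it is the certificate you expect before you look for its hash symlink in /etc/ssl/certs.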

Tanzu Virtual Machine Service

With VMware vCenter Server 7.0 Update 2a (Release Notes), the VM Service is introduced, allowing you to define VMs with the CRDs Tanzu previously used only internally to provision the node VMs. Check out these official blogs here and here for more information.

I have prepared more goodies to share. Stay tuned!
