
Install Tanzu Packages on Tanzu Kubernetes Clusters on VMware Cloud Director

VMware Cloud Director enables Kubernetes-as-a-Service using Container Service Extension (CSE). Providers can offer production-ready Tanzu Kubernetes Grid-based Kubernetes clusters using Container Service Extension. Container Service Extension builds on VMware Cloud Director with multi-tenancy at the core and takes the Cloud Provider user personas into consideration. Developers in customer organizations can install and configure Tanzu packages in Tanzu Kubernetes clusters. This blog describes how a customer organization's Kubernetes administrators or users (User Personas) can install User-Managed packages into CSE-managed Tanzu Kubernetes clusters using the Tanzu CLI. Table 1 describes the supported User-Managed packages and their use cases on a Tanzu Kubernetes cluster. Table 2 describes the core packages pre-installed on a Tanzu Kubernetes cluster provisioned by CSE within the customer organization.

| User-Managed Package Name | Function | Dependency | Install Location |
|---|---|---|---|
| Cert-management | Certificate management | required by Contour, Harbor, Prometheus, Grafana | Workload cluster or Shared Services Cluster |
| Contour | Ingress control | required by Harbor, Grafana | Workload or Shared Services Cluster |
| Harbor Registry | Container registry | n/a | Shared Services Cluster |
| Prometheus | Monitoring | required by Prometheus | Workload Cluster |
| Grafana | Monitoring | n/a | Workload Cluster |
| Fluent-bit | Log forwarding | n/a | Workload Cluster |
Table 1: User-Managed Packages with VMware Cloud Director provisioned TKG Cluster

| Package | Package Namespace | Description |
|---|---|---|
| antrea | tkg-system | Enables pod networking and enforces network policies for Kubernetes clusters. If Antrea is selected as the CNI provider, this package is installed in every cluster |
| core-dns | tkg-system | Provides DNS Service, installed in every cluster |
| vcd-csi | tkg-system | Provides the VMware Cloud Director Cloud Storage Interface. This package is installed in every cluster |
| vcd-cpi | tkg-system | Provides the VMware Cloud Director Cloud Provider Interface. This package is installed in every cluster |
Table 2: Core Packages on VMware Cloud Director provisioned TKG Cluster

Installing Tanzu Packages is a three-step process, described in this article. Before diving in, it is assumed that the user role following these steps has the rights required to create a Kubernetes cluster on VMware Cloud Director and has installed kubectl on the local machine to manage the Tanzu Kubernetes cluster. Additionally, it is important to note that this blog post describes Tanzu Packages for Tanzu Kubernetes Grid version 1.4.0, VMware Cloud Director 10.3.2, and CSE release 3.1.2.
The same steps should apply to other Tanzu Kubernetes Grid versions as long as the TKG OVA version used in step 1 matches the package repository configured in step 2.

  1. Create and Prepare Tanzu Kubernetes Cluster
  2. Prepare Local Environment with Tanzu CLI and Tanzu Packages
  3. Install User Packages

1. Create and Prepare Tanzu Kubernetes Cluster

Create the Tanzu Kubernetes cluster using VMware Cloud Director’s Kubernetes Container UI plug-in. The diagram shows the summary of the Tanzu Kubernetes cluster.

Figure 1: Create Kubernetes Cluster from the VMware Cloud Director UI, with ‘Allow external traffic to be routed to this cluster’ enabled

Alternatively, create the Tanzu Kubernetes cluster from a YAML specification with the vcd CLI, as shown in the snippet.

After the cluster has been created successfully, it should appear as shown in Figure 2.

Figure 2: Successful Cluster creation from VCD UI.

Download kubeconfig from the VMware Cloud Director Customer portal. As shown in figure 2, click on ‘download kubeconfig’ to get the configuration file.
This file can be used as the kubectl current context by configuring the KUBECONFIG environment variable as follows:

Alternatively, the kubeconfig file can be retrieved using the cse-cli:

All the subsequent commands documented in this article assume that the kubeconfig pointing to your cluster has been properly set up. Run the following command to list the cluster nodes and confirm the kubeconfig is working:

Create Default Storage Class

Most of the packages that use a persistent volume claim expect a default storage class. This file shows an example CSI storage class. You’ll have to create your own that reflects your environment. Make sure the annotation storageclass.kubernetes.io/is-default-class is set to true.

Verify the CPI plugin used on the TKG cluster, and verify the version is 1.1.0. The steps to update the CPI plugin are described here.

Install kapp-controller:

Tanzu Kubernetes Grid uses kapp-controller, a package manager that handles the lifecycle of packages. It needs to be installed first by applying the kapp-controller.yaml file attached below.
More details are in the VMware documentation.

Once the kapp-controller is installed, packages can be installed in the Tanzu Kubernetes Grid cluster through the Tanzu CLI.

2. Prepare Local Environment with Tanzu CLI and packages

Install Tanzu CLI 1.4 on the same local machine by following the VMware documentation. The Tanzu CLI package plugin uses the kubectl current context, so make sure the right context is configured before running Tanzu CLI commands.

Install Tanzu CLI plugin for packages

Once the Tanzu CLI has been installed, make sure the package plugin is installed. If it is not, install it as follows:

Add VMware Repositories

After the Tanzu CLI and its package plugin are installed, it is necessary to add two repositories, one for the user-managed packages and one for the core packages.
For user-managed packages, the repository URL reflects the version of TKG that is being used. For core packages, it reflects both the TKG version and the Kubernetes version. These versions must match the OVA version that was used to deploy the cluster in step 1.

| TKG Version | Tanzu Standard Repository | Core Repository (per Kubernetes version) |
Table 3: Summary of repository tags to use for the different TKG and Kubernetes versions

The repositories are added by running the following commands. Note that the tag (after the colon) needs to reflect the TKG version and Kubernetes version the cluster has been deployed with.
In our example, we used the OVA for Kubernetes 1.21 from TKG 1.4.0, which translates into the following commands:

List and install the packages

Once the synchronization task is completed, all the available packages can be listed as follows:

For a specific package, the list of available versions can be found as follows.
Example with the Harbor package:

3. Install User-Managed packages

All the examples in the following steps use the package versions for TKG 1.4.0. For other TKG versions, you might need to use other package versions. The namespaces used to install the packages follow the standard namespace naming convention from Tanzu Kubernetes Grid.

Package Data Values

Some User-Managed packages require a data-values.yaml file that contains configuration information related to your environment.
Please review the VMware documentation to understand how to retrieve the data-values template.

Install Cert-Manager

Cert-manager provides a way to easily generate new certificates and is required by most of the other packages. Use the following command to install cert-manager.
More details are in the VMware documentation.

Install Contour

The Contour package is used by Harbor and Grafana.
Once the contour-data-values.yaml file has been created (this sample can be used as is), use the following command to install Contour.
More details are in the VMware documentation.

Install Harbor

Once the harbor-data-values.yaml file has been created (this sample needs to be tweaked with at least a different hostname and a different password and secret), use the following command to install Harbor.
More details are in the VMware documentation.

In TKG 1.4, there is a known issue with Harbor that requires applying this KB to fix the harbor-notary-signer pod, which fails to start.

Create DNS record

When Harbor is deployed using Contour as ingress, a DNS record must be created that maps the external IP address of the Envoy load balancer service to the hostname of Harbor (specified in the harbor-data-values.yaml file).
This command outputs the external IP address:

Use the external IP address assigned to the envoy service and create a DNS record accordingly.
In our example, this PowerShell command creates it:

Figure 3: Harbor after being deployed on a Tanzu Kubernetes cluster using Tanzu Packages


Metric Server

The metrics server is required for the successful operation of the Prometheus, Grafana, and Fluent-bit packages. Use the following command to install the metrics server on the Tanzu Kubernetes cluster.


Tanzu Kubernetes Grid includes signed binaries for Prometheus that you can deploy on Tanzu Kubernetes clusters to monitor cluster health and services.

While the installation can be customized, the default configuration should be enough for most cases.
More details are in the VMware documentation.


Grafana allows you to visualize and analyze metrics data collected by Prometheus on your clusters. It comes with out-of-the-box TKG Kubernetes cluster monitoring dashboards.

Once the grafana-data-values.yaml file has been created (this sample needs to be tweaked with at least a different virtual_host_fqdn and a different admin_password), use the following command to install Grafana.
More details are in the VMware documentation.
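
The Harbor and Grafana steps above both start from a sample data-values file whose hostname, password and secret values must be replaced before installation. As an added example (not from the original post or from VMware's tooling), this script lists sensitive keys that still carry the sample value and generates random replacements; the key-name pattern, the demo key names and the demo file contents are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag sample credentials left unchanged in a data-values file.
export LC_ALL=C

# Keys treated as sensitive: an assumption based on the fields the post says
# must change (hostname, FQDN, password, secret).
SENSITIVE='hostname|fqdn|password|secret'

# Print trimmed "key: value" lines for sensitive keys that carry a value.
# Nested keys are compared by leaf name only, which is enough for this check.
sensitive_lines() {
  grep -iE "^[[:space:]]*[a-z_]*(${SENSITIVE})[a-z_]*:[[:space:]]*[^[:space:]#]" "$1" \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' | sort -u
}

# List sensitive lines that are identical in SAMPLE ($1) and EDITED ($2).
unchanged_values() {
  local s e
  s=$(mktemp); e=$(mktemp)
  sensitive_lines "$1" > "$s"
  sensitive_lines "$2" > "$e"
  comm -12 "$s" "$e"
  rm -f "$s" "$e"
}

# Generate an N-character alphanumeric secret from /dev/urandom.
gen_secret() {
  head -c "$(( $1 * 2 ))" /dev/urandom | base64 | tr -dc 'A-Za-z0-9' | cut -c1-"$1"
}

# Constructed demo: a sample file and a copy where only the password changed.
demo() {
  local d; d=$(mktemp -d)
  printf 'hostname: harbor.example.test\nadminPassword: changeme\ncore:\n  secret: samplesecret\n' \
    > "$d/sample.yaml"
  sed -E "s/^(adminPassword:).*/\1 $(gen_secret 16)/" "$d/sample.yaml" > "$d/edited.yaml"
  unchanged_values "$d/sample.yaml" "$d/edited.yaml"
  rm -rf "$d"
}

# Stand-alone use: check-values.sh SAMPLE.yaml EDITED.yaml (exits 1 on leftovers)
if [ "$#" -eq 2 ]; then
  left=$(unchanged_values "$1" "$2")
  [ -z "$left" ] || { printf 'Still at sample value:\n%s\n' "$left" >&2; exit 1; }
fi
```

Some packages require specific secret lengths; pass the length documented for each key to gen_secret.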

Create DNS record

Just like the Harbor case, a DNS record is required and should point to the same external IP address.
In our example, this PowerShell command creates it:

Figure 4: TKG Kubernetes cluster monitoring dashboard in Grafana

Managing Cluster and Package lifecycle

Please refer to the product interop matrix to select supported package versions. Please refer to the Tanzu CLI documentation for various operations such as install, update, delete of a Tanzu package.

Note: This blog post is co-authored with Sachi Bhatt

Further Reading

CSE 3.1.2 Technical Overview Blog

CSE 3.1.2 Release Blog

Container Service Extension

Container Service Extension Feature Friday Episode 68

