All Posts

I am getting this error: "API Error: Failed to list cluster's integrations: Not Implemented: please try again later (unimplemented)" as a red banner. Any hints how to solve this? Thanks.  
Introduction

The Installation Guide includes console commands to install prerequisites, prepare clusters and install Tanzu Mission Control Self-Managed. Some of these commands are lengthy and are not easy to copy-paste out of the PDF document. This article provides a duplicate form of these commands so it is easier to follow along with the Installation Guide. This article does not include every step. Be sure to follow the Installation Guide and refer back to this article for complex commands.

Deploy Installer VM

```
# tdnf install -y git jq openssl-c_rehash tar unzip
# curl -L --output /usr/local/bin/kubectl \
    https://dl.k8s.io/release/v1.23.10/bin/linux/amd64/kubectl && chmod +x /usr/local/bin/kubectl
# curl -L https://github.com/carvel-dev/kapp-controller/releases/download/v0.46.1/kctrl-linux-amd64 -o /tmp/kctrl && install /tmp/kctrl /usr/local/bin && rm /tmp/kctrl
```

Increase the capacity of /tmp to hold images prior to upload

```
# umount /tmp && mount -t tmpfs -o size=10G tmpfs /tmp
```

Mount the solution ISO to the Installer VM

```
# sed -i '/\/mnt\/cdrom/d' /etc/fstab
# mount /dev/sr0 /mnt/cdrom -t udf -o ro
```

Create a self-signed certificate authority

```
# openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 \
    -keyout $HOME/rootCA.key -out $HOME/rootCA.crt \
    -nodes -extensions v3_ca \
    -subj "/C=US/ST=CA/L=Palo Alto/O=CompanyName/OU=OrgName/CN=TMC-SM VCD Tech Preview Issuing CA"
# ls rootCA.*
```

Deploy Harbor

Configure certificates

```
# export KUBECONFIG=$PWD/kubeconfig-harbor.txt
# kubectl create secret tls -n cert-manager selfsigned-ca-pair \
    --cert=$HOME/rootCA.crt --key=$HOME/rootCA.key
# cat <<EOF | kubectl apply -f -
{
  "apiVersion": "cert-manager.io/v1",
  "kind": "ClusterIssuer",
  "metadata": {
    "name": "selfsigned-ca-clusterissuer"
  },
  "spec": {
    "ca": {
      "secretName": "selfsigned-ca-pair"
    }
  }
}
EOF
```

Deploy Contour and Harbor

1. Set environment variables with configuration values.

```
# IP address to associate with the Load Balancer for Harbor
export HARBOR_LOAD_BALANCER_IP="10.11.12.13"
# Desired hostname for the Harbor service. This must be configured to point to the IP
# address above.
export HARBOR_HOSTNAME="harbor.${HARBOR_LOAD_BALANCER_IP}.**bleep**.io"
# This will be used as the initial password for the “admin” user
export HARBOR_ADMIN_PASSWORD="AdminPassword"
```

2. Prepare a values file for the Contour installation

```
# cat <<EOF > contour-packageinstall-values.yaml
envoy:
  service:
    type: LoadBalancer
    loadBalancerIP: ${HARBOR_LOAD_BALANCER_IP}
EOF
```

3. Deploy Contour using the Tanzu package

```
# kctrl package install \
    -i contour \
    -n tanzu-system \
    --package contour.tanzu.vmware.com \
    --version 1.20.2+vmware.2-tkg.1 \
    --values-file contour-packageinstall-values.yaml
```

4. Create a certificate for the Harbor services using the ClusterIssuer resource

```
# kubectl create ns tanzu-system-registry
# cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ${HARBOR_HOSTNAME}
  namespace: tanzu-system-registry
spec:
  secretName: ${HARBOR_HOSTNAME}-tls
  duration: 8760h # 365d
  renewBefore: 720h # 30d
  subject:
    organizations:
    - MyOrgName
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
  - server auth
  - client auth
  dnsNames:
  - ${HARBOR_HOSTNAME}
  ipAddresses:
  - ${HARBOR_LOAD_BALANCER_IP}
  issuerRef:
    name: selfsigned-ca-clusterissuer
    kind: ClusterIssuer
    group: cert-manager.io
EOF
```

5. Prepare a values file for the Harbor installation

```
# cat <<EOF > harbor-packageinstall-values.yaml
secretKey: $(head -1 /dev/random | base64 | head -c 16)
core:
  secret: $(head -1 /dev/random | base64 | head -c 16)
  xsrfKey: $(head -1 /dev/random | base64 | head -c 32)
jobservice:
  secret: $(head -1 /dev/random | base64 | head -c 16)
registry:
  secret: $(head -1 /dev/random | base64 | head -c 16)
database:
  password: $(head -1 /dev/random | base64 | head -c 16)
hostname: ${HARBOR_HOSTNAME}
harborAdminPassword: ${HARBOR_ADMIN_PASSWORD}
tlsCertificateSecretName: ${HARBOR_HOSTNAME}-tls
notary:
  enabled: false
persistence:
  persistentVolumeClaim:
    registry:
      size: 128Gi
EOF
```

6. Deploy Harbor using the Tanzu package

```
# kctrl package install \
    -i harbor \
    -n tanzu-system \
    --package harbor.tanzu.vmware.com \
    --version 2.6.1+vmware.1-tkg.1 \
    --values-file harbor-packageinstall-values.yaml
```

Deploy TMC-SM for VCD

Configure certificates

```
# export KUBECONFIG=$PWD/kubeconfig-tmc.txt
# kubectl create secret tls -n cert-manager selfsigned-ca-pair \
    --cert=$HOME/rootCA.crt --key=$HOME/rootCA.key
# cat <<EOF | kubectl apply -f -
{
  "apiVersion": "cert-manager.io/v1",
  "kind": "ClusterIssuer",
  "metadata": {
    "name": "selfsigned-ca-clusterissuer"
  },
  "spec": {
    "ca": {
      "secretName": "selfsigned-ca-pair"
    }
  }
}
EOF
```

Install the Solution Add-On

1. Set environment variables with the desired configuration settings.

```
export VCD_HOSTNAME=vcd.example.com
export VCD_USERNAME=administrator
export VCD_EXT_PASSWORD=password
export TMC_SM_INSTANCE_NAME=VALUE_REQUIRED
export TMC_SM_ENCRYPTION_KEY=MySuperSecretKeyThatIRemember

# Provide the Kubernetes cluster name for TMC deployment,
# e.g., tkgm-tmc-cluster
export TMC_SM_KUBE_CLUSTER_NAME=VALUE_REQUIRED

# Provide DNS zone to configure TMC endpoints, i.e., tmc.mydomain.com
export TMC_SM_DNS_ZONE=VALUE_REQUIRED

# Provide the Load balancer IP of Contour Envoy, i.e., 10.11.12.23. TMC DNS
# Zone should be mapped to this IP.
export TMC_SM_LOAD_BALANCER_IP=VALUE_REQUIRED

# Provide Harbor project path for pushing/pulling TMC packages during
# installation, i.e., harbor.mydomain.com/myproject
export TMC_SM_HARBOR_URL=harbor.slz.vcd.local/tmc

# Provide Harbor username for Basic authentication
export TMC_SM_HARBOR_USERNAME=robot\$tmc

# Provide Harbor password for Basic authentication
export VCD_EXT_INPUT_HARBOR_PASSWORD=VALUE_REQUIRED

# Provide the base64 encoded CA bundle in PEM format of the Harbor server.
# It is required if the Harbor server certificate is not signed by a
# well-known certificate authority.
export VCD_EXT_INPUT_HARBOR_CA_BUNDLE=$(cat $HOME/rootCA.crt | base64 -w0)

############
# Optional Settings
############

# Set MinIO root user name. Defaults to minioadmin.
export VCD_EXT_INPUT_MINIO_ROOT_USERNAME=

# Set MinIO root user password. If left blank, a random password will be
# generated. Format: no less than 8 chars, at least 1 digit, at least 1
# special char(@$!%*#.,-_=*), at least 1 letter, i.e., P@ssw0rd
export VCD_EXT_INPUT_MINIO_ROOT_PASSWORD=

# Set TMC's PostgreSQL password. If left blank, a random password will be
# generated. Format: no less than 8 chars, at least 1 digit, at least 1
# special char(@$!%*#.,-_=*), at least 1 letter, i.e., P@ssw0rd
export VCD_EXT_INPUT_POSTGRES_PASSWORD=S3cretPGP@ssw0rd

# Set the default Grafana admin user name. Defaults to admin.
export VCD_EXT_INPUT_GRAFANA_ADMIN_USERNAME=

# Set the default Grafana admin user password. If left blank, a random
# password will be generated. Format: no less than 8 chars, at least 1 digit,
# at least 1 special char(@$!%*#.,-_=*), at least 1 letter, i.e., P@ssw0rd
export VCD_EXT_INPUT_GRAFANA_ADMIN_PASSWORD=

# Sets the timeout in seconds for TMC installation. Defaults to 3600.
export VCD_EXT_INPUT_DEPLOY_TIMEOUT=3600
```

2. Load Harbor rootCA.crt

```
# cp $HOME/rootCA.crt /etc/ssl/certs/harbor.pem && rehash_ca_certificates.sh
# timeout 1 openssl s_client -quiet -verify_return_error ${HARBOR_HOSTNAME}:443
```

3. Download the VCD certificate to a file.

```
# /mnt/cdrom/linux.run get certificates --host $VCD_HOSTNAME \
    --output /tmp/vcd.pem \
    --accept
```

4. Configure VCD to trust the TMC-SM VCD Integration Solution Add-On.

```
# /mnt/cdrom/linux.run trust --host $VCD_HOSTNAME \
    --username $VCD_USERNAME \
    --certificate-file /tmp/vcd.pem \
    --accept
```

5. Create the solution add-on instance.

```
# /mnt/cdrom/linux.run create instance --name $TMC_SM_INSTANCE_NAME \
    --host $VCD_HOSTNAME \
    --username $VCD_USERNAME \
    --certificate-file /tmp/vcd.pem \
    --encryption-key ${TMC_SM_ENCRYPTION_KEY} \
    --input-kube-cluster-name=${TMC_SM_KUBE_CLUSTER_NAME} \
    --input-cert-provider=cluster-issuer \
    --input-cert-cluster-issuer-name=selfsigned-ca-clusterissuer \
    --input-dns-zone=${TMC_SM_DNS_ZONE} \
    --input-contour-envoy-load-balancer-ip=${TMC_SM_LOAD_BALANCER_IP} \
    --input-harbor-url=${TMC_SM_HARBOR_URL} \
    --input-harbor-username=${TMC_SM_HARBOR_USERNAME} \
    --accept
```
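Added example, not part of the original post or the Installation Guide: the Harbor values file builds each secret with `head -1 /dev/random | base64 | head -c N`, and `head -1` stops at the first newline byte in the stream, so the result can come out shorter than N characters. The sketch below reproduces that on constructed input and shows a fixed-byte-count alternative; `line_based_secret`, `gen_secret` and `demo_short` are hypothetical names.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample input is constructed.

# The pattern from the values file, parameterised on its input source so
# the short-output case can be reproduced deterministically.
line_based_secret() {   # $1 = input file, $2 = wanted length
    head -1 "$1" | base64 | head -c "$2"
}

# Fixed-length alternative: read a fixed number of bytes, so a newline
# byte in the random stream cannot truncate the input.
gen_secret() {          # $1 = wanted length in characters
    want=$1
    # 3 random bytes encode to 4 base64 characters; round up.
    bytes=$(( (want * 3 + 3) / 4 ))
    out=$(head -c "$bytes" /dev/urandom | base64 | tr -d '\n' | head -c "$want")
    # Refuse to emit anything that is not exactly the requested length.
    [ "${#out}" -eq "$want" ] || { echo "short secret" >&2; return 1; }
    printf '%s' "$out"
}

# Constructed input with a newline as its third byte: the line-based
# pattern encodes only "ab\n" and yields 4 characters instead of 16.
demo_short() {
    tmp=$(mktemp)
    printf 'ab\ncdefghijklmnopqrstuvwxyz' > "$tmp"
    s=$(line_based_secret "$tmp" 16)
    rm -f "$tmp"
    echo "${#s}"
}

echo "line-based pattern on constructed input: $(demo_short) chars"
echo "fixed-length secretKey: $(gen_secret 16 | wc -c | tr -d ' ') chars"
echo "fixed-length xsrfKey:   $(gen_secret 32 | wc -c | tr -d ' ') chars"
```

Checking the length of each generated value in `harbor-packageinstall-values.yaml` before running `kctrl package install` catches the short case.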
Symptoms

Attempts to upload the Tanzu Mission Control Self-Managed ISO file fail for any reason.

Diagnosis

The TMC-SM solution is bundled into a single ISO file. The size of this file may present challenges to upload via the browser in some environments. Alternatively, the ISO may be transferred to the Installer VM and mounted directly from there.

There are some changes to the "Deploy Installer VM" section of the Installation Guide when following this guide.

- Skip the step named "Attach the Solution Add-On ISO to the VM"
- Skip this command when preparing the VM

```
# mount /dev/sr0 /mnt/cdrom -t udf -o ro
```

Solution

1. Open the Tenant UI for Cloud Provider of the Solutions Organization.
2. Browse to the TMC-SM Installer vApp.
3. Browse to the Photon OS VM in the vApp.
4. Browse to Hardware -> Hard Disks.
5. Edit the disks and add a new 64 GB disk.
6. SSH into the TMC-SM Installer VM.
7. Confirm the new disk is mounted as /dev/sdb

```
# fdisk -l /dev/sdb
```

8. Format the new disk and mount it to /solutions. Replace /dev/sdb with the appropriate name if needed.

```
# sfdisk /dev/sdb <<EOF
2048,67108864
;
EOF
# mkfs.ext4 /dev/sdb1
# mkdir /solutions
# echo "/dev/sdb1 /solutions ext4 defaults 1 3" >> /etc/fstab
# mount /solutions
```

9. Confirm that `/solutions` is mounted with 32GB of space

```
# df -h /solutions
Filesystem      Size  Used Avail Use% Mounted on
/dev/sdb1        32G     0   24G   0% /solutions
```

10. Transfer the ISO to the TMC-SM Installer using SCP or other tools

```
scp vmware-vcd-tmc-0.1.0-21897297.iso root@192.168.116.130:/solutions
```

11. Mount the solution ISO to the existing /mnt/cdrom directory

```
mount /solutions/vmware-vcd-tmc-0.1.0-21897297.iso /mnt/cdrom -t udf -o ro
```

The solution ISO is now mounted and ready to use. There are no other changes to be made to the Installation Guide. Proceed to the "Create a self-signed certificate authority" section.
Introduction

The TMC Self-Managed VCD solution has a CLI for manual or automated access. The configuration steps may vary from the TMC documentation because they include some VCD-specific information. All other CLI commands should be the same.

Prerequisites

- CA used for TMC-SM services - Not required if you used an external certificate authority
- CA used for VCD - Not required if you used an external certificate authority
- TMC DNS zone (e.g., tmc.slz.vcd.local)
- VCD hostname (e.g., vcd.local)
- VCD OIDC Client ID - This can be retrieved from the Cloud Director Provider UI
- VCD tenant organization name (e.g., company)
- VCD API Token - This should be created for a user that has the `tmc:admin` or `tmc:member` role

Installation

1. Browse to the TMC-SM UI directly or through the VCD UI link
2. Browse to "Automation center" in the lower-left corner of the screen
3. Download the TMC CLI for your platform
4. Follow the on-screen instructions, or take the appropriate steps, to make the `tmc` CLI available in your PATH

Configuration

Configure certificates

You may skip this step if VCD or TMC-SM does not use self-signed certificates.

Follow the appropriate steps for your OS to install the VCD and/or TMC-SM CA to your system. Alternatively, you can specify an environment variable pointing to these certificates.

```
# mkdir $HOME/tmc-ssl
# cp tmcCA.pem $HOME/tmc-ssl
# cp VCD.pem $HOME/tmc-ssl
# export SSL_CERT_DIR=$HOME/tmc-ssl
```

The `tmc` CLI will use the `SSL_CERT_DIR` value to load additional trusted certificates when it is executed.

Configure TMC CLI

```
tmc login --self-managed --vcd --no-configure \
    --name tmc-admin \
    --vcd-org company \
    --vcd-api-token 24ljsajf2j342j4ljsalfjasflj23j4lkasf \
    --endpoint tmc.slz.vcd.local:443 \
    --vcd-issuer-url https://vcd.local/oidc \
    --vcd-oidc-client-id f14f2242-dc18-4d93-a9a9-07c39570e287
```

This process can be repeated with different names for multiple users or TMC-SM deployments.

```
# tmc system context list
NAME        ORG ID  ENDPOINT
tmc-admin           tmc.slz.vcd.local:443
tmc-member          tmc.slz.vcd.local:443
# tmc system context use tmc-admin
```
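Added example, not part of the original post or of the `tmc` CLI: since the CLI loads additional trusted certificates from `SSL_CERT_DIR`, it is worth auditing that directory before exporting the variable. The script flags files that contain a private key (such as a `rootCA.key` copied alongside its certificate), files that are not PEM certificates, certificates close to expiry and certificates that are not CAs. `audit_trust_dir` and `make_sample_dir` are hypothetical names, and the sample CA is constructed at run time with `openssl`.

```shell
#!/bin/sh
# Added example; helper names are hypothetical.

audit_trust_dir() {     # $1 = directory, $2 = minimum days of validity left
    dir=$1; days=${2:-30}; secs=$(( days * 86400 )); rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # A private key has no place in a directory of trust anchors.
        if grep -q 'PRIVATE KEY-----' "$f"; then
            echo "FAIL $f: contains a private key"; rc=1; continue
        fi
        if ! openssl x509 -in "$f" -noout 2>/dev/null; then
            echo "FAIL $f: not a PEM certificate"; rc=1; continue
        fi
        openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null ||
            { echo "FAIL $f: expires within $days days"; rc=1; }
        openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE' ||
            { echo "FAIL $f: not a CA certificate"; rc=1; }
        echo "INFO $f: $(openssl x509 -in "$f" -noout -subject -enddate | tr '\n' ' ')"
    done
    return $rc
}

# Constructed sample: a throwaway CA created with the same kind of
# openssl req -x509 command the installation article uses, key included.
make_sample_dir() {
    d=$(mktemp -d)
    openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 -nodes \
        -keyout "$d/sampleCA.key" -out "$d/sampleCA.pem" \
        -subj "/O=Example/CN=Constructed sample CA" 2>/dev/null
    echo "$d"
}

sample=$(make_sample_dir)
audit_trust_dir "$sample" 30 || echo "audit failed: fix the findings above"
rm -rf "$sample"
```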