After you meet the prerequisites, you can begin the deployment of the vSphere with Tanzu environment to support the Developer Ready Infrastructure for VMware Cloud Foundation solution. The deployment of vSphere with Tanzu involves deploying and configuring a Supervisor and a Tanzu Kubernetes Cluster.
Prerequisites
Add your Active Directory domain as an identity provider for vCenter Single Sign-On as defined in the Identity and Access Management for VMware Cloud Foundation.
To connect to the Supervisor as a vCenter Single Sign-On user, install the vSphere kubectl plug-in. See Download and Install the Kubernetes CLI Tools for vSphere.
Download the Kubernetes CLI Tools for vSphere from your Supervisor. See Download and Install the Kubernetes CLI Tools for vSphere.
Deploy a Supervisor for Developer Ready Infrastructure for VMware Cloud Foundation
After you have configured VM policies in vSphere and added segments in NSX, you can deploy vSphere with Tanzu. SDDC Manager first validates your environment then redirects you to the vSphere Client where you complete the deployment.
UI Procedure
- Log in to SDDC Manager at https://<sddc_manager_fqdn> as [email protected].
- In the navigation pane, click Solutions.
- On the Solutions page, under Kubernetes - Workload Management, click Deploy.
- To open the Workload management deployment wizard, review and verify the required prerequisites, click Select All, and click Begin.
- On the Select a Cluster page, select the VI workload domain you want to deploy to, select the cluster, and click Next.
- On the Validation page, wait until you see that validation is successful for all components and click Next.
- On the Review page, click Complete in vSphere.
- On the vCenter Server and Network page, make sure the VI workload domain vCenter Server is selected, select NSX as the networking stack option, and click Next.
- Select the VI workload domain cluster.
- For VMware Cloud Foundation 4.5.1 or earlier, on the Select a Cluster page, select the VI workload domain cluster and click Next.
- For VMware Cloud Foundation 5.0 or later, on the Supervisor location page, select Cluster Deployment, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, and click Next
- For VMware Cloud Foundation 4.3.1 and earlier, on the Control Plane size page, select Small and click Next.
- On the Storage page, select the storage policy you created earlier for the three settings and click Next.
- On the Management Network page, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook and click Next.
- On the Workload Network page, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook and click Next.
- For VMware Cloud Foundation 4.5.1 or earlier, on the Tanzu Kubernetes Grid Service Configuration page, assign the content library to the Tanzu Kubernetes Grid service.
- On the Tanzu Kubernetes Grid Service configuration page, click Add.
- In the Content library dialog box, select the content library you created earlier and click OK.
- On the Tanzu Kubernetes Grid Service Configuration page, click Next.
- On the Review and Confirm page, for VMware Cloud Foundation 4.4 or later, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, click Finish and wait for the deployment to complete.
PowerShell Procedure
Start PowerShell.
Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-w01" $wmClusterName = "sfo-w01-cl01" $spbmPolicyName = "vsphere-with-tanzu-storage-policy" $contentLibraryName = "Kubernetes" $kubSegmentName = "sfo-w01-seg01-tanzu" $kubSegmentGatewayCIDR = "192.168.20.1/24" $kubSegmentSubnetCidr = "192.168.20.0/24" $ingressSubnetCidr = "192.168.21.0/24" $egressSubnetCidr = "192.168.22.0/24" $wmClusterSizeHint = "Tiny" $wmClusterManagementNetworkMode = "StaticRange" $wmClusterManagementNetworkAddressRangeSize = 5 $wmClusterManagementNetworkSubnetMask = "255.255.255.0" $wmClusterManagementNetworkStartIpAddress = "192.168.20.10" $wmClusterManagementNetworkGateway = "192.168.20.1" $distributedSwitch = "sfo-w01-cl01-vds01" $nsxEdgeCluster = "sfo-w01-ec01" $kubePodCIDRs = "100.100.0.0/20" $kubeServiceCIDR = "100.200.0.0/22" $masterNtpServers = @("172.16.11.253", "172.16.12.253") $masterDnsServers = @("172.16.11.4", "172.16.11.5") $masterDnsName = "sfo-w01-cl01.sfo.rainpole.io" $masterDnsSearchDomain = "sfo.rainpole.io" $workerDnsServers = @("172.16.11.4", "172.16.11.5")
Perform the configuration by running the command in the PowerShell console.
Enable-SupervisorCluster ` -server $sddcManagerFqdn ` -user $sddcManagerUser ` -pass $sddcManagerPass ` -domain $sddcDomainName ` -cluster $wmClusterName ` -sizeHint $wmClusterSizeHint ` -managementVirtualNetwork $kubSegmentName ` -managementNetworkMode $wmClusterManagementNetworkMode ` -managementNetworkStartIpAddress $wmClusterManagementNetworkStartIpAddress ` -managementNetworkAddressRangeSize $wmClusterManagementNetworkAddressRangeSize ` -managementNetworkGateway $wmClusterManagementNetworkGateway ` -managementNetworkSubnetMask $wmClusterManagementNetworkSubnetMask ` -contentLibrary $contentLibraryName ` -ephemeralStoragePolicy $spbmPolicyName ` -imageStoragePolicy $spbmPolicyName ` -masterStoragePolicy $spbmPolicyName ` -nsxEdgeCluster $nsxEdgeCluster ` -distributedSwitch $distributedSwitch ` -podCIDRs $kubePodCIDRs ` -serviceCIDR $kubeServiceCIDR ` -externalIngressCIDRs $ingressSubnetCidr ` -externalEgressCIDRs $egressSubnetCidr ` -masterNtpServers $masterNtpServers ` -masterDnsServers $masterDnsServers ` -masterDnsName $masterDnsName ` -masterDnsSearchDomain $masterDnsSearchDomain ` -workerDnsServers $workerDnsServers `
Replace the Supervisor Kubernetes API Endpoint Certificate for Developer Ready Infrastructure for VMware Cloud Foundation
After you deploy a Supervisor, you generate and install a PEM-formatted, CA-signed certificate for the Supervisor Kubernetes API endpoint. You generate a CSR from the vSphere Client. With the CSR, you generate a PEM-formatted with base64 encoding, CA-signed certificate by using a tool of your choice. When you upload that certificate in the vSphere Client, you replace the existing certificate.
UI Procedure
- Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui as [email protected].
In the Hosts and Clusters inventory, under the VI workload domain data center, select your cluster.
On the cluster inventory page, click the Configure tab.
-
- For VMware Cloud Foundation 4.3.1 and earlier, under Namespaces, select Certificates.
- For VMware Cloud Foundation 4.4, under Supervisor, select Certificates.
In the Workload Platform Management tile, select .
In the Generate CSR dialog box, enter the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook and click Next.
Click Download to download the CSR as a file, and click Finish.
Use the certificate request to generate a CER, CA-signed certificate outside of the vSphere Client by using a tool of your choice.
After you have generated a new certificate, in the Workload Platform Management tile, select .
In the Replace Certificate dialog box, provide the new certificate by using a method of your choice.
In the Replace Certificate dialog box, click Replace.
PowerShell Procedure
To generate a CA-signed certificate by using automation in step 4, your VMware Cloud Foundation must be configured to use Microsoft CA-signed certificates. See Configure VMware Cloud Foundation to Use Microsoft CA-Signed Certificates. Additionally, you must use a Windows machine that is a member of the domain, where your Enterprise Certificate Authority is installed, and a domain user with read and enroll permissions for the certificate template. Alternatively, you can use a manual method by your choice to generate a CA-signed certificate.
Start PowerShell.
Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-w01" $wmClusterName = "sfo-w01-cl01" $CommonName = "sfo-m01-cl01.sfo.rainpole.io" $Organization = "Rainpole" $OrganizationalUnit = "Rainpole" $Country = "US" $StateOrProvince = "California" $Locality = "Palo Alto" $AdminEmailAddress = "[email protected]" $KeySize = 2048 (optional) $mscaComputerName = "dc-rpl01.rainpole.io" $mscaName = "rainpole-DC-RPL01-CA" $caUser = "[email protected]" $caUserPass = "VMw@re1!" $certificateTemplate = "VMware"
Perform the configuration by running the command in the PowerShell console.
New-SupervisorClusterCSR -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $wmClusterName -CommonName $CommonName -Organization $Organization -OrganizationalUnit $OrganizationalUnit -Country $Country -StateOrProvince $StateOrProvince -Locality $Locality -AdminEmailAddress $AdminEmailAddress -KeySize $Keysize -FilePath ".\SupervisorCluster.csr"
- Generate a CA-signed certificate
- If you have a Windows machine that is a member of the domain, where your Enterprise Certificate Authority is installed, and a domain user that is a member of the
Domain Administratorsgroup, log in to a PowerShell console on that machine with that domain user, and run the command.Request-SignedCertificate -mscaComputerName $mscaComputerName -mscaName $mscaName -domainUsername $caUser -domainPassword $caUserPass -certificateTemplate $certificateTemplate -certificateRequestFile ".\SupervisorCluster.csr" -certificateFile ".\SupervisorCluster.cer"
If you prefer a manual method, copy the contents of the CSR, and use it to generate a new TLS certificate from your provider or your local certificate authority.
- If you have a Windows machine that is a member of the domain, where your Enterprise Certificate Authority is installed, and a domain user that is a member of the
Install the new certificate by running the command in the PowerShell console.
Install-SupervisorClusterCertificate -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -Cluster $wmClusterName -filePath ".\SupervisorCluster.cer"
License the Supervisor for Developer Ready Infrastructure for VMware Cloud Foundation
After you configure a vSphere cluster for vSphere with Tanzu and it becomes a Supervisor, you must assign the cluster a Tanzu edition license.
After you assign a Tanzu edition license to a Supervisor, you can create and configure namespaces.
UI Procedure
- Log in to SDDC Manager at https://<sddc_manager_fqdn> as [email protected].
Add your Tanzu edition license to SDDC Manager.
In the navigation pane, click .
On the Licensing page, click + License key.
In the Add license key dialog box, select VMware Tanzu as the product, enter your license and a description, and click Add.
Apply the Tanzu edition license to the Supervisor.
In the navigation pane, click Solutions.
On the Solutions page, under Kubernetes - Workload Management, click View details.
On the Workload Management page, click the three vertical dots next to the workload management cluster and click Update Workload Management license.
In the Update license dialog box, select the available license and click Apply.
PowerShell Procedure
Start PowerShell.
Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-w01" $wmClusterName = "sfo-w01-cl01" $licenseKey = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
Assign a license to the Supervisor.
Add-SupervisorClusterLicense -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $wmClusterName -LicenseKey $licenseKey
Deploy a Supervisor Namespace for Developer Ready Infrastructure for VMware Cloud Foundation
After a Supervisor has been deployed, configured, and licensed, you deploy a Supervisor Namespace on the Supervisor to run Kubernetes applications.
UI Procedure
- Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui as [email protected].
From the vSphere Client menu, select Workload Management.
On the Workload management page, under the Namespaces tab and click Create namespace.
In the Create namespace dialog box, select the VI workload domain cluster, enter a name for the namespace according to your value in the VMware Cloud Foundation Planning and Preparation Workbook, and click Create.
On the namespace page, click Add Storage.
In the Select Storage Policies dialog box, select the storage policy you created earlier and click OK.
PowerShell Procedure
Start PowerShell.
Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-w01" $wmClusterName = "sfo-w01-cl01" $wmNamespaceName = "sfo-w01-ns01" $spbmPolicyName = "vsphere-with-tanzu-storage-policy"
Perform the configuration by running the command in the PowerShell console.
Add-Namespace -Server $sddcManagerFqdn -User $sddcManagerUser -Pass $sddcManagerPass -Domain $sddcDomainName -Cluster $wmClusterName -Namespace $wmNamespaceName -StoragePolicy $spbmPolicyName
Assign the Supervisor Namespace Roles to Active Directory Groups for Developer Ready Infrastructure for VMware Cloud Foundation
You assign roles for the Namespace to Active Directory groups. You can later assign access to users by adding them to these groups. You assign access to separate Active Directory groups for the edit and view roles in the Namespace.
UI Procedure
- Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui as [email protected].
From the vSphere Client Menu, select Workload Management.
On the Workload management page, under the Namespaces tab and click the Namespace.
Click the Permissions tab.
Provide edit permissions to your Active Directory group intended for admins for the namespace.
On the namespace page, click Add permissions.
In the Add Permissions dialog box, enter the Identity source and User/Group for edit access according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, set the Role to Can edit, and click OK.
Provide read-only permissions to your Active Directory group intended for viewers for the namespace.
On the namespace page, click Manage permissions.
In the Add Permissions dialog box, enter the Identity source and User/Group for read-only access according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, set the Role to Can view, and click OK.
PowerShell Procedure
-
Start PowerShell.
-
Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-w01" $domainFqdn = "sfo.rainpole.io" $domainBindUser = "svc-vsphere-ad" $domainBindPass = "VMw@re1!" $wmNamespaceName = "sfo-w01-ns01" $wmNamespaceEditUserGroup = "gg-kub-admins" $wmNamespaceViewUserGroup = "gg-kub-readonly"
-
Perform the configuration by running the command in the PowerShell console.
Add-NamespacePermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $sddcDomainName -domain $domainFqdn -domainBindUser $domainBindUser -domainBindPass $domainBindPass -namespace $wmNamespaceName -principal $wmNamespaceEditUserGroup -role edit -type group Add-NamespacePermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $sddcDomainName -domain $domainFqdn -domainBindUser $domainBindUser -domainBindPass $domainBindPass -namespace $wmNamespaceName -principal $wmNamespaceViewUserGroup -role view -type group
Activate the Registry Service on the Supervisor for Developer Ready Infrastructure for VMware Cloud Foundation 4.5.2 or earlier
In VMware Cloud Foundation 4.5.2 or earlier, after the Supervisor is configured, activate a private image registry on the Supervisor through the Registry Service.
UI Procedure
- Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui as [email protected].
In the Hosts and Clusters inventory, select the VI workload domain cluster and click the Configure tab.
-
- For VMware Cloud Foundation 4.3.1 and earlier, under Namespaces, click Image Registry.
- For VMware Cloud Foundation 4.4, under Supervisor, click Image Registry.
On the Image Registry page, click Enable Harbor.
In the Select storage policies dialog box, select the storage policy that you created earlier for placement of container images and click OK.
After the deployment completes successfully, on the Image Registry page, the Health status is Running and a Link to Harbor UI appears.
PowerShell Procedure
Start PowerShell.
Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-w01" $spbmPolicyName = "vsphere-with-tanzu-storage-policy"
Perform the configuration by running the command in the PowerShell console.
Enable-Registry -Server $sddcManagerFqdn -User $sddcManagerUser -Pass $sddcManagerPass -Domain $sddcDomainName -StoragePolicy $spbmPolicyName
