After you meet the prerequisites, you can begin the deployment of the vSphere with Tanzu environment to support the Developer Ready Infrastructure for VMware Cloud Foundation solution. The deployment of vSphere with Tanzu involves deploying and configuring a Supervisor Cluster and a Tanzu Kubernetes Cluster.

Prerequisites

Deploy a Supervisor Cluster for Developer Ready Infrastructure for VMware Cloud Foundation

After you have configured VM policies in vSphere and added segments in NSX-T Data Center, you can deploy vSphere with Tanzu. SDDC Manager first validates your environment, then redirects you to the vSphere Client, where you complete the deployment.

UI Procedure

  1. Log in to SDDC Manager at https://<sddc_manager_fqdn> as administrator@vsphere.local.
  2. In the navigation pane, click Solutions.

  3. On the Solutions page, under Kubernetes - Workload Management, click Deploy.

  4. Review and verify the required prerequisites, click Select All, and click Begin to open the Workload management deployment wizard.

  5. On the Select a Cluster page, select the VI workload domain you want to deploy to, select the cluster, and click Next.

  6. On the Validation page, wait until you see that validation is successful for all components and click Next.

  7. On the Review page, click Complete in vSphere.

  8. On the vCenter Server and Network page, make sure the VI workload domain vCenter Server is selected, select NSX as the networking stack option, and click Next.

  9. On the Select a Cluster page, select the VI workload domain cluster and click Next.

  10. For VMware Cloud Foundation 4.3.1 and earlier, on the Control Plane size page, select Small and click Next.

  11. On the Storage page, select the storage policy you created earlier for the three settings and click Next.

  12. On the Management Network page, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook and click Next.

  13. On the Workload Network page, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook and click Next.

  14. On the Tanzu Kubernetes Grid Service Configuration page, assign the content library to the Tanzu Kubernetes Grid service.

    1. On the Tanzu Kubernetes Grid Service configuration page, click Add.

    2. In the Content library dialog box, select the content library you created earlier and click OK.

    3. On the Tanzu Kubernetes Grid Service Configuration page, click Next.

  15. On the Review and Confirm page, for VMware Cloud Foundation 4.4, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, click Finish and wait for the deployment to complete.

PowerShell Procedure

  1. Start Windows PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    $sddcDomainName = "sfo-w01"
    
    $wmClusterName = "sfo-w01-cl01"
    $spbmPolicyName = "vsphere-with-tanzu-storage-policy"
    $contentLibraryName = "Kubernetes"
    $kubSegmentName = "sfo-w01-kub-seg01"
    $kubSegmentGatewayCIDR = "192.168.20.1/24"
    $kubSegmentSubnetCidr = "192.168.20.0/24"
    $ingressSubnetCidr = "192.168.21.0/24"
    $egressSubnetCidr = "192.168.22.0/24"
    
    
    $wmClusterSizeHint = "Tiny"
    $wmClusterManagementNetworkMode = "StaticRange"
    $wmClusterManagementNetworkAddressRangeSize = 5
    $wmClusterManagementNetworkSubnetMask = "255.255.255.0"
    $wmClusterManagementNetworkStartIpAddress = "192.168.20.10"
    $wmClusterManagementNetworkGateway = "192.168.20.1"
    $distributedSwitch = "sfo-w01-cl01-vds01"
    $nsxEdgeCluster = "sfo-w01-ec01"
    $kubePodCIDRs = "100.100.0.0/20" 
    $kubeServiceCIDR = "100.200.0.0/22"
    $masterNtpServers = @("172.16.11.253", "172.16.12.253")
    $masterDnsServers = @("172.16.11.4", "172.16.11.5")
    $masterDnsName  = "sfo-w01-cl01.sfo.rainpole.io"
    $masterDnsSearchDomain = "sfo.rainpole.io"
    $workerDnsServers = @("172.16.11.4", "172.16.11.5")

  3. Perform the configuration by running the command in the PowerShell console.

    Enable-SupervisorCluster `
    -server $sddcManagerFqdn `
    -user $sddcManagerUser `
    -pass $sddcManagerPass `
    -domain $sddcDomainName `
    -cluster $wmClusterName `
    -sizeHint $wmClusterSizeHint `
    -managementVirtualNetwork $kubSegmentName `
    -managementNetworkMode $wmClusterManagementNetworkMode `
    -managementNetworkStartIpAddress $wmClusterManagementNetworkStartIpAddress `
    -managementNetworkAddressRangeSize $wmClusterManagementNetworkAddressRangeSize `
    -managementNetworkGateway $wmClusterManagementNetworkGateway `
    -managementNetworkSubnetMask $wmClusterManagementNetworkSubnetMask `
    -contentLibrary $contentLibraryName `
    -ephemeralStoragePolicy $spbmPolicyName `
    -imageStoragePolicy $spbmPolicyName `
    -masterStoragePolicy $spbmPolicyName `
    -nsxEdgeCluster $nsxEdgeCluster `
    -distributedSwitch $distributedSwitch `
    -podCIDRs $kubePodCIDRs `
    -serviceCIDR $kubeServiceCIDR `
    -externalIngressCIDRs $ingressSubnetCidr `
    -externalEgressCIDRs $egressSubnetCidr `
    -masterNtpServers $masterNtpServers `
    -masterDnsServers $masterDnsServers `
    -masterDnsName $masterDnsName `
    -masterDnsSearchDomain $masterDnsSearchDomain `
    -workerDnsServers $workerDnsServers
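A pre-flight check of the network values passed to Enable-SupervisorCluster, added here as an example and not part of the original procedure. It assumes the management segment and the pod, service, ingress, and egress CIDRs are meant to be disjoint, and that the static management range must fit inside the segment without covering the gateway; `ConvertTo-IpNumber`, `Get-CidrRange`, and `Test-SupervisorNetworkPlan` are hypothetical helper names.

```powershell
# Added example: these functions are hypothetical helpers, not PowerValidatedSolutions cmdlets.
function ConvertTo-IpNumber ([string] $Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                       # network byte order -> little-endian host
    [long][BitConverter]::ToUInt32($bytes, 0)
}

function Get-CidrRange ([string] $Name, [string] $Cidr) {
    $ip, $prefix = $Cidr -split '/'
    $size  = [long][math]::Pow(2, 32 - [int]$prefix)
    $value = ConvertTo-IpNumber $ip
    $start = $value - ($value % $size)             # align to the network address
    [pscustomobject]@{ Name = "$Name ($Cidr)"; Start = $start; End = $start + $size - 1 }
}

function Test-SupervisorNetworkPlan {
    param(
        [hashtable] $Cidrs, [string] $ManagementSubnet, [string] $StartIp,
        [int] $RangeSize, [string] $Gateway
    )
    $findings = @()
    $ranges = @(Get-CidrRange 'Management' $ManagementSubnet) +
              @($Cidrs.GetEnumerator() | ForEach-Object { Get-CidrRange $_.Key $_.Value })

    # Pairwise overlap test: two ranges overlap when each starts before the other ends.
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            $a, $b = $ranges[$i], $ranges[$j]
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                $findings += "Overlap: $($a.Name) and $($b.Name)"
            }
        }
    }

    # The static range must stay between the network and broadcast addresses.
    $subnet = $ranges[0]
    $first  = ConvertTo-IpNumber $StartIp
    $last   = $first + $RangeSize - 1
    if ($first -le $subnet.Start -or $last -ge $subnet.End) {
        $findings += "Static range $StartIp (+$RangeSize) does not fit in $($subnet.Name)"
    }
    $gw = ConvertTo-IpNumber $Gateway
    if ($gw -ge $first -and $gw -le $last) { $findings += "Gateway $Gateway is inside the static range" }
    $findings
}

# Sample values from this page; replace them with your workbook values.
$plan = @{
    Cidrs = @{ Pod = "100.100.0.0/20"; Service = "100.200.0.0/22"; Ingress = "192.168.21.0/24"; Egress = "192.168.22.0/24" }
    ManagementSubnet = "192.168.20.0/24"; StartIp = "192.168.20.10"; RangeSize = 5; Gateway = "192.168.20.1"
}
$problems = Test-SupervisorNetworkPlan @plan
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Network plan is consistent.' }
```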

Replace the Supervisor Cluster Kubernetes API Endpoint Certificate for Developer Ready Infrastructure for VMware Cloud Foundation

After you deploy a Supervisor Cluster, you generate and install a PEM-formatted, CA-signed certificate for the Supervisor Cluster Kubernetes API endpoint. You generate a CSR from the vSphere Client. With the CSR, you generate a CA-signed certificate in PEM format with base64 encoding by using a tool of your choice. When you upload that certificate in the vSphere Client, you replace the existing certificate.

UI Procedure

  1. Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui as administrator@vsphere.local.
  2. In the Hosts and Clusters inventory, under the VI workload domain data center, select your cluster.

  3. On the cluster inventory page, click the Configure tab.

    • For VMware Cloud Foundation 4.3.1 and earlier, under Namespaces, select Certificates.
    • For VMware Cloud Foundation 4.4, under Supervisor cluster, select Certificates.
  4. In the Workload Platform Management tile, select Actions > Generate CSR.

  5. In the Generate CSR dialog box, enter the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook and click Next.

  6. Click Download to download the CSR as a file, and click Finish.

  7. Use the certificate request to generate a CA-signed certificate in CER format outside of the vSphere Client by using a tool of your choice.

  8. After you have generated a new certificate, in the Workload Platform Management tile, select Actions > Replace Certificate.

  9. In the Replace Certificate dialog box, provide the new certificate by using a method of your choice.

  10. In the Replace Certificate dialog box, click Replace.

PowerShell Procedure

To generate a CA-signed certificate by using automation in step 4, your VMware Cloud Foundation must be configured to use Microsoft CA-signed certificates. See Configure VMware Cloud Foundation to Use Microsoft CA-Signed Certificates. Additionally, you must use a Windows machine that is a member of the domain where your Enterprise Certificate Authority is installed, and a domain user with read and enroll permissions for the certificate template. Alternatively, you can use a manual method of your choice to generate a CA-signed certificate.

  1. Start Windows PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-w01"
    
    $wmClusterName = "sfo-w01-cl01"
    $CommonName = "sfo-m01-cl01.sfo.rainpole.io"
    $Organization = "Rainpole"
    $OrganizationalUnit = "Rainpole"
    $Country = "US"
    $StateOrProvince = "California"
    $Locality = "Palo Alto"
    $AdminEmailAddress = "admin@rainpole.io"
    $KeySize = 2048 # optional
    
    $mscaComputerName = "dc-rpl01.rainpole.io"
    $mscaName = "rainpole-DC-RPL01-CA"
    $caUser = "svc-vcf-ca@rainpole.io"
    $caUserPass = "VMw@re1!"
    $certificateTemplate = "VMware"

  3. Perform the configuration by running the command in the PowerShell console.

    New-SupervisorClusterCSR -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $wmClusterName -CommonName $CommonName -Organization $Organization -OrganizationalUnit $OrganizationalUnit -Country $Country -StateOrProvince $StateOrProvince -Locality $Locality -AdminEmailAddress $AdminEmailAddress -KeySize $KeySize -FilePath ".\SupervisorCluster.csr"

  4. Generate a CA-signed certificate.
    • If you have a Windows machine that is a member of the domain, where your Enterprise Certificate Authority is installed, and a domain user that is a member of the Domain Administrators group, log in to a PowerShell console on that machine with that domain user, and run the command.
      Request-SignedCertificate -mscaComputerName $mscaComputerName -mscaName $mscaName -domainUsername $caUser -domainPassword $caUserPass -certificateTemplate $certificateTemplate -certificateRequestFile ".\SupervisorCluster.csr" -certificateFile ".\SupervisorCluster.cer"
    • If you prefer a manual method, copy the contents of the CSR, and use it to generate a new TLS certificate from your provider or your local certificate authority.

  5. Install the new certificate by running the command in the PowerShell console.

    Install-SupervisorClusterCertificate -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -Cluster $wmClusterName -filePath ".\SupervisorCluster.cer"
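A check to run on the signed certificate between step 4 and step 5, added here as an example and not part of the original procedure. `Test-SupervisorCertificate` is a hypothetical helper name; the thresholds (2048-bit RSA minimum, 30 days of remaining validity) are assumptions, and the name comparison is an exact match that does not expand wildcard entries.

```powershell
# Added example: Test-SupervisorCertificate is a hypothetical helper, not a
# PowerValidatedSolutions cmdlet. It returns a list of findings (empty when none).
function Test-SupervisorCertificate {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [Parameter(Mandatory)] [string] $ExpectedName,
        [int] $MinKeySize = 2048,      # assumed threshold
        [int] $MinDaysLeft = 30        # assumed threshold
    )
    $findings = @()
    # Resolve first: .NET does not follow the PowerShell working directory.
    $path = (Resolve-Path -Path $FilePath).Path

    # The procedure requires a PEM (base64) file, not binary DER.
    if ((Get-Content -Path $path -Raw) -notmatch '-----BEGIN CERTIFICATE-----') {
        $findings += 'File has no PEM header; convert it to base64 PEM before upload.'
    }
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

    # Names a client can validate against: subject CN plus every SAN entry.
    $names = @($cert.GetNameInfo('SimpleName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += ($san.Format($false) -split ',\s*') -replace '^[^=:]*[=:]', '' }
    if ($names -notcontains $ExpectedName) {
        $findings += "Name '$ExpectedName' not found in: $($names -join ', ')"
    }
    if ($cert.Subject -eq $cert.Issuer) { $findings += 'Certificate is self-signed, not CA-signed.' }

    $now = Get-Date
    if ($now -lt $cert.NotBefore) { $findings += "Not valid until $($cert.NotBefore)" }
    if ($cert.NotAfter -lt $now.AddDays($MinDaysLeft)) { $findings += "Expires $($cert.NotAfter)" }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($rsa -and $rsa.KeySize -lt $MinKeySize) { $findings += "RSA key is only $($rsa.KeySize) bits" }
    if ($cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5') {
        $findings += "Weak signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"
    }
    $findings
}

# The .cer file is the output of step 4; the name is the $CommonName sample value from step 2.
$problems = Test-SupervisorCertificate -FilePath ".\SupervisorCluster.cer" -ExpectedName "sfo-m01-cl01.sfo.rainpole.io"
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { 'Certificate checks passed.' }
```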

License the Supervisor Cluster for Developer Ready Infrastructure for VMware Cloud Foundation

After you configure a vSphere cluster for vSphere with Tanzu and it becomes a Supervisor Cluster, you must assign the cluster a Tanzu edition license.

After you assign a Tanzu edition license to a Supervisor Cluster, you can create and configure namespaces.

UI Procedure

  1. Log in to SDDC Manager at https://<sddc_manager_fqdn> as administrator@vsphere.local.
  2. Add your Tanzu edition license to SDDC Manager.

    1. In the navigation pane, click Administration > Licensing.

    2. On the Licensing page, click + License key.

    3. In the Add license key dialog box, select VMware Tanzu as the product, enter your license and a description, and click Add.

  3. Apply the Tanzu edition license to the Supervisor Cluster.

    1. In the navigation pane, click Solutions.

    2. On the Solutions page, under Kubernetes - Workload Management, click View details.

    3. On the Workload Management page, click the three vertical dots next to the workload management cluster and click Update Workload Management license.

    4. In the Update license dialog box, select the available license and click Apply.

PowerShell Procedure

  1. Start Windows PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-w01"
    
    $wmClusterName = "sfo-w01-cl01"
    $wmClusterLicenseKey = "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"

  3. Assign a license to the Supervisor Cluster.

    Add-SupervisorClusterLicense -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $wmClusterName -LicenseKey $wmClusterLicenseKey

Deploy a Supervisor Namespace for Developer Ready Infrastructure for VMware Cloud Foundation

After a Supervisor Cluster has been deployed, configured, and licensed, you deploy a Supervisor Namespace on the Supervisor Cluster to run Kubernetes applications.

UI Procedure

  1. Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui as administrator@vsphere.local.
  2. From the vSphere Client menu, select Workload Management.

  3. On the Workload management page, under the Namespaces tab, click Create namespace.

  4. In the Create namespace dialog box, select the VI workload domain cluster, enter a name for the namespace according to your value in the VMware Cloud Foundation Planning and Preparation Workbook, and click Create.

  5. On the namespace page, click Add Storage.

  6. In the Select Storage Policies dialog box, select the storage policy you created earlier and click OK.

PowerShell Procedure

  1. Start Windows PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-w01"
    
    $wmClusterName = "sfo-w01-cl01"
    $wmNamespaceName = "sfo-w01-ns01"
    $spbmPolicyName = "vsphere-with-tanzu-storage-policy"

  3. Perform the configuration by running the command in the PowerShell console.

    Add-Namespace -Server $sddcManagerFqdn -User $sddcManagerUser -Pass $sddcManagerPass -Domain $sddcDomainName -Cluster $wmClusterName -Namespace $wmNamespaceName -StoragePolicy $spbmPolicyName

Assign the Supervisor Namespace Roles to Active Directory Groups for Developer Ready Infrastructure for VMware Cloud Foundation

You assign roles for the Namespace to Active Directory groups. You can later assign access to users by adding them to these groups. You assign access to separate Active Directory groups for the edit and view roles in the Namespace.

UI Procedure

  1. Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui as administrator@vsphere.local.
  2. From the vSphere Client menu, select Workload Management.

  3. On the Workload management page, under the Namespaces tab, click the namespace.

  4. Click the Permissions tab.

  5. Provide edit permissions to your Active Directory group intended for admins for the namespace.

    1. On the namespace page, click Add permissions.

    2. In the Add Permissions dialog box, enter the Identity source and User/Group for edit access according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, set the Role to Can edit, and click OK.

  6. Provide read-only permissions to your Active Directory group intended for viewers for the namespace.

    1. On the namespace page, click Manage permissions.

    2. In the Add Permissions dialog box, enter the Identity source and User/Group for read-only access according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, set the Role to Can view, and click OK.

PowerShell Procedure

  1. Start Windows PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-w01"
    
    $domainFqdn = "sfo.rainpole.io"
    $domainBindUser = "svc-vsphere-ad"
    $domainBindPass = "VMw@re1!"
    
    $wmNamespaceName = "sfo-w01-ns01"
    $wmNamespaceEditUserGroup = "gg-kub-admins"
    $wmNamespaceViewUserGroup = "gg-kub-readonly"

  3. Perform the configuration by running the command in the PowerShell console.

    Add-NamespacePermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $sddcDomainName -domain $domainFqdn -domainBindUser $domainBindUser -domainBindPass $domainBindPass -namespace $wmNamespaceName -principal $wmNamespaceEditUserGroup -role edit -type group
    
    Add-NamespacePermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $sddcDomainName -domain $domainFqdn -domainBindUser $domainBindUser -domainBindPass $domainBindPass -namespace $wmNamespaceName -principal $wmNamespaceViewUserGroup -role view -type group

Activate the Registry Service on the Supervisor Cluster for Developer Ready Infrastructure for VMware Cloud Foundation

After the Supervisor Cluster is configured, activate a private image registry on the Supervisor Cluster through the Registry Service.

UI Procedure

  1. Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui as administrator@vsphere.local.
  2. In the Hosts and Clusters inventory, select the VI workload domain cluster and click the Configure tab.

    • For VMware Cloud Foundation 4.3.1 and earlier, under Namespaces, click Image Registry.
    • For VMware Cloud Foundation 4.4, under Supervisor cluster, click Image Registry.
  3. On the Image Registry page, click Enable Harbor.

  4. In the Select storage policies dialog box, select the storage policy that you created earlier for placement of container images and click OK.

After the deployment completes successfully, on the Image Registry page, the Health status is Running and a Link to Harbor UI appears.

PowerShell Procedure

  1. Start Windows PowerShell.

  2. Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-w01"
    
    $spbmPolicyName = "vsphere-with-tanzu-storage-policy"

  3. Perform the configuration by running the command in the PowerShell console.

    Enable-Registry -Server $sddcManagerFqdn -User $sddcManagerUser -Pass $sddcManagerPass -Domain $sddcDomainName -StoragePolicy $spbmPolicyName
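Every PowerShell procedure on this page assigns passwords to variables as string literals, which leaves them in any saved script and in the PSReadLine command history. The following added example (not part of the original procedures) prompts for the SDDC Manager credential once, splats it into one of the page's cmdlets, and then lists history lines that still contain a literal password assignment; `Find-PasswordInHistory` is a hypothetical helper name, and it assumes the PSReadLine module is loaded.

```powershell
# Prompt once; the password is never typed as a literal.
$cred = Get-Credential -UserName "administrator@vsphere.local" -Message "SDDC Manager credentials"

# Parameters shared by the cmdlets on this page (-server, -user, -pass).
$sddc = @{
    Server = "sfo-vcf01.sfo.rainpole.io"
    User   = $cred.UserName
    Pass   = $cred.GetNetworkCredential().Password   # plain text exists only in memory
}
try {
    Enable-Registry @sddc -Domain "sfo-w01" -StoragePolicy "vsphere-with-tanzu-storage-policy"
}
finally {
    # Drop the plain-text copy as soon as the call returns.
    $sddc.Clear()
    Remove-Variable -Name cred
}

# Hypothetical helper: report where the history file holds assignments such as
# $sddcManagerPass = "...", $caUserPass = "..." or $domainBindPass = "...".
function Find-PasswordInHistory {
    param([string] $Path = (Get-PSReadLineOption).HistorySavePath)
    if (-not (Test-Path -Path $Path)) { return @() }
    Select-String -Path $Path -Pattern '\$\w*Pass\w*\s*=\s*["'']' |
        ForEach-Object { "{0}:{1}" -f $_.Path, $_.LineNumber }   # location only, not the secret
}
Find-PasswordInHistory
```

Any line the helper reports should be removed from the history file, and the affected password rotated if the file was readable by other accounts.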