After you meet the prerequisites, you can begin the deployment of the vSphere with Tanzu environment to support the Developer Ready Infrastructure for VMware Cloud Foundation solution. The deployment of vSphere with Tanzu involves deploying and configuring a Supervisor and a Tanzu Kubernetes Cluster.
Prerequisites
- Add your Active Directory domain as an identity provider for vCenter Single Sign-On as defined in the Identity and Access Management for VMware Cloud Foundation.
- To connect to the Supervisor as a vCenter Single Sign-On user, install the vSphere kubectl plug-in. See Download and Install the Kubernetes CLI Tools for vSphere.
- Download the Kubernetes CLI Tools for vSphere from your Supervisor. See Download and Install the Kubernetes CLI Tools for vSphere.
Deploy a Supervisor for Developer Ready Infrastructure for VMware Cloud Foundation
After you have configured VM policies in vSphere and added segments in NSX, you can deploy vSphere with Tanzu. SDDC Manager first validates your environment then redirects you to the vSphere Client where you complete the deployment.
Procedure
- Log in to SDDC Manager at https://<sddc_manager_fqdn> as [email protected].
- In the navigation pane, click Solutions.
- On the Solutions page, under Kubernetes - Workload Management, click Deploy.
- Review and verify the required prerequisites, click Select All, and click Begin.
- On the Select a Cluster page, select the VI workload domain you want to deploy to, select the cluster, and click Next.
- On the Validation page, wait until you see that validation is successful for all components and click Next.
- On the Review page, click Complete in vSphere.
- On the vCenter Server and Network page, make sure the VI workload domain vCenter Server is selected, select NSX as the networking stack option, and click Next.
- On the Supervisor location page, select Cluster Deployment, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, and click Next.
- On the Storage page, select the storage policy you created earlier for the three settings and click Next.
- On the Management Network page, select the Static Network Mode option, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, and click Next.
- On the Workload Network page, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook and click Next.
- On the Review and Confirm page, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook and click Finish.
Replace the Supervisor Kubernetes API Endpoint Certificate for Developer Ready Infrastructure for VMware Cloud Foundation
After you deploy a Supervisor, generate an SSL certificate using the PowerShell module for VMware Validated Solutions and replace the certificate of the Supervisor Kubernetes API endpoint.
Procedure
- Generate an SSL certificate using the PowerShell module for VMware Validated Solutions.
  - Start Windows PowerShell.
  - Replace the sample values in the variables below and run the commands in the PowerShell console.

        $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
        $sddcManagerUser = "[email protected]"
        $sddcManagerPass = "VMw@re1!"
        $sddcDomainName = "sfo-w01"
        $sddcClusterName = "sfo-w01-cl01"
        $commonName = "sfo-m01-cl01.sfo.rainpole.io"
        $encryptionKeySize = 2048
        $orgName = "rainpole"
        $orgUnitName = "Platform Engineering"
        $orgLocalityName = "San Francisco"
        $orgStateProvinceName = "California"
        $orgCountryCode = "US"
        $adminEmailAddress = "[email protected]"
        $caType = "msca"
        $caFqdn = "rpl-ad01.rainpole.io"
        $caUsername = "Administrator"
        $caPassword = "VMw@re1!"
        $caTemplate = "VMware"
        $outputPath = ".\certificates\"
        $csrFilePath = Join-Path $outputPath "$commonName.csr"

  - Perform the configuration by running the command in the PowerShell console.

        New-SupervisorClusterCSR -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $sddcClusterName -CommonName $commonName -Organization $orgName -OrganizationalUnit $orgUnitName -Locality $orgLocalityName -StateOrProvince $orgStateProvinceName -Country $orgCountryCode -AdminEmailAddress $adminEmailAddress -KeySize $encryptionKeySize -FilePath $csrFilePath
        Invoke-RequestSignedCertificate -caFqdn $caFqdn -csrFilePath $csrFilePath -outDirPath $outputPath -certificateAuthority $caType -username $caUsername -password $caPassword -certificateTemplate $caTemplate

- Replace the SSL certificate.
  - Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui with a user assigned the Administrator role.
  - For VMware Cloud Foundation 5.2:
    - From the vSphere Client menu, select Workload Management.
    - On the Workload Management page, click the Supervisors tab and click the Supervisor for the workload domain.
  - For VMware Cloud Foundation 5.1 and 5.1:
    - In the Hosts and Clusters inventory, under the VI workload domain data center, select your cluster.
    - On the cluster inventory page, click the Configure tab.
  - Under Supervisor, select Certificates.
  - In the Workload Platform Management tile, select .
  - In the Replace Certificate dialog box, provide the new certificate by using a method of your choice.
  - In the Replace Certificate dialog box, click Replace.
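Before you click Replace, you can confirm that the file returned by the certificate authority is the certificate you requested. The following PowerShell is an added example, not part of the VMware documentation or of the PowerShell module for VMware Validated Solutions; the Test-SupervisorCertificate function and the $certFilePath file name are assumptions, and the chain check assumes the issuing CA's root certificate is trusted on the workstation.

```powershell
# Added example: check the CA-signed certificate before replacing the endpoint certificate.
$commonName        = "sfo-m01-cl01.sfo.rainpole.io"    # sample value from the procedure
$encryptionKeySize = 2048                               # sample value from the procedure
$certFilePath      = ".\certificates\$commonName.cer"   # assumed name; use the file written to $outputPath

function Test-SupervisorCertificate {                   # hypothetical helper, not a module cmdlet
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $ExpectedName,
        [int] $MinKeySize   = 2048,
        [int] $MinDaysValid = 30
    )
    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$x509.X509Certificate2" -ArgumentList (Resolve-Path $Path).Path
    $findings = @()

    # First DNS subject alternative name, or the subject CN when the certificate has no SAN.
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $ExpectedName) { $findings += "Name mismatch: certificate names '$dnsName'" }

    # Validity window: already valid, and not about to expire.
    $now = Get-Date
    if ($now -lt $cert.NotBefore) { $findings += "Not valid until $($cert.NotBefore)" }
    if ($cert.NotAfter -lt $now.AddDays($MinDaysValid)) { $findings += "Expires $($cert.NotAfter)" }

    # Public key must be RSA with at least the requested size.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if ($null -eq $rsa) {
        $findings += "Public key is not RSA"
    } elseif ($rsa.KeySize -lt $MinKeySize) {
        $findings += "RSA key is only $($rsa.KeySize) bits"
    }

    # Chain must build to a root this workstation trusts (default policy includes revocation checks).
    $chain = New-Object "$x509.X509Chain"
    if (-not $chain.Build($cert)) {
        $findings += @($chain.ChainStatus | ForEach-Object { "Chain: $($_.Status)" })
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Passed     = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

Test-SupervisorCertificate -Path $certFilePath -ExpectedName $commonName -MinKeySize $encryptionKeySize
```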
License the Supervisor for Developer Ready Infrastructure for VMware Cloud Foundation
After you configure a vSphere cluster for vSphere with Tanzu and it becomes a Supervisor, you must assign the cluster a Tanzu edition license.
After you assign a Tanzu edition license to a Supervisor, you can create and configure namespaces.
Procedure
- Log in to SDDC Manager at https://<sddc_manager_fqdn> as [email protected].
- Add your Tanzu edition license to SDDC Manager.
  - In the navigation pane, click .
  - On the Licensing page, click + License key.
  - In the Add license key dialog box, select VMware Tanzu as the product, enter your license and a description, and click Add.
- Apply the Tanzu edition license to the Supervisor.
  - In the navigation pane, click Solutions.
  - On the Solutions page, under Kubernetes - Workload Management, click View details.
  - On the Workload Management page, click the three vertical dots next to the workload management cluster and click Update Workload Management license.
  - In the Update license dialog box, select the available license and click Apply.
Deploy a Supervisor Namespace for Developer Ready Infrastructure for VMware Cloud Foundation
After a Supervisor has been deployed, configured, and licensed, you deploy a Supervisor Namespace on the Supervisor to run Kubernetes applications.
Procedure
- Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui with a user assigned the Administrator role.
- From the vSphere Client menu, select Workload Management.
- On the Workload management page, on the Namespaces tab, click Create namespace.
- In the Create namespace dialog box, select the VI workload domain cluster, enter a name for the namespace according to your value in the VMware Cloud Foundation Planning and Preparation Workbook, and click Create.
- On the namespace page, click Add Storage.
- In the Select Storage Policies dialog box, select the storage policy you created earlier and click OK.
Assign the Supervisor Namespace Roles to Active Directory Groups for Developer Ready Infrastructure for VMware Cloud Foundation
You assign roles for the Namespace to Active Directory groups. You can later assign access to users by adding them to these groups. You assign access to separate Active Directory groups for the edit and view roles in the Namespace.
Procedure
- Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui with a user assigned the Administrator role.
- From the vSphere Client menu, select Workload Management.
- On the Workload management page, on the Namespaces tab, click the Namespace.
- Click the Permissions tab.
- Provide edit permissions to your Active Directory group intended for admins for the namespace.
  - On the namespace page, click Add.
  - In the Add Permissions dialog box, enter the Identity source and User/Group for edit access according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, set the Role to Can edit, and click OK.
- Provide read-only permissions to your Active Directory group intended for viewers for the namespace.
  - On the namespace page, click Manage permissions.
  - In the Add Permissions dialog box, enter the Identity source and User/Group for read-only access according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, set the Role to Can view, and click OK.
Install Contour as a Supervisor Service for Developer Ready Infrastructure for VMware Cloud Foundation
You use Contour for running Harbor as a Supervisor service.
Procedure
Install Harbor as a Supervisor Service for Developer Ready Infrastructure for VMware Cloud Foundation
After you configure the Supervisor in the workload domain cluster, you must install Harbor as a Supervisor service. You can then use Harbor as a registry for workloads running on TKG clusters.
Procedure
Establish Trust with the Harbor Service for Developer Ready Infrastructure for VMware Cloud Foundation
If there is a plan to use this registry with TKG clusters in another Supervisor, configure trust between the Supervisor and Harbor.
Procedure
Configure vSphere Host and VM Groups and Rules for Stretched vSAN Cluster for Developer Ready Infrastructure for VMware Cloud Foundation
To ensure the Supervisor virtual machines stay together in the correct availability zone, they must be grouped together and assigned to a site.
You complete this procedure if you are using a stretched vSAN cluster.
Procedure
- Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui with a user assigned the Administrator role.
- In the Hosts and clusters inventory, expand the workload domain vCenter Server tree and expand the workload domain data center.
- Select the default workload domain cluster and click the Configure tab.
- In the left pane, navigate to Add. and click
- In the Create VM/Host rule dialog box, enter a name for the VM group and, from the Type drop-down menu, select Keep virtual machines together.
- In the Members section, click Add, and, in the Add group member, select the Supervisor Control Plane node virtual machines and click OK.
- In the Create VM/Host rule dialog box, click OK.
- In the left pane, navigate to .
- On the VM/Host rule page, select the sfo-w01-cl01_primary-az-vmgroup VM rule and click Edit.
- In the Edit VM/Host rule dialog, from the drop-down menu, select Should run on hosts in group, from the Host group drop-down menu, select the primary host group for the workload domain, and click OK.
Repeat this procedure for the Tanzu Kubernetes Grid Service Cluster Control Plane VMs.