After you meet the prerequisites, you can begin the deployment of the vSphere with Tanzu environment to support the Developer Ready Infrastructure for VMware Cloud Foundation solution. The deployment of vSphere with Tanzu involves deploying and configuring a Supervisor and a Tanzu Kubernetes Cluster.

Prerequisites

Deploy a Supervisor for Developer Ready Infrastructure for VMware Cloud Foundation

After you have configured VM policies in vSphere and added segments in NSX, you can deploy vSphere with Tanzu. SDDC Manager first validates your environment then redirects you to the vSphere Client where you complete the deployment.

Procedure

  1. Log in to SDDC Manager at https://<sddc_manager_fqdn> as [email protected].
  2. In the navigation pane, click Solutions.
  3. On the Solutions page, under Kubernetes - Workload Management, click Deploy.
  4. Review and verify the required prerequisites, click Select All, and click Begin.

  5. On the Select a Cluster page, select the VI workload domain you want to deploy to, select the cluster, and click Next.
  6. On the Validation page, wait until you see that validation is successful for all components and click Next.
  7. On the Review page, click Complete in vSphere.
  8. On the vCenter Server and Network page, make sure the VI workload domain vCenter Server is selected, select NSX as the networking stack option, and click Next.
  9. On the Supervisor location page, select Cluster Deployment, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, and click Next.

  10. On the Storage page, select the storage policy you created earlier for the three settings and click Next.
  11. On the Management Network page, select the Static Network Mode option, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, and click Next.

  12. On the Workload Network page, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook and click Next.
  13. On the Review and Confirm page, configure the settings according to your values in the VMware Cloud Foundation Planning and Preparation Workbook and click Finish.

Replace the Supervisor Kubernetes API Endpoint Certificate for Developer Ready Infrastructure for VMware Cloud Foundation

After you deploy a Supervisor, generate an SSL certificate using the PowerShell module for VMware Validated Solutions and replace the certificate of the Supervisor Kubernetes API endpoint.

Procedure

  1. Generate an SSL certificate using the PowerShell module for VMware Validated Solutions.

    1. Start Windows PowerShell.

    2. Replace the sample values in the variables below and run the commands in the PowerShell console.

      $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
      $sddcManagerUser = "[email protected]"
      $sddcManagerPass = "VMw@re1!"
       
      $sddcDomainName = "sfo-w01"
      $sddcClusterName = "sfo-w01-cl01"
      
      $commonName = "sfo-m01-cl01.sfo.rainpole.io"
      $encryptionKeySize = 2048
      $orgName = "rainpole"
      $orgUnitName = "Platform Engineering"
      $orgLocalityName = "San Francisco"
      $orgStateProvinceName = "California"
      $orgCountryCode = "US"
      $adminEmailAddress = "[email protected]"
      
      $caType = "msca"
      $caFqdn = "rpl-ad01.rainpole.io"
      $caUsername = "Administrator"
      $caPassword = "VMw@re1!"
      $caTemplate = "VMware"
      
      $outputPath = ".\certificates\"
      $csrFilePath = Join-Path $outputPath "$commonName.csr"
    3. Perform the configuration by running the commands in the PowerShell console.

      New-SupervisorClusterCSR -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $sddcClusterName -CommonName $commonName -Organization $orgName -OrganizationalUnit $orgUnitName -Locality $orgLocalityName -StateOrProvince $orgStateProvinceName -Country $orgCountryCode -AdminEmailAddress $adminEmailAddress -KeySize $encryptionKeySize -FilePath $csrFilePath
      
      Invoke-RequestSignedCertificate -caFqdn $caFqdn -csrFilePath $csrFilePath -outDirPath $outputPath -certificateAuthority $caType -username $caUsername -password $caPassword -certificateTemplate $caTemplate
  2. Replace the SSL certificate.

    1. Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui with a user assigned the Administrator role.
    2. For VMware Cloud Foundation 5.2:

      1. From the vSphere Client menu, select Workload Management.

      2. On the Workload Management page, click the Supervisors tab and click the Supervisor for the workload domain.

    3. For VMware Cloud Foundation 5.1 and 5.1:

      1. In the Hosts and Clusters inventory, under the VI workload domain data center, select your cluster.

      2. On the cluster inventory page, click the Configure tab.

    4. Under Supervisor, select Certificates.

    5. In the Workload Platform Management tile, select Actions > Replace Certificate.

    6. In the Replace Certificate dialog box, provide the new certificate by using a method of your choice.

    7. In the Replace Certificate dialog box, click Replace.

License the Supervisor for Developer Ready Infrastructure for VMware Cloud Foundation

After you configure a vSphere cluster for vSphere with Tanzu and it becomes a Supervisor, you must assign the cluster a Tanzu edition license.

After you assign a Tanzu edition license to a Supervisor, you can create and configure namespaces.

Procedure

  1. Log in to SDDC Manager at https://<sddc_manager_fqdn> as [email protected].
  2. Add your Tanzu edition license to SDDC Manager.

    1. In the navigation pane, click Administration > Licensing.

    2. On the Licensing page, click + License key.

    3. In the Add license key dialog box, select VMware Tanzu as the product, enter your license and a description, and click Add.

  3. Apply the Tanzu edition license to the Supervisor.

    1. In the navigation pane, click Solutions.

    2. On the Solutions page, under Kubernetes - Workload Management, click View details.

    3. On the Workload Management page, click the three vertical dots next to the workload management cluster and click Update Workload Management license.

    4. In the Update license dialog box, select the available license and click Apply.

Deploy a Supervisor Namespace for Developer Ready Infrastructure for VMware Cloud Foundation

After a Supervisor has been deployed, configured, and licensed, you deploy a Supervisor Namespace on the Supervisor to run Kubernetes applications.

Procedure

  1. Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui with a user assigned the Administrator role.
  2. From the vSphere Client menu, select Workload Management.

  3. On the Workload Management page, click the Namespaces tab and click Create namespace.

  4. In the Create namespace dialog box, select the VI workload domain cluster, enter a name for the namespace according to your value in the VMware Cloud Foundation Planning and Preparation Workbook, and click Create.

  5. On the namespace page, click Add Storage.

  6. In the Select Storage Policies dialog box, select the storage policy you created earlier and click OK.

Assign the Supervisor Namespace Roles to Active Directory Groups for Developer Ready Infrastructure for VMware Cloud Foundation

You assign roles for the Namespace to Active Directory groups. You can later assign access to users by adding them to these groups. You assign access to separate Active Directory groups for the edit and view roles in the Namespace.

Procedure

  1. Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui with a user assigned the Administrator role.
  2. From the vSphere Client Menu, select Workload Management.

  3. On the Workload Management page, click the Namespaces tab and click the Namespace.

  4. Click the Permissions tab.

  5. Provide edit permissions to your Active Directory group intended for admins for the namespace.

    1. On the namespace page, click Add.

    2. In the Add Permissions dialog box, enter the Identity source and User/Group for edit access according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, set the Role to Can edit, and click OK.

  6. Provide read-only permissions to your Active Directory group intended for viewers for the namespace.

    1. On the namespace page, click Manage permissions.

    2. In the Add Permissions dialog box, enter the Identity source and User/Group for read-only access according to your values in the VMware Cloud Foundation Planning and Preparation Workbook, set the Role to Can view, and click OK.

Install Contour as a Supervisor Service for Developer Ready Infrastructure for VMware Cloud Foundation

You use Contour for running Harbor as a Supervisor service.

Procedure

  1. Navigate to the Contour versions section of the Supervisor-services repository and download the following files according to the required Contour version.
    • The Contour service definition contour.yml.
    • The Contour configuration file contour-data-values.yml.
  2. Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui as [email protected].
  3. From the vSphere Client Menu, select Workload Management, and click the Services tab.
  4. On the Services tab, click Add New Service and upload the contour.yml service definition.
  5. Open the contour-data-values.yml file and edit the properties as required.
  6. In the Contour service card, select Actions > Manage service.
  7. Select the Supervisor and paste the contents of the contour-data-values.yml file in YAML Service Config without changing the default values.
  8. Click OK.

Install Harbor as a Supervisor Service for Developer Ready Infrastructure for VMware Cloud Foundation

After you configure the Supervisor in the workload domain cluster, you must install Harbor as a Supervisor service. You can then use Harbor as a registry for workloads running on TKG clusters.

Procedure

  1. Navigate to the Harbor versions section of the Supervisor-services repository and download the following files for the required Harbor version.
    • The Harbor service definition harbor.yml.
    • The Harbor configuration file harbor-data-values.yml.
  2. Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui as [email protected].
  3. From the vSphere Client Menu, select Workload Management, and click the Services tab.
  4. On the Services tab, click Add and upload the harbor.yml service definition.
  5. Open the harbor-data-values.yml file and edit the properties as required.

    You should change all default passwords and secrets within the harbor-data-values.yml file to ensure a secure environment.

  6. See Installing and Configuring Harbor and Contour in vSphere with Tanzu.
  7. Back on the Services tab, in the Harbor service card, select Actions > Manage Service.
  8. Select the Supervisor, paste the contents of the modified harbor-data-values.yml file in YAML Service Config, and click OK.
  9. On the Workload Management page, click the Namespaces tab and click the Contour namespace. On the Network tab, select Services. Take note of the External IPs value for envoy.
  10. On the DNS server, add an A record that maps the Harbor FQDN to the Envoy ingress IP address.
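Before you paste harbor-data-values.yml into YAML Service Config, it helps to have an offline check that catches secrets still at their shipped values. The script below is an added example and is not part of the page or of the VMware Validated Solutions module. It scans the file line by line so it needs no YAML library; the key names and placeholder values in the constructed samples (harborAdminPassword, secretKey, database.password, core.secret, core.xsrfKey, jobservice.secret, registry.secret) are assumed to resemble the shipped file and should be compared with the version you downloaded.

```python
"""Pre-flight check for harbor-data-values.yml: report credential keys left weak.

Added example (not VMware's or the Harbor package's code). Key names and shipped
placeholder values are assumptions; adjust PLACEHOLDERS to the file you downloaded.
"""
import re
from collections import defaultdict

# Values that ship as placeholders in Harbor data-values files (assumed list).
PLACEHOLDERS = {
    "harbor12345", "not-a-secure-key", "not-a-secure-secret",
    "change-it", "changeme", "change-me", "password", "secret",
}
MIN_LENGTH = 16  # shorter secrets are reported even when not a known placeholder

KEY_RE = re.compile(r"^(?P<indent>[ ]*)(?P<key>[A-Za-z0-9_.-]+)\s*:\s*(?P<value>.*)$")
SECRET_NAME_RE = re.compile(r"password|secret|xsrfkey", re.IGNORECASE)


def _clean_value(raw):
    """Return the scalar without surrounding quotes or a trailing inline comment."""
    value = raw.strip()
    if value[:1] in ("'", '"'):
        end = value.find(value[0], 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split(" #", 1)[0].strip()


def find_weak_secrets(text):
    """Return [(line_no, dotted_key, reason)] for credential-like keys with weak values."""
    lines = text.splitlines()
    findings = []
    path = []                     # stack of (indent, key) giving the dotted key name
    by_value = defaultdict(list)  # value -> [(line_no, dotted_key)] to detect reuse

    def is_parent(index, indent):
        # A key with no scalar is a mapping parent if the next real line is indented deeper.
        for nxt in lines[index + 1:]:
            if nxt.strip() and not nxt.lstrip().startswith("#"):
                return len(nxt) - len(nxt.lstrip(" ")) > indent
        return False

    for index, raw in enumerate(lines):
        line_no = index + 1
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(raw)
        if not m:
            continue  # list items and block-scalar bodies are not key: value pairs
        indent = len(m.group("indent"))
        while path and path[-1][0] >= indent:
            path.pop()
        path.append((indent, m.group("key")))
        if not SECRET_NAME_RE.search(m.group("key")):
            continue
        dotted = ".".join(k for _, k in path)
        value = _clean_value(m.group("value"))
        if value == "":
            if not is_parent(index, indent):
                findings.append((line_no, dotted, "empty value"))
            continue
        if value.lower() in PLACEHOLDERS:
            findings.append((line_no, dotted, "shipped placeholder value"))
        elif len(value) < MIN_LENGTH:
            findings.append((line_no, dotted, f"only {len(value)} characters"))
        by_value[value].append((line_no, dotted))
    for uses in by_value.values():
        if len(uses) > 1:  # one secret shared by several components
            keys = ", ".join(k for _, k in uses)
            findings.append((uses[0][0], keys, "same value reused across keys"))
    return findings


# Constructed sample resembling a harbor-data-values.yml left at shipped values.
SAMPLE_DEFAULTS = """\
hostname: harbor.sfo.rainpole.io
port:
  https: 443
harborAdminPassword: Harbor12345
secretKey: not-a-secure-key
database:
  password: change-it
core:
  secret: not-a-secure-secret
  xsrfKey: not-a-secure-key
jobservice:
  secret: not-a-secure-secret
registry:
  secret: not-a-secure-secret
tlsCertificate:
  tls.crt: ""
  tls.key: ""
"""

# The same file after giving every secret its own generated value (constructed).
SAMPLE_HARDENED = """\
hostname: harbor.sfo.rainpole.io
port:
  https: 443
harborAdminPassword: "R9v!kq2Lm7zXp4Ws8bTn"   # quoted because of '!'
secretKey: h3Jd8Kq1Pz5Mw0Yt
database:
  password: c7Qn4Vb2Xs9Lr6Tk0Pm1
core:
  secret: u2Wf5Hj8Nk1Zc4Xv7Bm0
  xsrfKey: a8Sd3Fg6Hj9Kl2Zx5Cv7
jobservice:
  secret: q1We4Rt7Yu0Io3Pa6Sd9
registry:
  secret: z5Xc8Vb1Nm4Qw7Er0Ty3
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEFAULTS
    for line_no, key, reason in find_weak_secrets(text):
        print(f"line {line_no}: {key}: {reason}")
```

Run it as `python3 check_harbor_values.py harbor-data-values.yml`; an empty report means no key matching password, secret or xsrfKey is blank, at a listed placeholder, under 16 characters, or shared with another key. The reuse check matters because the shipped file repeats the same placeholder across core, jobservice and registry, and a single copy-pasted replacement would still leave one secret protecting several components.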

Establish Trust with the Harbor Service for Developer Ready Infrastructure for VMware Cloud Foundation

If there is a plan to use this registry with TKG clusters in another Supervisor, configure trust between the Supervisor and Harbor.

Procedure

  1. Download the ca.cert certificate of the Harbor registry.
    1. Log in to the Harbor Web interface as a Harbor system administrator.
    2. Select Administration > Configuration.
    3. On the System Settings tab, next to Registry Root Certificate, click Download.
  2. Add the Harbor CA to the image-fetcher-ca-bundle ConfigMap in the kube-system namespace.
    1. Configure the KUBE_EDITOR environment variable as described in Configure a Text Editor for Kubectl.
    2. Edit the ConfigMap by running the following command.
      kubectl edit configmap image-fetcher-ca-bundle -n kube-system
    3. Append the contents of the Harbor ca.cert file to the ConfigMap beneath the existing Supervisor certificate.

      Do not change the Supervisor certificate.

      apiVersion: v1
      data:
        ca-bundle: |-
          -----BEGIN CERTIFICATE-----
          MIIC/jCCAeagAwIBAgIBADANBgkqhkiG9w0BAQsFADAVMRMwEQYDVQQDEwprdWJl
          ...
          qB72tWi8M5++h2RGcVash0P1CUZOHkpHxGdUGYv1Z97Wl89dT2OTn3iXqn8d1JAK
          aF8=
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          MIIDKDCCAhCgAwIBAgIQBbUsj7mqXXC5XRhqqU3GiDANBgkqhkiG9w0BAQsFADAU
          ...
          5q7y87vOLTr7+0MG4O01zK0dJYx2jVhZlsuduMYpfqRLLewVl0eGu/6vr2M=
          -----END CERTIFICATE-----    
      kind: ConfigMap
      metadata:
        creationTimestamp: "2023-03-15T14:28:34Z"
        name: image-fetcher-ca-bundle
        namespace: kube-system
        resourceVersion: "713"
        uid: 6b7611a0-25fa-40f7-b4f5-e2a13bd0afe3
    4. Save your edits.

  3. kubectl shows the following output.

    configmap/image-fetcher-ca-bundle edited
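The step above does the append by hand inside kubectl edit, where the risk is altering or dropping the Supervisor certificate that must stay in the bundle. The script below is an added example, not code from the page or from VMware: it performs the same text operation programmatically, keeps every certificate already in the bundle byte-for-byte, skips a CA that is already present (even if wrapped with different line endings), and emits a JSON merge patch for kubectl patch as an alternative to editing in place. The PEM bodies in the constructed samples are placeholders, not real certificates; the current ca-bundle value would be read from the ConfigMap, for example with kubectl get configmap image-fetcher-ca-bundle -n kube-system -o jsonpath='{.data.ca-bundle}'.

```python
"""Append the Harbor registry CA to the image-fetcher-ca-bundle PEM without touching
the certificates already in it.

Added example (not VMware's code). Inputs: the current `ca-bundle` value from the
ConfigMap and the ca.cert downloaded from Harbor. Output: the merged PEM text, or a
JSON merge patch for `kubectl patch`.
"""
import json
import re

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----", re.DOTALL
)


def split_pem(bundle):
    """Return every PEM certificate block in the text, in order, with LF line endings."""
    return [m.group(0).replace("\r\n", "\n") for m in PEM_BLOCK_RE.finditer(bundle)]


def _body(block):
    """Base64 body with whitespace removed, so the same cert wrapped differently compares equal."""
    return "".join(line.strip() for line in block.splitlines()[1:-1])


def append_ca(bundle, new_ca_pem):
    """Return `bundle` with the certificates from `new_ca_pem` appended.

    Existing certificates (the Supervisor certificate among them) are kept exactly as
    they are and stay first; a certificate that is already present is not added twice.
    """
    existing = split_pem(bundle)
    if not existing:
        raise ValueError("current ca-bundle holds no PEM certificate; refusing to replace it")
    incoming = split_pem(new_ca_pem)
    if not incoming:
        raise ValueError("the new CA file holds no PEM certificate")
    merged = list(existing)
    present = {_body(b) for b in existing}
    for block in incoming:
        if _body(block) not in present:
            merged.append(block)
            present.add(_body(block))
    return "\n".join(merged)


def merge_patch(bundle, new_ca_pem):
    """JSON merge patch body for `kubectl patch configmap ... --type merge -p`."""
    return json.dumps({"data": {"ca-bundle": append_ca(bundle, new_ca_pem)}})


# Constructed placeholder PEMs (not real certificates) standing in for the Supervisor
# certificate already in the ConfigMap and the ca.cert downloaded from Harbor.
SUPERVISOR_BUNDLE = """\
-----BEGIN CERTIFICATE-----
U1VQRVJWSVNPUi1DRVJULVBMQUNFSE9MREVSLTE=
U1VQRVJWSVNPUi1DRVJULVBMQUNFSE9MREVSLTI=
-----END CERTIFICATE-----"""

HARBOR_CA = """\
-----BEGIN CERTIFICATE-----
SEFSQk9SLUNBLVBMQUNFSE9MREVSLTE=
SEFSQk9SLUNBLVBMQUNFSE9MREVSLTI=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: merge_ca.py current-bundle.pem harbor-ca.cert
        current, harbor = (open(p).read() for p in sys.argv[1:3])
    else:
        current, harbor = SUPERVISOR_BUNDLE, HARBOR_CA
    print(merge_patch(current, harbor))
```

Applying the result with `kubectl patch configmap image-fetcher-ca-bundle -n kube-system --type merge -p "$(python3 merge_ca.py current-bundle.pem ca.cert)"` replaces only the ca-bundle key and leaves the rest of the ConfigMap untouched; re-running it after the CA is already present is a no-op, which is what you want when the step is repeated across Supervisors.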

Configure vSphere Host and VM Groups and Rules for Stretched vSAN Cluster for Developer Ready Infrastructure for VMware Cloud Foundation

To ensure the Supervisor virtual machines stay together in the correct availability zone, they must be grouped together and assigned to a site.

You complete this procedure if you are using a stretched vSAN cluster.

Procedure

  1. Log in to the VI workload domain vCenter Server at https://<vi_workload_vcenter_server_fqdn>/ui with a user assigned the Administrator role.
  2. In the Hosts and clusters inventory, expand the workload domain vCenter Server tree and expand the workload domain data center.
  3. Select the default workload domain cluster and click the Configure tab.
  4. In the left pane, navigate to Configuration > VM/Host Groups and click Add.
  5. In the Create VM/Host rule dialog box, enter a name for the VM group and, from the Type drop-down menu, select Keep virtual machines together.
  6. In the Members section, click Add, and, in the Add group member dialog box, select the Supervisor Control Plane node virtual machines and click OK.
  7. In the Create VM/Host rule dialog box, click OK.
  8. In the left pane, navigate to Configuration > VM/Host Rules.
  9. On the VM/Host rule page, select the sfo-w01-cl01_primary-az-vmgroup VM rule and click Edit.
  10. In the Edit VM/Host rule dialog, from the drop-down menu, select Should run on hosts in group, from the Host group drop-down menu, select the primary host group for the workload domain, and click OK.

Repeat this procedure for the Tanzu Kubernetes Grid Service Cluster Control Plane VMs.