Before registering an Antrea container cluster to an NSX-T Data Center, you must complete several prerequisite tasks.

You can register multiple Antrea container clusters to a single NSX-T Data Center deployment.

Deploy Antrea Container Clusters

Persona: Kubernetes platform administrator

A Kubernetes cluster with the Antrea network plug-in must be up and ready.

For example, to integrate clusters in a Tanzu Kubernetes Grid instance with NSX-T Data Center, ensure that the following tasks are completed:
  • Tanzu management clusters are deployed and the clusters are in running state.
  • Tanzu Kubernetes clusters are deployed and the clusters are in running state.
  • Tanzu command line interface (CLI) is installed.

For detailed information about these tasks, see the Tanzu Kubernetes Grid documentation at https://docs.vmware.com/en/VMware-Tanzu-Kubernetes-Grid/index.html.

When you deploy a management cluster, networking with Antrea is automatically enabled in the management cluster.

Add an Appropriate License in NSX-T Data Center

Persona: NSX administrator

Ensure that your NSX-T Data Center environment has one of these licenses:
  • NSX Data Center Advanced
  • NSX Data Center Enterprise Plus
  • Antrea Enterprise Standalone

To add a license:
  1. In NSX Manager, navigate to System > Licenses > Add Licenses.
  2. Enter a license key.

Create a Self-Signed Security Certificate

Persona: NSX administrator

A self-signed security certificate is required to create a principal identity user account in NSX-T, which is explained later in this topic.

Using OpenSSL commands, create a self-signed security certificate for each Antrea container cluster that you want to register to NSX-T.

For example, assume that you want to create a self-signed certificate with a 2048-bit RSA key for an Antrea container cluster called cluster-sales. The following OpenSSL commands generate a private key file, a certificate signing request file, and a self-signed certificate file for this cluster.

openssl genrsa -out cluster-sales-private.key 2048
openssl req -new -key cluster-sales-private.key -out cluster-sales.csr -subj "/C=US/ST=CA/L=Palo Alto/O=VMware/OU=Antrea Cluster/CN=cluster-sales"
openssl x509 -req -days 3650 -sha256 -in cluster-sales.csr -signkey cluster-sales-private.key -out cluster-sales.crt

Note: In the openssl req command that you use to create the .csr file, ensure that the Common Name (CN) is different for each Antrea container cluster.

Create a Principal Identity User

Persona: NSX administrator

The Management Plane Adapter and Central Control Plane Adapter use the principal identity (PI) user account to authenticate with an NSX Manager and identify themselves as the principal identity. The PI user owns the inventory resources that are reported by the adapters. NSX-T prevents other users from accidentally overwriting the inventory resources.

Create a principal identity user in NSX-T with the self-signed certificate that you created in the previous step. Assign this principal identity user an Enterprise Admin role. The principal identity user is unique to an Antrea container cluster.

To create a principal identity user:
  1. In the NSX Manager UI, click the System tab.
  2. Under Settings, navigate to User Management > User Role Assignment.
  3. Click Add > Principal Identity with Role.
  4. Enter a name for the principal identity user. For example, enter cluster-sales.
    Important: Ensure that you specify the same name for the NSX principal identity user, certificate CN, and the clusterName argument in the bootstrap-config.yaml file.

    For more information about the bootstrap configuration file, see Edit the Bootstrap Configuration File.

  5. Select the role as Enterprise Admin.
  6. In the Node Id text box, enter a name for the Antrea container cluster. This name must be unique across all container clusters that you are registering to NSX-T. For example, enter cluster-sales.
  7. In the Certificate PEM text area, paste the complete self-signed certificate, which you created earlier. Ensure that the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines are also pasted in this text box.
  8. Click Save.
  9. From the left navigation pane, under Settings, click Certificates. Verify that the self-signed certificate of the Antrea container cluster is shown.
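
The name and certificate requirements described above can be checked before you paste the certificate into NSX Manager. The following script is an added example, not part of the VMware documentation; check_cluster_cert is a hypothetical helper name, and the demo certificate is constructed with the OpenSSL commands shown earlier in this topic.

```bash
# Added example: pre-flight check of a cluster certificate.
# Usage: check_cluster_cert <cluster-name> <certificate.crt> <private.key>
check_cluster_cert() {
  local name=$1 crt=$2 key=$3 cn cert_pub key_pub

  # The Certificate PEM text area needs both delimiter lines, five dashes per side.
  grep -q -- '^-----BEGIN CERTIFICATE-----' "$crt" &&
  grep -q -- '^-----END CERTIFICATE-----' "$crt" ||
    { echo "FAIL: PEM delimiter lines missing in $crt" >&2; return 1; }

  # The CN must equal the principal identity user name and clusterName.
  cn=$(openssl x509 -in "$crt" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= //p')
  [ "$cn" = "$name" ] ||
    { echo "FAIL: certificate CN '$cn' does not match '$name'" >&2; return 1; }

  # The private key must belong to this certificate (same public key).
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "FAIL: private key does not match certificate" >&2; return 1; }

  # The certificate must not be expired.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
    { echo "FAIL: certificate has expired" >&2; return 1; }

  echo "OK: $crt is usable for cluster '$name'"
}

# Demo on a constructed certificate in a temporary directory.
d=$(mktemp -d)
openssl genrsa -out "$d/cluster-sales-private.key" 2048 2>/dev/null
openssl req -new -key "$d/cluster-sales-private.key" -out "$d/cluster-sales.csr" \
  -subj "/C=US/ST=CA/L=Palo Alto/O=VMware/OU=Antrea Cluster/CN=cluster-sales"
openssl x509 -req -days 3650 -sha256 -in "$d/cluster-sales.csr" \
  -signkey "$d/cluster-sales-private.key" -out "$d/cluster-sales.crt" 2>/dev/null
check_cluster_cert cluster-sales "$d/cluster-sales.crt" "$d/cluster-sales-private.key"
check_cluster_cert cluster-hr "$d/cluster-sales.crt" "$d/cluster-sales-private.key" ||
  echo "cluster-hr rejected: CN does not match"
rm -rf "$d"
```

Run the check with the same name that you plan to use for the principal identity user and for the clusterName argument in the bootstrap-config.yaml file.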

Download the ZIP File

Persona: Kubernetes platform administrator

Complete the following steps to download the antrea-interworking-version.zip file:
  1. In a Web browser, open the Download VMware Antrea page, and log in with your VMware ID.
  2. Ensure that you are in the Product Downloads tab.
  3. Next to the VMware Container Networking with Antrea version, click Go to Downloads.
  4. In the Web page that opens, locate the VMware Container Networking with Antrea, NSX Interworking connector and deployment manifests file, and click Download Now.

Extract the ZIP file. It contains the following files.

| File Name | Description |
| --- | --- |
| interworking.yaml | YAML deployment manifest file to register an Antrea container cluster to NSX-T. |
| bootstrap-config.yaml | YAML file where you can specify the following details for registration: Antrea container cluster name, NSX Manager IP addresses, TLS certificate of the container cluster, and the private key of the container cluster. |
| deregisterjob.yaml | YAML manifest file to deregister an Antrea container cluster from NSX-T. |
| ns-label-webhook.yaml | Webhook definitions for automatically adding labels to newly created Kubernetes namespaces. This YAML file is used only when Kubernetes version is ≤ 1.20. |
| interworking-version.tar | Archive file for the container images of Management Plane Adapter and Central Control Plane Adapter. |

Import the Container Images to Container Registry

Persona: Kubernetes platform administrator

There are two approaches for doing this prerequisite task.

Approach 1 (Recommended): Pull images from VMware Harbor Registry

VMware has hosted the container images on VMware Harbor Registry.

Image locations are as follows:
  • projects.registry.vmware.com/antreainterworking/interworking-debian:version
  • projects.registry.vmware.com/antreainterworking/interworking-ubuntu:version
  • projects.registry.vmware.com/antreainterworking/interworking-photon:version

For version information, see the VMware Container Networking with Antrea release notes at https://docs.vmware.com/en/VMware-Container-Networking-with-Antrea/index.html.

Open the interworking.yaml and deregisterjob.yaml files in any text editor of your choice, and replace all image URLs with any one of these image locations.

The advantage of this approach is that when you submit the .yaml files to the Kubernetes API server for registering the container cluster, Kubernetes can pull the container images automatically from VMware Harbor Registry.

Approach 2: Manually copy images to Kubernetes worker nodes and control plane nodes

If your Kubernetes infrastructure has no Internet connectivity, or connectivity is too slow, use this manual approach.

Extract the container images from the interworking-version.tar file and copy them to the Kubernetes worker nodes and control plane node of each Antrea container cluster that you want to register to NSX-T.

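For example, at the Tanzu CLI, run the following command for each Kubernetes worker node IP and control plane node IP to copy the .tar and .yaml files:

scp -o StrictHostKeyChecking=no interworking* capv@{node-ip}:/home/capv

Note: The -o StrictHostKeyChecking=no option makes scp accept the SSH host key of the node without verifying it. If the host keys of the nodes are already present in your known_hosts file, you can omit this option so that the key of each node is checked before the files are copied.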

Import the images to the local Kubernetes registry, which is managed by the container runtime engine. Alternatively, if your organization has a private container registry, you can import the container images to the private container registry.

For example, at the Tanzu CLI, run the following command for each Kubernetes worker node IP and control plane node IP to import the container images to the local Kubernetes registry:

ssh capv@{node-ip} sudo ctr -n=k8s.io i import interworking-{version-id}.tar