Deploy Management Clusters with the Installer Interface

This topic describes how to use the Tanzu Kubernetes Grid installer interface to deploy a management cluster to vSphere, Amazon Elastic Compute Cloud (Amazon EC2), and Microsoft Azure. The Tanzu Kubernetes Grid installer interface guides you through the deployment of the management cluster, and provides different configurations for you to select or reconfigure. If this is the first time that you are deploying a management cluster to a given infrastructure provider, it is recommended to use the installer interface.

Prerequisites

Before you can deploy a management cluster, you must make sure that your environment meets the requirements for the target infrastructure provider.

General Prerequisites

• Make sure that you have met all of the requirements and followed all of the procedures in Install the Tanzu CLI and Other Tools.
• For production deployments, it is strongly recommended to enable identity management for your clusters. For information about the preparatory steps to perform before you deploy a management cluster, see Enabling Identity Management in Tanzu Kubernetes Grid.
• If you want to register your management cluster with Tanzu Mission Control, follow the procedure in Register Your Management Cluster with Tanzu Mission Control.
• If you are deploying clusters in an internet-restricted environment to either vSphere or Amazon EC2, you must also perform the steps in Deploying Tanzu Kubernetes Grid in an Internet-Restricted Environment.
• Read the Tanzu Kubernetes Grid 1.3.1 Release Notes for updates related to security patches.

vSphere Prerequisites

• Make sure that you have met the all of the requirements listed in Prepare to Deploy Management Clusters to vSphere.
• Note: On vSphere with Tanzu, you do not need to deploy a management cluster. See Add a vSphere with Tanzu Supervisor Cluster as a Management Cluster.

Amazon EC2 Prerequisites

• Make sure that you have met the all of the requirements listed Prepare to Deploy Management Clusters to Amazon EC2.
• For information about the configurations of the different sizes of node instances, for example t3.large, or t3.xlarge, see Amazon EC2 Instance Types.
• For information about when to create a Virtual Private Cloud (VPC) and when to reuse an existing VPC, see Resource Usage in Your Amazon Web Services Account.

Microsoft Azure Prerequisites

• Make sure that you have met the requirements listed in Prepare to Deploy Management Clusters to Microsoft Azure.
• For information about the configurations of the different sizes of node instances for Azure, for example, Standard_D2s_v3 or Standard_D4s_v3, see Sizes for virtual machines in Azure.

Set the TKG_BOM_CUSTOM_IMAGE_TAG

Before you can deploy a management cluster, you must specify the correct BOM file to use as a local environment variable. In the event of a patch release to Tanzu Kubernetes Grid, the BOM file may require an update to coincide with updated base image files.

Note For more information about recent security patch updates to VMware Tanzu Kubernetes Grid v1.3, see the VMware Tanzu Kubernetes Grid v1.3.1 Release Notes and this Knowledgebase Article.

On the machine where you run the Tanzu CLI, perform the following steps:

1. Remove any existing BOM data.

   rm -rf ~/.tanzu/tkg/bom
   

2. Specify the updated BOM to use by setting the following variable.

   export TKG_BOM_CUSTOM_IMAGE_TAG="v1.3.1-patch1"
   

3. Run tanzu management-cluster create command with no additional parameters.

   tanzu management-cluster create
   

   This command produces an error but results in the BOM files being downloaded to ~/.tanzu/tkg/bom.

Start the Installer Interface

Warning: The tanzu management-cluster create command takes time to complete. While tanzu management-cluster create is running, do not run additional invocations of tanzu management-cluster create on the same bootstrap machine to deploy multiple management clusters, change context, or edit ~/.kube-tkg/config.

1. On the machine on which you downloaded and installed the Tanzu CLI, run the tanzu management-cluster create command with the --ui option.

   tanzu management-cluster create --ui
   

   The installer interface launches in a browser and takes you through steps to configure the management cluster.

   • To make the installer interface appear locally if you are SSH-tunneling in to the bootstrap machine or X11-forwarding its display, you may need to run tanzu management-cluster create --ui with the --browser none option described in Installer Interface Options below.

   The tanzu management-cluster create --ui command saves the settings from your installer input in a cluster configuration file. After you confirm your input values on the last pane of the installer interface, the installer saves them to ~/.tanzu/tkg/clusterconfigs with a generated filename of the form UNIQUE-ID.yaml.

   By default Tanzu Kubernetes Grid saves the kubeconfig for all management clusters in the ~/.kube-tkg/config file. If you want to save the kubeconfig file for your management cluster to a different location, set the KUBECONFIG environment variable before running tanzu management-cluster create.

   KUBECONFIG=/path/to/mc-kubeconfig.yaml
   

   If the prerequisites are met, tanzu management-cluster create --ui launches the Tanzu Kubernetes Grid installer interface.

   By default, tanzu management-cluster create --ui opens the installer interface locally, at http://127.0.0.1:8080 in your default browser. The Installer Interface Options section below explains how you can change where the installer interface runs, including running it on a different machine from the tanzu CLI.

2. Click the Deploy button for VMware vSphere, Amazon EC2, or Microsoft Azure.

   

Installer Interface Options

By default, tanzu management-cluster create --ui opens the installer interface locally, at http://127.0.0.1:8080 in your default browser. You can use the --browser and --bind options to control where the installer interface runs:

• --browser specifies the local browser to open the interface in.
  • Supported values are chrome, firefox, safari, ie, edge, or none.
  • Use none with --bind to run the interface on a different machine, as described below.
• --bind specifies the IP address and port to serve the interface from.

Warning: Serving the installer interface from a non-default IP address and port could expose the tanzu CLI to a potential security risk while the interface is running. VMware recommends passing in to the –bind option an IP and port on a secure network.

Use cases for --browser and --bind include:

• If another process is already using http://127.0.0.1:8080, use --bind to serve the interface from a different local port.
• To make the installer interface appear locally if you are SSH-tunneling in to the bootstrap machine or X11-forwarding its display, you may need to use –browser none.
• To run the tanzu CLI and create management clusters on a remote machine, and run the installer interface locally or elsewhere:
  1. On the remote bootstrap machine, run tanzu management-cluster create --ui with the following options and values:
     • --bind: an IP address and port for the remote machine
     • --browser: none

     tanzu management-cluster create --ui --bind 192.168.1.87:5555 --browser none
     

  2. On the local UI machine, browse to the remote machine’s IP address to access the installer interface.

Configure the Infrastructure Provider

The options to configure the infrastructure provider section of the installer interface depend on which provider you are using.

• Configure a vSphere Infrastructure Provider
• Configure an Amazon EC2 Provider
• Configure a Microsoft Azure Infrastructure Provider

Configure a vSphere Infrastructure Provider

1. In the IaaS Provider section, enter the IP address or fully qualified domain name (FQDN) for the vCenter Server instance on which to deploy the management cluster.

   Tanzu Kubernetes Grid does not support IPv6 addresses. This is because upstream Kubernetes only provides alpha support for IPv6. Always provide IPv4 addresses in the procedures in this topic.

2. Enter the vCenter Single Sign On account name and password for a user account that has the required privileges for Tanzu Kubernetes Grid operation, and click Connect.

   • The account name must include the domain, for example tkg-user@vsphere.local.

     

3. Verify the SSL thumbprint of the vCenter Server certificate and click Continue if it is valid.

   For information about how to obtain the vCenter Server certificate thumbprint, see Obtain vSphere Certificate Thumbprints.

   

4. If you are deploying a management cluster to a vSphere 7 instance, confirm whether or not you want to proceed with the deployment.

   On vSphere 7, the vSphere with Tanzu option includes a built-in Supervisor Cluster that works as a management cluster and provides a better experience than a separate management cluster deployed by Tanzu Kubernetes Grid. Deploying a Tanzu Kubernetes Grid management cluster to vSphere 7 when vSphere with Tanzu is not enabled is supported, but the preferred option is to enable vSphere with Tanzu and use the Supervisor Cluster. VMware Cloud on AWS and Azure VMware Solution do not support a Supervisor Cluster, so you need to deploy a management cluster. For information, see Add a vSphere with Tanzu Supervisor Cluster as a Management Cluster.

   To reflect the recommendation to use vSphere with Tanzu when deploying to vSphere 7, the Tanzu Kubernetes Grid installer behaves as follows:

   • If vSphere with Tanzu is enabled, the installer informs you that deploying a management cluster is not possible, and exits.
   • If vSphere with Tanzu is not enabled, the installer informs you that deploying a Tanzu Kubernetes Grid management cluster is possible but not recommended, and presents a choice:
     • Configure vSphere with Tanzu opens the vSphere Client so you can configure your Supervisor Cluster as described in Configuring and Managing a Supervisor Cluster in the vSphere documentation.
     • Deploy TKG Management Cluster allows you to continue deploying a management cluster, against recommendation for vSphere 7, but as required for VMware Cloud on AWS and Azure VMware Solution. When using vSphere 7, the preferred option is to enable vSphere with Tanzu and use the built-in Supervisor Cluster instead of deploying a Tanzu Kubernetes Grid management cluster.

   

5. Select the datacenter in which to deploy the management cluster from the Datacenter drop-down menu.

6. Paste the contents of your SSH public key into the text box and click Next.

   

For the next steps, go to Configure the Management Cluster Settings.

Configure a Amazon EC2 Infrastructure Provider

1. In the IaaS Provider section, enter credentials for your Amazon EC2 account. You have two options:
   • In the AWS Credential Profile drop-down, you can select an already existing AWS credential profile. If you select a profile, the access key and session token information configured for your profile are passed to the Installer without displaying actual values in the UI. For information about setting up credential profiles, see Credential Files and Profiles.
   • Alternately, enter AWS account credentials directly in the Access Key ID and Secret Access Key fields for your Amazon EC2 account. Optionally specify an AWS session token in Session Token if your AWS account is configured to require temporary credentials. For more information on acquiring session tokens, see Using temporary credentials with AWS resources.
2. In Region, select the AWS region in which to deploy the management cluster. If you intend to deploy a production management cluster, this region must have at least three availability zones. This region must also be registered with the SSH key entered in the next field.
3. In SSH Key Name, specify the name of an SSH key that is already registered with your Amazon EC2 account and in the region where you are deploying the management cluster. You may have set this up in Configure AWS Account Credentials and SSH Key.

4. If this is the first time that you are deploying a management cluster, select the Automate creation of AWS CloudFormation Stack checkbox, and click Connect.

   This CloudFormation stack creates the identity and access management (IAM) resources that Tanzu Kubernetes Grid needs to deploy and run clusters on Amazon EC2. For more information, see Permissions Set by Tanzu Kubernetes Grid in Prepare to Deploy Management Clusters to Amazon EC2.

   IMPORTANT: The Automate creation of AWS CloudFormation Stack checkbox replaces the clusterawsadm command line utility that existed in Tanzu Kubernetes Grid v1.1.x and earlier. For existing management and Tanzu Kubernetes clusters initially deployed with v1.1.x or earlier, continue to use the CloudFormation stack that was created by running the clusterawsadm alpha bootstrap create-stack command.

   

5. If the connection is successful, click Next.

6. In the VPC for AWS section, do one of the following:

   • To create a new VPC, select Create new VPC on AWS, check that the pre-filled CIDR block is available, and click Next. If the recommended CIDR block is not available, enter a new IP range in CIDR format for the management cluster to use. The recommended CIDR block for VPC CIDR is 10.0.0.0/16.

     

   • To use an existing VPC, select Select an existing VPC and select the VPC ID from the drop-down menu. The VPC CIDR block is filled in automatically when you select the VPC.

     

For the next steps, go to Configure the Management Cluster Settings.

Configure a Microsoft Azure Infrastructure Provider

IMPORTANT: If this is the first time that you are deploying a management cluster to Azure with a new version of Tanzu Kubernetes Grid, for example v1.3.1, make sure that you have accepted the base image license for that version. For information, see Accept the Base Image License in Prepare to Deploy Management Clusters to Microsoft Azure.

1. In the IaaS Provider section, enter the Tenant ID, Client ID, Client Secret, and Subscription ID for your Azure account and click Connect. You recorded these values when you registered an Azure app and created a secret for it using the Azure Portal.

   

2. Select the Azure region in which to deploy the management cluster.

3. Paste the contents of your SSH public key, such as .ssh/id_rsa.pub, into the text box.

4. Under Resource Group, select either the Select an existing resource group or the Create a new resource group radio button.

   • If you select Select an existing resource group, use the drop-down menu to select the group, then click Next.

     

   • If you select Create a new resource group, enter a name for the new resource group and then click Next.

     

5. In the VNET for Azure section, select either the Create a new VNET on Azure or the Select an existing VNET radio button.

   • If you select Create a new VNET on Azure, use the drop-down menu to select the resource group in which to create the VNET and provide the following:

     • A name and a CIDR block for the VNET. The default is 10.0.0.0/16.
     • A name and a CIDR block for the control plane subnet. The default is 10.0.0.0/24.
     • A name and a CIDR block for the worker node subnet. The default is 10.0.1.0/24.

     

     After configuring these fields, click Next.

   • If you select Select an existing VNET, use the drop-down menus to select the resource group in which the VNET is located, the VNET name, the control plane and worker node subnets, and then click Next.

     

Configure the Management Cluster Settings

This section applies to all infrastructure providers.

1. In the Management Cluster Settings section, select the Development or Production tile.

   • If you select Development, the installer deploys a management cluster with a single control plane node.
   • If you select Production, the installer deploys a highly available management cluster with three control plane nodes.

2. In either of the Development or Production tiles, use the Instance type drop-down menu to select from different combinations of CPU, RAM, and storage for the control plane node VM or VMs.

   Choose the configuration for the control plane node VMs depending on the expected workloads that it will run. For example, some workloads might require a large compute capacity but relatively little storage, while others might require a large amount of storage and less compute capacity. If you select an instance type in the Production tile, the instance type that you selected is automatically selected for the Worker Node Instance Type. If necessary, you can change this.

   If you plan on registering the management cluster with Tanzu Mission Control, ensure that your Tanzu Kubernetes clusters meet the requirements listed in Requirements for Registering a Tanzu Kubernetes Cluster with Tanzu Mission Control in the Tanzu Mission Control documentation.

   • vSphere: Select a size from the predefined CPU, memory, and storage configurations. The minimum configuration is 2 CPUs and 4 GB memory.
   • Amazon EC2: Select an instance size. The drop-down menu lists choices alphabetically, not by size. The minimum configuration is 2 CPUs and 8 GB memory. The list of compatible instance types varies in different regions. For information about the configuration of the different sizes of instances, see Amazon EC2 Instance Types.
   • Microsoft Azure: Select an instance size. The minimum configuration is 2 CPUs and 8 GB memory. The list of compatible instance types varies in different regions. For information about the configurations of the different sizes of node instances for Azure, see Sizes for virtual machines in Azure.

   

3. Optionally enter a name for your management cluster.

   If you do not specify a name, Tanzu Kubernetes Grid automatically generates a unique name. If you do specify a name, that name must end with a letter, not a numeric character, and must be compliant with DNS hostname requirements as outlined in RFC 952 and amended in RFC 1123.

4. Under Worker Node Instance Type, select the configuration for the worker node VM.

5. Deselect the Machine Health Checks checkbox if you want to disable MachineHealthCheck.

   MachineHealthCheck provides node health monitoring and node auto-repair on the clusters that you deploy with this management cluster. You can enable or disable MachineHealthCheck on clusters after deployment by using the CLI. For instructions, see Configure Machine Health Checks for Tanzu Kubernetes Clusters.

6. (Azure Only) If you are deploying the management cluster to Azure, click Next.

   For the next steps for an Azure deployment, go to Configure Metadata.

7. (vSphere Only) Under Control Plane Endpoint, enter a static virtual IP address or FQDN for API requests to the management cluster.

   Ensure that this IP address is not in your DHCP range, but is in the same subnet as the DHCP range. If you mapped an FQDN to the VIP address, you can specify the FQDN instead of the VIP address. For more information, see Static VIPs and Load Balancers for vSphere.

   

8. (Amazon EC2 only) Optionally, disable the Bastion Host checkbox if a bastion host already exists in the availability zone(s) in which you are deploying the management cluster.

   If you leave this option enabled, Tanzu Kubernetes Grid creates a bastion host for you.

9. (Amazon EC2 only) Configure Availability Zones

   1. From the Availability Zone 1 drop-down menu, select an availability zone for the management cluster. You can select only one availability zone in the Development tile. See the image below.

      

      If you selected the Production tile above, use the Availability Zone 1, Availability Zone 2, and Availability Zone 3 drop-down menus to select three unique availability zones for the management cluster. When Tanzu Kubernetes Grid deploys the management cluster, which includes three control plane nodes, it distributes the control plane nodes across these availability zones.

   2. To complete the configuration of the Management Cluster Settings section, do one of the following:

      • If you created a new VPC in the VPC for AWS section, click Next.
      • If you selected an existing VPC in the VPC for AWS section, use the VPC public subnet and VPC private subnet drop-down menus to select existing subnets on the VPC and click Next. The image below shows the Development tile.

      

10. Click Next.

    • If you are deploying the management cluster to vSphere, go to Configure VMware NSX Advanced Load Balancer.
    • If you are deploying the management cluster to Amazon EC2 or Azure, go to Configure Metadata.

(vSphere Only) Configure VMware NSX Advanced Load Balancer

VMware NSX Advanced Load Balancer provides an L4 load balancing solution for vSphere. NSX Advanced Load Balancer includes a Kubernetes operator that integrates with the Kubernetes API to manage the lifecycle of load balancing and ingress resources for workloads. To use NSX Advanced Load Balancer, you must first deploy it in your vSphere environment. For information, see Install VMware NSX Advanced Load Balancer on a vSphere Distributed Switch.

In the optional VMware NSX Advanced Load Balancer section, you can configure Tanzu Kubernetes Grid to use NSX Advanced Load Balancer. By default all workload clusters will use the load balancer.

1. For Controller Host, enter the IP address or FQDN of the Controller VM.
2. Enter the username and password that you set for the Controller host when you deployed it, and click Verify Credentials.

3. Use the Cloud Name drop-down menu to select the cloud that you created in your NSX Advanced Load Balancer deployment.

   For example, Default-Cloud.

4. Use the Service Engine Group Name drop-down menu to select a Service Engine Group.

   For example, Default-Group.

5. For VIP Network Name, use the drop-down menu to select the name of the network where the load balancer floating IP Pool resides.

   The VIP network for NSX Advanced Load Balancer must be present in the same vCenter Server instance as the Kubernetes network that Tanzu Kubernetes Grid uses. This allows NSX Advanced Load Balancer to discover the Kubernetes network in vCenter Server and to deploy and configure Service Engines. The drop-down menu is present in Tanzu Kubernetes Grid v1.3.1 and later. In v1.3.0, you enter the name manually.

   You can see the network in the Infrastructure > Networks view of the NSX Advanced Load Balancer interface.

6. For VIP Network CIDR, use the drop-down menu to select the CIDR of the subnet to use for the load balancer VIP.

   This comes from one of the VIP Network’s configured subnets. You can see the subnet CIDR for a particular network in the Infrastructure > Networks view of the NSX Advanced Load Balancer interface. The drop-down menu is present in Tanzu Kubernetes Grid v1.3.1 and later. In v1.3.0, you enter the CIDR manually.

7. Paste the contents of the Certificate Authority that is used to generate your Controller Certificate into the Controller Certificate Authority text box.

   If you have a self-signed Controller Certificate, the Certificate Authority is the same as the Controller Certificate.

8. In this version of Tanzu Kubernetes Grid, skip the Cluster Labels (Optional) field.

   

9. Click Next to configure metadata.

Configure Metadata

This section applies to all infrastructure providers.

In the optional Metadata section, optionally provide descriptive information about this management cluster.

Any metadata that you specify here applies to the management cluster and to the Tanzu Kubernetes clusters that it manages, and can be accessed by using the cluster management tool of your choice.

• Location: The geographical location in which the clusters run.
• Description: A description of this management cluster. The description has a maximum length of 63 characters and must start and end with a letter. It can contain only lower case letters, numbers, and hyphens, with no spaces.
• Labels: Key/value pairs to help users identify clusters, for example release : beta, environment : staging, or environment : production. For more information, see Labels and Selectors in the Kubernetes documentation.
  You can click Add to apply multiple labels to the clusters.

If you are deploying to vSphere, click Next to go to Configure Resources. If you are deploying to Amazon EC2 or Azure, click Next to go to Configure the Kubernetes Network and Proxies.

(vSphere Only) Configure Resources

1. In the Resources section, select vSphere resources for the management cluster to use, and click Next.

   • Select the VM folder in which to place the management cluster VMs.
   • Select the vSphere datastores for the management cluster to use. The storage policy for the VMs can be specified only when you deploy the management cluster from a configuration file.
   • Select the cluster, host, or resource pool in which to place the management cluster.

   If appropriate resources do not already exist in vSphere, without quitting the Tanzu Kubernetes Grid installer, go to vSphere to create them. Then click the refresh button so that the new resources can be selected.

   

Configure the Kubernetes Network and Proxies

This section applies to all infrastructure providers.

1. In the Kubernetes Network section, configure the networking for Kubernetes services and click Next.

   • (vSphere only) Under Network Name, select a vSphere network to use as the Kubernetes service network.
   • Review the Cluster Service CIDR and Cluster Pod CIDR ranges. If the recommended CIDR ranges of 100.64.0.0/13 and 100.96.0.0/11 are unavailable, update the values under Cluster Service CIDR and Cluster Pod CIDR.

   

2. (Optional) To send outgoing HTTP(S) traffic from the management cluster to a proxy, toggle Enable Proxy Settings and follow the instructions below to enter your proxy information. Tanzu Kubernetes Grid applies these settings to kubelet, containerd, and the control plane.

   You can choose to use one proxy for HTTP traffic and another proxy for HTTPS traffic or to use the same proxy for both HTTP and HTTPS traffic.

   1. To add your HTTP proxy information:

      1. Under HTTP Proxy URL, enter the URL of the proxy that handles HTTP requests. The URL must start with http://. For example, http://myproxy.com:1234.
      2. If the proxy requires authentication, under HTTP Proxy Username and HTTP Proxy Password, enter the username and password to use to connect to your HTTP proxy.

   2. To add your HTTPS proxy information:

      • If you want to use the same URL for both HTTP and HTTPS traffic, select Use the same configuration for https proxy.

      • If you want to use a different URL for HTTPS traffic, do the following:

        1. Under HTTPS Proxy URL, enter the URL of the proxy that handles HTTPS requests. The URL must start with http://. For example, http://myproxy.com:1234.
        2. If the proxy requires authentication, under HTTPS Proxy Username and HTTPS Proxy Password, enter the username and password to use to connect to your HTTPS proxy.

   3. Under No proxy, enter a comma-separated list of network CIDRs or hostnames that must bypass the HTTP(S) proxy.

      For example, noproxy.yourdomain.com,192.168.0.0/24.

      • vSphere: You must enter the CIDR of the vSphere network that you selected under Network Name. The vSphere network CIDR includes the IP address of your Control Plane Endpoint. If you entered an FQDN under Control Plane Endpoint, add both the FQDN and the vSphere network CIDR to No proxy. Internally, Tanzu Kubernetes Grid appends localhost, 127.0.0.1, the values of Cluster Pod CIDR and Cluster Service CIDR, .svc, and .svc.cluster.local to the list that you enter in this field.
      • Amazon EC2: Internally, Tanzu Kubernetes Grid appends localhost, 127.0.0.1, your VPC CIDR, Cluster Pod CIDR, and Cluster Service CIDR, .svc, .svc.cluster.local, and 169.254.0.0/16 to the list that you enter in this field.
      • Azure: Internally, Tanzu Kubernetes Grid appends localhost, 127.0.0.1, your VNET CIDR, Cluster Pod CIDR, and Cluster Service CIDR, .svc, .svc.cluster.local, 169.254.0.0/16, and 168.63.129.16 to the list that you enter in this field.

      Important: If the management cluster VMs need to communicate with external services and infrastructure endpoints in your Tanzu Kubernetes Grid environment, ensure that those endpoints are reachable by the proxies that you configured above or add them to No proxy. Depending on your environment configuration, this may include, but is not limited to, your OIDC or LDAP server, Harbor, and in the case of vSphere, NSX-T and NSX Advanced Load Balancer.

Configure Identity Management

This section applies to all infrastructure providers. For information about how Tanzu Kubernetes Grid implements identity management, see Enabling Identity Management in Tanzu Kubernetes Grid.

1. In the Identity Management section, optionally disable Enable Identity Management Settings .

   

   You can disable identity management for proof-of-concept deployments, but it is strongly recommended to implement identity management in production deployments. If you disable identity management, you can reenable it later. For instructions on how to reenable identity management, see Enable Identity Management After Management Cluster Deployment.

2. If you enable identity management, select OIDC or LDAPS.

   OIDC:

   Provide details of your OIDC provider account, for example, Okta.

   • Issuer URL: The IP or DNS address of your OIDC server.
   • Client ID: The client_id value that you obtain from your OIDC provider. For example, if your provider is Okta, log in to Okta, create a Web application, and select the Client Credentials options in order to get a client_id and secret.
   • Client Secret: The secret value that you obtain from your OIDC provider.
   • Scopes: A comma separated list of additional scopes to request in the token response. For example, openid,groups,email.
   • Username Claim: The name of your username claim. This is used to set a user’s username in the JSON Web Token (JWT) claim. Depending on your provider, enter claims such as user_name, email, or code.
   • Groups Claim: The name of your groups claim. This is used to set a user’s group in the JWT claim. For example, groups.

   

   LDAPS:

   Provide details of your company’s LDAPS server. All settings except for LDAPS Endpoint are optional.

   • LDAPS Endpoint: The IP or DNS address of your LDAPS server. Provide the address and port of the LDAP server, in the form host:port.
   • Bind DN: The DN for an application service account. The connector uses these credentials to search for users and groups. Not required if the LDAP server provides access for anonymous authentication.
   • Bind Password: The password for an application service account, if Bind DN is set.

   Provide the user search attributes.

   • Base DN: The point from which to start the LDAP search. For example, OU=Users,OU=domain,DC=io.
   • Filter: An optional filter to be used by the LDAP search.
   • Username: The LDAP attribute that contains the user ID. For example, uid, sAMAccountName.

   Provide the group search attributes.

   • Base DN: The point from which to start the LDAP search. For example, OU=Groups,OU=domain,DC=io.
   • Filter: An optional filter to be used by the LDAP search.
   • Name Attribute: The LDAP attribute that holds the name of the group. For example, cn.
   • User Attribute: The attribute of the user record that is used as the value of the membership attribute of the group record. For example, distinguishedName, dn.
   • Group Attribute: The attribute of the group record that holds the user/member information. For example, member.

   Paste the contents of the LDAPS server CA certificate into the Root CA text box.

   

3. If you are deploying to vSphere, click Next to go to Select the Base OS Image. If you are deploying to Amazon EC2 or Azure, click Next to go to Register with Tanzu Mission Control.

(vSphere Only) Select the Base OS Image

In the OS Image section, use the drop-down menu to select the OS and Kubernetes version image template to use for deploying Tanzu Kubernetes Grid VMs, and click Next.

The drop-down menu includes all of the image templates that are present in your vSphere instance that meet the criteria for use as Tanzu Kubernetes Grid base images. The image template must include the correct version of Kubernetes for this release of Tanzu Kubernetes Grid. If you have not already imported a suitable image template to vSphere, you can do so now without quitting the Tanzu Kubernetes Grid installer. After you import it, use the Refresh button to make it available in the drop-down menu.

Register with Tanzu Mission Control

This section applies to all infrastructure providers, however the functionality described in this section is being rolled out in Tanzu Mission Control.

Note At time of publication, you can only register Tanzu Kubernetes Grid management clusters on certain infrastructure providers. For a list of currently supported providers, see Requirements for Registering a Tanzu Kubernetes Cluster with Tanzu Mission Control in the Tanzu Mission Control documentation.

You can also register your Tanzu Kubernetes Grid management cluster with Tanzu Mission Control after you deploying the cluster. For more information, see Register Your Management Cluster with Tanzu Mission Control.

1. In the Registration URL field, copy and paste the registration URL you obtained from Tanzu Mission Control.

   

2. If the connection is successful, you can review the configuration YAML retrieved from the URL.

3. Click Next.

Finalize the Deployment

This section applies to all infrastructure providers.

1. In the CEIP Participation section, optionally deselect the check box to opt out of the VMware Customer Experience Improvement Program.

   You can also opt in or out of the program after the deployment of the management cluster. For information about the CEIP, see Managing Participation in CEIP and https://www.vmware.com/solutions/trustvmware/ceip.html.

2. Click Review Configuration to see the details of the management cluster that you have configured.

   The image below shows the configuration for a deployment to vSphere.

   

   When you click Review Configuration, Tanzu Kubernetes Grid populates the cluster configuration file, which is located in the ~/.tanzu/tkg/clusterconfigs subdirectory, with the settings that you specified in the interface. You can optionally copy the cluster configuration file without completing the deployment. You can copy the cluster configuration file to another bootstrap machine and deploy the management cluster from that machine. For example, you might do this so that you can deploy the management cluster from a bootstrap machine that does not have a Web browser.

3. (Optional) Under CLI Command Equivalent, click the Copy button to copy the CLI command for the configuration that you specified.

   Copying the CLI command allows you to reuse the command at the command line to deploy management clusters with the configuration that you specified in the interface. This can be useful if you want to automate management cluster deployment.

4. (Optional) Click Edit Configuration to return to the installer wizard to modify your configuration.

5. Click Deploy Management Cluster.

   Deployment of the management cluster can take several minutes. The first run of tanzu management-cluster create takes longer than subsequent runs because it has to pull the required Docker images into the image store on your bootstrap machine. Subsequent runs do not require this step, so are faster. You can follow the progress of the deployment of the management cluster in the installer interface or in the terminal in which you ran tanzu management-cluster create --ui. If the machine on which you run tanzu management-cluster create shuts down or restarts before the local operations finish, the deployment will fail. If you inadvertently close the browser or browser tab in which the deployment is running before it finishes, the deployment continues in the terminal.

   NOTE: The screen capture below shows the deployment status page in Tanzu Kubernetes Grid v1.3.1.

   

What to Do Next

• The installer saves the configuration of the management cluster to ~/.tanzu/tkg/clusterconfigs with a generated filename of the form UNIQUE-ID.yaml. After the deployment has completed, you can rename the configuration file to something memorable, for example the name that you provided to the management cluster, and save it in a different location for future use.
• If you enabled identity management on the management cluster, you must perform post-deployment configuration steps to allow users to access the management cluster. For more information, see Configure Identity Management After Management Cluster Deployment.
• For information about what happened during the deployment of the management cluster and how to connect kubectl to the management cluster, see Examine the Management Cluster Deployment.
• If you need to deploy more than one management cluster, on any or all of vSphere, Azure, and Amazon EC2, see Manage Your Management Clusters. This topic also provides information about how to add existing management clusters to your CLI instance, obtain credentials, scale and delete management clusters, add namespaces, and how to opt in or out of the CEIP.