CLI-Managed Packages

This topic describes how to use the Tanzu CLI to install packages on Tanzu Kubernetes Grid (TKG) that publish services to workloads running on TKG workload clusters. It also explains how to prepare your TKG environment before installing these CLI-managed packages.

Packages and Package Repositories

A CLI-managed package is an optional component of a Kubernetes cluster that you can install and manage with the Tanzu Command Line Interface (CLI). These packages are installed after cluster creation.

CLI-managed packages are distributed via package repositories. To install and manage package repositories and the packages they contain, you use the tanzu package plugin of the Tanzu CLI. For information about how to use the tanzu package plugin, see Installing and Managing Packages with the Tanzu CLI.

Tanzu Standard Repository Contents

The built-in tanzu-standard package repository distributed with Tanzu Kubernetes Grid includes the following CLI-managed packages. These packages provide in-cluster and shared services to the Kubernetes clusters that are running in your Tanzu Kubernetes Grid environment.

Function Package Package repository
Certificate management cert-manager tanzu-standard
Container networking multus-cni tanzu-standard
Container registry harbor tanzu-standard
Ingress control contour tanzu-standard
Log forwarding fluent-bit tanzu-standard
Monitoring grafana tanzu-standard
Monitoring prometheus tanzu-standard
Service discovery external-dns tanzu-standard

Each CLI-managed package has only one version available in the tanzu-standard package repository.

Preparing to Install the CLI-Managed Packages

Before installing packages from the tanzu-standard package repository, you must prepare your Tanzu Kubernetes Grid environment. To prepare your environment:

Locations and Dependencies

In most cases, when you install a CLI-managed package from the tanzu-standard package repository, you install it in a workload or a shared services cluster. If the package depends on other packages in the package repository, you must install them first. After you prepare your Tanzu Kubernetes Grid environment as described above, follow the links in the Installation procedure column. These topics provide step-by-step instructions on how to configure and install each of the packages in the tanzu-standard package repository. For information about how to use the tanzu package plugin, see Packages in Installing and Managing Packages with the Tanzu CLI.


Package Dependencies Installation location Installation procedure
cert-manager Required by contour, external-dns, harbor, multus-cni, and prometheus and grafana. Workload or shared services cluster Install Cert Manager
contour Required by harbor, external-dns if you want to create DNS records for Contour HTTPProxy resources, and grafana. Workload or shared services cluster Implement Ingress Control with Contour
external-dns Recommended for harbor on infrastructure platforms with load balancing such as Amazon EC2, Azure, and vSphere with NSX Advanced Load Balancer, especially in production or other environments in which Harbor availability is important. Workload or shared services cluster Implement Service Discovery with External DNS
fluent-bit n/a Workload cluster Implement Log Forwarding with Fluent Bit
grafana n/a Workload cluster Implement Monitoring with Prometheus and Grafana
harbor n/a Shared services cluster Deploy Harbor Registry as a Shared Service
multus-cni n/a Workload cluster Implementing Multiple CNIs with Multus
prometheus Required by grafana. Workload cluster Implement Monitoring with Prometheus and Grafana

Note: vSphere with Tanzu does not support deploying packages to a shared services cluster. Workload clusters deployed by vSphere with Tanzu can only use packaged services deployed to the workload clusters themselves.

Install Cert Manager in Workload Clusters

Cert Manager provides automated certificate management. It already runs by default in management clusters. To install Cert Manager into a workload cluster, see Install Cert Manager.

Create a Shared Services Cluster

Each Tanzu Kubernetes Grid instance can have only one shared services cluster. Create a shared services cluster if you intend to deploy Harbor.

To create a shared services cluster:

  1. Create a cluster configuration YAML file for the cluster. We recommend using the prod cluster plan rather than the dev plan. For example:

    INFRASTRUCTURE_PROVIDER: vsphere
    CLUSTER_NAME: YOUR-CLUSTER-NAME
    CLUSTER_PLAN: prod
    

    Where YOUR-CLUSTER-NAME is the name you choose for the cluster. For example, tkg-services.

  2. (vSphere only) If you are using the default Kube-Vip load balancer for cluster’s control plane API, you must specify its endpoint by setting VSPHERE_CONTROL_PLANE_ENDPOINT. Ensure that this VIP address is not in the DHCP range, but is in the same subnet as the DHCP range. If you mapped a fully qualified domain name (FQDN) to the VIP address, you can specify the FQDN instead of the VIP address.
    If you are using NSX Advanced Load Balancer (ALB), do not set VSPHERE_CONTROL_PLANE_ENDPOINT unless you need the control plane endpoint to be specific address. If so, use a static address within the NSX ALB IPAM Profile’s VIP Network range that you have manually added to the Static IP pool, or an FQDN mapped to the static address.

    For example:

    VSPHERE_CONTROL_PLANE_ENDPOINT: 10.10.10.10
    
  3. Deploy the cluster by passing the cluster configuration file to the tanzu cluster create command. For example:

    tanzu cluster create tkg-services --file tkg-services-config.yaml
    

    In this example, tkg-services is the name of the cluster and tkg-services-config.yaml is the name of the cluster configuration file. Throughout the rest of this procedure, the cluster that you just deployed is referred to as the shared services cluster.

  4. Set the context of kubectl to the context of your management cluster. For example:

    kubectl config use-context mgmt-cluster-admin@mgmt-cluster
    

    In this example, mgmt-cluster is the name of the management cluster.

  5. Add the tanzu-services label to the shared services cluster, as its cluster role. This label identifies the shared services cluster to the management cluster and workload clusters. For example:

    kubectl label cluster.cluster.x-k8s.io/tkg-services cluster-role.tkg.tanzu.vmware.com/tanzu-services="" --overwrite=true
    

    In this example, tkg-services is the name of the shared services cluster. You should see the confirmation cluster.cluster.x-k8s.io/tkg-services labeled.

  6. Check that the label has been correctly applied by running the following command:

    tanzu cluster list --include-management-cluster
    

    You should see that your shared services cluster has the tanzu-services role. For example:

    NAME              NAMESPACE   STATUS   CONTROLPLANE  WORKERS  KUBERNETES        ROLES           PLAN
    another-cluster   default     running  1/1           1/1      v1.21.8+vmware.1  <none>          dev
    tkg-services      default     running  3/3           3/3      v1.21.8+vmware.1  tanzu-services  prod
    mgmt-cluster      tkg-system  running  1/1           1/1      v1.21.8+vmware.1  management      dev
    
  7. Get the admin credentials of the shared services cluster. For example:

    tanzu cluster kubeconfig get tkg-services --admin
    
  8. Set the context of kubectl to the shared services cluster. For example:

    kubectl config use-context tkg-services-admin@tkg-services
    

Retrieve the Data Values Template

When you run tanzu package install to install a package in a workload cluster, you can configure the package by passing a data values file in to its --values-file option. Each CLI-managed package includes a sample data values file that you can base your configuration on.

To retrieve this data values template:

  1. If the kubectl context is not already set to the workload cluster where you want to deploy the package, set it:

    1. Get the admin credentials of the cluster:

      tanzu cluster kubeconfig get MY-CLUSTER --admin
      

      Where MY-CLUSTER is the name of the cluster.

    2. Set the context:

      kubectl config use-context MY-CLUSTER-CONTEXT
      

      Where MY-CLUSTER-CONTEXT is the cluster context listed in the admin credentials. It often has the form MY-CLUSTER-admin@MY-CLUSTER.

  2. Confirm that the package is available for the cluster:

    tanzu package available list -A
    
  3. Retrieve the version of the package:

    tanzu package available list PACKAGE-NAME -A
    

    With PACKAGE-NAME as listed in the output of tanzu package available list -A. For example:

    tanzu package available list fluent-bit.tanzu.vmware.com -A
    | Retrieving package versions for fluent-bit.tanzu.vmware.com...
     NAME                           VERSION                          RELEASED-AT           NAMESPACE
     fluent-bit.tanzu.vmware.com    1.7.5+vmware.1-tkg.1             2021-05-13T18:00:00Z  tanzu-package-repo-global
    
  4. Set image_url to the registry path from which to retrieve the package. For example:

    $ image_url=$(kubectl -n tanzu-package-repo-global get packages fluent-bit.tanzu.vmware.com/PACKAGE-VERSION -o jsonpath='{.spec.template.spec.fetch[0].imgpkgBundle.image}')
    

    Where PACKAGE-VERSION is the package version you retrieved above, for example 1.7.5+vmware.1-tkg.1.

  5. Confirm that image_url is a registry path with a sha256 image digest. For example:

    $ echo $image_url
    projects.registry.vmware.com/tkg/packages/standard/fluent-bit@sha256:c83d038c57f244aae2819dd77dc5184bb3e1ec96524d3f6a09fe8a244b7bc9e4
    
  6. Run imgpkg with image_url to retrieve the package image bundle:

    imgpkg pull -b $image_url -o PACKAGE-DIR
    

    Where PACKAGE-DIR is a local directory to save the bundle to. For example:

    $ imgpkg pull -b $image_url -o /tmp/fluentbit
    Pulling bundle 'projects.registry.vmware.com/tkg/packages/standard/fluent-bit@sha256:c83d038c57f244aae2819dd77dc5184bb3e1ec96524d3f6a09fe8a244b7bc9e4'
    Extracting layer 'sha256:48456e4452a35786ed148a3f1a9ede1427f8fccb0079a0eb0904820211b6cebd' (1/1)
    Locating image lock file images...
    One or more images not found in bundle repo; skipping lock file update
    
    Succeeded
    

The data values template is in the bundle, at ./config/values.yaml. To follow the Tanzu Kubernetes Grid documentation more closely, give the file a package-specific name and move it to the current directory, for example:

```sh
cp /tmp/fluentbit/config/values.yaml fluent-bit-data-values.yaml
```
check-circle-line exclamation-circle-line close-line
Scroll to top icon