CLI-Managed Packages

This topic describes how to use the Tanzu CLI to install packages on Tanzu Kubernetes Grid (TKG) that publish services to workloads running on TKG workload clusters. It also explains how to prepare your TKG environment before installing these CLI-managed packages.

Note: You cannot install Tanzu Standard repository v1.5 packages into Tanzu Kubernetes clusters created by using the Tanzu Kubernetes Grid service.

Packages and Package Repositories

A CLI-managed package is an optional component of a Kubernetes cluster that you can install and manage with the Tanzu Command Line Interface (CLI). These packages are installed after cluster creation.

CLI-managed packages are distributed via package repositories. To install and manage package repositories and the packages they contain, you use the tanzu package plugin of the Tanzu CLI. For information about how to use the tanzu package plugin, see Installing and Managing Packages with the Tanzu CLI.

Tanzu Standard Repository Contents

The built-in tanzu-standard package repository distributed with Tanzu Kubernetes Grid includes the following CLI-managed packages. These packages provide in-cluster and shared services to the Kubernetes workloads running in your Tanzu Kubernetes Grid environment, and are all validated for TKG.

Function Package Package repository
Certificate management cert-manager tanzu-standard
Container networking multus-cni tanzu-standard
Container registry harbor tanzu-standard
Continuous delivery (CD) fluxcd-source-controller
helm-controller
kustomize-controller
tanzu-standard
community-edition
Ingress control contour tanzu-standard
Log forwarding fluent-bit tanzu-standard
Monitoring grafana
prometheus
tanzu-standard
Service discovery external-dns tanzu-standard

Note: Tanzu Kubernetes Grid v1.5.4 uses Tanzu Standard repository v1.5.4, projects.registry.vmware.com/tkg/packages/standard/repo:v1.5.4. TKG v1.5.0 and v1.5.1 both use Tanzu Standard repository v1.5.0.

Tanzu Application Platform Repository

The Tanzu Application Platform (TAP) repository contains CLI-managed packages useful for developers, such as Tanzu Application Platform, Tanzu Build Service, Cloud Native Runtimes, Application Accelerator for VMware Tanzu, and Cartographer.

For a list of packages that the TAP repository contains and how to install them in workload clusters, see Installing the Tanzu Application Platform Package and Profiles in the Tanzu Application Platform documentation.

Tanzu Community Edition Repository

The open-source Tanzu Community Edition (TCE) project contains additional packages, some of which are used by Tanzu Kubernetes Grid and Tanzu Application Platform.

However, some packages in the Tanzu Community Edition (TCE) package repository are unvalidated or incompatible with clusters created by Tanzu Kubernetes Grid, and are not supported for TKG.

For a list of TCE packages, see the addons/packages directory in the TCE repository.

Package Versions

You can run different versions of the CLI-managed packages in different workload clusters. In a workload cluster, you can run either the latest supported version of a CLI-managed package or the versions that are released with the last two Tanzu Kubernetes Grid releases. For example, if the latest supported version of Contour is 1.17.1 and the last two Tanzu Kubernetes Grid releases had the Contour versions 1.12.0 and 1.8.1, you can run version 1.17.1, 1.12.0, or 1.8.1 of Contour in a workload cluster.

Package Locations and Dependencies

In most cases, when you install a CLI-managed package from the tanzu-standard package repository, you install it in a workload or a shared services cluster. If the package depends on other packages in the package repository, you must install them first. After you prepare your Tanzu Kubernetes Grid environment as described above, follow the links in the Installation procedure column. These topics provide step-by-step instructions on how to configure and install each of the packages in the tanzu-standard package repository. For information about how to use the tanzu package plugin, see Packages in Installing and Managing Packages with the Tanzu CLI.

Package Dependencies Installation location Installation procedure
cert-manager n/a Workload or shared services cluster Install Cert Manager
contour Requires cert-manager Workload or shared services cluster Implement Ingress Control with Contour
external-dns Requires cert-manager
Requires external-dns if you want to create DNS records for Contour HTTPProxy resources
Workload or shared services cluster Implement Service Discovery with External DNS
fluent-bit n/a Workload cluster Implement Log Forwarding with Fluent Bit
flux-source-controller n/a Workload cluster flux-source-controller Readme
grafana Requires cert-manager, contour, and prometheus Workload cluster Implement Monitoring with Prometheus and Grafana
harbor Requires cert-manager
Requires contour or NSX ALB for ingress
Recommends external-dns on infrastructure platforms with load balancing such as Amazon EC2, Azure, and vSphere with NSX Advanced Load Balancer, especially in production or other environments in which Harbor availability is important
Workload or shared services cluster Deploy Harbor into a Workload or a Shared Services Cluster
helm-controller Requires flux-source-controller Workload cluster helm-controller Readme
kustomize-controller Requires flux-source-controller Workload cluster kustomize-controller Readme
multus-cni Requires cert-manager Workload cluster Implementing Multiple CNIs with Multus
prometheus Requires cert-manager Workload cluster Implement Monitoring with Prometheus and Grafana

Note: vSphere with Tanzu does not support deploying packages to a shared services cluster. Workload clusters deployed by vSphere with Tanzu can only use packaged services deployed to the workload clusters themselves.

Preparing to Install CLI-Managed Packages

Before installing CLI-managed packages from the tanzu-standard package repository, you must:

Install Cert Manager in Workload Clusters

Cert Manager provides automated certificate management. It already runs by default in management clusters. To install Cert Manager into a workload cluster, see Install Cert Manager.

Create a Shared Services Cluster

For workload clusters managed by a management cluster created with tanzu management-cluster create or tanzu mc create, rather than a vSphere with Tanzu Supervisor Cluster, deploying Harbor or other services enables all of the workload to share a single service instance.

Each Tanzu Kubernetes Grid instance can have only one shared services cluster.

Deploying Harbor to a shared services cluster enables all workload clusters that are managed by the same management cluster to share a single Harbor instance. For instructions on deploying Harbor, See Deploy Harbor into a Workload or a Shared Services Cluster.

To create a shared services cluster:

  1. Create a cluster configuration YAML file for the cluster. We recommend using the prod cluster plan rather than the dev plan. For example:

    INFRASTRUCTURE_PROVIDER: vsphere
    CLUSTER_NAME: YOUR-CLUSTER-NAME
    CLUSTER_PLAN: prod
    

    Where YOUR-CLUSTER-NAME is the name you choose for the cluster. For example, tkg-services.

  2. (vSphere only) If you are using the default Kube-Vip load balancer for cluster’s control plane API, you must specify its endpoint by setting VSPHERE_CONTROL_PLANE_ENDPOINT. Ensure that this VIP address is not in the DHCP range, but is in the same subnet as the DHCP range. If you mapped a fully qualified domain name (FQDN) to the VIP address, you can specify the FQDN instead of the VIP address.
    If you are using NSX Advanced Load Balancer (ALB), do not set VSPHERE_CONTROL_PLANE_ENDPOINT unless you need the control plane endpoint to be specific address. If so, use a static address within the NSX ALB IPAM Profile’s VIP Network range that you have manually added to the Static IP pool, or an FQDN mapped to the static address.

    For example:

    VSPHERE_CONTROL_PLANE_ENDPOINT: 10.10.10.10
    
  3. Deploy the cluster by passing the cluster configuration file to the tanzu cluster create command. For example:

    tanzu cluster create tkg-services --file tkg-services-config.yaml
    

    In this example, tkg-services is the name of the cluster and tkg-services-config.yaml is the name of the cluster configuration file. Throughout the rest of this procedure, the cluster that you just deployed is referred to as the shared services cluster.

  4. Set the context of kubectl to the context of your management cluster. For example:

    kubectl config use-context mgmt-cluster-admin@mgmt-cluster
    

    In this example, mgmt-cluster is the name of the management cluster.

  5. Add the tanzu-services label to the shared services cluster, as its cluster role. This label identifies the shared services cluster to the management cluster and workload clusters. For example:

    kubectl label cluster.cluster.x-k8s.io/tkg-services cluster-role.tkg.tanzu.vmware.com/tanzu-services="" --overwrite=true
    

    In this example, tkg-services is the name of the shared services cluster. You should see the confirmation cluster.cluster.x-k8s.io/tkg-services labeled.

  6. Check that the label has been correctly applied by running the following command:

    tanzu cluster list --include-management-cluster
    

    You should see that your shared services cluster has the tanzu-services role. For example:

    NAME              NAMESPACE   STATUS   CONTROLPLANE  WORKERS  KUBERNETES        ROLES           PLAN
    another-cluster   default     running  1/1           1/1      v1.22.9+vmware.1  <none>          dev
    tkg-services      default     running  3/3           3/3      v1.22.9+vmware.1  tanzu-services  prod
    mgmt-cluster      tkg-system  running  1/1           1/1      v1.22.9+vmware.1  management      dev
    
  7. Get the admin credentials of the shared services cluster. For example:

    tanzu cluster kubeconfig get tkg-services --admin
    
  8. Set the context of kubectl to the shared services cluster. For example:

    kubectl config use-context tkg-services-admin@tkg-services
    

Retrieve the Data Values Template

When you run tanzu package install to install a package in a workload cluster, you can configure the package by passing a data values file in to its --values-file option. Each CLI-managed package includes a sample data values file that you can base your configuration on.

To retrieve this data values template:

  1. If the kubectl context is not already set to the workload cluster where you want to deploy the package, set it:

    1. Get the admin credentials of the cluster:

      tanzu cluster kubeconfig get MY-CLUSTER --admin
      

      Where MY-CLUSTER is the name of the cluster.

    2. Set the context:

      kubectl config use-context MY-CLUSTER-CONTEXT
      

      Where MY-CLUSTER-CONTEXT is the cluster context listed in the admin credentials. It often has the form MY-CLUSTER-admin@MY-CLUSTER.

  2. Confirm that the package is available for the cluster:

    tanzu package available list -A
    
  3. Retrieve the version of the package:

    tanzu package available list PACKAGE-NAME -A
    

    With PACKAGE-NAME as listed in the output of tanzu package available list -A. For example:

    tanzu package available list fluent-bit.tanzu.vmware.com -A
    | Retrieving package versions for fluent-bit.tanzu.vmware.com...
     NAME                           VERSION                          RELEASED-AT           NAMESPACE
     fluent-bit.tanzu.vmware.com    1.7.5+vmware.1-tkg.1             2021-05-13T18:00:00Z  tanzu-package-repo-global
    
  4. Set image_url to the registry path from which to retrieve the package. For example:

    $ image_url=$(kubectl -n tanzu-package-repo-global get packages fluent-bit.tanzu.vmware.com.PACKAGE-VERSION -o jsonpath='{.spec.template.spec.fetch[0].imgpkgBundle.image}')
    

    Where PACKAGE-VERSION is the package version you retrieved above, for example 1.7.5+vmware.1-tkg.1.

  5. Confirm that image_url is a registry path with a sha256 image digest. For example:

    $ echo $image_url
    projects.registry.vmware.com/tkg/packages/standard/fluent-bit@sha256:c83d038c57f244aae2819dd77dc5184bb3e1ec96524d3f6a09fe8a244b7bc9e4
    
  6. Run imgpkg with image_url to retrieve the package image bundle:

    imgpkg pull -b $image_url -o PACKAGE-DIR
    

    Where PACKAGE-DIR is a local directory to save the bundle to. For example:

    $ imgpkg pull -b $image_url -o /tmp/fluentbit
    Pulling bundle 'projects.registry.vmware.com/tkg/packages/standard/fluent-bit@sha256:c83d038c57f244aae2819dd77dc5184bb3e1ec96524d3f6a09fe8a244b7bc9e4'
    Extracting layer 'sha256:48456e4452a35786ed148a3f1a9ede1427f8fccb0079a0eb0904820211b6cebd' (1/1)
    Locating image lock file images...
    One or more images not found in bundle repo; skipping lock file update
    
    Succeeded
    

The data values template is in the bundle, at ./config/values.yaml. To follow the Tanzu Kubernetes Grid documentation more closely, give the file a package-specific name and move it to the current directory, for example:

cp /tmp/fluentbit/config/values.yaml fluent-bit-data-values.yaml
check-circle-line exclamation-circle-line close-line
Scroll to top icon