CLI-Managed Packages

This topic describes how to use the Tanzu CLI to install packages on Tanzu Kubernetes Grid (TKG) that publish services to workloads running on TKG workload clusters. It also explains how to prepare your TKG environment before installing these CLI-managed packages.

Packages and Package Repositories

A CLI-managed package is an optional component of a Kubernetes cluster that you can install and manage with the Tanzu Command Line Interface (CLI). These packages are installed after cluster creation.

CLI-managed packages are distributed via package repositories. To install and manage package repositories and the packages they contain, you use the tanzu package plugin of the Tanzu CLI. For information about how to use the tanzu package plugin, see Installing and Managing Packages with the Tanzu CLI.

Note
VMware provides support for Prometheus, Grafana, Fluent Bit, External DNS, and Multus when used with Tanzu Kubernetes Grid (TKG). Custom configurations and modifications/updates are beyond the current scope of VMware’s support.

Tanzu Standard Repository Contents

The built-in tanzu-standard package repository distributed with Tanzu Kubernetes Grid includes the following CLI-managed packages. These packages provide in-cluster and shared services to the Kubernetes workloads running in your Tanzu Kubernetes Grid environment, and are all validated for TKG.

Function	Package	Package repository
Certificate management	`cert-manager`	`tanzu-standard`
Container networking	`multus-cni`	`tanzu-standard`
Container networking	`whereabouts`	`tanzu-standard` `community-edition`
Container registry	`harbor`	`tanzu-standard`
Continuous delivery (CD)	`fluxcd-source-controller` `helm-controller` `kustomize-controller`	`tanzu-standard` `community-edition`
Ingress control	`contour`	`tanzu-standard`
Log forwarding	`fluent-bit`	`tanzu-standard`
Monitoring	`grafana` `prometheus`	`tanzu-standard`
Service discovery	`external-dns`	`tanzu-standard`

Tanzu Application Platform Repository

The Tanzu Application Platform (TAP) repository contains CLI-managed packages useful for developers, such as Tanzu Application Platform, Tanzu Build Service, Cloud Native Runtimes, Application Accelerator for VMware Tanzu, and Cartographer.

For a list of packages that the TAP repository contains and how to install them in workload clusters, see the topics that cover package installation under Install Tanzu Application Platform in the Tanzu Application Platform documentation.

Tanzu Community Edition Repository

The open-source Tanzu Community Edition (TCE) project contains additional packages, some of which are used by Tanzu Kubernetes Grid and Tanzu Application Platform.

However, some packages in the Tanzu Community Edition (TCE) package repository are unvalidated or incompatible with clusters created by Tanzu Kubernetes Grid, and are not supported for TKG.

For a list of TCE packages, see the addons/packages directory in the TCE repository.

Package Versions

You can run different versions of the CLI-managed packages in different workload clusters. In a workload cluster, you can run either the latest supported version of a CLI-managed package or the versions that are released with the last two Tanzu Kubernetes Grid releases. For example, if the latest supported version of Contour is 1.17.1 and the last two Tanzu Kubernetes Grid releases had the Contour versions 1.12.0 and 1.8.1, you can run version 1.17.1, 1.12.0, or 1.8.1 of Contour in a workload cluster.

Package Locations and Dependencies

In most cases, when you install a CLI-managed package from the tanzu-standard package repository, you install it in a workload or a shared services cluster. If the package depends on other packages in the package repository, you must install them first. After you prepare your Tanzu Kubernetes Grid environment as described in Preparing to Install CLI-Managed Packages below, follow the links in the Installation procedure column. These topics provide step-by-step instructions on how to configure and install each of the packages in the tanzu-standard package repository. For information about how to use the tanzu package plugin, see Packages in Installing and Managing Packages with the Tanzu CLI.

Package	Dependencies	Installation location	Installation procedure
`cert-manager`	n/a	Workload or shared services cluster	Install cert-manager
`contour`	Requires `cert-manager`	Workload or shared services cluster	Implement Ingress Control with Contour
`external-dns`	Requires `cert-manager` Requires `external-dns` if you want to create DNS records for Contour HTTPProxy resources	Workload or shared services cluster	Implement Service Discovery with External DNS
`fluent-bit`	n/a	Workload cluster	Implement Log Forwarding with Fluent Bit
`flux-source-controller`	n/a	Workload cluster	flux-source-controller Readme
`grafana`	Requires `cert-manager`, `contour`, and `prometheus`	Workload cluster	Implement Monitoring with Prometheus and Grafana
`harbor`	Requires `cert-manager` Requires `contour` or NSX ALB for ingress Recommends `external-dns` on infrastructure platforms with load balancing such as AWS, Azure, and vSphere with NSX Advanced Load Balancer, especially in production or other environments in which Harbor availability is important	Workload or shared services cluster	Deploy Harbor into a Workload or a Shared Services Cluster
`helm-controller`	Requires `flux-source-controller`	Workload cluster	helm-controller Readme
`kustomize-controller`	Requires `flux-source-controller`	Workload cluster	kustomize-controller Readme
`multus-cni`	Requires `cert-manager`	Workload cluster	Deploy Multus on Tanzu Kubernetes Cluster
`prometheus`	Requires `cert-manager`	Workload cluster	Implement Monitoring with Prometheus and Grafana
`whereabouts`	Requires `multus-cni`	Workload cluster	Deploy Multus with Whereabouts on Tanzu Kubernetes Cluster

Note
vSphere with Tanzu does not support deploying packages to a shared services cluster. Workload clusters deployed by vSphere with Tanzu can only use packaged services deployed to the workload clusters themselves.

Preparing to Install CLI-Managed Packages

Before installing CLI-managed packages from the tanzu-standard package repository, you must:

Install the Tanzu CLI
Update the Package Repository
Review Package Locations and Dependencies.
Install cert-manager in Workload Clusters.
Create a Shared Services Cluster, if you intend to install Harbor or other packages to a shared services cluster.
vSphere 7: To install packages into a workload cluster created by using vSphere with Tanzu, follow Prepare a Workload Cluster Created by Using vSphere with Tanzu to Run Packages before continuing below.

Install cert-manager in Workload Clusters

cert-manager provides automated certificate management. It already runs by default in management clusters. To install cert-manager into a workload cluster, see Install cert-manager.

Create a Shared Services Cluster

For workload clusters managed by a management cluster created with tanzu management-cluster create or tanzu mc create, rather than a vSphere with Tanzu Supervisor Cluster, deploying Harbor or other services enables all of the workload to share a single service instance.

Each Tanzu Kubernetes Grid instance can have only one shared services cluster.

Deploying Harbor to a shared services cluster enables all workload clusters that are managed by the same management cluster to share a single Harbor instance. For instructions on deploying Harbor, See Deploy Harbor into a Workload or a Shared Services Cluster.

To create a shared services cluster:

Create a cluster configuration YAML file for the cluster. We recommend using the prod cluster plan rather than the dev plan. For example:
```
INFRASTRUCTURE_PROVIDER: vsphere
CLUSTER_NAME: YOUR-CLUSTER-NAME
CLUSTER_PLAN: prod
```
Where YOUR-CLUSTER-NAME is the name you choose for the cluster. For example, tkg-services.
(vSphere only) If you are using the default Kube-Vip load balancer for cluster’s control plane API, you must specify its endpoint by setting VSPHERE_CONTROL_PLANE_ENDPOINT. Ensure that this VIP address is not in the DHCP range, but is in the same subnet as the DHCP range. If you mapped a fully qualified domain name (FQDN) to the VIP address, you can specify the FQDN instead of the VIP address.
If you are using NSX Advanced Load Balancer (ALB), do not set VSPHERE_CONTROL_PLANE_ENDPOINT unless you need the control plane endpoint to be specific address. If so, use a static address within the NSX ALB IPAM Profile’s VIP Network range that you have manually added to the Static IP pool, or an FQDN mapped to the static address.

For example:
```
VSPHERE_CONTROL_PLANE_ENDPOINT: 10.10.10.10
```
Deploy the cluster by passing the cluster configuration file to the tanzu cluster create command. For example:
```
tanzu cluster create tkg-services --file tkg-services-config.yaml
```
In this example, tkg-services is the name of the cluster and tkg-services-config.yaml is the name of the cluster configuration file. Throughout the rest of this procedure, the cluster that you just deployed is referred to as the shared services cluster.
Set the context of kubectl to the context of your management cluster. For example:
```
kubectl config use-context mgmt-cluster-admin@mgmt-cluster
```
In this example, mgmt-cluster is the name of the management cluster.
Add the tanzu-services label to the shared services cluster, as its cluster role. This label identifies the shared services cluster to the management cluster and workload clusters. For example:
```
kubectl label cluster.cluster.x-k8s.io/tkg-services cluster-role.tkg.tanzu.vmware.com/tanzu-services="" --overwrite=true
```
In this example, tkg-services is the name of the shared services cluster. You should see the confirmation cluster.cluster.x-k8s.io/tkg-services labeled.

Check that the label has been correctly applied by running the following command:

tanzu cluster list --include-management-cluster

You should see that your shared services cluster has the tanzu-services role. For example:

NAME              NAMESPACE   STATUS   CONTROLPLANE  WORKERS  KUBERNETES        ROLES           PLAN   TKR
another-cluster   default     running  1/1           1/1      v1.23.5+vmware.1  <none>          dev    v1.23.5---vmware.1-tkg
tkg-services      default     running  3/3           3/3      v1.23.5+vmware.1  tanzu-services  prod   v1.23.5---vmware.1-tkg
mgmt-cluster      tkg-system  running  1/1           1/1      v1.23.5+vmware.1  management      dev    v1.23.5---vmware.1-tkg

Get the admin credentials of the shared services cluster. For example:
```
tanzu cluster kubeconfig get tkg-services --admin
```
Set the context of kubectl to the shared services cluster. For example:
```
kubectl config use-context tkg-services-admin@tkg-services
```