CLI-Managed Packages

This topic describes how to use the Tanzu CLI to install packages on Tanzu Kubernetes Grid (TKG) that publish services to workloads running on TKG workload clusters. It also explains how to prepare your TKG environment before installing these CLI-managed packages.

Packages and Package Repositories

A CLI-managed package is an optional component of a Kubernetes cluster that you can install and manage with the Tanzu Command Line Interface (CLI). These packages are installed after cluster creation.

CLI-managed packages are distributed via package repositories. To install and manage package repositories and the packages they contain, you use the tanzu package plugin of the Tanzu CLI. For information about how to use the tanzu package plugin, see Installing and Managing Packages with the Tanzu CLI.


VMware provides support for Prometheus, Grafana, Fluent Bit, External DNS, and Multus when used with Tanzu Kubernetes Grid (TKG). Custom configurations and modifications/updates are beyond the current scope of VMware’s support.

Tanzu Standard Repository Contents

The built-in tanzu-standard package repository distributed with Tanzu Kubernetes Grid includes the following CLI-managed packages. These packages provide in-cluster and shared services to the Kubernetes workloads running in your Tanzu Kubernetes Grid environment, and are all validated for TKG.

Function Package Package repository
Certificate management cert-manager tanzu-standard
Container networking multus-cni tanzu-standard
Container networking whereabouts tanzu-standard
Container registry harbor tanzu-standard
Continuous delivery (CD) fluxcd-source-controller
Ingress control contour tanzu-standard
Log forwarding fluent-bit tanzu-standard
Monitoring grafana
Service discovery external-dns tanzu-standard

Tanzu Application Platform Repository

The Tanzu Application Platform (TAP) repository contains CLI-managed packages useful for developers, such as Tanzu Application Platform, Tanzu Build Service, Cloud Native Runtimes, Application Accelerator for VMware Tanzu, and Cartographer.

For a list of packages that the TAP repository contains and how to install them in workload clusters, see the topics that cover package installation under Install Tanzu Application Platform in the Tanzu Application Platform documentation.

Tanzu Community Edition Repository

The open-source Tanzu Community Edition (TCE) project contains additional packages, some of which are used by Tanzu Kubernetes Grid and Tanzu Application Platform.

However, some packages in the Tanzu Community Edition (TCE) package repository are unvalidated or incompatible with clusters created by Tanzu Kubernetes Grid, and are not supported for TKG.

For a list of TCE packages, see the addons/packages directory in the TCE repository.

Package Versions

You can run different versions of the CLI-managed packages in different workload clusters. In a workload cluster, you can run either the latest supported version of a CLI-managed package or the versions that are released with the last two Tanzu Kubernetes Grid releases. For example, if the latest supported version of Contour is 1.17.1 and the last two Tanzu Kubernetes Grid releases had the Contour versions 1.12.0 and 1.8.1, you can run version 1.17.1, 1.12.0, or 1.8.1 of Contour in a workload cluster.

Package Locations and Dependencies

In most cases, when you install a CLI-managed package from the tanzu-standard package repository, you install it in a workload or a shared services cluster. If the package depends on other packages in the package repository, you must install them first. After you prepare your Tanzu Kubernetes Grid environment as described in Preparing to Install CLI-Managed Packages below, follow the links in the Installation procedure column. These topics provide step-by-step instructions on how to configure and install each of the packages in the tanzu-standard package repository. For information about how to use the tanzu package plugin, see Packages in Installing and Managing Packages with the Tanzu CLI.

Package Dependencies Installation location Installation procedure
cert-manager n/a Workload or shared services cluster Install cert-manager
contour Requires cert-manager Workload or shared services cluster Implement Ingress Control with Contour
external-dns Requires cert-manager
Requires external-dns if you want to create DNS records for Contour HTTPProxy resources
Workload or shared services cluster Implement Service Discovery with External DNS
fluent-bit n/a Workload cluster Implement Log Forwarding with Fluent Bit
flux-source-controller n/a Workload cluster flux-source-controller Readme
grafana Requires cert-manager, contour, and prometheus Workload cluster Implement Monitoring with Prometheus and Grafana
harbor Requires cert-manager
Requires contour or NSX ALB for ingress
Recommends external-dns on infrastructure platforms with load balancing such as AWS, Azure, and vSphere with NSX Advanced Load Balancer, especially in production or other environments in which Harbor availability is important
Workload or shared services cluster Deploy Harbor into a Workload or a Shared Services Cluster
helm-controller Requires flux-source-controller Workload cluster helm-controller Readme
kustomize-controller Requires flux-source-controller Workload cluster kustomize-controller Readme
multus-cni Requires cert-manager Workload cluster Deploy Multus on Tanzu Kubernetes Cluster
prometheus Requires cert-manager Workload cluster Implement Monitoring with Prometheus and Grafana
whereabouts Requires multus-cni Workload cluster Deploy Multus with Whereabouts on Tanzu Kubernetes Cluster


vSphere with Tanzu does not support deploying packages to a shared services cluster. Workload clusters deployed by vSphere with Tanzu can only use packaged services deployed to the workload clusters themselves.

Preparing to Install CLI-Managed Packages

Before installing CLI-managed packages from the tanzu-standard package repository, you must:

Install cert-manager in Workload Clusters

cert-manager provides automated certificate management. It already runs by default in management clusters. To install cert-manager into a workload cluster, see Install cert-manager.

Create a Shared Services Cluster

For workload clusters managed by a management cluster created with tanzu management-cluster create or tanzu mc create, rather than a vSphere with Tanzu Supervisor Cluster, deploying Harbor or other services enables all of the workload to share a single service instance.

Each Tanzu Kubernetes Grid instance can have only one shared services cluster.

Deploying Harbor to a shared services cluster enables all workload clusters that are managed by the same management cluster to share a single Harbor instance. For instructions on deploying Harbor, See Deploy Harbor into a Workload or a Shared Services Cluster.

To create a shared services cluster:

  1. Create a cluster configuration YAML file for the cluster. We recommend using the prod cluster plan rather than the dev plan. For example:

    CLUSTER_PLAN: prod

    Where YOUR-CLUSTER-NAME is the name you choose for the cluster. For example, tkg-services.

  2. (vSphere only) If you are using the default Kube-Vip load balancer for cluster’s control plane API, you must specify its endpoint by setting VSPHERE_CONTROL_PLANE_ENDPOINT. Ensure that this VIP address is not in the DHCP range, but is in the same subnet as the DHCP range. If you mapped a fully qualified domain name (FQDN) to the VIP address, you can specify the FQDN instead of the VIP address.
    If you are using NSX Advanced Load Balancer (ALB), do not set VSPHERE_CONTROL_PLANE_ENDPOINT unless you need the control plane endpoint to be specific address. If so, use a static address within the NSX ALB IPAM Profile’s VIP Network range that you have manually added to the Static IP pool, or an FQDN mapped to the static address.

    For example:

  3. Deploy the cluster by passing the cluster configuration file to the tanzu cluster create command. For example:

    tanzu cluster create tkg-services --file tkg-services-config.yaml

    In this example, tkg-services is the name of the cluster and tkg-services-config.yaml is the name of the cluster configuration file. Throughout the rest of this procedure, the cluster that you just deployed is referred to as the shared services cluster.

  4. Set the context of kubectl to the context of your management cluster. For example:

    kubectl config use-context mgmt-cluster-admin@mgmt-cluster

    In this example, mgmt-cluster is the name of the management cluster.

  5. Add the tanzu-services label to the shared services cluster, as its cluster role. This label identifies the shared services cluster to the management cluster and workload clusters. For example:

    kubectl label"" --overwrite=true

    In this example, tkg-services is the name of the shared services cluster. You should see the confirmation labeled.

  6. Check that the label has been correctly applied by running the following command:

    tanzu cluster list --include-management-cluster

    You should see that your shared services cluster has the tanzu-services role. For example:

    another-cluster   default     running  1/1           1/1      v1.23.5+vmware.1  <none>          dev    v1.23.5---vmware.1-tkg
    tkg-services      default     running  3/3           3/3      v1.23.5+vmware.1  tanzu-services  prod   v1.23.5---vmware.1-tkg
    mgmt-cluster      tkg-system  running  1/1           1/1      v1.23.5+vmware.1  management      dev    v1.23.5---vmware.1-tkg
  7. Get the admin credentials of the shared services cluster. For example:

    tanzu cluster kubeconfig get tkg-services --admin
  8. Set the context of kubectl to the shared services cluster. For example:

    kubectl config use-context tkg-services-admin@tkg-services
check-circle-line exclamation-circle-line close-line
Scroll to top icon