Install the Tanzu CLI and Other Tools for Use with a vSphere with Tanzu Supervisor

This topic explains how to install and initialize the Tanzu command line interface (CLI) on a bootstrap machine. The bootstrap machine is the laptop, host, or server that you deploy management and workload clusters from and that keeps Tanzu and Kubernetes configuration files for your deployments. The bootstrap machine is typically local, but it can also be a physical machine or VM that you access remotely.

If you are using the vSphere with Tanzu Supervisor on vSphere 8 as a management cluster, after you install the Tanzu CLI, you can connect it to the Supervisor.

Note

The instructions in this topic are specific to installing the Tanzu CLI for use with a vSphere with Tanzu Supervisor on vSphere 8. If you are installing the Tanzu CLI in order to deploy standalone management clusters on vSphere without a Supervisor, or on AWS or Azure, see the corresponding topic in Deploying and Managing Tanzu Kubernetes Grid 2.2 Standalone Management Clusters, Install the Tanzu CLI and Other Tools for Use with Standalone Management Clusters.

The Tanzu CLI communicates with the Supervisor to create and manage workload clusters in vSphere with Tanzu.

Tanzu Kubernetes Grid v2.0, v2.2, and vSphere with Tanzu Supervisor in vSphere 8

Important

The vSphere with Tanzu Supervisor in vSphere 8 runs TKG v2.0. TKG v2.0 was not released as a downloadable product, and allows you to create and manage class-based workload clusters with the Supervisor in vSphere 8 only. Due to the earlier TKG version that is embedded in Supervisor, some of the features of TKG v2.2 are not available if you are using vSphere with Tanzu. TKG v2.2 or later will be embedded in Supervisor in a future vSphere update release. Consequently, the version of TKG embedded in the latest vSphere version at a given time may not be as recent as the latest standalone version of TKG. However, the version of the Tanzu CLI that ships with all TKG v2.x releases is fully supported for use with Supervisor in vSphere 8.

Tanzu Kubernetes Grid v2.2 and vSphere with Tanzu in vSphere 7

Caution

You cannot use the version of the Tanzu CLI that ships with TKG 2.2 to log in to a Supervisor Cluster on vSphere 7. If you are using the Tanzu CLI to log in to a Supervisor Cluster on vSphere 7 and you cannot upgrade to vSphere 8, do not deploy or upgrade to Tanzu Kubernetes Grid version 2.2. You can deploy a management cluster to vSphere 7 if a vSphere with Tanzu Supervisor Cluster is not present.

For more information about the Tanzu CLI, including a command reference, see the VMware Tanzu CLI documentation.

Prerequisites

The bootstrap machine on which you install and run the Tanzu CLI must meet certain requirements. There are further requirements depending on whether you intend to use the Tanzu CLI with a vSphere with Tanzu Supervisor as the management cluster, or deploy standalone management clusters, or both.

To run the Tanzu CLI with Tanzu Kubernetes Grid v2.2, you need a bootstrap machine on which to install and run the Tanzu CLI that has:

• A Linux, Windows, or macOS operating system running on a physical or virtual machine that has the following hardware:
  • At least 8 GB of RAM. VMware recommends 16 GB of RAM.
  • A disk with 50GB of available storage.
  • 2 or 4 2-core CPUs.
• A browser or remote access from a machine with a browser, if you intend to use the Tanzu Kubernetes Grid installer interface to deploy standalone management clusters. You can use the Tanzu CLI without a browser, but for first deployments, it is strongly recommended to use the installer interface.
• System time is synchronized with a Network Time Protocol (NTP) server.
• If your bootstrap machine runs Windows, VMware recommends installing Windows Subsystem for Linux (WSL) with Ubuntu 20.04.4 LTS, which enables you to run Linux commands on Windows. For more information about WSL, see Install WSL in the Microsoft documentation.

To use a Supervisor cluster as the management cluster, you also need:

• A vSphere 8 account with:

  • The vSphere with Tanzu feature enabled and a Supervisor configured.
  • A vSphere with Tanzu DevOps account, as described in vSphere with Tanzu User Roles and Workflows.

• One of the following:

  • (Recommended) an OIDC-compliant external identity provider that is:
    • Registered with the Supervisor as described in Register an External IDP with Supervisor.
    • Configured to grant user and group access to a vSphere namespace as described in Configure vSphere Namespace Permissions for External OIDC Provider Users and Groups.
  • The kubectl vsphere CLI plugin installed on your bootstrap machine, as described in Download and Install the Kubernetes CLI Tools for vSphere.

Download and Unpack the Tanzu CLI

Download the files for the compatible version of the Tanzu CLI from the Tanzu Kubernetes Grid downloads page.

1. Go to VMware Customer Connect and log in with your VMware Customer Connect credentials.

2. Visit the Tanzu Kubernetes Grid downloads page.

3. In the VMware Tanzu Kubernetes Grid row, click Go to Downloads.

4. In the Select Version drop-down, select 2.2.0.

5. Under Product Downloads, scroll to the section labeled VMware Tanzu CLI 2.2.0 CLI.

   macOS

   Locate VMware Tanzu CLI for Mac and click Download Now.

   Linux

   Locate VMware Tanzu CLI for Linux and click Download Now.

   Windows

   Locate VMware Tanzu CLI for Windows and click Download Now.

6. (Optional) Verify that your downloaded files are unaltered from the original. VMware provides a SHA-1, a SHA-256, and an MD5 checksum for each download. To obtain these checksums, click Read More under the entry that you want to download. For more information, see Using Cryptographic Hashes.

7. On your system, create a new directory named tanzu. If you previously unpacked artifacts for previous releases to this folder, delete the folder’s existing contents.

8. In the tanzu folder, unpack the Tanzu CLI bundle file for your operating system. To unpack the bundle file, use the extraction tool of your choice. For example, on Linux or macOS, you can use the tar command.

   macOS

   tar -xvf tanzu-cli-bundle-darwin-amd64.tar.gz
   

   Linux

   tar -xvf tanzu-cli-bundle-linux-amd64.tar.gz
   

   Windows

   Use the Windows extractor tool to unzip tanzu-cli-bundle-windows-amd64.zip.

   After you unpack the bundle file, in your tanzu folder, you will see a cli folder with multiple subfolders and files.

Initialize the Tanzu CLI

After you have downloaded and unpacked the Tanzu CLI on your bootstrap machine, you must make it available to the system.

1. Navigate to the cli subfolder under the tanzu folder that you unpacked in the previous section.

   cd cli
   

2. Make the CLI available to the system:

   macOS

   Install the binary to /usr/local/bin:

   sudo install core/v0.29.0/tanzu-core-darwin_amd64 /usr/local/bin/tanzu
   

   Linux

   Install the binary to /usr/local/bin:

   sudo install core/v0.29.0/tanzu-core-linux_amd64 /usr/local/bin/tanzu
   

   Windows

   1. Create a new Program Files\tanzu folder.
   2. In the unpacked cli folder, locate and copy the core\v0.29.0\tanzu-core-windows_amd64.exe file into the new Program Files\tanzu folder.
   3. Rename tanzu-core-windows_amd64.exe to tanzu.exe.
   4. Right-click the tanzu folder, select Properties > Security, and make sure that your user account has the Full Control permission.
   5. Use Windows Search to search for env.
   6. Select Edit the system environment variables and click the Environment Variables button.
   7. Select the Path row under System variables, and click Edit.
   8. Click New to add a new row and enter the path to the tanzu CLI.

3. At the command line in a new terminal, initialize the Tanzu CLI:

   tanzu init
   

4. Check that the correct version of the CLI is properly installed. The CLI version is the same as the current version of Tanzu Framework, which is included in the Tanzu CLI. Tanzu Kubernetes Grid 2.2 uses Tanzu CLI v0.29.0, which is in Tanzu Framework v0.29.0:

   tanzu version
   

   If you are running on macOS, you might encounter the following error:

   "tanzu" cannot be opened because the developer cannot be verified.
   

   If this happens, you need to create a security exception for the tanzu executable. Locate the tanzu app in Finder, control-click the app, and select Open.

Install the Tanzu CLI Plugins

After you have installed the tanzu core executable, you must install the CLI plugins that enable workload cluster and package operations.

1. (Optional) Remove existing plugins from any previous CLI installations.

   tanzu plugin clean
   

2. Navigate to the tanzu folder that contains the cli folder.

3. Run the following command from the tanzu directory to install all the plugins for this release.

   tanzu plugin sync
   

4. Check plugin installation status.

   tanzu plugin list
   

   If successful, you should see a list of all installed plugins. For example:

   Standalone Plugins
     NAME                DESCRIPTION                                                        TARGET      DISCOVERY  VERSION  STATUS
     isolated-cluster    isolated-cluster operations                                                    default    v0.29.0  installed
     login               Login to the platform                                                          default    v0.29.0  installed
     pinniped-auth       Pinniped authentication operations (usually not directly invoked)              default    v0.29.0  installed
     management-cluster  Kubernetes management-cluster operations                           kubernetes  default    v0.29.0  installed
     package             Tanzu package management                                           kubernetes  default    v0.29.0  installed
     secret              Tanzu secret management                                            kubernetes  default    v0.29.0  installed
     telemetry           Configure cluster-wide telemetry settings                          kubernetes  default    v0.29.0  installed
   

Note

After you have installed the Tanzu CLI but before you have used it to log in to a management cluster, all context-specific CLI command groups (tanzu cluster, tanzu kubernetes-release) are unavailable and not included in Tanzu CLI --help output.

Install the Kubernetes CLI

Download and unpack the Kubernetes CLI, kubectl, on your bootstrap machine, then make it available to your system.

1. Go to VMware Customer Connect and log in with your VMware Customer Connect credentials.

2. Visit the Tanzu Kubernetes Grid downloads page.

3. In the VMware Tanzu Kubernetes Grid row, click Go to Downloads.

4. In the Select Version drop-down, select 2.2.0.

5. Under Product Downloads, scroll to the section labeled Kubectl 1.25.7 for VMware Tanzu Kubernetes Grid 2.2.0.

   macOS

   Locate kubectl cli v1.25.7 for Mac and click Download Now.

   Linux

   Locate kubectl cli v1.25.7 for Linux and click Download Now.

   Windows

   Locate kubectl cli v1.25.7 for Windows and click Download Now.

6. (Optional) Verify that your downloaded files are unaltered from the original. VMware provides a SHA-1, a SHA-256, and an MD5 checksum for each download. To obtain these checksums, click Read More under the entry that you want to download. For more information, see Using Cryptographic Hashes.

7. Navigate to the tanzu directory you created in Download and Unpack the Tanzu CLI above and unpack the kubectl binary for your operating system. To unpack the bundle file, use the extraction tool of your choice. For example, the gunzip command.

   macOS

   gunzip kubectl-mac-v1.25.7+vmware.2.gz
   

   Linux

   gunzip kubectl-linux-v1.25.7+vmware.2.gz
   

   Windows

   Use the Windows extractor tool to unzip kubectl-windows-v1.25.7+vmware.2.exe.gz.

8. Make the CLI available to the system:

   macOS

   1. Make the downloaded file executable:

      chmod ugo+x kubectl-mac-v1.25.7+vmware.2
      

   2. Install the binary to /usr/local/bin:

      sudo install kubectl-mac-v1.25.7+vmware.2 /usr/local/bin/kubectl
      

   3. Run kubectl version to check that the correct version of kubectl is installed and executable.

      kubectl version
      

   Linux

   1. Make the downloaded file executable:

      chmod ugo+x kubectl-linux-v1.25.7+vmware.2
      

   2. Install the binary to /usr/local/bin:

      sudo install kubectl-linux-v1.25.7+vmware.2 /usr/local/bin/kubectl
      

   3. Run kubectl version to check that the correct version of kubectl is installed and executable.

      kubectl version
      

   Windows

   1. Create a new Program Files\kubectl folder.
   2. Locate and copy the kubectl-windows-v1.25.7+vmware.2.exe file into the new Program Files\kubectl folder.
   3. Rename kubectl-windows-v1.25.7+vmware.1.exe to kubectl.exe.
   4. Right-click the kubectl folder, select Properties > Security, and make sure that your user account has the Full Control permission.
   5. Use Windows Search to search for env.
   6. Select Edit the system environment variables and click the Environment Variables button.
   7. Select the Path row under System variables and click Edit.
   8. Click New to add a new row and enter the path to the kubectl CLI.

9. Run kubectl version to check that the correct version of the CLI is properly installed.

Tanzu CLI Help

Run tanzu --help to see the list of commands that the Tanzu CLI provides.

You can view help text for any command group with the --help option to see information about that specific command or command group. For example, tanzu login --help, tanzu management-cluster --help, or tanzu management-cluster create --help.

For more information about the Tanzu CLI, see the Tanzu CLI Command Reference.

Install the Carvel Tools

The Carvel open-source project provides a set of reliable, single-purpose, composable tools that aid in application building, configuration, and deployment to Kubernetes.

Tanzu Kubernetes Grid provides signed binaries for ytt, kapp, kbld, and imgpkg, that are bundled with the Tanzu CLI. The bundle also includes vendir, a Kubernetes directory structure tool, that is not currently required by end users, but is provided for convenience.

Locate the Carvel Tools

1. Navigate to the location on your bootstrap environment machine where you unpacked the Tanzu CLI bundle tar file for your OS.

   For example, the tanzu folder, that you created in the previous procedure.

2. Open the cli folder.

   cd cli
   

Install ytt

ytt is a command-line tool for templating and patching YAML files. You can also use ytt to collect fragments and piles of YAML into modular chunks for easy re-use. Tanzu Kubernetes Grid uses ytt to support overlay-based customization for clusters and cluster plans. You might need ytt to use customization overlays.

Install kapp

kapp is the applications deployment CLI for Kubernetes. It allows you to install, upgrade, and delete multiple Kubernetes resources as one application.

Install kbld

kbld is an image-building and resolution tool.

Install imgpkg

imgpkg is a tool that enables Kubernetes to store configurations and the associated container images as OCI images, and to transfer these images. imgpkg is required for deploying Tanzu Kubernetes Grid in Internet-restricted environments and when building your own machine images. It is also required when configuring the Harbor package.

What to Do Next

Before you can use the Tanzu CLI, kubectl, and Carvel tools to deploy workload clusters and service packages to Tanzu Kubernetes Grid, Connect the Tanzu CLI to the Supervisor as described below.

Connect the Tanzu CLI to the Supervisor

To register the Supervisor with the Tanzu CLI and then log in to the Supervisor, do the following. You need to register the Supervisor with the Tanzu CLI only once. After the Supervisor is registered, you can skip to the tanzu login step.

1. Obtain the IP address of the Supervisor from vCenter:

   1. In the Hosts and Clusters view, select the datacenter that hosts the Supervisor.
   2. Under Namespaces, select the namespace containing or adjacent to the three SupervisorControlPlaneVM instances.
   3. In the main pane, under Summary > Status > Link to CLI Tools, click Copy link and record the URL, for example https://192.168.123.3.

2. No IDP: If you are not using an external identity provider:

   1. (Optional) Install and configure the kubectl vsphere plugin with a trusted certificate as described in Configure Secure Login for vSphere with Tanzu Clusters.

   2. Run kubectl vsphere login to log in to vSphere. For more information about this step, see Connect to Supervisor as a vCenter Single Sign-On User with Kubectl.

      kubectl vsphere login --vsphere-username VSPHERE-USERNAME --server=SUPERVISOR-IP
      

      Where VSPHERE-USERNAME is your vCenter single sign-on (SSO) account username, for example administrator@vsphere.local, and SUPERVISOR-IP is the Supervisor IP address obtained above.

      If you did not configure the kubectl vsphere plugin with a trusted certificate, you can log in insecurely by appending --insecure-skip-tls-verify=true to the command above.

      Caution

      Only use insecure login in a development environment.

   3. Enter the password that you use to log in to vCenter.

      When you successfully log in, the kubectl vsphere login command:

      • Creates or modifies your local kubeconfig file to add a token that authenticates with the Kubernetes API
      • Lists all of the Kubernetes contexts to which you have access. This list should include the Supervisor IP address.

   4. Set the context of kubectl to the Supervisor.

      kubectl config use-context SUPERVISOR-IP
      

      Where SUPERVISOR-IP is the context of the Supervisor; see Get and Use the Supervisor Context in vSphere with Tanzu Services and Workloads.

3. Collect information to run the tanzu login command, which connects to the Supervisor:

   • Decide on a name for the tanzu CLI to use for the Supervisor.
   • The path to the local kubeconfig file, which defaults to ~/.kube/config and is set by the KUBECONFIG environment variable.

4. Run the tanzu login command, passing in the values above, for example:

   No IDP:

   tanzu login --name my-supervisor --kubeconfig ~/.kube/config --context 192.168.123.3
   

   After logging in, the CLI downloads the plugins that are specific to Supervisor.

   ???  successfully logged in to management cluster using the kubeconfig my-supervisor
   Checking for required plugins...
   Installing plugin 'cluster:v0.25' with target 'kubernetes'
   Installing plugin 'feature:v0.25' with target 'kubernetes'
   Installing plugin 'kubernetes-release:v0.25' with target 'kubernetes'
   Installing plugin 'namespaces:v1.0.0' with target 'kubernetes'
   Successfully installed all required plugins
   

   With an IDP:

   tanzu login --endpoint https://10.73.27.32 --name oidc-user
   

   Detected a vSphere Supervisor being used
   Log in by visiting this link:
   ...
   https://10.27.62.33/wcp/pinniped/oauth2/authorize?..
   ...
   Optionally, paste your authorization code: G2TcS145Q4e6A1YKf743n3BJlfQAQ_UdjXy38TtEEIo.ju4QV3PTsUvOigVUtQllZ7AJFU0YnjuLHTRVoNxvdZc
   ...
   ??? successfully logged in to management cluster using the kubeconfig oidc-user
   Checking for required plugins...
   All required plugins are already installed and up-to-date
   

   In the example above, https://10.73.27.32 is the Supervisor control plane IP address. For more information about this step, see Connect to Supervisor Using the Tanzu CLI and an External IDP.

5. Check that the Supervisor was added by running tanzu config server list, for example:

   tanzu config server list
   

   NAME           TYPE               ENDPOINT                   PATH                       CONTEXT
   my-supervisor  managementcluster  https://192.168.123.3:443  /home/vmware/.kube/config  192.168.123.3
   

   tanzu login should now list the Supervisor by the name that you provided:

   tanzu login
   

   ? Select a server  [Use arrows to move, type to filter]
   > my-supervisor  ()
    + new server
   

6. Run tanzu plugin list to see the list of Supervisor specific plugins as well as the core CLI plugins.

   tanzu plugin list
   

   Standalone Plugins
     NAME                DESCRIPTION                                                        TARGET      DISCOVERY  VERSION   STATUS
     isolated-cluster    isolated-cluster operations                                                    default    v0.29.0   installed
     login               Login to the platform                                                          default    v0.29.0   installed
     pinniped-auth       Pinniped authentication operations (usually not directly invoked)              default    v0.29.0   installed
     management-cluster  Kubernetes management-cluster operations                           kubernetes  default    v0.29.0   installed
     package             Tanzu package management                                           kubernetes  default    v0.29.0   installed
     secret              Tanzu secret management                                            kubernetes  default    v0.29.0   installed
     telemetry           Configure cluster-wide telemetry settings                          kubernetes  default    v0.29.0   installed
   
   Plugins from Context:  my-supervisor
     NAME                DESCRIPTION                                                TARGET      VERSION  STATUS
     cluster             Kubernetes cluster operations                              kubernetes  v0.25.0  installed
     feature             Operate on features and featuregates                       kubernetes  v0.25.0  installed
     kubernetes-release  Kubernetes release operations                              kubernetes  v0.25.0  installed
     namespaces          Discover vSphere Supervisor namespaces you have access to  kubernetes  v1.0.0   installed
   

   Note

   In the example above, the standalone plug-ins, for example login and pinniped-auth, that were installed when you installed the Tanzu CLI, are at version v0.29.0. The plugins from the Supervisor context, that were installed when you connected the Tanzu CLI to the Supervisor, for example cluster or kubernetes-release, are at v0.25.0. This is because the Supervisor in vSphere with Tanzu is running TKG 2.0 rather than TKG 2.2. However, the v0.25.0 plugins are fully compatible with and supported by v0.29.0 of the Tanzu CLI and the standalone plugins.

7. (Optional) Proceed to Creating Workload Clusters.