The following VMware SaaS services provide additional Kubernetes lifecycle management, observability, and service mesh features. This document outlines the configuration needed to set up the VMware SaaS services for Tanzu for Kubernetes Operations.
Tanzu Mission Control (TMC) is a centralized management platform for consistently operating and securing your Kubernetes infrastructure and modern applications across multiple teams and clouds. It provides operators with a single control point to give developers the independence they need to drive business forward, while enabling consistent management and operations across environments for increased security and governance.
We recommended attaching the shared services and workload clusters to Tanzu Mission Control as it enables you to manage your global portfolio of Kubernetes clusters from a centralized a centralized administrative interface.
If the Tanzu Kubernetes Grid clusters are behind a proxy, import the proxy configuration to Tanzu Mission Control and then attach the cluster using Tanzu Mission Control.
Attaching a workload or shared services cluster involves the following:
Before attaching a Tanzu Kubernetes Grid cluster in Tanzu Mission Control, complete the following:
Registering a Tanzu Kubernetes Grid management cluster in Tanzu Mission Control is not supported. However, you can register Tanzu Kubernetes Grid workload clusters for life-cycle management.
In the left navigation pane of the Tanzu Mission Control console, click Clusters > Attach Cluster.
Enter a name for the cluster and select the cluster group in which you want to register the cluster. Optionally, provide a description and one or more labels.
Click Next.
(Optional) Select a proxy configuration for the cluster.
Click to toggle the Set proxy for this cluster option to Yes.
Note: For instructions on the proxy configuration, see Appendix A.
Select the proxy configuration you defined for this cluster.
Click Next.
Tanzu Mission Control generates a YAML manifest specifically for your cluster, and displays the kubectl/tmc command to run the manifest.
Copy the provided command, switch to the bootstrap machine or any other machine which has kubectl/tmc installed and has connectivity to the cluster, and then run the command.
If you attach using a proxy configuration, make sure you have the latest version of the Tanzu Mission Control CLI (tmc) installed, and then run the tmc command, replacing &<kubeconfig>
with the appropriate kubeconfig
for the cluster.
To obtain admin kubeconfig
of a cluster, execute the following command on the bootstrap machine:
tanzu cluster kubeconfig get <cluster-name> --admin --export-file <file-name.yaml>
If you attach without a proxy configuration, connect to the cluster with kubectl
, and then run the kubectl
command.
After the command is applied, wait for all pods to initialize in the namespace vmware-system-tmc
. To monitor the pods status, use the following command:
kubectl get pods -n vmware-system-tmc
In Tanzu Mission Control console, click Verify Connection. You will see the success message.
Click View your Cluster to see the cluster details.
Do the following steps to create a proxy configuration object in Tanzu Mission Control.
Tanzu Observability (TO) delivers full-stack observability across containerized cloud applications, Kubernetes health, and cloud infrastructure. The solution is consumed through a software-as-a-Service (SaaS) subscription model managed by VMware. This SaaS model allows the solution to scale to meet your metrics requirements without the need to maintain the solution itself.
This setup for monitoring Tanzu Kubernetes Grid clusters with Tanzu Observability is done on Tanzu Mission Control. Tanzu Mission Control provides a common management layer across Kubernetes clusters to configure multiple policies. Tanzu Mission Control also enables the integration of the Kubernetes clusters with other SaaS solutions Tanzu Service Mesh.
Before doing the setup, ensure the following:
To integrate Tanzu Observability on a cluster attached to Tanzu Mission Control, do the following:
Create a service account in Tanzu Observability (TO) to enable communication between Tanzu Observability and Tanzu Mission Control.
Enable Tanzu Observability in Tanzu Mission Control.
Enter the following and click Create:
On the Tanzu Mission Control console, click Clusters on the left navigation pane.
Select the Tanzu Observability credentials and click Confirm.
The Tanzu Mission Control adapter for Tanzu Observability appears in an unhealthy state for a few minutes because the required objects are being created on the cluster.
On the target cluster, you will see a new namespace, tanzu-observability-saas
and the required objects being created.
Click on the Tanzu Observability link provided in Tanzu Mission Control or Log in to your Tanzu Observability instance (<instance_name>.wavefront.com) to ensure that the metrics are being collected in Tanzu Observability.
VMware Tanzu Service Mesh (TSM) is an enterprise-class service mesh solution that provides consistent control and security for microservices, end-users, and data across all your clusters and clouds in the most demanding multi-cluster and multi-cloud environments.
You can onboard Tanzu Service Mesh with or without Tanzu Mission Control.
Do the following to onboard a cluster to Tanzu Service Mesh without Tanzu Mission Control integration.
Login to Tanzu Mission Control via VMware Cloud Services page.
In the upper-left corner of the Tanzu Service Mesh console, click Add New and then Onboard New Cluster to open the Onboard Clusters panel.
Note: If you’re onboarding your first cluster to Tanzu Service Mesh, the Onboard Clusters panel appears automatically when you log in to Tanzu Service Mesh console.
In the Onboard Clusters panel, enter a name for the cluster that you want to onboard.
If the cluster that’s being onboarded has to connect to Tanzu Service Mesh through a proxy server, select the Configure a proxy to connect this cluster check box and provide the required proxy details and pass the certificate of the proxy server.
Note: If your proxy server uses a globally trusted certificate, you don’t need to provide the proxy configuration in Tanzu Service Mesh. Deselect the Configure a proxy to connect this cluster check box.
This article does not make use of proxy settings for demonstration purposes.
Click Generate Security Token to generate a security token. You are provided two kubectl
commands:
operator-deployment.yaml
file to create the required Tanzu Service Mesh objects, such as Namespace, Service Account, RoleBinding, deployments, and secret on the target clusterThe second one creates the required secret named generic
under the namespace vmware-system-tsm
Connect to the target Tanzu Kubernetes Cluster and execute the commands obtained from previous step. A new namespace vmware-system-tsm
is created on the target cluster.
# kubectl get pods -n vmware-system-tsm
NAME READY STATUS RESTARTS AGE
allspark-ws-proxy-6d58bb4665-5q998 1/1 Running 1 24m
installer-job-7jjqr 0/1 Completed 0 22m
k8s-cluster-manager-7b446cd99b-v2jk8 1/1 Running 1 24m
operator-ecr-read-only--renew-token-6nd5f 0/1 Completed 0 25m
telegraf-istio-75b8547675-nmzkr 1/1 Running 0 15m
tsm-agent-operator-548f8997c9-5l67z 1/1 Running 0 25m
After all the required objects are created on the cluster, the Tanzu Service Mesh console prompts you to Install Tanzu Service Mesh on the cluster. For this deployment, Tanzu Service Mesh is installed on all namespaces.
Note:
When the installation is complete, Successfully Onboarded appears next to the cluster name.
The Tanzu Service Mesh console displays information about the infrastructure of the onboarded cluster and any microservices deployed on the cluster. Tanzu Service Mesh also starts monitoring and collecting infrastructure and service metrics, such as the number of nodes and services, requests per second, latency, and CPU usage, from the cluster. The Home page of the Tanzu Service Mesh console provides summary information about the cluster’s infrastructure, a topology view of the services in the cluster, and key metrics.
If you have a multi-cluster or hybrid-cloud application, you can connect, secure, and manage the services in the application across the clusters with a global namespace. For more information, see Connect Services with a Global Namespace.
Do the following to onboard a Tanzu Kubernetes Cluster to Tanzu Service Mesh using Tanzu Mission Control:
Click on the Target Cluster name, under integration click on Add Integrations, and select Tanzu Service Mesh.
Note: You don’t need to provide proxy configuration settings for clusters managed by Tanzu Mission Control in Tanzu Service Mesh. If you attached a cluster that is running behind a proxy server to Tanzu Mission Control and enabled Tanzu Service Mesh on that cluster, Tanzu Mission Control automatically forwards the proxy configuration to Tanzu Service Mesh. The Tanzu Service Mesh agent on the cluster uses the proxy configuration to connect the cluster to Tanzu Service Mesh through the proxy server.
In Add Tanzu Service Mesh integration you can choose to install Tanzu Service mesh on all namespaces or exclude specific namespaces.
In this deployment, Tanzu Service Mesh is installed on all namespaces.
Note:
To install Tanzu Service Mesh in all the namespaces, select “Enable Tanzu Service Mesh on all Namespaces”. The system namespaces on the cluster, such as kube-system, kube-public, and istio-system, are excluded from Tanzu Service Mesh by default.
To exclude a specific namespace from Tanzu Service Mesh, choose Exclude Namespaces, select “Is Exactly” from the left drop-down menu under Exclude Namespaces, and then enter or select the name of the namespace from the right drop-down menu.
You can also specify the name of a namespace that you plan to create in the cluster at some point in the future.
Click Confirm. The Tanzu Mission Control adapter for Tanzu Observability appears in an unhealthy state for a few minutes because the required objects are being created on the cluster.
On the target cluster, you will see a new namespace vmware-system-tsm
and required objects being created.
To view the status of the Tanzu Service Mesh installation, log in to the Tanzu Service Mesh portal.
After all the required objects and dependencies are created, the Tanzu Service Mesh integration status for the cluster in Tanzu Mission Control console changes to healthy.
In the Tanzu Service Mesh console, go to Cluster Overview to validate the status of the cluster onboarding.
If you have a multi-cluster or hybrid-cloud application, you can connect, secure, and manage the services in the application across the clusters with a global namespace. For more information, see Connect Services with a Global Namespace.