VMware SaaS services for Tanzu for Kubernetes Operations (informally known as TKO) provide additional Kubernetes lifecycle management, observability, and service mesh features. This document outlines the configuration needed to set up the following VMware SaaS services.
Tanzu Mission Control (TMC) is a centralized management platform for operating and securing your Kubernetes infrastructure and modern applications across multiple teams and clouds.
You can manage your global portfolio of Kubernetes clusters from a centralized administrative interface by performing the following Tanzu Mission Control operations:
* Registering Tanzu Kubernetes Grid management cluster
* Attaching the shared services and workload clusters
Note: If the Tanzu Kubernetes Grid clusters are behind a proxy server, you’ll need to import the proxy configuration object to Tanzu Mission Control before attaching the cluster.
Managing Tanzu Kubernetes Clusters lifecycle from Tanzu Mission Control involves the following:
Before managing Tanzu Kubernetes Grid clusters lifecycle from Tanzu Mission Control, complete the following:
After deploying your management cluster through the Tanzu Kubernetes Grid installer interface or the Tanzu CLI, follow these instructions in Tanzu Mission Control.
Log in to Tanzu Mission Control from VMware Cloud Services.
In the left navigation pane of the Tanzu Mission Control console, click Administration > Management clusters > Register Management Cluster and select Tanzu Kubernetes Grid.
Enter a name for the cluster and select the cluster group in which you want to register the cluster. Optionally, provide a description and one or more labels.
(Optional) If you are using a proxy to connect to the internet, configure the proxy settings by toggling the Set proxy option to Yes; otherwise, leave it disabled.
For information on registering a cluster that is behind a proxy with Tanzu Mission Control, see Create a Proxy Configuration Object in Tanzu Mission Control.
On the Register page, Tanzu Mission Control generates a URL and a YAML file that defines how the management cluster connects to Tanzu Mission Control for registration. The credential provided in the YAML expires after 48 hours.
Copy the provided command, switch to the bootstrap machine or any other machine which has kubectl/tmc installed and has connectivity to the management cluster, and then run the command.
To obtain the admin kubeconfig of a cluster, execute the following command on the bootstrap machine:
tanzu cluster kubeconfig get <cluster-name> -n <namespace> --admin
Example:
tanzu cluster kubeconfig get tkg-mgmt -n tkg-system --admin
Credentials of cluster 'tkg-mgmt' have been saved
You can now access the cluster by running 'kubectl config use-context tkg-mgmt-admin@tkg-mgmt'
Switch to the management cluster context
kubectl config use-context tkg-mgmt-admin@tkg-mgmt
Register the management cluster with Tanzu Mission Control
kubectl apply -f "<TMC-Generated-URL>"
This command creates the namespace vmware-system-tmc and installs a set of cluster agent extensions, custom resource definitions, role bindings, services, deployments, and related objects into your cluster, which enable the cluster to communicate with Tanzu Mission Control.
After the command is applied, wait for all pods to initialize in the namespace vmware-system-tmc. To monitor the pod status, use the following command:
kubectl get pods -n vmware-system-tmc
In Tanzu Mission Control console, click View Management Cluster.
Click the Verify Connection button to validate that the connection between the workload cluster and the Tanzu Mission Control portal has been established.
After the connection is verified, the management cluster details page is displayed. It might take a few minutes for Tanzu Mission Control to start receiving health information from the management cluster.
(Optional) After you successfully register a management cluster, you can add any of the existing Tanzu Kubernetes Grid clusters that it manages to Tanzu Mission Control.
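The registration step above applies a generated manifest using an admin kubeconfig, so it helps to know what that manifest creates before it is applied. The following is an added example, not VMware's code or part of the original page: it summarizes a manifest that has been saved to a local file and lists objects landing outside vmware-system-tmc as well as cluster-scoped RBAC objects. The function names and the sample manifest are constructed for illustration, and the parser assumes block-style YAML with two-space indentation.

```shell
# Added example (not VMware code): list what a saved manifest would create.
# Prints "<kind> <namespace or -> <name>" for each YAML document in file $1.
summarize_manifest() {
  awk '
    function flush() {
      if (kind != "") print kind, (ns == "" ? "-" : ns), name
      kind = ""; ns = ""; name = ""; in_meta = 0
    }
    /^---/                     { flush(); next }
    /^kind:/                   { kind = $2 }
    /^[^ #]/                   { in_meta = ($1 == "metadata:") }
    in_meta && /^  name:/      { name = $2 }
    in_meta && /^  namespace:/ { ns = $2 }
    END                        { flush() }
  ' "$1"
}

# Namespaced objects that land outside the expected namespace ($2).
unexpected_namespaces() {
  summarize_manifest "$1" | awk -v want="$2" '$2 != "-" && $2 != want'
}

# Cluster-scoped RBAC objects, which deserve a manual read before applying.
cluster_wide_grants() {
  summarize_manifest "$1" | awk '$1 == "ClusterRole" || $1 == "ClusterRoleBinding"'
}

# Constructed sample standing in for a saved manifest (not real TMC output).
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
kind: Namespace
metadata:
  name: vmware-system-tmc
---
kind: Deployment
metadata:
  name: sample-agent
  namespace: vmware-system-tmc
---
kind: ClusterRoleBinding
metadata:
  name: sample-agent-binding
---
kind: ConfigMap
metadata:
  name: sample-config
  namespace: kube-system
EOF

unexpected_namespaces "$SAMPLE" vmware-system-tmc   # review before kubectl apply
cluster_wide_grants "$SAMPLE"
```

After review, apply the same saved file with kubectl apply -f <file> so that what was reviewed is what gets installed.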
You can register Tanzu Kubernetes Grid workload clusters for lifecycle management. Follow these steps to attach a workload cluster:
Log in to Tanzu Mission Control from VMware Cloud Services.
In the left navigation pane of the Tanzu Mission Control console, click Clusters > Attach Cluster.
Enter a name for the cluster and select the cluster group in which you want to register the cluster. Optionally, provide a description and one or more labels.
Click Next.
(Conditionally required) Select a proxy configuration object for the cluster. You’ll need to communicate through a proxy configuration object if the clusters are behind a proxy server.
Note: For instructions on configuring the proxy, see Create a Proxy Configuration Object in Tanzu Mission Control.
This document does not use a proxy for workload clusters.
Click to toggle the Set proxy for this cluster option to No.
Click Next.
Tanzu Mission Control generates a YAML manifest specifically for your cluster and displays the kubectl/tmc command to run the manifest.
Copy the provided command, switch to the bootstrap machine or any other machine that has kubectl/tmc installed and has connectivity to the cluster, and then run the command.
If you attach using a proxy configuration object, make sure you have the latest version of the Tanzu Mission Control CLI (tmc) installed. Then run the tmc command, replacing <kubeconfig> with the appropriate kubeconfig for the cluster.
To obtain the admin kubeconfig of a cluster, execute the following command on the bootstrap machine:
tanzu cluster kubeconfig get <cluster-name> --admin --export-file <file-name.yaml>
After executing the command, wait for all pods to initialize in the namespace vmware-system-tmc. To monitor the status of the pods, run the following command:
kubectl get pods -n vmware-system-tmc
In the Tanzu Mission Control console, click Verify Connection. You’ll see a message confirming that the cluster was connected successfully.
Click View your Cluster to see the cluster details.
If your Kubernetes clusters are behind a proxy server, you’ll need a proxy configuration object to communicate with them. To create a proxy configuration object in Tanzu Mission Control, follow these steps:
Tanzu Observability (TO) delivers full-stack observability across containerized cloud applications, Kubernetes health, and cloud infrastructure through a Software-as-a-Service (SaaS) subscription model managed by VMware. The SaaS delivery model allows the solution to scale to meet your metrics requirements without the need to maintain the solution itself.
Setting up Tanzu Observability to monitor Tanzu Kubernetes Grid clusters is done through Tanzu Mission Control. Tanzu Mission Control provides a common management layer across Kubernetes clusters to configure multiple policies and make it possible to integrate the Kubernetes clusters with other SaaS solutions such as Tanzu Service Mesh.
Before setting up Tanzu Observability, ensure that:
To integrate Tanzu Observability on a cluster attached to Tanzu Mission Control, do the following:
Create a service account in Tanzu Observability (TO) to enable communication between Tanzu Observability and Tanzu Mission Control.
Enable Tanzu Observability in Tanzu Mission Control.
Enter the following and click Create:
On the Tanzu Mission Control console, click Clusters on the left navigation pane.
Click the cluster you want to add to Tanzu Observability.
On the cluster page, click Add Integration, and select Tanzu Observability.
Select the Tanzu Observability credentials and click Confirm.
The Tanzu Mission Control adapter for Tanzu Observability appears in an unhealthy state for a few minutes while the required objects are being created on the cluster.
On the target cluster, you will see a new namespace, tanzu-observability-saas, and the required objects being created.
Wait for all the pods to successfully initialize.
After all the pods are initialized, the Tanzu Mission Control adapter in the Tanzu Mission Control console appears in a healthy state.
This confirms that the integration is completed and the cluster can be monitored with Tanzu Observability.
Click the Tanzu Observability link provided in Tanzu Mission Control or log in to your Tanzu Observability instance (<instance_name>.wavefront.com) to ensure that the metrics are being collected in Tanzu Observability.
Tanzu Observability provides various out-of-the-box dashboards. You can customize the dashboards for your particular deployment. For information on how to customize Tanzu Observability dashboards for Tanzu for Kubernetes Operations, see Customize Tanzu Observability Dashboard for Tanzu for Kubernetes Operations.
VMware Tanzu Service Mesh (TSM) is an enterprise-class service mesh solution that provides consistent control and security for microservices, end-users, and data across all your clusters and clouds in multi-cluster and multi-cloud environments.
You can onboard Tanzu Service Mesh with or without Tanzu Mission Control.
If you are installing user-managed packages, install them before onboarding your cluster in Tanzu Service Mesh, or there may be issues with reconciling. Make sure to exclude the namespaces where you will be installing user-managed packages and any other namespaces where you don’t need Istio injection by Tanzu Service Mesh.
Do the following to onboard a Tanzu Kubernetes Cluster to Tanzu Service Mesh using Tanzu Mission Control:
Click the target cluster name, and under Integrations, click Add Integrations and select Tanzu Service Mesh.
Note: You don’t need to provide proxy configuration settings for clusters managed by Tanzu Mission Control in Tanzu Service Mesh. If you attached a cluster that is running behind a proxy server to Tanzu Mission Control and enabled Tanzu Service Mesh on that cluster, Tanzu Mission Control automatically forwards the proxy configuration to Tanzu Service Mesh. The Tanzu Service Mesh agent on the cluster uses the proxy configuration to connect the cluster to Tanzu Service Mesh through the proxy server.
In Add Tanzu Service Mesh integration, you can choose to install Tanzu Service Mesh on all namespaces or exclude specific namespaces.
Note:
- To install Tanzu Service Mesh in all the namespaces, select Enable Tanzu Service Mesh on all Namespaces. The system namespaces on the cluster, such as kube-system, kube-public, and istio-system, are excluded from Tanzu Service Mesh by default.
- To exclude a specific namespace from Tanzu Service Mesh, choose Exclude Namespaces, select “Is Exactly” from the left drop-down menu under Exclude Namespaces, and then enter or select the name of the namespace from the right drop-down menu.
- You can also specify the name of a namespace that you plan to create in the cluster at some point in the future.
Click Confirm.
In the Tanzu Service Mesh console, go to Cluster Overview to validate the status of the cluster onboarding.
The Tanzu Service Mesh console displays information about the infrastructure of the onboarded cluster and any microservices deployed on the cluster. Tanzu Service Mesh also starts monitoring and collecting infrastructure and service metrics, such as the number of nodes and services, requests per second, latency, and CPU usage, from the cluster. The Home page of the Tanzu Service Mesh console provides summary information about the cluster’s infrastructure, a topology view of the services in the cluster, and key metrics.
If you have a multi-cluster or hybrid-cloud application, you can connect, secure, and manage the services in the application across the clusters with a global namespace. For more information, see Connect Services with a Global Namespace.