You can configure the Tanzu Kubernetes Grid Service instance with global settings for key features, including the container network interface (CNI), a proxy server, and trust certificates.

TkgServiceConfiguration Specification

The TkgServiceConfiguration specification provides fields for configuring the Tanzu Kubernetes Grid Service instance.
apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  name: tkg-service-configuration-example
spec:
  defaultCNI: antrea (default) or calico
  proxy:
    httpProxy: http://<user>:<pwd>@<ip>:<port>
    httpsProxy: http://<user>:<pwd>@<ip>:<port>
    noProxy: [POD-CIDRs, EGRESS-CIDRs, INGRESS-CIDRs]
  trust:
    additionalTrustedCAs:
      - name: first-cert-name
        data: base64-encoded string of a PEM encoded public cert 1
      - name: second-cert-name
        data: base64-encoded string of a PEM encoded public cert 2

TkgServiceConfiguration Parameters

The table lists and describes each of the TkgServiceConfiguration fields.

| Field | Value | Description |
| --- | --- | --- |
| defaultCNI | antrea | Default CNI for clusters to use. The other supported option is calico. |
| proxy | Section marker for proxy parameters | The proxy parameters are httpProxy, httpsProxy, and noProxy. All three are required. If any proxy parameter is missing, you cannot create Tanzu Kubernetes clusters. |
| httpProxy | URI in the form http://<user>:<pwd>@<ip>:<port> | Does not allow the https protocol. If https is used, you cannot create Tanzu Kubernetes clusters. |
| httpsProxy | URI in the form http://<user>:<pwd>@<ip>:<port> | Does not allow the https protocol. If https is used, you cannot create Tanzu Kubernetes clusters. |
| noProxy | Array of IP addresses and CIDR blocks that are excluded from proxying | You must include the Pod CIDRs, Ingress CIDRs, and Egress CIDRs of the Workload Network. Both localhost and 127.0.0.1 are automatically excluded, so you do not need to add them. |
| trust | Section marker for trust parameters | Accepts no data of its own. |
| additionalTrustedCAs | Array of certificates, each with a name and a data field | Accepts no data of its own; the certificates are supplied as array entries. |
| name | String | The name of the TLS certificate. |
| data | String | The base64-encoded string of a PEM-encoded public certificate. |
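The following is an added example, not VMware's code, that encodes the constraints from the table above as pre-apply checks: every proxy field present, httpProxy and httpsProxy using the http scheme only, noProxy holding parseable IPs or CIDR blocks, and each additionalTrustedCAs entry carrying the base64 of a PEM certificate. The proxy credentials, the CIDRs, and the certificate body are constructed sample values, not real ones. The manifest is emitted as JSON, which kubectl accepts because JSON is valid YAML.

```python
"""Pre-apply checks for a TkgServiceConfiguration manifest (added example)."""
import base64
import ipaddress
import json
from urllib.parse import urlsplit

PROXY_FIELDS = ("httpProxy", "httpsProxy", "noProxy")

# Constructed sample values; the CIDRs stand in for the Workload Network's
# Pod, Egress, and Ingress ranges and the credentials are placeholders.
SAMPLE_PROXY = {
    "httpProxy": "http://proxyuser:proxypass@10.10.10.5:3128",
    "httpsProxy": "http://proxyuser:proxypass@10.10.10.5:3128",
    "noProxy": ["10.244.0.0/20", "10.96.0.0/12", "192.168.1.0/24"],
}

# Constructed placeholder PEM; the body is not a real certificate.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderCONSTRUCTEDforTHISexample==\n"
    "-----END CERTIFICATE-----\n"
)


def validate_proxy(proxy):
    """Return a list of problems with the proxy section; empty means it passes."""
    errors = []
    for field in PROXY_FIELDS:
        if field not in proxy:
            errors.append(f"proxy.{field} is required")
    for field in ("httpProxy", "httpsProxy"):
        uri = proxy.get(field)
        if uri is None:
            continue
        parts = urlsplit(uri)
        if parts.scheme != "http":
            errors.append(f"proxy.{field}: scheme must be http, got {parts.scheme!r}")
        try:
            host, port = parts.hostname, parts.port  # .port raises on a non-numeric port
        except ValueError:
            host, port = None, None
        if not host or port is None:
            errors.append(f"proxy.{field}: expected http://<user>:<pwd>@<ip>:<port>")
    no_proxy = proxy.get("noProxy")
    if no_proxy is not None:
        if not isinstance(no_proxy, list) or not no_proxy:
            errors.append("proxy.noProxy must be a non-empty array of IPs/CIDRs")
        else:
            for entry in no_proxy:
                try:
                    ipaddress.ip_network(entry, strict=False)
                except ValueError:
                    errors.append(f"proxy.noProxy: {entry!r} is not an IP or CIDR block")
    return errors


def encode_trusted_ca(name, pem_text):
    """Build one additionalTrustedCAs entry; data is the base64 of the PEM text."""
    if "-----BEGIN CERTIFICATE-----" not in pem_text or "-----END CERTIFICATE-----" not in pem_text:
        raise ValueError(f"{name}: expected a PEM-encoded certificate")
    return {"name": name, "data": base64.b64encode(pem_text.encode()).decode()}


def decode_trusted_ca(entry):
    """Recover the PEM text from an entry, e.g. to verify what was applied."""
    return base64.b64decode(entry["data"]).decode()


def build_config(default_cni, proxy, trusted_cas, name="tkg-service-configuration"):
    """Assemble the full object; raises ValueError on any constraint violation."""
    if default_cni not in ("antrea", "calico"):
        raise ValueError("defaultCNI must be antrea or calico")
    errors = validate_proxy(proxy)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "apiVersion": "run.tanzu.vmware.com/v1alpha1",
        "kind": "TkgServiceConfiguration",
        "metadata": {"name": name},
        "spec": {
            "defaultCNI": default_cni,
            "proxy": proxy,
            "trust": {"additionalTrustedCAs": trusted_cas},
        },
    }


if __name__ == "__main__":
    cas = [encode_trusted_ca("registry-ca", SAMPLE_PEM)]
    print(json.dumps(build_config("antrea", SAMPLE_PROXY, cas), indent=2))
```

Run the script and redirect its output to a file for `kubectl apply -f`; a manifest that fails a check never reaches the Supervisor, which matters because a missing proxy field or an https proxy URI only surfaces later as a failed cluster creation.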

Important Considerations When Editing the TkgServiceConfiguration Specification

The TkgServiceConfiguration is a global specification that impacts all Tanzu Kubernetes clusters provisioned by the Tanzu Kubernetes Grid Service instance.

Before editing the TkgServiceConfiguration specification, be aware of the per-cluster alternatives that might satisfy your use case instead of a global configuration.
Table 1. Per-Cluster Configuration Options

| Setting | Global Option | Per-Cluster Option |
| --- | --- | --- |
| Default CNI | Edit the TkgServiceConfiguration spec. See Configure the Default CNI for Tanzu Kubernetes Clusters. | Specify the CNI in the cluster specification. For example, Antrea is the default CNI; to use Calico, specify it in the cluster YAML. See Example YAML for Provisioning a Tanzu Kubernetes Cluster with a Custom Calico Network. |
| Proxy Server | Edit the TkgServiceConfiguration spec. See Configure the Tanzu Kubernetes Grid Service to Use a Global Proxy Server for Tanzu Kubernetes Clusters. | Include the proxy server configuration parameters in the cluster spec. See Example YAML for Provisioning an Individual Tanzu Kubernetes Cluster with a Proxy Server. |
| Trust Certificates | Edit the TkgServiceConfiguration spec. There are two use cases: configuring an external container registry (see Using an External Container Registry with Tanzu Kubernetes Clusters) and certificate-based proxy configuration (see Supported Methods for Provisioning Tanzu Kubernetes Clusters with a Proxy Server). | Yes, you can override the globally set trust settings in the cluster specification. |

Before editing the TkgServiceConfiguration specification, be aware of the ramifications of applying the setting at the global level.

| Field | Applied | Impact on Existing Clusters If Added/Changed | Per-Cluster Overriding on Cluster Creation | Per-Cluster Overriding on Cluster Update |
| --- | --- | --- | --- | --- |
| defaultCNI | Globally | None | Yes, you can override the global setting on cluster creation | No, you cannot change the CNI for an existing cluster; if you used the globally set default CNI on cluster creation, it cannot be changed |
| proxy | Globally | None | Yes, you can override the global setting on cluster creation | Yes, with U2+, you can override the global setting on cluster update |
| trust | Globally | None | Yes, you can override the global setting on cluster creation | Yes, with U2+, you can override the global setting on cluster update |