You can configure the Tanzu Kubernetes Grid Service instance with global settings for key features, including the container network interface (CNI), a proxy server, and trust certificates.
TkgServiceConfiguration Specification
The TkgServiceConfiguration specification provides fields for configuring the Tanzu Kubernetes Grid Service instance.

```yaml
apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  name: tkg-service-configuration-example
spec:
  defaultCNI: antrea (default) or calico
  proxy:
    httpProxy: http://<user>:<pwd>@<ip>:<port>
    httpsProxy: http://<user>:<pwd>@<ip>:<port>
    noProxy: [POD-CIDRs, EGRESS-CIDRs, INGRESS-CIDRs]
  trust:
    additionalTrustedCAs:
      - name: first-cert-name
        data: base64-encoded string of a PEM encoded public cert 1
      - name: second-cert-name
        data: base64-encoded string of a PEM encoded public cert 2
```
TkgServiceConfiguration Parameters
The table lists and describes each of the specification fields.
Field | Value | Description
---|---|---
defaultCNI | antrea | Default CNI for clusters to use. The other supported option is calico.
proxy | Section marker for proxy parameters. | The proxy parameters are httpProxy, httpsProxy, and noProxy. All parameters are required. If any proxy parameter is missing, you cannot create Tanzu Kubernetes clusters.
httpProxy | URI in the form http://<user>:<pwd>@<ip>:<port> | Does not allow the https protocol. If https is used, you cannot create Tanzu Kubernetes clusters.
httpsProxy | URI in the form http://<user>:<pwd>@<ip>:<port> | Does not allow the https protocol. If https is used, you cannot create Tanzu Kubernetes clusters.
noProxy | Array of IP addresses and CIDR blocks that cannot be proxied. | You must include from the Workload Network the Pod CIDRs, Ingress CIDRs, and Egress CIDRs. Both localhost and 127.0.0.1 are automatically not proxied, so you don't need to add them.
trust | Section marker for trust parameters. | Accepts no data.
additionalTrustedCAs | Accepts an array of certificates with name and data for each. | Accepts no data.
name | String | The name of the TLS certificate.
data | String | The base64-encoded string of a PEM encoded public certificate.
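The rules in the table above are easy to get wrong in a hand-edited spec, and a mistake blocks cluster creation for every cluster the service provisions. The following is an added example, not VMware's own tooling or API: a small pre-apply validator that encodes those rules (all three proxy parameters required, no https scheme in httpProxy/httpsProxy, noProxy must be an array covering the Workload Network Pod, Ingress and Egress CIDRs, and each additionalTrustedCAs entry must carry a string name and base64 of a PEM certificate). It takes the spec as an already-parsed YAML document (a dict) so it needs no YAML library; the CIDR values, proxy address and PEM text are constructed placeholders, and the helper name encode_pem_for_trust is this example's own.

```python
"""Pre-apply checks for a TkgServiceConfiguration spec (example code, not VMware's).

The spec is passed as the parsed YAML (a plain dict). Sample values below are
constructed for the example and do not describe a real environment.
"""
import base64
import ipaddress
from urllib.parse import urlsplit

REQUIRED_PROXY_KEYS = ("httpProxy", "httpsProxy", "noProxy")
SUPPORTED_CNIS = ("antrea", "calico")


def check_proxy_uri(field, value, errors):
    """httpProxy/httpsProxy must be http://<user>:<pwd>@<ip>:<port>; https is rejected."""
    parts = urlsplit(str(value))
    if parts.scheme != "http":
        errors.append(f"{field}: scheme must be http (got {parts.scheme!r})")
    try:
        host, port = parts.hostname, parts.port
    except ValueError:  # a non-numeric port such as the literal <port>
        host, port = None, None
    if not host or port is None:
        errors.append(f"{field}: expected http://<user>:<pwd>@<ip>:<port>")


def check_no_proxy(values, workload_cidrs, errors):
    """noProxy must be a list of IPs/CIDRs and cover the Pod, Ingress and Egress CIDRs."""
    if not isinstance(values, list):
        errors.append("noProxy: must be an array of IP addresses and CIDR blocks")
        return
    parsed = []
    for v in values:
        try:
            parsed.append(ipaddress.ip_network(str(v), strict=False))
        except ValueError:
            errors.append(f"noProxy: {v!r} is not an IP address or CIDR block")
    for label, cidr in workload_cidrs.items():
        net = ipaddress.ip_network(cidr)
        if not any(net.subnet_of(p) for p in parsed if p.version == net.version):
            errors.append(f"noProxy: missing {label} CIDR {cidr} from the Workload Network")


def check_trusted_ca(entry, errors):
    """Each additionalTrustedCAs entry needs a string name and base64 of a PEM certificate."""
    name = entry.get("name")
    if not isinstance(name, str) or not name:
        errors.append("additionalTrustedCAs: each entry needs a string name")
        name = "<unnamed>"
    try:
        pem = base64.b64decode(entry.get("data", ""), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        errors.append(f"additionalTrustedCAs[{name}]: data is not valid base64")
        return
    if "-----BEGIN CERTIFICATE-----" not in pem or "-----END CERTIFICATE-----" not in pem:
        errors.append(f"additionalTrustedCAs[{name}]: decoded data is not a PEM certificate")


def validate(config, workload_cidrs):
    """Return a list of problems; an empty list means the spec satisfies the table's rules."""
    errors = []
    if config.get("kind") != "TkgServiceConfiguration":
        errors.append("kind must be TkgServiceConfiguration")
    spec = config.get("spec", {})
    cni = spec.get("defaultCNI", "antrea")  # antrea is the default CNI
    if cni not in SUPPORTED_CNIS:
        errors.append(f"defaultCNI: {cni!r} is not one of {SUPPORTED_CNIS}")
    proxy = spec.get("proxy")
    if proxy is not None:
        missing = [k for k in REQUIRED_PROXY_KEYS if k not in proxy]
        if missing:
            errors.append(f"proxy: all parameters are required; missing {missing}")
        for k in ("httpProxy", "httpsProxy"):
            if k in proxy:
                check_proxy_uri(k, proxy[k], errors)
        if "noProxy" in proxy:
            check_no_proxy(proxy["noProxy"], workload_cidrs, errors)
    trust = spec.get("trust")
    if trust is not None:
        cas = trust.get("additionalTrustedCAs", [])
        if not isinstance(cas, list):
            errors.append("additionalTrustedCAs: must be an array")
        else:
            for entry in cas:
                check_trusted_ca(entry, errors)
    return errors


def encode_pem_for_trust(pem_text):
    """Produce the base64 string that goes into additionalTrustedCAs[].data."""
    return base64.b64encode(pem_text.encode("ascii")).decode("ascii")


# Constructed sample values for the example (not a real environment or certificate).
WORKLOAD_CIDRS = {"pod": "10.244.0.0/20", "ingress": "10.10.10.0/24", "egress": "10.10.20.0/24"}
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"

GOOD_CONFIG = {
    "apiVersion": "run.tanzu.vmware.com/v1alpha1",
    "kind": "TkgServiceConfiguration",
    "metadata": {"name": "tkg-service-configuration-example"},
    "spec": {
        "defaultCNI": "antrea",
        "proxy": {
            "httpProxy": "http://user:pwd@10.0.0.5:3128",
            "httpsProxy": "http://user:pwd@10.0.0.5:3128",
            "noProxy": ["10.244.0.0/20", "10.10.10.0/24", "10.10.20.0/24"],
        },
        "trust": {"additionalTrustedCAs": [{"name": "registry-ca", "data": encode_pem_for_trust(SAMPLE_PEM)}]},
    },
}

# The same spec with three mistakes the table warns about: noProxy omitted,
# an https scheme in httpsProxy, and trust data that is not base64.
BAD_CONFIG = {
    "apiVersion": "run.tanzu.vmware.com/v1alpha1",
    "kind": "TkgServiceConfiguration",
    "metadata": {"name": "tkg-service-configuration-example"},
    "spec": {
        "defaultCNI": "calico",
        "proxy": {"httpProxy": "http://user:pwd@10.0.0.5:3128", "httpsProxy": "https://user:pwd@10.0.0.5:3128"},
        "trust": {"additionalTrustedCAs": [{"name": "registry-ca", "data": "not base64!"}]},
    },
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate(cfg, WORKLOAD_CIDRS) or "ok")
```

Running the validator before applying the spec turns the "cannot create Tanzu Kubernetes clusters" failure mode into a local error list; the CIDR check deliberately accepts a noProxy entry that is a supernet of a Workload Network CIDR, since that still exempts the range from the proxy.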
Important Considerations When Editing the TkgServiceConfiguration Specification
The TkgServiceConfiguration is a global specification that impacts all Tanzu Kubernetes clusters provisioned by the Tanzu Kubernetes Grid Service instance.

Before editing the TkgServiceConfiguration specification, be aware of the per-cluster alternatives that might satisfy your use case instead of a global configuration.
Setting | Global Option | Per-Cluster Option
---|---|---
Default CNI | Edit the TkgServiceConfiguration spec. See Configure the Default CNI for Tanzu Kubernetes Clusters. | Specify the CNI in the cluster specification. For example, Antrea is the default CNI. To use Calico, specify it in the cluster YAML. See Example YAML for Provisioning a Tanzu Kubernetes Cluster with a Custom Calico Network.
Proxy Server | Edit the TkgServiceConfiguration spec. See Configure the Tanzu Kubernetes Grid Service to Use a Global Proxy Server for Tanzu Kubernetes Clusters. | Include the proxy server configuration parameters in the cluster spec. See Example YAML for Provisioning an Individual Tanzu Kubernetes Cluster with a Proxy Server.
Trust Certificates | Edit the TkgServiceConfiguration spec. There are two use cases: configuring an external container registry (see Using an External Container Registry with Tanzu Kubernetes Clusters) and certificate-based proxy configuration (see Supported Methods for Provisioning Tanzu Kubernetes Clusters with a Proxy Server). | Yes, you can override the globally-set trust settings in the cluster specification.
Before editing the TkgServiceConfiguration specification, be aware of the ramifications of applying the setting at the global level.
Field | Applied | Impact on Existing Clusters If Added/Changed | Per-Cluster Overriding on Cluster Creation | Per-Cluster Overriding on Cluster Update
---|---|---|---|---
defaultCNI | Globally | None | Yes, you can override the global setting on cluster creation | No, you cannot change the CNI for an existing cluster; if you used the globally set default CNI on cluster creation, it cannot be changed
proxy | Globally | None | Yes, you can override the global setting on cluster creation | Yes, with U2+, you can override the global setting on cluster update
trust | Globally | None | Yes, you can override the global setting on cluster creation | Yes, with U2+, you can override the global setting on cluster update