Refer to the examples to customize the Tanzu Kubernetes Grid Service with global configuration settings for the container network interface, proxy server, and TLS certificates.

About Configuring the Tanzu Kubernetes Grid Service

You can customize the Tanzu Kubernetes Grid Service by changing the default CNI, adding a global proxy server, and adding trusted certificates. See Configuration Parameters for the Tanzu Kubernetes Grid Service v1alpha1 API.
Caution: Editing the Tanzu Kubernetes Grid Service specification results in global changes to all clusters provisioned by that service, including new clusters and existing clusters that are upgraded manually or automatically.
Note: The TKG v1alpha1 API is deprecated and should not be used to create new TKG clusters. Use the TKG v1alpha2 API instead. See Provisioning Tanzu Kubernetes Clusters Using the TKGS v1alpha2 API.

Prerequisite: Configure Kubectl Editing

To scale a Tanzu Kubernetes cluster, you update the cluster manifest using the command kubectl edit tanzukubernetescluster/CLUSTER-NAME. The kubectl edit command opens the cluster manifest in the text editor defined by your KUBE_EDITOR or EDITOR environment variable. For instructions on setting up the environment variable, see Specify a Default Text Editor for Kubectl.

When you save the specification changes, kubectl reports that the edits were successfully recorded. To cancel, simply close the editor without saving.

Configure the Default CNI

The Tanzu Kubernetes Grid Service provides a default container network interface (CNI) for Tanzu Kubernetes clusters. The default configuration lets you create clusters without the need to specify the CNI. You can change the default CNI by editing the service specification.

The Tanzu Kubernetes Grid Service supports two CNIs: Antrea and Calico, with Antrea being the default. For more information, see Tanzu Kubernetes Grid Service Cluster Networking.

You can override the default CNI by explicitly specifying the CNI to use. Alternatively, you can change the default CNI by editing the TKG Service controller for CNIs.
  1. Authenticate with the Supervisor Cluster. 
    kubectl vsphere login --server=SVC-IP-ADDRESS --vsphere-username USERNAME
  2. Switch context to the target vSphere Namespace.
    kubectl config use-context tkgs-cluster-ns
  3. List the default CNI.
    kubectl get tkgserviceconfigurations
    Example result: 
    NAME                                 DEFAULT CNI
tkg-service-configuration            antrea
  4. Load for editing the Tanzu Kubernetes Grid Service specification.
    kubectl edit tkgserviceconfigurations tkg-service-configuration

    The system opens the tkg-service-configuration specification in the default text editor defined by your KUBE_EDITOR or EDITOR environment variable.

  5. Edit the spec.defaultCNI value.
    For example, change from: 
    spec:
  defaultCNI: antrea
    Change to: 
    spec:
  defaultCNI: calico
  6. To apply the changes, save the file in the text editor. To cancel, close the editor without saving.

    When you save the change in the text editor, kubectl updates the tkg-service-configuration service specification.

  7. Verify that the default CNI is updated.
    kubectl get tkgserviceconfigurations
    The default CNI is updated. Any cluster provisioned with default network settings uses the default CNI. 
    NAME                                 DEFAULT CNI
tkg-service-configuration            calico

Configure a Global Proxy Server

To enable a global proxy server, add the proxy server parameters to the TkgServiceConfiguration. For a description of the required fields, see Configuration Parameters for the Tanzu Kubernetes Grid Service v1alpha1 API.
  1. Authenticate with the Supervisor Cluster. 
    kubectl vsphere login --server=SVC-IP-ADDRESS --vsphere-username USERNAME
  2. Switch context to the target vSphere Namespace.
    kubectl config use-context tkgs-cluster-ns
  3. Get the current configuration.
    kubectl get tkgserviceconfigurations
    Example result: 
    NAME                        DEFAULT CNI
tkg-service-configuration   antrea
  4. Load for editing the Tanzu Kubernetes Grid Service specification.
    kubectl edit tkgserviceconfigurations tkg-service-configuration

    The system opens the tkg-service-configuration specification in the default text editor defined by your KUBE_EDITOR or EDITOR environment variable.

  5. Add the spec.proxy subsection with each required field, including httpProxy, httpsProxy, and noProxy.
    apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  ...
  name: tkg-service-configuration-example
  resourceVersion: "44170525"
  selfLink: /apis/run.tanzu.vmware.com/v1alpha1/tkgserviceconfigurations/tkg-service-configuration
  uid: 10347195-5f0f-490e-8ae1-a758a724c0bc
spec:
  defaultCNI: antrea
  proxy:
    httpProxy: http://<user>:<pwd>@<ip>:<port>
    httpsProxy: http://<user>:<pwd>@<ip>:<port>
    noProxy: [SVC-POD-CIDRs, SVC-EGRESS-CIDRs, SVC-INGRESS-CIDRs]
  6. Populate each proxy field with the appropriate values. For a description of each field, see Configuration Parameters for the Tanzu Kubernetes Grid Service v1alpha1 API.

    The required values for the noProxy field come from the Workload Network on the Supervisor Cluster. Refer to the picture at the above topic on where to get these values.

    For example: 
    apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  ...
  name: tkg-service-configuration-example
  resourceVersion: "44170525"
  selfLink: /apis/run.tanzu.vmware.com/v1alpha1/tkgserviceconfigurations/tkg-service-configuration
  uid: 10347195-5f0f-490e-8ae1-a758a724c0bc
spec:
  defaultCNI: antrea
  proxy:
    httpProxy: http://user:[email protected]:3128
    httpsProxy: http://user:[email protected]:3128
    noProxy: [10.246.0.0/16,192.168.144.0/20,192.168.128.0/20]
  7. To apply the changes, save the file in the text editor. To cancel, close the editor without saving.

    When you save the changes in the text editor, kubectl updates Tanzu Kubernetes Grid Service with the configuration defined in the tkg-service-configuration service specification.

  8. Verify that the Tanzu Kubernetes Grid Service is updated with the proxy settings.
    kubectl get tkgserviceconfigurations -o yaml
  9. To verify, provision a Tanzu Kubernetes cluster. See Workflow for Provisioning Tanzu Kubernetes Clusters Using the TKGS v1alpha2 API.
    Use the following command to confirm that the cluster is using the proxy. 
    kubectl get tkc CLUSTER-NAME -n NAMESPACE -o yaml

Certificate-Based Proxy Configuration

Using a proxy server to route internet traffic is a hard requirement for some environments. For example, a company in a highly regulated industry such as a financial institution requires all internet traffic go through a corporate proxy.

You can configure the Tanzu Kubernetes Grid Service to provision Tanzu Kubernetes clusters to use a proxy server for outbound HTTP/S traffic. For more information, see Configuration Parameters for the Tanzu Kubernetes Grid Service v1alpha1 API.

As shown in the example, you can add trusted certificates for the proxy server to the TkgServiceConfiguration specification. 
apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  name: tkg-service-configuration-example
spec:
  defaultCNI: antrea
  proxy:
    httpProxy: http://user:[email protected]:3128
    httpsProxy: http://user:[email protected]:3128
    noProxy: [10.246.0.0/16,192.168.144.0/20,192.168.128.0/20]
  trust:
    additionalTrustedCAs:
      - name: first-cert-name
        data: base64-encoded string of a PEM encoded public cert 1
      - name: second-cert-name
        data: base64-encoded string of a PEM encoded public cert 2

External Private Registry Configuration

You can configure the Tanzu Kubernetes Grid Service with custom certificates for connecting Tanzu Kubernetes clusters with an external private registry. For more information, see Use an External Container Registry with Tanzu Kubernetes Clusters. 
 
apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  name: tkg-service-configuration-example
spec:
  defaultCNI: antrea
  trust:
    additionalTrustedCAs:
      - name: harbor-vm-cert
        data: <<<base64-encoded string of a PEM encoded public cert>>>>