Refer to the examples to customize the Tanzu Kubernetes Grid Service with global configuration settings for the container network interface, proxy server, and TLS certificates.
About Configuring the Tanzu Kubernetes Grid Service
Prerequisite: Configure Kubectl Editing
To scale a Tanzu Kubernetes cluster, you update the cluster manifest using the command kubectl edit tanzukubernetescluster/CLUSTER-NAME. The kubectl edit command opens the cluster manifest in the text editor defined by your KUBE_EDITOR or EDITOR environment variable. For instructions on setting up the environment variable, see Specify a Default Text Editor for Kubectl.
When you save the specification changes, kubectl reports that the edits were successfully recorded. To cancel, simply close the editor without saving.
Configure the Default CNI
The Tanzu Kubernetes Grid Service provides a default container network interface (CNI) for Tanzu Kubernetes clusters. The default configuration lets you create clusters without the need to specify the CNI. You can change the default CNI by editing the service specification.
The Tanzu Kubernetes Grid Service supports two CNIs: Antrea and Calico, with Antrea being the default. For more information, see Tanzu Kubernetes Grid Service Cluster Networking.
- Authenticate with the Supervisor Cluster.
  kubectl vsphere login --server=SVC-IP-ADDRESS --vsphere-username USERNAME
- Switch context to the target vSphere Namespace.
  kubectl config use-context tkgs-cluster-ns
- List the default CNI.
  kubectl get tkgserviceconfigurations
  Example result:
  NAME                        DEFAULT CNI
  tkg-service-configuration   antrea
- Load the Tanzu Kubernetes Grid Service specification for editing.
  kubectl edit tkgserviceconfigurations tkg-service-configuration
  The system opens the tkg-service-configuration specification in the default text editor defined by your KUBE_EDITOR or EDITOR environment variable.
- Edit the spec.defaultCNI value. For example, change from:
  spec:
    defaultCNI: antrea
  to:
  spec:
    defaultCNI: calico
- To apply the changes, save the file in the text editor. To cancel, close the editor without saving.
  When you save the change in the text editor, kubectl updates the tkg-service-configuration service specification.
- Verify that the default CNI is updated.
  kubectl get tkgserviceconfigurations
  The default CNI is updated. Any cluster provisioned with default network settings uses the default CNI.
  NAME                        DEFAULT CNI
  tkg-service-configuration   calico
Configure a Global Proxy Server
TkgServiceConfiguration. For a description of the required fields, see Configuration Parameters for the Tanzu Kubernetes Grid Service v1alpha1 API.
- Authenticate with the Supervisor Cluster.
  kubectl vsphere login --server=SVC-IP-ADDRESS --vsphere-username USERNAME
- Switch context to the target vSphere Namespace.
  kubectl config use-context tkgs-cluster-ns
- Get the current configuration.
  kubectl get tkgserviceconfigurations
  Example result:
  NAME                        DEFAULT CNI
  tkg-service-configuration   antrea
- Load the Tanzu Kubernetes Grid Service specification for editing.
  kubectl edit tkgserviceconfigurations tkg-service-configuration
  The system opens the tkg-service-configuration specification in the default text editor defined by your KUBE_EDITOR or EDITOR environment variable.
- Add the spec.proxy subsection with each required field, including httpProxy, httpsProxy, and noProxy.
  apiVersion: run.tanzu.vmware.com/v1alpha1
  kind: TkgServiceConfiguration
  metadata:
    ...
    name: tkg-service-configuration-example
    resourceVersion: "44170525"
    selfLink: /apis/run.tanzu.vmware.com/v1alpha1/tkgserviceconfigurations/tkg-service-configuration
    uid: 10347195-5f0f-490e-8ae1-a758a724c0bc
  spec:
    defaultCNI: antrea
    proxy:
      httpProxy: http://<user>:<pwd>@<ip>:<port>
      httpsProxy: http://<user>:<pwd>@<ip>:<port>
      noProxy: [SVC-POD-CIDRs, SVC-EGRESS-CIDRs, SVC-INGRESS-CIDRs]
- Populate each proxy field with the appropriate values. For a description of each field, see Configuration Parameters for the Tanzu Kubernetes Grid Service v1alpha1 API.
  The required values for the noProxy field come from the Workload Network on the Supervisor Cluster. Refer to the figure in that topic for where to get these values.
  For example:
  apiVersion: run.tanzu.vmware.com/v1alpha1
  kind: TkgServiceConfiguration
  metadata:
    ...
    name: tkg-service-configuration-example
    resourceVersion: "44170525"
    selfLink: /apis/run.tanzu.vmware.com/v1alpha1/tkgserviceconfigurations/tkg-service-configuration
    uid: 10347195-5f0f-490e-8ae1-a758a724c0bc
  spec:
    defaultCNI: antrea
    proxy:
      httpProxy: http://user:<pwd>@<ip>:3128
      httpsProxy: http://user:<pwd>@<ip>:3128
      noProxy: [10.246.0.0/16,192.168.144.0/20,192.168.128.0/20]
- To apply the changes, save the file in the text editor. To cancel, close the editor without saving.
  When you save the changes in the text editor, kubectl updates the Tanzu Kubernetes Grid Service with the configuration defined in the tkg-service-configuration service specification.
- Verify that the Tanzu Kubernetes Grid Service is updated with the proxy settings.
  kubectl get tkgserviceconfigurations -o yaml
- To verify, provision a Tanzu Kubernetes cluster. See Workflow for Provisioning Tanzu Kubernetes Clusters Using the TKGS v1alpha2 API.
  Use the following command to confirm that the cluster is using the proxy.
  kubectl get tkc CLUSTER-NAME -n NAMESPACE -o yaml
Certificate-Based Proxy Configuration
Using a proxy server to route internet traffic is a hard requirement for some environments. For example, a company in a highly regulated industry, such as a financial institution, requires that all internet traffic go through a corporate proxy.
You can configure the Tanzu Kubernetes Grid Service to provision Tanzu Kubernetes clusters to use a proxy server for outbound HTTP/S traffic. For more information, see Configuration Parameters for the Tanzu Kubernetes Grid Service v1alpha1 API.
TkgServiceConfiguration specification.
apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  name: tkg-service-configuration-example
spec:
  defaultCNI: antrea
  proxy:
    httpProxy: http://user:<pwd>@<ip>:3128
    httpsProxy: http://user:<pwd>@<ip>:3128
    noProxy: [10.246.0.0/16,192.168.144.0/20,192.168.128.0/20]
  trust:
    additionalTrustedCAs:
      - name: first-cert-name
        data: base64-encoded string of a PEM encoded public cert 1
      - name: second-cert-name
        data: base64-encoded string of a PEM encoded public cert 2
External Private Registry Configuration
apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  name: tkg-service-configuration-example
spec:
  defaultCNI: antrea
  trust:
    additionalTrustedCAs:
      - name: harbor-vm-cert
        data: <<<base64-encoded string of a PEM encoded public cert>>>
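The proxy and trust fields above are easy to get subtly wrong (placeholders left in, noProxy missing a Supervisor CIDR, a PEM pasted without base64 encoding), and kubectl edit does not check any of that. The following preflight checker is an added example, not VMware's code or part of the TKGS API; it assumes the Supervisor CIDRs shown on this page and a constructed stand-in PEM body, and it covers both the global proxy procedure and the two trust-based configurations.

```python
import base64
from urllib.parse import urlsplit

# Constructed sample input (not from the page's environment): the Supervisor
# CIDRs the page shows in noProxy, and a throwaway PEM body standing in for a CA.
SUPERVISOR_CIDRS = ["10.246.0.0/16", "192.168.144.0/20", "192.168.128.0/20"]
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"

def encode_ca(pem: str) -> str:
    """Build an additionalTrustedCAs[].data value: base64 of the PEM text itself."""
    if "-----BEGIN CERTIFICATE-----" not in pem:
        raise ValueError("data must wrap a PEM certificate, not DER or a private key")
    return base64.b64encode(pem.encode()).decode()

def check_proxy_url(field: str, url: str) -> list:
    """Return problems with an httpProxy/httpsProxy value; an empty list means ok."""
    u, problems = urlsplit(url), []
    try:
        host, port = u.hostname, u.port   # .port raises ValueError on e.g. "<port>"
    except ValueError:
        host, port = None, None
    if u.scheme not in ("http", "https"):
        problems.append(f"{field}: scheme must be http or https")
    if not host or port is None:
        problems.append(f"{field}: a real host and port are required (placeholders left in?)")
    if u.password:   # the secret is readable by anyone who can get this object
        problems.append(f"{field}: embeds a password; limit read access to the object via RBAC")
    return problems

def check_spec(spec: dict) -> list:
    """Validate spec.proxy and spec.trust the way the page describes the fields."""
    problems, proxy = [], spec.get("proxy", {})
    for field in ("httpProxy", "httpsProxy"):
        problems += check_proxy_url(field, proxy.get(field, ""))
    no_proxy = proxy.get("noProxy", [])
    for cidr in SUPERVISOR_CIDRS:
        if cidr not in no_proxy:
            problems.append(f"noProxy: missing Supervisor CIDR {cidr}")
    for ca in spec.get("trust", {}).get("additionalTrustedCAs", []):
        try:
            pem = base64.b64decode(ca["data"], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            problems.append(f"trust: {ca['name']} data is not valid base64")
            continue
        if "-----BEGIN CERTIFICATE-----" not in pem:
            problems.append(f"trust: {ca['name']} does not decode to a PEM certificate")
    return problems
```

Run check_spec on the spec dictionary before pasting it into the editor; an empty list means every field matches what the page asks for.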