Install and Deploy the vSphere PVCSI Webhook

Install and deploy the vSphere PVCSI webhook in a TKG Service cluster. The vSphere PVCSI webhook is a component with call-back that responds to CSI admission requests. It is responsible for validation of Kubernetes objects, such as Persistent Volume Claims, Persistent Volumes, Storage Classes and so on.

The vSphere PVCSI webhook installs automatically in Supervisor. This topic applies only to TKG Service clusters.

Prerequisites

You have a running Supervisor.
You have installed the Tanzu CLI and kubectl. For information, see Installing CLI Tools for TKG Service Clusters.
You have logged in to the TKG cluster. For information, see Connecting to TKG Service Clusters Using vCenter SSO Authentication.

Prepare a TKG Service Cluster for Installation of vSphere PVCSI Webhook

Follow these steps to prepare the your TKG Service cluster for installation of the vSphere PVCSI webhook.

Procedure

Get the admin credentials of the TKG cluster where you want to deploy the vSphere PVCSI webhook.
```
tanzu cluster kubeconfig get my-cluster --admin
```
Switch context to the vSphere Namespace where the target TKG cluster is provisioned.
```
kubectl config use-context my-cluster-admin@my-cluster
```
If the cluster does not have a package repository with vsphere-pv-csi-webhook package installed, such as the tanzu-standard repository, install one.
You can skip this step if your target cluster is a legacy plan-based cluster. For plan-based clusters, the tanzu-standard package repository is automatically enabled in the tanzu-package-repo-global namespace.
```
tanzu package repository add PACKAGE-REPO-NAME --url PACKAGE-REPO-ENDPOINT --namespace tkg-system
```
- PACKAGE-REPO-NAME is the name of the package repository, such as tanzu-standard, or the name of a private image registry configured with ADDITIONAL_IMAGE_REGISTRY variables.
- PACKAGE-REPO-ENDPOINT is the URL of the package repository.
If you have not already done so, install the cert-manager.
For information, see Install Cert Manager.

Results

You can now deploy the vSphere PVCSI webhook.

Deploy vSphere PVCSI Webhook

Follow these steps to deploy the vSphere PVCSI webhook on a TKG Service cluster.

Procedure

Confirm that the vSphere PVCSI webhook package is available in the cluster.
```
tanzu package available list -A
```
If the package not available, make sure package repository containing the required vSphere PVCSI webhook package is installed correctly. For instructions, see Step 3 of Prepare a TKG Service Cluster for Installation of vSphere PVCSI Webhook.

Obtain the version of the available package.

tanzu package available list vsphere-pv-csi-webhook.tanzu.vmware.com -A

Install the package with appropriate available version.
```
tanzu package install vsphere-pv-csi-webhook --package vsphere-pv-csi-webhook.tanzu.vmware.com --version AVAILABLE-PACKAGE-VERSION --namespace TARGET-NAMESPACE
```
- TARGET-NAMESPACE specifies the namespace where you want to install the vsphere-pv-csi-webhook package.
  Note: TARGET-NAMESPACE has to be the same as the namespace where vsphere-pv-csi package is installed.
  If you don't specify the --namespace flag, the Tanzu CLI installs the package and its resources in the default namespace, such as vmware-system-csi for vsphere-pv-csi-webhook package. The specified namespace must already exist, for example, from running kubectl create namespace vmware-system-csi.
- AVAILABLE-PACKAGE-VERSION specifies the package version that you obtained in Step 2.
Confirm that the vSphere PVCSI webhook package has been installed.
```
tanzu package installed list -A
```
To see more details about the package, you can also run the following command:
```
tanzu package installed get vsphere-pv-csi-webhook --namespace TARGET-NAMESPACE
```
Confirm that the vsphere-pv-csi-webhook app has been successfully reconciled in your TARGET-NAMESPACE.
```
kubectl get apps -A
```
If the status is not Reconcile Succeeded, view the full status details of the vsphere-pv-csi-webhook app. Viewing the full status can help you troubleshoot the problem.
```
kubectl get app vsphere-pv-csi-webhook --namespace TARGET-NAMESPACE -o yaml
```
If troubleshooting does not help you solve the problem, uninstall the package using the following command before installing it again.
```
tanzu package installed delete vsphere-pv-csi-webhook --namespace TARGET-NAMESPACE
```
Confirm that the vsphere-pv-csi-webhook is running by listing all pods in the cluster.
```
kubectl get pods -A
```
Verify that vsphere-pv-csi-webhook pods are created in the vmware-system-csi OR TARGET-NAMESPACE.