Check out the newest release of the Tanzu Kubernetes Grid (TKG) Demo Appliance Fling which includes the following new features:
- Support for the latest TKG 1.2.1 release
- Support for the TKG Workload Cluster upgrade workflow from Kubernetes v1.18.10 to v1.19.3
- Updated embedded Harbor to use a self-signed TLS certificate
One of the biggest features I was excited about in the new TKG 1.2.1 release was support for an external container registry configured with a self-signed TLS certificate. Previously, TKG only supported container registries configured with a certificate signed by a trusted CA, which made things difficult not only for proof-of-concept/testing but also for air-gapped environments.
With previous releases of the TKG Demo Appliance, a valid TLS certificate was acquired from Let's Encrypt (LE) with the help of my good friend Ryan Johnson, who owns the domain rainpole.io. The one downside to LE-based certificates is the short expiry period of 90 days. This meant that any TKG Demo Appliance deployed after the expiry would stop functioning because the certificate was no longer valid. Although I have been able to manage this by updating the appliance roughly every 90 days, usually in conjunction with a new release of TKG, it was less than ideal.
In TKG 1.2.1, users can now configure TKG to trust a self-signed TLS certificate on an external registry by setting the following two variables in the TKG config.yaml file:
- TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY: false
- TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE: base64 encoding of ca.crt
Note: If you are passing in the base64 encoding of the CA certificate, TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY must be set to false.
For those interested in generating the base64 encoding using the command-line, you can use the base64 utility:
Linux:
cat ca.crt | base64 -w 0
macOS:
cat ca.crt | base64
Note: On Linux, the base64 utility line-wraps its output by default, which you need to disable with -w 0 so the value is a single line. On macOS, this does not happen.
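As an added example that is not part of the original post: a small POSIX shell helper that produces the registry lines for ~/.tkg/config.yaml from a CA certificate. It encodes the certificate as a single line on both Linux and macOS without an OS-specific branch, refuses files that are not PEM certificates, and always pairs the CA value with SKIP_TLS_VERIFY set to false, as the note above requires. The function names and the registry path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added helper (not from the original post): build the registry lines for
# ~/.tkg/config.yaml from a self-signed CA certificate.  Function names and
# the registry path in the usage comment are assumptions.
set -eu

# Encode a file as a single base64 line.  GNU base64 wraps at 76 columns
# unless given -w 0, while macOS base64 never wraps; deleting newlines from
# the output gives the same one-line result on both without an OS check.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Refuse anything that is not a PEM certificate: a private key or a DER file
# pasted into the config would only fail later, when the cluster is created.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Print the three registry variables.  When a CA certificate is supplied,
# SKIP_TLS_VERIFY must be false, so the two are always emitted together.
tkg_registry_config() {
    repo="$1"
    ca="$2"
    if ! is_pem_cert "$ca"; then
        echo "error: $ca is not a PEM certificate" >&2
        return 1
    fi
    printf 'TKG_CUSTOM_IMAGE_REPOSITORY: %s\n' "$repo"
    printf 'TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY: false\n'
    printf 'TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE: %s\n' "$(b64_oneline "$ca")"
}

# Example invocation (assumed registry path):
#   sh tkg-registry-config.sh registry.rainpole.io/library ca.crt >> ~/.tkg/config.yaml
if [ "$#" -eq 2 ]; then
    tkg_registry_config "$1" "$2"
fi
```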
After deploying the TKG Demo Appliance, you can see that the embedded Harbor registry is configured with our self-signed TLS certificate, which does not expire until 2030; that should be plenty of time 😉
Another benefit of the TKG Demo Appliance is that it is built to be air-gapped out of the box. This is useful for anyone without the direct internet access that TKG otherwise requires unless you set up your own registry, which the appliance already takes care of for you.
diabolic53 says
can't download, get redirected...
Roy Bales says
root@tkg [ ~/.kube-tkg/tmp ] # kubectl describe pods cert-manager-74c876585c-hvx2d -n cert-manager --kubeconfig config_BBDCUjV6
...
Failed to pull image "registry.rainpole.io/library/cert-manager/cert-manager-controller:v0.16.1_vmware.1": rpc error: code = Unknown desc = failed to pull and unpack image "registry.rainpole.io/library/cert-manager/cert-manager-controller:v0.16.1_vmware.1": failed to resolve reference "registry.rainpole.io/library/cert-manager/cert-manager-controller:v0.16.1_vmware.1": get TLSConfig for registry "https://registry.rainpole.io": failed to load CA file: open /etc/containerd/tkg-registry-ca.crt: no such file or directory
Roshan Kamalon says
I faced the same issue as Roy. After setting the below in ~/.tkg/config.yaml, it worked:
TKG_CUSTOM_IMAGE_REPOSITORY: your-harbor-fqdn/library
TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY: true
TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE: Cg==
Roy Bales says
Seems all I needed to do was add the second two lines, thanks for the assist Roshan!
William Lam says
How are you folks downloading the TKG Appliance? Content Library or direct? These lines are automatically part of the appliance; there's no need to tweak them if you follow the instructions per the hackmd.
Roy Bales says
Content library, and I followed the instructions per the hackmd post.