Tanzu Kubernetes Grid (TKG) Demo Appliance 1.2.1

01.05.2021 by William Lam // 6 Comments

Check out the newest release of the Tanzu Kubernetes Grid (TKG) Demo Appliance Fling which includes the following new features:

  • Support for the latest TKG 1.2.1 release
  • Support for TKG Workload Cluster upgrade workflow from Kubernetes v1.18.10 to v1.19.3
  • Updated embedded Harbor to use a self-signed TLS certificate

One of the biggest features I was excited about in the new TKG 1.2.1 release is support for an external container registry configured with a self-signed TLS certificate. Previously, TKG only supported container registries configured with a certificate signed by a trusted CA, which made it difficult not only for proof of concept/testing but also for air-gapped environments.

With previous releases of the TKG Demo Appliance, a valid TLS certificate was acquired from Let's Encrypt (LE) with the help of my good friend Ryan Johnson, who owns the domain rainpole.io. The one downside to LE-based certificates is the short expiry period of 90 days. This meant that any TKG Demo Appliance deployed after the expiry would stop functioning because the certificate was no longer valid. Although I have been able to manage this by updating the appliance roughly every 90 days, usually in conjunction with a new release of TKG, it was less than ideal.

In TKG 1.2.1, users can now configure TKG to trust a self-signed TLS certificate on an external registry by using the following two variables within the TKG config.yaml file:

  • TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY: false
  • TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE: base64 encoding of ca.crt

Note: If you are passing in the base64 encoding of the CA certificate, TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY must be set to false.

For those interested in generating the base64 encoding from the command line, you can use the base64 utility:

Linux:

cat ca.crt | base64 -w 0

macOS:

cat ca.crt | base64

Note: On Linux, the base64 utility line-wraps its output by default, which you need to disable (the -w 0 flag above). On macOS, this does not happen.
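As an added example (not code from the post or from TKG itself), the script below builds that config.yaml fragment from a ca.crt in a way that works on both Linux and macOS, and checks an existing fragment for the combination the note above rules out: a CA certificate value together with TLS verification turned off, or a value that is not a certificate at all. The function names are this example's own; only the two TKG variable names come from the post.

```shell
# Added example, not code from the post or from TKG: build the two registry
# variables the post lists from a CA file, and check an existing fragment.
# Function names are this example's own; the variable names are TKG's.

# Base64-encode a file as one line on both Linux and macOS: GNU base64
# wraps by default and macOS does not, so strip newlines instead of
# relying on the GNU-only -w 0 flag.
b64_single_line() {
  base64 < "$1" | tr -d '\n'
}

# Emit the config.yaml fragment for a self-signed registry CA. Per the
# post's note, SKIP_TLS_VERIFY must stay false for the CA to be used.
tkg_registry_ca_fragment() {
  ca_file=$1
  # Refuse to encode anything that is not a PEM certificate.
  grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file" || {
    echo "$ca_file: not a PEM certificate" >&2
    return 1
  }
  printf 'TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY: false\n'
  printf 'TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE: %s\n' \
    "$(b64_single_line "$ca_file")"
}

# Flag a fragment that leaves the registry unverified: SKIP_TLS_VERIFY
# true, no CA value, or a CA value that does not decode to a PEM
# certificate (e.g. "Cg==", which is only a base64-encoded newline).
check_tkg_registry_config() {
  cfg=$1
  skip=$(sed -n 's/^TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY: *//p' "$cfg")
  ca=$(sed -n 's/^TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE: *//p' "$cfg")
  if [ "$skip" = "true" ]; then
    echo "$cfg: TLS verification to the registry is disabled" >&2; return 1
  fi
  if [ -z "$ca" ]; then
    echo "$cfg: no CA certificate configured" >&2; return 1
  fi
  printf '%s' "$ca" | base64 --decode 2>/dev/null |
    grep -q -- '-----BEGIN CERTIFICATE-----' || {
    echo "$cfg: CA value does not decode to a PEM certificate" >&2; return 1
  }
  echo ok
}

# Stand-alone use: sh tkg-registry-ca.sh path/to/ca.crt >> ~/.tkg/config.yaml
if [ $# -gt 0 ]; then tkg_registry_ca_fragment "$1"; fi
```

Run check_tkg_registry_config against a config.yaml before bootstrapping a cluster; it exits non-zero when the registry would be reached without certificate verification.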

After deploying the TKG Demo Appliance, you can now see that the embedded Harbor registry is configured with our self-signed TLS certificate, which is not set to expire until 2030. That should be plenty of time 😉

Another benefit of the TKG Demo Appliance is that it has been built to be air-gapped out of the box. This is useful for anyone who does not have the direct internet access that TKG otherwise requires unless you set up your own registry, which the appliance already takes care of for you.

Comments

  1. diabolic53 says

    01/06/2021 at 5:30 am

    Can't download, get redirected...

    Reply
  2. Roy Bales says

    01/22/2021 at 5:46 am

    [email protected] [ ~/.kube-tkg/tmp ] # kubectl describe pods cert-manager-74c876585c-hvx2d -n cert-manager --kubeconfig config_BBDCUjV6
    ...
    Failed to pull image "registry.rainpole.io/library/cert-manager/cert-manager-controller:v0.16.1_vmware.1": rpc error: code = Unknown desc = failed to pull and unpack image "registry.rainpole.io/library/cert-manager/cert-manager-controller:v0.16.1_vmware.1": failed to resolve reference "registry.rainpole.io/library/cert-manager/cert-manager-controller:v0.16.1_vmware.1": get TLSConfig for registry "https://registry.rainpole.io": failed to load CA file: open /etc/containerd/tkg-registry-ca.crt: no such file or directory

    Reply
  3. Roshan Kamalon says

    01/25/2021 at 5:47 pm

    I faced the same issue as Roy. After setting the below in ~/.tkg/config.yaml, it worked:

    TKG_CUSTOM_IMAGE_REPOSITORY: your-harbor-fqdn/library
    TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY: true
    TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE: Cg==

    Reply
  4. Roy Bales says

    01/30/2021 at 7:11 am

    Seems all I needed to do was add the second two lines, thanks for the assist Roshan!

    Reply
    • William Lam says

      01/30/2021 at 9:46 am

      How are you folks downloading the TKG Appliance? Content Library or direct? These lines are automatically part of the appliance; there's no need to tweak them if you follow the instructions per hackmd.

      Reply
      • Roy Bales says

        02/01/2021 at 7:09 am

        Content Library, and I followed the instructions per the hackmd post.

        Reply
