
Tanzu Kubernetes Grid (TKG) Demo Appliance 1.2.1

01.05.2021 by William Lam // 6 Comments

Check out the newest release of the Tanzu Kubernetes Grid (TKG) Demo Appliance Fling, which includes the following new features:

  • Support for the latest TKG 1.2.1 release
  • Support for TKG Workload Cluster upgrade workflow from Kubernetes v1.18.10 to v1.19.3
  • Updated embedded Harbor to use a self-signed TLS certificate

One of the features I was most excited about in the new TKG 1.2.1 release is support for an external container registry configured with a self-signed TLS certificate. Previously, TKG only supported container registries whose certificate was signed by a trusted CA. That made proof-of-concept and testing deployments harder, and it was a real obstacle for air-gapped environments, where obtaining and renewing a publicly trusted certificate is often impractical.

With previous releases of the TKG Demo Appliance, a valid TLS certificate was acquired from Let's Encrypt (LE) with the help of my good friend Ryan Johnson, who owns the domain rainpole.io. The downside of LE certificates is their short lifetime: each one expires after 90 days. Any TKG Demo Appliance deployed after that point stopped working, because the embedded certificate was no longer valid. I managed this by refreshing the appliance roughly every 90 days, usually alongside a new TKG release, but it was far from ideal.

In TKG 1.2.1, you can configure TKG to trust a self-signed (or private-CA) certificate on an external registry using the following two variables in the TKG config.yaml file:

  • TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY: false
  • TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE: base64 encoding of ca.crt

Note: If you pass in the base64-encoded CA certificate, TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY must be set to false. Keep it false: setting it to true tells the container runtime on the nodes to accept whatever certificate the registry presents, which removes the only protection against a spoofed or intercepted registry. Supplying the CA certificate is what lets you keep verification enabled while still using a certificate that no public CA issued.

For those interested in generating the base64 encoding from the command line, you can use the base64 utility. The value must be a single line with no embedded newlines:

Linux:

base64 -w 0 ca.crt

macOS:

base64 < ca.crt

Note: On Linux, GNU base64 wraps its output at 76 columns by default, so -w 0 is needed to get a single line. The macOS base64 does not wrap, so no extra flag is required.
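As an added example (not from the original post, and not part of TKG or the Demo Appliance), the following script wraps the steps above: it sanity-checks that the file is a PEM certificate, produces a single-line base64 value that comes out the same on Linux and macOS, emits the config.yaml lines with verification left enabled, and, when openssl is available, prints the certificate's subject and expiry and checks that it is actually a CA certificate. The registry name registry.example.com/library and the file names are placeholders.

```bash
#!/usr/bin/env bash
# Prepare TKG_CUSTOM_IMAGE_REPOSITORY_* settings from a registry CA certificate.
# Added example; not part of TKG or the Demo Appliance. Names are placeholders.
set -eu

# Confirm the file looks like a PEM certificate before encoding it.
check_pem() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Single-line base64 on both GNU coreutils (wraps at 76 columns by default)
# and macOS (does not wrap): strip every newline from whatever base64 emits.
b64_nowrap() {
  base64 < "$1" | tr -d '\n'
}

# Decode an encoded value, accepting the GNU (-d) or older macOS (-D) flag.
b64_decode() {
  printf '%s' "$1" | base64 -d 2>/dev/null || printf '%s' "$1" | base64 -D
}

# Round-trip check: the encoded value must decode back to the exact file contents.
roundtrip_ok() {
  b64_decode "$(b64_nowrap "$1")" | cmp -s - "$1"
}

# Print the config.yaml lines. SKIP_TLS_VERIFY stays false: the CA is supplied
# so the nodes can verify the registry instead of accepting any certificate.
emit_tkg_config() {
  local ca="$1" repo="$2"
  check_pem "$ca" || { echo "not a PEM certificate: $ca" >&2; return 1; }
  printf 'TKG_CUSTOM_IMAGE_REPOSITORY: %s\n' "$repo"
  printf 'TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY: false\n'
  printf 'TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE: %s\n' "$(b64_nowrap "$ca")"
}

# Optional: with openssl present, show subject/expiry and confirm the file is a
# CA certificate (CA:TRUE) that has not already expired. TKG needs the CA that
# signed the registry certificate, not the registry's leaf certificate.
describe_ca() {
  command -v openssl >/dev/null || { echo "openssl not found; skipping checks" >&2; return 0; }
  openssl x509 -in "$1" -noout -subject -enddate
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE' \
    || { echo "warning: no CA:TRUE basic constraint" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 \
    || { echo "warning: certificate has already expired" >&2; return 1; }
}

# Usage (after sourcing this file):
#   describe_ca ca.crt
#   emit_tkg_config ca.crt registry.example.com/library >> ~/.tkg/config.yaml
```

The round-trip check matters more than it looks: a value that was line-wrapped, or that picked up a trailing newline from a copy-and-paste, silently produces a CA file the nodes cannot parse, and the first symptom is image pulls failing rather than a configuration error.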

After deploying the TKG Demo Appliance, you can see that the embedded Harbor registry is now configured with the self-signed TLS certificate, which does not expire until 2030; that should be plenty of time 😉

Another benefit of the TKG Demo Appliance is that it is built to be air-gapped out of the box. TKG normally requires direct internet access to pull its container images unless you set up your own registry; the appliance already takes care of that for you, which is useful for anyone who does not have direct internet access.

Categories // Kubernetes Tags // Tanzu Kubernetes Grid, TKG

Comments

  1. diabolic53 says

    01/06/2021 at 5:30 am

    Can't download, get redirected ....

    Reply
  2. Roy Bales says

    01/22/2021 at 5:46 am

    root@tkg [ ~/.kube-tkg/tmp ] # kubectl describe pods cert-manager-74c876585c-hvx2d -n cert-manager --kubeconfig config_BBDCUjV6
    ...
    Failed to pull image "registry.rainpole.io/library/cert-manager/cert-manager-controller:v0.16.1_vmware.1": rpc error: code = Unknown desc = failed to pull and unpack image "registry.rainpole.io/library/cert-manager/cert-manager-controller:v0.16.1_vmware.1": failed to resolve reference "registry.rainpole.io/library/cert-manager/cert-manager-controller:v0.16.1_vmware.1": get TLSConfig for registry "https://registry.rainpole.io": failed to load CA file: open /etc/containerd/tkg-registry-ca.crt: no such file or directory

    Reply
  3. Roshan Kamalon says

    01/25/2021 at 5:47 pm

    I faced the same issue as Roy. After setting the below in ~/.tkg/config.yaml, it worked:

    TKG_CUSTOM_IMAGE_REPOSITORY: your-harbor-fqdn/library
    TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY: true
    TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE: Cg==

    Reply
  4. Roy Bales says

    01/30/2021 at 7:11 am

    Seems all I needed to do was add the second two lines, thanks for the assist, Roshan!

    Reply
    • William Lam says

      01/30/2021 at 9:46 am

      How are you folks downloading the TKG Appliance? Content Library or direct? These lines are automatically part of the appliance; there’s no need to tweak them if you follow the instructions per the hackmd.

      Reply
      • Roy Bales says

        02/01/2021 at 7:09 am

        Content Library, and I followed the instructions per the hackmd post.

        Reply
