WilliamLam.com


Quick Tip - Configuring vSphere Supervisor Services with self-signed container registry

08.18.2025 by William Lam // 1 Comment

When deploying additional vSphere Supervisor Services including the new Data Services Operator enabling Database-as-a-Service (DBaaS), the container images that are used are hosted on Broadcom's container registry (projects.packages.broadcom.com).

For air-gapped deployments where you need to use an internal container registry, there is a process to relocate Broadcom's container images into your own container registry, which has been possible since vSphere 8.0 Update 3.

While attempting to install the DSM Operator Supervisor Service, which had already been relocated into my standalone Harbor registry, I ran into the classic issue where the self-signed TLS certificate could not be trusted as you can see from the screenshot below.


While the validation error message was clear on why the installation would fail, it did not provide any details on how to actually add trust for the self-signed TLS certificate from my container registry.

After checking internally with a few folks, I was able to resolve this, but it took several attempts. I have already made a request to improve the official documentation to make these steps clearer.

Step 1 - Install the imgpkg utility on a local desktop that has network connectivity to Broadcom's public container registry. Please refer to the Broadcom documentation HERE for more details.

Step 2 - Use the imgpkg utility to download the desired container image and save that locally as a tar file. The example below will download the latest DSM Operator Service:

imgpkg copy -b projects.packages.broadcom.com/dsm-consumption-operator/dsm-consumption-operator-supervisor:9.0.0.0.24665381 --to-tar dsm-consumption-operator-supervisor:9.0.0.0.24665381.tar --cosign-signatures
imgpkg copy -b projects.packages.broadcom.com/dsm-consumption-operator/consumption-operator:9.0.0.0.24665381 --to-tar consumption-operator:9.0.0.0.24665381.tar --cosign-signatures
imgpkg copy -b projects.packages.broadcom.com/dsm-consumption-operator/kube-webhook-certgen:9.0.0.0.24665381 --to-tar kube-webhook-certgen:9.0.0.0.24665381.tar --cosign-signatures

Step 3 - To import the container image tar file into your container registry, you will need credentials from your registry that will allow you to import the container. Since I am using Harbor as my container registry, I needed to also create a new Harbor Project which I have named dsm and I am using the default admin credentials. In addition, we also need a copy of the root CA certificate of your container registry, which you can retrieve as part of your initial setup.

Note: There are some references to the Harbor Systeminfo API that can return the Root CA (e.g. https://registry.vcf.lab/api/v2.0/systeminfo/getcert), but that did not work for me and I received a "cert not found in path: /etc/core/ca/ca.crt" error.

The following commands define the two imgpkg environment variables that hold your container registry credentials and then perform the actual copy of the DSM Operator service tar files, which requires the root CA certificate of your container registry:

export IMGPKG_USERNAME=FILL_ME_IN
export IMGPKG_PASSWORD=FILL_ME_IN
imgpkg copy --tar dsm-consumption-operator-supervisor:9.0.0.0.24665381.tar --to-repo registry.vcf.lab/dsm/dsm-consumption-operator-supervisor --cosign-signatures --registry-ca-cert-path harbor-ca.crt
imgpkg copy --tar consumption-operator:9.0.0.0.24665381.tar --to-repo registry.vcf.lab/dsm/consumption-operator --cosign-signatures --registry-ca-cert-path harbor-ca.crt
imgpkg copy --tar kube-webhook-certgen:9.0.0.0.24665381.tar --to-repo registry.vcf.lab/dsm/kube-webhook-certgen --cosign-signatures --registry-ca-cert-path harbor-ca.crt

Step 4 - Finally, for a vSphere Supervisor to trust a container registry that has a self-signed TLS certificate, we need to add the container registry information including the root CA certificate. To do so, navigate to Supervisor Management->Supervisors->(select Supervisor)->Container Registries and click Add Registry and provide all required inputs.

If your container registry requires credentials to download a container, you will need to provide that information as shown in the example below.


Once your container registry has been added, deploying and configuring a vSphere Supervisor Service whose container images are hosted in your own container registry with a self-signed TLS certificate will automatically trust the certificate and proceed with the installation.
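Before passing harbor-ca.crt to imgpkg in Step 3 or adding it to the Supervisor in Step 4, it is worth confirming that the file really is a CA certificate and that the registry's TLS certificate chains to it. The script below is an added example, not part of the original post or of any Broadcom tooling; the function names are hypothetical and it assumes the openssl CLI is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight checks on the registry
# root CA file before it is passed to imgpkg or added to the Supervisor.
# Function names are hypothetical; requires the openssl CLI.

# 0 if FILE is a certificate marked basicConstraints CA:TRUE
is_ca_cert() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Prints the SHA-256 fingerprint of FILE, for comparison with the value
# read from the registry host or given by its administrator.
ca_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# 0 if LEAF (a saved server certificate) validates against CA_FILE.
# Assumes the leaf is issued directly by that CA (no intermediates).
chain_verifies() {  # CA_FILE LEAF
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the live registry at HOST:PORT presents a chain that validates
# against CA_FILE; needs network access to the registry.
registry_trusts() {  # CA_FILE HOST:PORT
  openssl s_client -connect "$2" -servername "${2%%:*}" -CAfile "$1" \
    -verify_return_error </dev/null >/dev/null 2>&1
}

preflight() {  # CA_FILE HOST:PORT
  is_ca_cert "$1" || { echo "FAIL: $1 is not a CA certificate" >&2; return 2; }
  registry_trusts "$1" "$2" || { echo "FAIL: $2 does not chain to $1" >&2; return 3; }
  echo "OK: $2 chains to CA with SHA-256 fingerprint $(ca_fingerprint "$1")"
}

# Example: ./preflight.sh harbor-ca.crt registry.vcf.lab:443
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

Comparing the printed fingerprint against one obtained out of band guards against trusting a CA file that was swapped or copied from the wrong host.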

Categories // vSphere Supervisor Tags // Harbor, vSphere Supervisor

Comments

  1. Chang WANG says

    08/18/2025 at 5:51 pm

    Thanks for the doc.
    It took me a weekend to install the supervisor service from my private Harbor after I fetched different information from different official documents.
    Yes, I believe that we need to optimize our document.

    Thanks William


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
