This is the third article in my “a first look at Tanzu Basic” series. First read part 1 and part 2 if you’re new to Tanzu Basic. In this article I will walk you through the steps to enable workload management in the vSphere WebClient. In the previous article we successfully deployed HA Proxy, which is required if you want to use the vCenter networking option. HA Proxy will act as a load balancer for your Tanzu Kubernetes Grid clusters and the SuperVisor control plane.
Configure and Enable Workload Management
With vSphere 7.0 update 1 a free trial of Tanzu is baked into the solution. Enter your details to get started with Tanzu.
After clicking Get Started we have to select the vCenter Server Network option:
Also take note of the warning message that HA Proxy, which was deployed in the previous step, is required.
Although the minimum requirement is 3 hosts for a SuperVisor cluster (and thus for Tanzu Kubernetes), for testing purposes you can run Tanzu Basic perfectly fine with just one ESXi host:
A Tiny control plane will do the trick for my test setup; this is configured in the next step of the wizard.
Also create and choose a storage policy for your Kubernetes control plane VMs and containers.
Now let’s set up the load balancer, which is HA Proxy in this scenario:
Important settings are:
- The data plane API address(es): the management IP of HA Proxy; don’t forget to add port 5556;
- The IP address ranges for virtual servers: this is the load balancer IP address range configured at option 3.1 in your HA Proxy;
- The Server Certificate Authority: you can download this information from your HA Proxy appliance, where it is available in /etc/haproxy/ca.crt.
In the next step we will have to configure the Management Network:
These settings are all pretty straightforward. Remember that three IP addresses are consumed starting at 192.168.178.170; these IP addresses are used for the control plane.
In the next step we have to configure the Workload Network, in my case this is the 172.16.102.0/24 network:
Provide a name for the Workload Network, select the correct portgroup/VLAN and set up the gateway, subnet and the IP range to be used. Also set the correct DNS server that is available for your Workload Network (in my case 172.16.102.1).
Now add a subscribed content library that contains TKG installation files. Refer to “Create a Subscribed Content Library” in this article that explains how to create a content library.
Click next and then Finish. Sit back and relax and see how your vSphere environment is configured for Tanzu Basic.
Create and connect to your namespace
After the deployment and configuration of the SuperVisor cluster finishes, you have the option to create a new namespace. A namespace is an isolated piece in your vSphere environment with a CPU/Memory/Storage quota.
After you’ve created a namespace, you can connect to it (and download the CLI tools) through the “Link to CLI Tools”. In my case the namespace is available on 172.16.102.9.
Within a namespace you can deploy one or more TKG cluster(s); you can read this article to learn more on how to deploy a TKG cluster.
After you’ve deployed your first TKG cluster, it is interesting to have a closer look at the HA Proxy configuration. HA Proxy takes care of access to your supervisor cluster, namespace(s) and TKG clusters. The proxy configuration is available in /etc/haproxy/haproxy.cfg:
```
frontend domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc
  mode tcp
  bind 172.16.101.129:443 name domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc-172.16.101.129:nginx
  bind 172.16.101.129:6443 name domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc-172.16.101.129:kube-apiserver
  log-tag domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc
  option tcplog
  use_backend domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc-nginx if { dst_port 443 }
  use_backend domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc-kube-apiserver if { dst_port 6443 }

frontend domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-viktorious01-tkg-cluster-1-control-plane-service
  mode tcp
  bind 172.16.101.130:6443 name domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-viktorious01-tkg-cluster-1-control-plane-service-172.16.101.130:apiserver
  log-tag domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-viktorious01-tkg-cluster-1-control-plane-service
  option tcplog
  use_backend domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-viktorious01-tkg-cluster-1-control-plane-service-apiserver if { dst_port 6443 }

backend domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc-kube-apiserver
  mode tcp
  balance roundrobin
  option tcp-check
  log-tag domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc-kube-apiserver
  server domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc-172.16.102.10:6443 172.16.102.10:6443 check-ssl weight 100 verify none
  server domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc-172.16.102.11:6443 172.16.102.11:6443 check-ssl weight 100 verify none
  server domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc-172.16.102.12:6443 172.16.102.12:6443 check-ssl weight 100 verify none

backend domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc-nginx
  mode tcp
  balance roundrobin
  option tcp-check
  log-tag domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc-nginx
  server domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc-172.16.102.10:443 172.16.102.10:443 check-ssl weight 100 verify none
  server domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc-172.16.102.11:443 172.16.102.11:443 check-ssl weight 100 verify none
  server domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-kube-system-kube-apiserver-lb-svc-172.16.102.12:443 172.16.102.12:443 check-ssl weight 100 verify none

backend domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-viktorious01-tkg-cluster-1-control-plane-service-apiserver
  mode tcp
  balance roundrobin
  option tcp-check
  log-tag domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-viktorious01-tkg-cluster-1-control-plane-service-apiserver
  server domain-c1007:ca9468eb-b1e2-4fe1-ae80-7dd230a196cf-viktorious01-tkg-cluster-1-control-plane-service-172.16.102.13:6443 172.16.102.13:6443 check-ssl weight 100 verify none
```
The configuration file shows the IP addresses of the new namespace, the TKG cluster and the SuperVisor cluster.
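To review which virtual IPs expose which control plane nodes, and which TLS health checks skip certificate verification (`check-ssl ... verify none`), the generated file can be parsed. The script below is an added example, not part of the original article or of the HA Proxy appliance; the sample config is constructed from the listing above with shortened section names, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the listing above; section names are shortened.
SAMPLE_CFG = """\
frontend sv-kube-apiserver-lb-svc
  mode tcp
  bind 172.16.101.129:443 name sv-172.16.101.129:nginx
  bind 172.16.101.129:6443 name sv-172.16.101.129:kube-apiserver
  use_backend sv-nginx if { dst_port 443 }
  use_backend sv-kube-apiserver if { dst_port 6443 }
backend sv-kube-apiserver
  server sv-172.16.102.10:6443 172.16.102.10:6443 check-ssl weight 100 verify none
  server sv-172.16.102.11:6443 172.16.102.11:6443 check-ssl weight 100 verify none
backend sv-nginx
  server sv-172.16.102.10:443 172.16.102.10:443 check-ssl weight 100 verify none
"""

def parse(cfg):
    """Return (routes, backends): routes maps 'vip:port' -> backend name,
    backends maps backend name -> list of (address, server options)."""
    binds, rules, backends = {}, {}, {}
    kind = name = None
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        if tok[0] in ("frontend", "backend", "listen", "defaults", "global"):
            kind, name = tok[0], (tok[1] if len(tok) > 1 else "")
        elif kind == "frontend" and tok[0] == "bind" and len(tok) > 1:
            binds.setdefault(name, []).append(tok[1])
        elif kind == "frontend" and tok[0] == "use_backend" and len(tok) > 1:
            m = re.search(r"dst_port\s+(\d+)", raw)
            rules.setdefault(name, {})[m.group(1) if m else "*"] = tok[1]
        elif kind == "backend" and tok[0] == "server" and len(tok) > 2:
            backends.setdefault(name, []).append((tok[2], tok[3:]))
    routes = {}
    for fe, addrs in binds.items():
        for addr in addrs:
            port = addr.rsplit(":", 1)[-1]
            target = rules.get(fe, {}).get(port) or rules.get(fe, {}).get("*")
            if target:
                routes[addr] = target
    return routes, backends

def unverified_checks(backends):
    """Addresses of servers whose TLS health check skips certificate verification."""
    return sorted(addr for servers in backends.values() for addr, opts in servers
                  if "check-ssl" in opts and "verify none" in " ".join(opts))
```

On the appliance, pass the contents of /etc/haproxy/haproxy.cfg to `parse()` instead of `SAMPLE_CFG`.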
I hope this was helpful, stay tuned for more content on this topic.