The Oct 31st release notes of Tanzu Mission Control showed an intriguing feature: the ability to install Tanzu Application Platform (TAP) through Tanzu Mission Control (TMC).
If you’ve been following my blog, you’re likely aware of the various methods for TAP installation. You can opt for a manual installation, a scripted installation, or even choose a GitOps-based installation. The latest addition is the option to install TAP via TMC, offering a user-friendly, UI-based installation process. Currently, this method supports single-cluster deployment, making it ideal for quickly setting up proof of concepts, tests, or lab environments.
In this blogpost I will guide you through the installation process and share some tips & tricks. Our focus will be on installing TAP on a Kubernetes 1.26.5-based vSphere with Tanzu cluster, running Ubuntu images.
Prerequisites and deploying the TKG cluster
Before installing TAP, you will need to deploy a TKG cluster that will run your TAP installation and the additional workloads you are deploying. Some of the specific prerequisites for TAP 1.6.4 (used in this blogpost) are:
- vSphere with Tanzu v8.0.1 and (Tanzu) Kubernetes version v1.25, v1.26 or v1.27.
- Currently a TAP deployment using TMC only supports deploying the “full” profile, which means you need:
  - 8 GB of RAM available per node to Tanzu Application Platform (best practice: use at least the best-effort-large vmclass on the TKG cluster).
  - 16 vCPUs available across all nodes to Tanzu Application Platform.
  - 100 GB of disk space available per node.
- Install kubectl and tanzu cli on your workstation, also install the TAP plugins for Tanzu CLI.
All the prerequisites are documented here.
Update 15/11/2023: I’ve also completed a successful deployment of TAP 1.7.0 using this method.
Of course you can use TMC to deploy this TKG cluster. I’m using the Ubuntu image and Kubernetes version 1.26.5 (v.1.26.5+vmware.2-fips.1-tkg.1). Bear in mind that TAP has specific storage requirements for both the /var/lib/kubelet and /var/lib/containerd mount points. These storage requirements should be configured for both the controller and workload nodes (otherwise the check that TMC runs before the TAP installation starts will fail).
I would recommend deploying at least 3 Kubernetes worker nodes with a minimum size of best-effort-large (or even best-effort-2xlarge).
Pod Security Admission and TAP
On a v1.26 Kubernetes cluster on TKGs you might run into Pod Security Admission (PSA) issues that prevent you from successfully installing TAP. Because we’re talking about a lab environment here, I would recommend disabling PSA enforcement on the namespaces used by TAP by setting two labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce-version: latest
You can use TMC Mutation Policies to automatically configure these labels on each newly created namespace. An example for the pod-security.kubernetes.io/enforce-version: latest label is provided below.
Kubernetes v1.25 is less restrictive and might also be an option to use for your TAP installation.
After the cluster is available in TMC, it’s now time to deploy TAP. The installation option is available under Catalog->Solutions. Currently only a Single Cluster setup is available.
Click “Install Tanzu Application Platform” and walk through the wizard. Give your installation a name and then set up the profile. You have to provide the details of your Ingress Domain, the type of supply chain you want to use, and the credentials of the registry you want to attach to your TAP installation. For me the profile looks like this:
I am using an Azure registry for my installation, but you’re of course free to use other registries including Harbor. The secret configuration for my registry looks like this:
The secret will automatically be distributed across the namespaces that require access to this secret.
The advanced configuration shows the YAML version of your profile and allows you to set up additional advanced configuration options that are not covered in this blogpost (a follow-up blogpost will come soon):
Now it’s time to install TAP.
Monitor installation progress
You can monitor the progress of your TAP installation by connecting to the Kubernetes cluster you’re installing to and executing the following command (k is a shell alias for kubectl):
k get packageinstalls.packaging.carvel.dev -n tap-install -w
Any errors will show up in this overview. You can use the following command to examine any installation errors:
k describe packageinstalls.packaging.carvel.dev <package-name> -n tap-install
Depending on the error you can examine if pods are successfully deployed in their respective namespaces.
Solving eventing package issue
Update 15/11/2023: The eventing package (that’s running in the vmware-sources namespace) has been removed in TAP 1.7.0. With that, this issue is also solved.
I faced an error with the eventing package; further examination showed that some pods were not being started in the vmware-sources namespace. After examining the namespace
k get ns vmware-sources -o yaml
it looks like the pod-security labels discussed earlier were for some reason not applied to the namespace. Adding the labels manually and deleting the replicasets in this namespace results in a successful deployment of the required replicasets and pods.
k edit ns vmware-sources
metadata:
  labels:
    pod-security.kubernetes.io/enforce: privileged
    pod-security.kubernetes.io/enforce-version: latest
Delete the replicasets:
k delete rs horizon-source-controller-<id> -n vmware-sources
k delete rs horizon-source-webhook-<id> -n vmware-sources
k delete rs vsphere-source-webhook-<id> -n vmware-sources
The eventing package now reconciles successfully.
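The missing labels on vmware-sources are easy to check for across all namespaces at once. The script below is an added example, not part of the original post: it classifies namespaces from kubectl custom-columns output, and its function names and sample rows are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit the two Pod Security Admission labels per namespace.
# Function names are illustrative; sample rows below are constructed.

# Live input (needs cluster access): NAME, enforce, enforce-version.
# kubectl prints <none> where a label is absent.
psa_columns() {
  kubectl get ns --no-headers -o custom-columns='NAME:.metadata.name,ENFORCE:.metadata.labels.pod-security\.kubernetes\.io/enforce,VERSION:.metadata.labels.pod-security\.kubernetes\.io/enforce-version'
}

# Classify each row read from stdin:
#   MISSING    one or both labels absent (what happened to vmware-sources)
#   PRIVILEGED both labels set as in this post, enforcement relaxed
#   OTHER      a different enforce level is configured
psa_audit() {
  awk '
    NF < 3                           { next }
    $2 == "<none>" || $3 == "<none>" { print "MISSING", $1; next }
    $2 == "privileged"               { print "PRIVILEGED", $1; next }
                                     { print "OTHER", $1 " (" $2 ")" }
  '
}

# Only the namespaces that still need labels.
psa_missing() { psa_audit | awk '$1 == "MISSING" { print $2 }'; }

# Constructed sample in the same shape as psa_columns output.
sample_namespaces() {
  cat <<'EOF'
tap-install      privileged   latest
vmware-sources   <none>       <none>
cert-manager     privileged   <none>
default          baseline     latest
EOF
}

# Offline demo; against a cluster run: psa_columns | psa_audit
sample_namespaces | psa_audit
```

Namespaces reported as PRIVILEGED should be limited to the ones TAP needs; any other namespace in that list has PSA enforcement relaxed without a reason given in this post.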
Access your TAP installation
Now it’s time to access TAP. First retrieve the tap-gui IP address:
k get service envoy -n tanzu-system-ingress
Write down the external-ip and set up your DNS accordingly. Now you’re ready to access your freshly installed environment and get started with Tanzu Application Platform!
I hope this was useful, you can leave your comments and questions below.