In this blogpost I want to share my installation experience with Tanzu Mission Control – Self Managed, the installable version of Tanzu Mission Control SaaS. My goal is to have a running TMC instance, using signed certificates and available to be used. For this I need:
- TMC installation files that can be downloaded here (you will need a VMware Customer Connect account, these are the files for TMC-SM 1.2 – currently the latest version of the product).
- A Harbor registry with a public repository that will hold TMC-SM installation files, I’m using an Ubuntu VM for this.
- A configurable DNS server, in my case I’m using AWS Route53.
- I’m using Let’s Encrypt for certificate requests.
Installing Harbor
You need Harbor to host the TMC-SM container images. You can choose to run Harbor on a VM (using Docker) or on Kubernetes. In this (lab) scenario I’m using a Ubuntu VM with Docker. I’m installing Docker using an apt repository as described here. Add the Docker app repository first:
# Add Docker's official GPG key: sudo apt-get update sudo apt-get install ca-certificates curl sudo install -m 0755 -d /etc/apt/keyrings sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc sudo chmod a+r /etc/apt/keyrings/docker.asc # Add the repository to Apt sources: echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null sudo apt-get update
Now install Docker and provide Docker access to regular users (optional):
sudo apt-get update sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin docker-compose sudo groupadd docker sudo usermod -aG docker $USER newgrp docker
Now we’re going to install certbot for certificate requests with Let’s Encrypt (other options for certificate requests are available, I’m prefer this one in this scenario):
sudo snap install --classic certbot sudo ln -s /snap/bin/certbot /usr/bin/certbot
Next step is to make sure your VM is internet-accessible on the FQDN where you’re planning to run Harbor on (e.g. harbor.<your-domain>). Both port 80 and 443 should be available for Harbor, but also for Let’s Encrypt certificate requests. If port 80 is open and available, you can request a certificate:
sudo certbot certonly --standalone -d harbor.<your-domain>
Certbot will spin up a temporary webserver that will serve authentication purposes for Let’s Encrypt. The private key and certificate will be saved to your system to /etc/live/harbor.<your-domain>/fullchain.pem and /etc/live/harbor.<your-domain>/privkey.pem. You will need these values later in the process.
Now download the Harbor installation files to your system and extract the installer (check the Harbor release page for the current latest version):
wget https://github.com/goharbor/harbor/releases/download/v2.10.2/harbor-online-installer-v2.10.2.tgz tar xvzf harbor-online-installer-v2.10.2.tgz
Now we need to configure the harbor.yml with some settings:
hostname: harbor.<your-domain> https.certificate: /etc/live/harbor.<your-domain>/fullchain.pem https.private_key: /etc/live/harbor.<your-domain>/privkey.pem harbor_admin_password: 2@W2b5v#D7U&pewXqw^K #think of a strong password and change it after logging on database.password: b$&Bi326rHmW%wVXPnm2 #think of a strong password yourself
We’ll keep defaults in this example for the remaining settings.
Now start Harbor using:
sudo docker-compose up -d
Harbor should now be available at the URL you’ve configured. Logon on using the password in your harbor.yml file, and update your initial password immediately.
Create a public repository and upload TMC-SM files
Next step is to create a public repository (project) on your Harbor registry:
Note: my repo is called tmc-sm and not tmc-self-managed.
Now download the TMC-SM from the VMware website, the installation are available on Customer Connect.
You will need a Linux jumphost to extract the files and upload the files the Harbor. Extract the downloaded file:
mkdir tanzumc tar -xf tmc-self-managed-1.2.0.tar -C ./tanzumc
Now it’s time to push the files to the Harbor instance:
tanzumc/tmc-sm push-images harbor --project harbor.<your-domain>/tmc-sm --username admin --password '<your-harbor-password>'
The upload might take a while depending on your internet connection speed. The result in Harbor will look similar like:
Deploy a TKG cluster, install Cert-Manager and setup DNS
You will need a TKG based K8S cluster to run TMC-SM, exact cluster requirements are documented here. vSphere 7 & 8 with Tanzu will works, as well as TKG 1.6 or 2.1 or newer. You need to install cert-manager to the Kubernetes cluster. I’ve deployed TMC-SM on K8S 1.26 using cert-manager 1.14 succesfully. Deploying the TKG Kubernetes cluster and installing cert-manager is out of scope for this blogpost.
On the Kubernetes cluster create the tmc-local namespace:
kubectl create ns tmc-local
Also, if you’re running Kubernetes 1.26 or newer you should create a privileged pod security policy:
kubectl label ns tmc-local pod-security.kubernetes.io/enforce=privileged
In regards to DNS configuration you can setup all required records, or configure the following DNS (wildcard) rules:
- A record: tmc.<your-domain>
- A wildcard record: *.tmc.<your-domain>
I’ve setup these two records for my setup.
Setup Okta as an identity provider
You will need an identity provider to manage authentication & authorisation. There are several options available, including OIDC, AD and OpenLDAP. Configuration of Okta is out of scope for this blogpost, but I recommend to check out this post that elaborates on the configuration of OKTA. An OKTA developer account is available for free for testing and demoing purposes.
Setup TLS
For setting signed TLS certificates you have two options:
- Using a Cluster Issuer on cert-manager
- Importing certificates
Although using a Cluster Issuer is the simpler way, I am importing the certificates (because I am not able to use a AWS Route53 based Cluster Issuer in my environment).
To request certificates for TMC-SM I am using the same method as for the Harbor certificates (certbot). Because wildcard certificates are required, we need to use DNS based authentication with Let’s Encrypt. This requires certbot to interact with Route53 DNS, this can be done through installing the Route53 plugin for certbot:
sudo snap set certbot trust-plugin-with-root=ok sudo snap install certbot-dns-route53
We need to setup an access key and necessary permissions following this documentation. The result you have a AWS Access Key + Secret, linked to a user in AWS that is able to interact with Route53. The Access Key and Secret should be made accessible to certbot, for example through a the file /root/.aws/config (as described in the documentation).
[default] aws_access_key_id=AKIAIOSFODNN7EXAMPLE aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Now request the certificate with
sudo certbot certonly --dns-route53
The required domain names you should enter are:
tmc.<yourdomain> *.tmc.<yourdomain> *.s3.tmc.<yourdomain>
The certificates are saved to /etc/live/tmc.<your-domain>/fullchain.pem and /etc/live/tmc.<your-domain>/privkey.pem
You will need the contents of these certificates to create the following secrets on the K8S cluster where you’re installing TMC-SM to:
kubectl create secret tls server-tls --key=privkey.pem --cert=fullchain.pem -n tmc-local kubectl create secret tls landing-service-tls --key=privkey.pem --cert=fullchain.pem -n tmc-local kubectl create secret tls minio-tls --key=privkey.pem --cert=fullchain.pem -n tmc-local kubectl create secret tls pinniped-supervisor-server-tls --key=privkey.pem --cert=fullchain.pem -n tmc-local kubectl create secret tls stack-tls --key=privkey.pem --cert=fullchain.pem -n tmc-local kubectl create secret tls tenancy-service-tls --key=privkey.pem --cert=fullchain.pem -n tmc-local
These secrets are created in the tmc-local namespace you’ve created previously.
Now we need to configure the values.yaml for the TMC-SM installation. For this specific situation, the file will look like this. Important parts are:
- certificateImport: true
- Put the (Let’s Encrypt) CA certificate under trustedCAs.my-ca.pem
Now it’s time to first add your Harbor repository to the tmc-local namespace:
tanzu package repository add tanzu-mission-control-packages --url "harbor.<your-domain>/tmc-sm/package-repository:1.2.0" --namespace tmc-local
And then install TMC-SM (finally!):
tanzu package install tanzu-mission-control -p "tmc.tanzu.vmware.com" --version "1.2.0" --values-file "values.yaml" --namespace tmc-local
Now run
kubectl get service -n tmc-local contour-envoy
To learn the IP address where TMC-SM is available and update your DNS records (tmc.<your-domain> *.tmc.<your-domain>).
Now wait and sit while TMC-SM installs. If everything goes as expected you have an instance TMC-SM available ready for use :).
Good luck, I hope this was useful!