Tanzu Kubernetes Grid (TKG) Demo Appliance 1.2.1

01/05/2021 by William Lam 2 Comments

Check out the newest release of the Tanzu Kubernetes Grid (TKG) Demo Appliance Fling which includes the following new features:

  • Support for the latest TKG 1.2.1 release
  • Support for TKG Workload Cluster upgrade workflow from Kubernetes v1.18.10 to v1.19.3
  • Updated embedded Harbor to use a self-signed TLS certificate

One of the biggest features I was excited for in the new TKG 1.2.1 release was support for an external container registry that was configured with a self-signed TLS certificate. Previously, TKG only supported container registries that were configured with a trusted CA-signed certificate, and that made it difficult for proof of concept/testing but also for environments that were air-gapped.

With previous releases of the TKG Demo Appliance, a valid TLS certificate was acquired from Let's Encrypt (LE) with the help of my good friend Ryan Johnson who owns the domain rainpole.io. The one downside to LE-based certificates is the short expiry period, which is every 90 days. This meant that any TKG Demo Appliance deployed after the expiry would stop functioning due to the certificate no longer being valid. Although I have been able to manage this by updating the appliance roughly every 90 days, usually in conjunction with a new release of TKG, it was less than ideal.

In TKG 1.2.1, users can now configure TKG to use a self-signed TLS certificate for an external registry by using the following two variables within the TKG config.yaml file:

  • TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY: false
  • TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE: base64 encoding of ca.crt

Note: If you are passing in the base64 encoding of the CA certificate, TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY must be set to false

For those interested in generating the base64 encoding using the command-line, you can use the base64 utility:

Linux:

cat ca.crt | base64 -w 0

macOS:

cat ca.crt | base64

Note: On Linux, it looks like the base64 utility line-wraps by default, which you need to disable. On macOS, this does not happen.

After deploying the TKG Demo Appliance, you can now see that the embedded Harbor registry is configured with our self-signed TLS certificate, which is not set to expire until 2030. That should be plenty of time 😉

Another benefit of the TKG Demo Appliance is that it has been built to be air-gapped out of the box. This is useful for anyone who does not have direct internet access, which is required for TKG unless you set up your own registry, and that is already taken care of for you with the appliance.
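The encoding step above can be made identical on Linux and macOS and checked before the value goes into config.yaml. The script below is an added example, not code from the original post or from TKG: the function names are hypothetical, and the sample CA file is a constructed PEM-shaped placeholder rather than a real certificate.

```shell
#!/bin/sh
# Added example (not from the original post): build the two TKG config.yaml
# registry lines from a CA file. Function names are hypothetical.

# Encode a PEM CA file as ONE base64 line on both Linux and macOS.
# Deleting newlines with tr avoids depending on the GNU-only "-w 0" flag.
encode_ca() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" ||
    { echo "not a PEM certificate: $1" >&2; return 1; }
  base64 < "$1" | tr -d '\n'
}

# Check a candidate value: it must be a single line and must decode back to
# exactly the bytes of the CA file ($1 = value, $2 = path to ca.crt).
verify_ca_value() {
  [ "$(printf '%s' "$1" | wc -l | tr -d ' ')" = 0 ] ||
    { echo "value is line-wrapped" >&2; return 1; }
  printf '%s' "$1" | base64 --decode | cmp -s - "$2"
}

# Print the config.yaml lines; TLS verification stays on (false), as the
# post's note requires when a CA certificate is supplied.
emit_tkg_registry_config() {
  ca_b64=$(encode_ca "$1") || return 1
  verify_ca_value "$ca_b64" "$1" || return 1
  printf 'TKG_CUSTOM_IMAGE_REPOSITORY_SKIP_TLS_VERIFY: false\n'
  printf 'TKG_CUSTOM_IMAGE_REPOSITORY_CA_CERTIFICATE: %s\n' "$ca_b64"
}

# Constructed sample: PEM-shaped placeholder, NOT a real certificate.
make_sample_ca() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTEDSAMPLENOTAREALCERTIFICATECONSTRUCTEDSAMPLENOTAREALCER
CONSTRUCTEDSAMPLENOTAREALCERTIFICATECONSTRUCTEDSAMPLENOTAREALCER
-----END CERTIFICATE-----
EOF
}

# Demo run against the constructed sample.
sample=$(mktemp)
make_sample_ca "$sample"
emit_tkg_registry_config "$sample"
rm -f "$sample"
```

For a real ca.crt, `openssl x509 -in ca.crt -noout -subject -enddate` confirms which certificate is being trusted and when it expires before you encode it.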


Comments

  1. diabolic53 says

    01/06/2021 at 5:30 am

    can't download, get redirected ….

  2. Roy Bales says

    01/22/2021 at 5:46 am

    [email protected] [ ~/.kube-tkg/tmp ] # kubectl describe pods cert-manager-74c876585c-hvx2d -n cert-manager --kubeconfig config_BBDCUjV6
    …
    Failed to pull image "registry.rainpole.io/library/cert-manager/cert-manager-controller:v0.16.1_vmware.1": rpc error: code = Unknown desc = failed to pull and unpack image "registry.rainpole.io/library/cert-manager/cert-manager-controller:v0.16.1_vmware.1": failed to resolve reference "registry.rainpole.io/library/cert-manager/cert-manager-controller:v0.16.1_vmware.1": get TLSConfig for registry "https://registry.rainpole.io": failed to load CA file: open /etc/containerd/tkg-registry-ca.crt: no such file or directory


Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Services Business Unit (CSBU) at VMware. He focuses on Automation, Integration and Operation for the VMware Cloud Software Defined Datacenters (SDDC)
