A Primer to throw a POC Party

1. 1
VMware Tanzu!
A Primer to throw a POC Party
Tanzu Basic:
vSphere7 Kubernetes with vDS
Vino Alex
Staff Cloud Native Architect
valex@vmware.com
linkedin.com/vinoalex

2. 2
Isolated Workloads Network
A WCP Cluster
● Can have multiple Workload Networks
● Needs to have at least One Workload Network
● The workload network to which Supervisor Cluster connected is called as “Supervisor Primary Workload
Network”
● Needs One Load Balancer
A WCP Namespace
● Needs to be assigned a Workload Network
● All Guest Clusters deployed to this Namespace will be connect to the DVPG referenced by this Workload
Network
● Draw IPs from this Workload Network’s Address Ranges
● Will be assigned the Supervisor Primary Workload Network if none specified.

3. 3
High Level Architecture

4. 4
Components & Roles
TKG Controller
● Performs TKC Cluster Config management
● Translate TanzuKubernetesCluster(TKC) specifications into Clusters and Machine resources that Core
Cluster API (CAPI) and Cluster API Provider WCP (CAPW) understands
CAPI & CAPW
● Perform Guest Cluster lifecycle management
● Break down Cluster and machine specifications into IaaS-layer resources that VM-Operator and
net-Operator understand.
● Dynamically selects network for Virtual Machines,Influenced by network assigned to WCP Namespace
spec.
VM-Operator
● Perform IaaS Resource Lifecycle Management(LCM)
● Actuates on CAPW Virtual Machine specifications to manage lifecycle of Virtual Machines on hosts.
● Requests a Network Interface for the Virtual Machine on the Network selected by CAPW.

5. 5
Key Network Components
net-operator
● New component in Supervisor that introduces declarative kubernetes APIs to create
provider-/vendor-agnostic networks and network interfaces,
● Manage provider-/vendor-agnostic loadbalancer virtual servers.
lbapi-operator
● New component in Supervisor. vendor-specific loadbalancer adapter. Manages HAProxy virtual server
configurations for the Supervisor & Guest Clusters.
● Actuates on the lb-vendor-agnostic resources that net-operator creates (derivative of
sigs.k8s.io/service-apis) into HAProxy virtual server configurations.
● Communicates with HAProxy DataPlane using credentials provided in the WCP LoadBalancer spec.

6. 6
Lab Network HLD

7. 7
vSphere Cluster Prerequisite

8. 8
Configure vSphere HA for the Cluster

9. 9
Enable vSphere DRS in the Cluster

10. 10
vDS PortGroup Configuration
frontend-pg - LB VIP Segment
(k8s user access)
wrkld-pg - Workload NW ( In this
case acting as Primary NW)
mgmt-pg - Management NW

11. 11
Configure Storage Policy

12. 12
Select Storage Configuration Option from the Menu

13. 13
Select the Datastore to Configure the Storage Policy and click
`Assign`

14. 14
Provide the Name for the Tag and Select the Storage Category

15. 15
VDS and PortGroup Configuration

16. 16
Enable Tag based Placement Rules

17. 17
Select the Tag based Placement and Browse for the
Assigned Tag

18. 18
Choose the `Assigned Tag`

19. 19
Select the Compatible Storage from the list

20. 20
Review the Configuration and Finish

21. 21
Choose `Policies and Profiles` Configuration from the Menu

22. 22
Select `VM Storage Policies`

23. 23
HAProxy Load Balancer Deployment & Configuration

24. 24
Download URL:
https://github.com/haproxytech/vmware-haproxy#download
Download the HAProxy OVA File

25. 25
Create a Content Library to Store HAProxy OVA

26. 26
Name the Content Library and Select the VC

27. 27
Configure as Local Content Library

28. 28
Select Storage for the Content Library

29. 29
Review the Configuration and Finish

30. 30
Import the Content to the Library

31. 31
Select the OVA file to Import

32. 32
Select `New Virtual Machine` option

33. 33
Choose Deploy from template

34. 34
Select the Template from the Content Library

35. 35
Name the haproxy VM

36. 36
Select the target vSphere Cluster

37. 37
Review the Compute Resource Details

38. 38
Accept the EULA

39. 39
Select the Network Deployment Configuration

40. 40
Select the Storage for haproxy VM

41. 41
Select the PortGroup for the LB Networks

42. 42
Provide the Credentials for the VM

43. 43
Management and Workload IP CIDR

44. 44
Provide Frontend Interface IP,GW, and Dataplane API Port
(Ref. Next slide for config 3.1 )

45. 45
Provide LB VIPs and Dataplane Access Creds

46. 46
Review the NW Parameters

47. 47
Post Deployment Power On the haproxy VM

48. 48
Linux AnyIP
In the deployment haproxy VM appliance is using Linux feature AnyIP to configure the Load
Balancer VIPs. The haproxy Appliance will consume all the IPs in VIP CIDR after the haproxy
VM Deployment.
After Power on the haproxy VM, you should be able to do ICMP Ping to all IPs in LB VIP CIDR.
( As per the ref. lab LB VIP CIDR is specified as 192.168.77.28/25. If you follow the guide, you
should be able to `ping` to any of the IPs in the range `192.168.77.129-192.168.77.254`.
Linux Kernel AnyIP
● The AnyIP feature of the Linux kernel allows you to bind a complete IPv4 or IPv6 subnet to your
system.
● Instead of adding all addresses manually to the kernel you can tell it to bind a complete subnet.
eg:IPv4:ip -4 route add local 192.168.77.28/25 dev lo

49. 49
Workload Management

50. 50
Select Workload Management from the VCenter Menu

51. 51
Start the Workload Configuration Workflow

52. 52
Select the VC and Network Type

53. 53
Select the Compatible vSphere Cluster

54. 54
Pick the Compute Resource Requirements for the Control
Plane VMs

55. 55
Select the Datastore Policy to Deploy Supervisor Control
Plane VMs

56. 56
Input the LB Type, Data Plane Config. Creds, LB VIP Range
and LB Certificate Authority
To get the Server Certificate
Authority, SSH into the `haproxy`
appliance using the `root`
credentials and run the command
`cat /etc/haproxy/ca.crt`.
LB VIP range

57. 57
Provide the Management NW Config, and Starting IP for the
Supervisor Control Plane VMs Management Network
Please note , Supervisor Control
Plane VMs, consume Five
Consecutive IPs start from the
Starting IP Address allocate to its
Management Network Interfaces.
You may plan the `Starting IP`
accordingly.

58. 58
Input IP CIDR for the Supervisor Cluster Component
Services,DNS Servers and Click to add Workload NW

59. 59
Name the Network, Configure IPs for the Virtual Servers
(Supervisor Cluster Workload NIC and TKC Nodes)

60. 60
Validate the Workload Network

61. 61
Add Content Library for the Workload Node Templates

62. 62
Choose the Content Library For the TKC Cluster Nodes
You may note that, in the lab
scenario the Content Library
for the TKC Nodes is not yet
configured. You may choose
the Content Library for
`haproxy` (as a
placeholder)and modify it
later while configuring the
Namespaces. You could also
Create a Content Library and
Subscribe the TKC Node
OVA templates prior to this
step. (Ref. TKC Deploy
Session)

63. 63
Review the Workload Configuration

64. 64
Watch the Provisioning Progress of the Supervisor
Cluster

65. 65
Once Config. Status becomes `Running`, note the Control Plane
Node IP.

66. 66
Login & Verify the Cluster

67. 67
Access the Controller Node IP [https://<controller node ip>]
& Download the Kubernetes CLI Tools

68. 68
Extract the CLI Tools (kubectl and kubectl-vsphere plugin)
and Place in the Executable Path of the Workstation.

69. 69
Log into the Supervisor Cluster using VCenter SSO Credentials

70. 70
Switch to the Cluster Context

71. 71
Verify the Nodes and Pods of the WCP Cluster

72. 72
Verify the Nodes and Pods of the Cluster

73. 73
Deploy TKG Cluster

74. 74
Create a New Content Library for TKC Node Templates

75. 75
Subscribe the OVA Contents for TKC Nodes

76. 76
Select the Storage for the Contents Library

77. 77
Finish & Wait for the Contents to Sync.

78. 78
Create a Namespace in the Cluster to Deploy TKC

79. 79
Select the Cluster to Create the Namespace

80. 80
Add User,Identity Source and Permissions to the
Namespace
You could also define the
Resources for the
Namespace. It is the most
important `value proposition`
of the Namespace Object of
the WCP Cluster. The
Namespace helps vSphere
admins to enforce the
desired Resource Quote as
well as Security Model and
allocate it to the Dev. users.

81. 81
Select the Storage Policy for the Namespace

82. 82
Manage the Content Library for the Namespace

83. 83
Verify the Virtual Machine Classes & Storage Class

84. 84
Prepare the Tanzu Kubernetes Cluster (TKC) Manifest

85. 85
Create Tanzu Kubernetes Cluster

86. 86
Watch the Events in the Name Space

87. 87
Wait till the TKC Status Change to `running`

88. 88
Workload Cluster ‘vds’ Topology

89. 89
Log into the TKC Using the vSphere SSO Credentials

90. 90
Switch to the TKC Context

91. 91
Create a Namespace,ClusterRoleBinding,Deployment
and Service in the TKC

92. 92
Identify the External IP for the Service and the Port

93. 93
Check the Test App (Access it using the External IP and Port)

94. 94
review the LB Configuration. `cat
/etc/haproxy/haproxy.cfg`

95. VMware Tanzu
#buildthefuture
9
5
Thank You
BUILD THE FUTURE