Tanzu Mission Control & VMware Cloud Director Tech Preview Community

 View Only

Terminal commands from the Installation Guide 

Jul 17, 2023 08:15 PM

Introduction

The Installation Guide includes console commands to install prerequisites, prepare clusters and install Tanzu Mission Control Self-Managed. Some of these commands are lengthy and are not easy to copy-paste out of the PDF document. This article provides a duplicate form of these commands so it is easier to follow along with the Installation Guide.

This article does not include every step. Be sure to follow the Installation Guide and refer back to this article for complex commands.

Deploy Installer VM

# tdnf install -y git jq openssl-c_rehash tar unzip
# curl -L --output /usr/local/bin/kubectl \
https://dl.k8s.io/release/v1.23.10/bin/linux/amd64/kubectl && chmod +x /usr/local/bin/kubectl
# curl -L https://github.com/carvel-dev/kapp-controller/releases/download/v0.46.1/kctrl-linux-amd64 -o /tmp/kctrl && install /tmp/kctrl /usr/local/bin && rm /tmp/kctrl

Increase the capacity of /tmp to hold images prior to upload
# umount /tmp && mount -t tmpfs -o size=10G tmpfs /tmp

Mount the solution ISO to the Installer VM
# sed -i '/\/mnt\/cdrom/d' /etc/fstab
# mount /dev/sr0 /mnt/cdrom -t udf -o ro

Create a self-signed certificate authority

# openssl req -x509 -sha256 -days 1825 -newkey rsa:2048 \
-keyout $HOME/rootCA.key -out $HOME/rootCA.crt \
-nodes -extensions v3_ca \
-subj "/C=US/ST=CA/L=Palo Alto/O=CompanyName/OU=OrgName/CN=TMC-SM VCD Tech Preview Issuing CA"

# ls rootCA.*

Deploy Harbor

Configure certificates
# export KUBECONFIG=$PWD/kubeconfig-harbor.txt

# kubectl create secret tls -n cert-manager selfsigned-ca-pair \
--cert=$HOME/rootCA.crt --key=$HOME/rootCA.key

# cat <<EOF | kubectl apply -f -

{
"apiVersion": "cert-manager.io/v1",
"kind": "ClusterIssuer",
"metadata": {
"name": "selfsigned-ca-clusterissuer"
},
"spec": {
"ca": {
"secretName": "selfsigned-ca-pair"
}
}
}
EOF
Deploy Contour and Harbor
1. Set environment variables with configuration values.
# IP address to associate with the Load Balancer for Harbor
export HARBOR_LOAD_BALANCER_IP="10.11.12.13"

# Desired hostname for the Harbor service. This must be configured to point to the IP
# address above.
export HARBOR_HOSTNAME="harbor.${HARBOR_LOAD_BALANCER_IP}.**bleep**.io"

# This will be used as the initial password for the “admin” user
export HARBOR_ADMIN_PASSWORD="AdminPassword"
2. Prepare a values file for the Contour installation
# cat <<EOF > contour-packageinstall-values.yaml
envoy:
service:
type: LoadBalancer
loadBalancerIP: ${HARBOR_LOAD_BALANCER_IP}
EOF
3. Deploy Contour using the Tanzu package
# kctrl package install \
-i contour \
-n tanzu-system \
--package contour.tanzu.vmware.com \
--version 1.20.2+vmware.2-tkg.1 \
--values-file contour-packageinstall-values.yaml
4. Create a certificate for the Harbor services using the ClusterIssuer resource
# kubectl create ns tanzu-system-registry

# cat <<EOF | kubectl apply -f -
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ${HARBOR_HOSTNAME}
namespace: tanzu-system-registry
spec:
secretName: ${HARBOR_HOSTNAME}-tls

duration: 8760h # 365d
renewBefore: 720h # 30d
subject:
organizations:
- MyOrgName
isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- server auth
- client auth
dnsNames:
- ${HARBOR_HOSTNAME}
ipAddresses:
- ${HARBOR_LOAD_BALANCER_IP}
issuerRef:
name: selfsigned-ca-clusterissuer
kind: ClusterIssuer
group: cert-manager.io
EOF
5. Prepare a values file for the Harbor installation
# cat <<EOF > harbor-packageinstall-values.yaml
secretKey: $(head -1 /dev/random | base64 | head -c 16)
core:
secret: $(head -1 /dev/random | base64 | head -c 16)
xsrfKey: $(head -1 /dev/random | base64 | head -c 32)
jobservice:
secret: $(head -1 /dev/random | base64 | head -c 16)
registry:
secret: $(head -1 /dev/random | base64 | head -c 16)
database:
password: $(head -1 /dev/random | base64 | head -c 16)
hostname: ${HARBOR_HOSTNAME}
harborAdminPassword: ${HARBOR_ADMIN_PASSWORD}
tlsCertificateSecretName: ${HARBOR_HOSTNAME}-tls
notary:
enabled: false
persistence:
persistentVolumeClaim:
registry:
size: 128Gi
EOF
6. Deploy Harbor using the Tanzu package
# kctrl package install \
-i harbor \
-n tanzu-system \
--package harbor.tanzu.vmware.com \
--version 2.6.1+vmware.1-tkg.1 \
--values-file harbor-packageinstall-values.yaml

Deploy TMC-SM for VCD

Configure certificates
# export KUBECONFIG=$PWD/kubeconfig-tmc.txt

# kubectl create secret tls -n cert-manager selfsigned-ca-pair \
--cert=$HOME/rootCA.crt --key=$HOME/rootCA.key

# cat <<EOF | kubectl apply -f -

{
"apiVersion": "cert-manager.io/v1",
"kind": "ClusterIssuer",
"metadata": {
"name": "selfsigned-ca-clusterissuer"
},
"spec": {
"ca": {
"secretName": "selfsigned-ca-pair"
}
}
}
EOF
Install the Solution Add-On
1. Set environment variables with the desired configuration settings.
export VCD_HOSTNAME=vcd.example.com
export VCD_USERNAME=administrator
export VCD_EXT_PASSWORD=password

export TMC_SM_INSTANCE_NAME=VALUE_REQUIRED
export TMC_SM_ENCRYPTION_KEY=MySuperSecretKeyThatIRemember

# Provide the Kubernetes cluster name for TMC deployment,
# e.g., tkgm-tmc-cluster
export TMC_SM_KUBE_CLUSTER_NAME=VALUE_REQUIRED

# Provide DNS zone to configure TMC endpoints, i.e., tmc.mydomain.com
export TMC_SM_DNS_ZONE=VALUE_REQUIRED

# Provide the Load balancer IP of Contour Envoy, i.e., 10.11.12.23. TMC DNS
# Zone should be mapped to this IP.
export TMC_SM_LOAD_BALANCER_IP=VALUE_REQUIRED

# Provide Harbor project path for pushing/pulling TMC packages during
# installation, i.e., harbor.mydomain.com/myproject
export TMC_SM_HARBOR_URL=harbor.slz.vcd.local/tmc

# Provide Harbor username for Basic authentication
export TMC_SM_HARBOR_USERNAME=robot\$tmc

# Provide Harbor password for Basic authentication
export VCD_EXT_INPUT_HARBOR_PASSWORD=VALUE_REQUIRED

# Provide the base64 encoded CA bundle in PEM format of the Harbor server.
# It is required if the Harbor server certificate is not signed by a
# well-known certificate authority.
export VCD_EXT_INPUT_HARBOR_CA_BUNDLE=$(cat $HOME/rootCA.crt | base64 -w0)

############
# Optional Settings
############

# Set MinIO root user name. Defaults to minioadmin.
export VCD_EXT_INPUT_MINIO_ROOT_USERNAME=

# Set MinIO root user password. If left blank, a random password will be
# generated. Format: no less than 8 chars, at least 1 digit, at least 1
# special char(@$!%*#.,-_=*), at least 1 letter, i.e., P@ssw0rd
export VCD_EXT_INPUT_MINIO_ROOT_PASSWORD=

# Set TMC's PostgreSQL password. If left blank, a random password will be
# generated. Format: no less than 8 chars, at least 1 digit, at least 1
# special char(@$!%*#.,-_=*), at least 1 letter, i.e., P@ssw0rd
export VCD_EXT_INPUT_POSTGRES_PASSWORD=S3cretPGP@ssw0rd

# Set the default Grafana admin user name. Defaults to admin.
export VCD_EXT_INPUT_GRAFANA_ADMIN_USERNAME=

# Set the default Grafana admin user password. If left blank, a random
# password will be generated. Format: no less than 8 chars, at least 1 digit,
# at least 1 special char(@$!%*#.,-_=*), at least 1 letter, i.e., P@ssw0rd
export VCD_EXT_INPUT_GRAFANA_ADMIN_PASSWORD=

# Sets the timeout in seconds for TMC installation. Defaults to 3600.
export VCD_EXT_INPUT_DEPLOY_TIMEOUT=3600
2. Load Harbor rootCA.crt
# cp $HOME/rootCA.crt /etc/ssl/certs/harbor.pem && rehash_ca_certificates.sh

# timeout 1 openssl s_client -quiet -verify_return_error ${HARBOR_HOSTNAME}:443
3. Download the VCD certificate to a file.
# /mnt/cdrom/linux.run get certificates --host $VCD_HOSTNAME \
--output /tmp/vcd.pem \
--accept
4. Configure VCD to trust the TMC-SM VCD Integration Solution Add-On.
# /mnt/cdrom/linux.run trust --host $VCD_HOSTNAME \
--username $VCD_USERNAME \
--certificate-file /tmp/vcd.pem \
--accept
5. Create the solution add-on instance.
# /mnt/cdrom/linux.run create instance --name $TMC_SM_INSTANCE_NAME \
--host $VCD_HOSTNAME \
--username $VCD_USERNAME \
--certificate-file /tmp/vcd.pem \
--encryption-key ${TMC_SM_ENCRYPTION_KEY} \
--input-kube-cluster-name=${TMC_SM_KUBE_CLUSTER_NAME} \
--input-cert-provider=cluster-issuer \
--input-cert-cluster-issuer-name=selfsigned-ca-clusterissuer \
--input-dns-zone=${TMC_SM_DNS_ZONE} \
--input-contour-envoy-load-balancer-ip=${TMC_SM_LOAD_BALANCER_IP} \
--input-harbor-url=${TMC_SM_HARBOR_URL} \
--input-harbor-username=${TMC_SM_HARBOR_USERNAME} \
--accept

Statistics
0 Favorited
0 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Related Entries and Links

No Related Resource entered.