Step 2B: Deploy a VMware Tanzu™ Community Edition managed cluster
In this step, the goal is to install a managed TCE cluster.
VMware Tanzu™ Community Edition supports the following infrastructure providers for managed clusters:
- AWS
- Azure
- Docker
- vSphere
TCE offers a UI for setting up all the different parameters needed.
Preparing the OpenID Connect (OIDC) authentication
Before creating the cluster, you need to set up an OIDC provider that Kubernetes will use to authenticate requests.
This tutorial covers configuring Google Identity Platform as the OIDC provider, but there are more options for using an OAuth2/OIDC provider with Kubeapps.
Setting up the Google credentials client
You can use an OAuth 2.0 client. Create a new “Web Application” client following these steps.
At the end of this section, you should have:
- Issuer URL: The IP or DNS address of the OIDC server. In this case, it might be https://accounts.google.com.
- Client ID: The client_id value that you obtain from your OIDC provider.
- Client Secret: The secret value that you obtain from your OIDC provider.
- Scopes: A comma-separated list of additional scopes to request in the token response.
- Username Claim: The name of your username claim. This is used to set a user’s username in the JSON Web Token (JWT) claim.
- Groups Claim: The name of your groups claim. This is used to set a user’s groups from the JWT claim.
This information is used both to set up the Kubernetes cluster and, in a later step, to configure Kubeapps, so that both use Google as the identity provider.
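Before typing the values above into the installer UI, it is worth checking them for the mistakes that most often break OIDC login later (a non-https issuer, a trailing slash that no longer matches the token's iss claim, empty claims, badly formatted scopes). The script below is an added example and is not part of the Kubeapps documentation or the TCE installer; the placeholder client ID and secret are constructed, and the rendering as kube-apiserver flags is only for review (the standard Kubernetes OIDC flags carry the same values; the TCE installer wires them into the cluster its own way).

```shell
#!/bin/sh
# Added example (not part of the Kubeapps documentation): sanity-check the OIDC
# values gathered above before entering them in the TCE installer UI.
# All values below are constructed placeholders, not real credentials.

OIDC_ISSUER_URL="https://accounts.google.com"
OIDC_CLIENT_ID="placeholder-client-id.apps.googleusercontent.com"  # placeholder
OIDC_CLIENT_SECRET="placeholder-client-secret"                      # placeholder
OIDC_SCOPES="email,profile"
OIDC_USERNAME_CLAIM="email"
OIDC_GROUPS_CLAIM="groups"

# validate_oidc_config ISSUER CLIENT_ID CLIENT_SECRET SCOPES USERNAME_CLAIM GROUPS_CLAIM
# Prints every problem found; returns 1 if there is any, 0 otherwise.
validate_oidc_config() {
  issuer=$1; client_id=$2; client_secret=$3; scopes=$4; user_claim=$5; groups_claim=$6
  rc=0
  # Kubernetes only trusts issuers reachable over TLS, so the URL must be https.
  case "$issuer" in
    https://*) ;;
    *) echo "issuer URL must start with https://: $issuer"; rc=1 ;;
  esac
  # The issuer must match the token's "iss" claim byte for byte; a trailing
  # slash is the most common way to get that wrong.
  case "$issuer" in
    */) echo "issuer URL must not end with a slash: $issuer"; rc=1 ;;
  esac
  [ -n "$client_id" ]     || { echo "client ID is empty"; rc=1; }
  [ -n "$client_secret" ] || { echo "client secret is empty"; rc=1; }
  [ -n "$user_claim" ]    || { echo "username claim is empty"; rc=1; }
  [ -n "$groups_claim" ]  || { echo "groups claim is empty"; rc=1; }
  # Scopes are a comma-separated list: no spaces and no empty entries.
  case "$scopes" in
    *" "*) echo "scopes must be comma-separated without spaces: $scopes"; rc=1 ;;
  esac
  case ",$scopes," in
    *,,*) [ -z "$scopes" ] || { echo "scopes contain an empty entry: $scopes"; rc=1; } ;;
  esac
  return $rc
}

# apiserver_oidc_flags ISSUER CLIENT_ID USERNAME_CLAIM GROUPS_CLAIM
# Renders the same values as the standard kube-apiserver OIDC flags, for review.
# The client secret is intentionally absent: the API server only verifies
# tokens and never needs it.
apiserver_oidc_flags() {
  printf '%s %s %s %s\n' \
    "--oidc-issuer-url=$1" "--oidc-client-id=$2" \
    "--oidc-username-claim=$3" "--oidc-groups-claim=$4"
}

if validate_oidc_config "$OIDC_ISSUER_URL" "$OIDC_CLIENT_ID" "$OIDC_CLIENT_SECRET" \
     "$OIDC_SCOPES" "$OIDC_USERNAME_CLAIM" "$OIDC_GROUPS_CLAIM"; then
  echo "OIDC values are consistent; as kube-apiserver flags they would read:"
  apiserver_oidc_flags "$OIDC_ISSUER_URL" "$OIDC_CLIENT_ID" "$OIDC_USERNAME_CLAIM" "$OIDC_GROUPS_CLAIM"
fi
```

Replace the placeholder variables with the values from your own OAuth client; the script never sends the secret anywhere, it only checks that it is present.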
Deploying the cluster
Initialise the Tanzu Community Edition installer UI to spin up a management cluster.
tanzu management-cluster create --ui
Choose your infrastructure provider and follow the wizard steps in the UI. For more information, visit the official TCE documentation on cluster deployment.
The OIDC data obtained in the previous section must be entered in the UI during this step.
Once the management cluster is created, validate that it started successfully.
tanzu management-cluster get
The output should be similar to the following:
NAME          NAMESPACE   STATUS   CONTROLPLANE  WORKERS  KUBERNETES        ROLES       PLAN
kubeapps-tce  tkg-system  running  1/1           1/1      v1.22.8+vmware.1  management  dev

Details:

NAME                                                            READY  SEVERITY  REASON  SINCE  MESSAGE
/kubeapps-tce                                                   True                     3m37s
├─ClusterInfrastructure - AWSCluster/kubeapps-tce               True                     3m42s
├─ControlPlane - KubeadmControlPlane/kubeapps-tce-control-plane True                     3m37s
│ └─Machine/kubeapps-tce-control-plane-n9bbs                    True                     3m42s
└─Workers
  └─MachineDeployment/kubeapps-tce-md-0                         True                     3m54s
    └─Machine/kubeapps-tce-md-0-95787cb65-gfnkz                 True                     3m42s

Providers:

NAMESPACE                          NAME                   TYPE                    PROVIDERNAME  VERSION  WATCHNAMESPACE
capa-system                        infrastructure-aws     InfrastructureProvider  aws           v1.2.0
capi-kubeadm-bootstrap-system      bootstrap-kubeadm      BootstrapProvider       kubeadm       v1.0.1
capi-kubeadm-control-plane-system  control-plane-kubeadm  ControlPlaneProvider    kubeadm       v1.0.1
capi-system                        cluster-api            CoreProvider            cluster-api   v1.0.1
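Reading the status table by eye is fine once, but if the cluster is created from a pipeline you want a scripted gate that refuses to continue unless the summary row says running and every component in the Details section is ready. The following is an added example, not part of the Kubeapps or TCE documentation: it parses the output format shown above (embedded here as a constructed copy so the check runs without a cluster) and returns non-zero when anything is not ready.

```shell
#!/bin/sh
# Added example (not part of the Kubeapps documentation): a readiness gate that
# parses `tanzu management-cluster get` output. SAMPLE_OUTPUT is a constructed
# copy of the output shown in the tutorial; in a pipeline you would pass
# "$(tanzu management-cluster get)" instead.

SAMPLE_OUTPUT='NAME          NAMESPACE   STATUS   CONTROLPLANE  WORKERS  KUBERNETES        ROLES       PLAN
kubeapps-tce  tkg-system  running  1/1           1/1      v1.22.8+vmware.1  management  dev

Details:

NAME                                                            READY  SEVERITY  REASON  SINCE  MESSAGE
/kubeapps-tce                                                   True                     3m37s
├─ClusterInfrastructure - AWSCluster/kubeapps-tce               True                     3m42s
├─ControlPlane - KubeadmControlPlane/kubeapps-tce-control-plane True                     3m37s
│ └─Machine/kubeapps-tce-control-plane-n9bbs                    True                     3m42s
└─Workers
  └─MachineDeployment/kubeapps-tce-md-0                         True                     3m54s
    └─Machine/kubeapps-tce-md-0-95787cb65-gfnkz                 True                     3m42s

Providers:

NAMESPACE                          NAME                   TYPE                    PROVIDERNAME  VERSION  WATCHNAMESPACE
capa-system                        infrastructure-aws     InfrastructureProvider  aws           v1.2.0
capi-system                        cluster-api            CoreProvider            cluster-api   v1.0.1'

# cluster_status OUTPUT CLUSTER_NAME
# Prints the STATUS column of the cluster's summary row (the first row whose
# NAME equals the cluster name; Details rows start with "/" so they never match).
cluster_status() {
  printf '%s\n' "$1" | awk -v name="$2" '$1 == name { print $3; exit }'
}

# details_counts OUTPUT
# Prints "<ready> <not_ready>": how many Details rows carry READY=True and how
# many carry False or Unknown. Only the block between "Details:" and
# "Providers:" is inspected; group rows such as "└─Workers" have no READY
# value and are simply skipped.
details_counts() {
  printf '%s\n' "$1" | awk '
    /^Details:/   { in_details = 1; next }
    /^Providers:/ { in_details = 0 }
    in_details {
      for (i = 1; i <= NF; i++) {
        if ($i == "True") ready++
        if ($i == "False" || $i == "Unknown") not_ready++
      }
    }
    END { printf "%d %d\n", ready, not_ready }'
}

# cluster_is_healthy OUTPUT CLUSTER_NAME
# Returns 0 only if STATUS is "running", at least one Details row is ready and
# no Details row is False or Unknown.
cluster_is_healthy() {
  out=$1; name=$2
  status=$(cluster_status "$out" "$name")
  set -- $(details_counts "$out")
  ready=$1; not_ready=$2
  [ "$status" = "running" ] && [ "$ready" -ge 1 ] && [ "$not_ready" -eq 0 ]
}

if cluster_is_healthy "$SAMPLE_OUTPUT" kubeapps-tce; then
  echo "management cluster kubeapps-tce is running and all components are ready"
else
  echo "management cluster kubeapps-tce is not ready yet" >&2
  exit 1
fi
```

The awk program compares whole whitespace-separated fields, so the tree-drawing characters in the NAME column and the varying number of columns per row do not matter; a row is counted as not ready only if one of its fields is literally False or Unknown.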
Capture the management cluster’s kubeconfig:
tanzu management-cluster kubeconfig get kubeapps-tce --admin
and select the cluster context to be used with kubectl:
kubectl config use-context kubeapps-tce-admin@kubeapps-tce
Unlike unmanaged clusters, the TCE packages catalog is not added by default to managed clusters. In order to add it, run:
tanzu package repository add tce-repo --url projects.registry.vmware.com/tce/main:0.12.0 --namespace tanzu-package-repo-global
The outcome of the actions above is a managed TCE cluster running on your preferred infrastructure provider. From this management cluster, new workload clusters can be spun up and attached to it.
For the sake of simplicity, this tutorial only uses a single management cluster with no attached workload clusters, but note that this is not a recommended strategy for production setups.
For further information on how to create TCE workload clusters, please check the official documentation.
Continue the tutorial by preparing the Kubeapps deployment.