TKG v1.4 LDAP (Active Directory) integration with Pinniped and Dex

LDAP integration with Pinniped and Dex is a topic that I have written about before, particularly with TKG v1.3. However, recently I had reason to deploy TKG v1.4 and noticed some nice new enhancements around LDAP integration that I thought it worthwhile highlighting. One is the fact that you no longer need to have a web browser available in the environment where you are configuring LDAP credentials, which was a requirement in the previous version. In this post, I will deploy a TKG v1.4 management cluster on vSphere. This environment uses the NSX ALB to provide IP addresses for both…

Some useful tips when deploying TKG in an air-gap environment

Recently I have been looking at deploying Tanzu Kubernetes Grid (TKG) in air-gapped or internet restricted environments. Interestingly, we offer different procedures for TKG v1.3 and TKG v1.4. In TKG v1.3, we pull the TKG images one at a time from the external VMware registry, and immediately push them up to an internal Harbor registry. In TKG v1.4, there is a different approach whereby all the images are first downloaded (in tar format) onto a workstation that has internet access. These images are then securely copied to the TKG jumpbox workstation, and from there, they are uploaded to the local…

A first look at Network Policies in Tanzu Mission Control

Some time back, I wrote a blog post about how to use the network policies available with the Antrea CNI (Container Network Interface). In that post we looked at how to create a simple network policy to prevent communication between pods in a Tanzu Kubernetes cluster, based on pod selectors / labels. We stood up a simple web server and a standalone pod, and showed how the pod could access the web server when no network policies were in place. We then proceeded to create a network policy that only allowed pods to communicate with each other if the pod…

Securing application Ingress access on TKG v1.4 with Cert Manager and Contour

In this article, I will walk through the steps involved in securing application Ingress access on TKG v1.4. To achieve this, I will use 2 packages that are available with TKG v1.4, Cert Manager and Contour. We will deploy a sample application, kuard (Kubernetes Up and Running demo), and show how we can use these packages to automatically generate certificates to establish trust between our client (browser) and the application (kuard), which will be accessed via an Ingress. For the purposes of this article, I will create my own local Certificate Authority. If you have access to a valid…

Configuring Tanzu Kubernetes with a Proxy (Squid)

In this post, I am going to show how I set up my Tanzu Kubernetes Grid management cluster using a proxy configuration. I suspect this may be something many readers might want to try at some point, for various reasons. I will add a caveat to say that I have done the bare minimum to get this configuration to work, so you will probably want to spend far more time than I did on tweaking and tuning the proxy configuration. At the end of the day, the purpose of this exercise is to show how a TKG bootstrap virtual machine…

TKG v1.4 Prometheus + Grafana Package Deployment: package reconciliation failed

I was recently running through the exercise of deploying the Cert Manager, Contour (+ Envoy Ingress), Prometheus and Grafana packages available with TKG v1.4, just to see what steps were involved in setting up a full monitoring stack for my TKG cluster. This was a TKG deployment to vSphere, using the NSX Advanced Load Balancer for Load Balancer functionality. You can read about the new enhancements around the NSX ALB and TKG v1.4 here. Honestly, it is pretty straightforward, with some detailed documentation on the topic available here. Everything was plain sailing until I tried to deploy the Grafana package with,…

Cleaning up NSX ALB (Avi) Pool when referred to by L4PolicySet

I’ve been using the NSX Advanced Load Balancer for many of my experiments in the lab. Sometimes I build configurations that do not work correctly, especially around TKG. From time to time, I find that my TKG management cluster does not stand up successfully, and so I have to manually clear it down and start over. From time to time, this has left my NSX ALB with some objects that also need to be manually cleaned up. While I can delete Virtual Services and Virtual IP Addresses with ease in the NSX ALB portal/UI, I am sometimes left in a…