Securing LDAP with TLS certificates using ClusterIssuer in TKG v1.4

Over the last month or so, I have looked at various ways of securing Tanzu Kubernetes Grid (TKG) clusters. One recent post covered the integration of LDAP through Dex and Pinniped so you can control who can access the the non-admin context of your TKG cluster. I’ve also looked at how TKG clusters that do not have direct access to the internet can use a HTTP/HTTPS proxy. Similarly,  I looked at some tips when deploying TKG in an air-gapped environment, pulling all the necessary images from our external image registry and pushing them to a local Harbor registry. In another…

TKG v1.4 LDAP (Active Directory) integration with Pinniped and Dex

LDAP integration with Pinniped and Dex is a topic that I have written about before, particularly with TKG v1.3. However, recently I had reason to deploy TKG v1.4 and noticed some nice new enhancements around LDAP integration that I thought it worthwhile highlighting. One is the fact that you no longer need to have a web browser available in the environment where you are configuring LDAP credentials which was a requirement is the previous version. In this post, I will deploy a TKG v1.4 management cluster on vSphere. This environment uses the NSX ALB to provide IP addresses for both…

Network Policies in Tanzu Mission Control revisited

Earlier this month, I had my first look at network policies in Tanzu Mission Control (TMC). This earlier post looked at a very simple network policy where I used a web server app, and showed how we could control access to it from other pods by using labels. In this post, I wanted to do something that is a bit more detailed. For the purposes of this test, I will use a pod based NFS server, and then control access to it from other pods who wish to mount the NFS file share from the server pod. I have already…

Securing application Ingress access on TKG v1.4 with Cert Manager and Contour

In this article, I will walk through the steps involved in securing application Ingress access on TKG v1.4. To achieve this, I will use 2 packages that are available with TKG v1.4, Cert Manager and Contour. We will deploy a sample application kuard – Kubernetes Up and Running demo, and show how we can use these packages to automatically generated certificates to establish trust between our client (browser) and the application (kuard) which will be accessed via an Ingress. For the purposes of this article, I will create my own local Certificate Authority. If you have access to a valid…

Configuring Tanzu Kubernetes with a Proxy (Squid)

In this post, I am going to show how I set up my Tanzu Kubernetes Grid management cluster using a proxy configuration. I suspect this may be something many readers might want to try at some point, for various reasons. I will add a caveat to say that I have done the bare minimum to get this configuration to work, so you will probably want to spend far more time than I did on tweaking and tuning the proxy configuration. At the end of the day, the purpose of this exercise is to show how a TKG bootstrap virtual machine…

Getting started with Carvel and tanzu packages in TCE

Hopefully many readers will have seen yesterdays announcement around Tanzu Community Edition, or TCE for short. I mentioned the fact that there are numerous community packages available in this new, free, open sourced version of Tanzu Kubernetes. Package management in TCE is achieved through a suite of tools bundled under the Carvel brand. In this post, I am going to describe some of the nuances around the deployment of these packages in a TCE cluster. There are 3 package components that need to considered when dealing with packages in  TCE. There are (1) the repository, (2) the package install resources…

Announcing Tanzu Community Edition from VMware

As we head into VMworld 2021 this week, there will be many announcements about new and updated VMware products and features. However, there is one that I want to bring to your attention. It is something that I have been directly involved in, in some small way, and that something is Tanzu Community Edition.  Tanzu Community Edition (sometimes referred to as TCE), is a free, open source Tanzu Kubernetes (TKG) distribution which has all of the same open source software found in our commercial editions of Tanzu. Personally, I find this to be a really cool announcement for a number…