---
title: Installing Tanzu Application Service for Kubernetes
owner: Tanzu Application Service Release Engineering
---
This topic describes how to install Tanzu Application Service for Kubernetes (TAS for Kubernetes)
from the VMware Tanzu Network and from a relocated image in a private container image registry.
## <a id='prerequisites'></a> Prerequisites
Before installing TAS for Kubernetes:
1. Ensure you have a [VMware Tanzu Network](https://network.pivotal.io/) account to use
to download container images from the VMware Tanzu Network Registry.
Ensure this account has a signed TAS for Kubernetes EULA.
1. Ensure that you have configured all of the required or recommended
installation resources by reviewing
[Configuring Installation Values](configuring-installation-values.html).
## <a id='install-tas-for-k8s'></a> Install TAS for Kubernetes
To install TAS for Kubernetes:
1. Follow the procedure appropriate for the configuration you created:
* [Install TAS for Kubernetes from the VMware Tanzu Network](#install-tas-for-k8s-from-network)
* [Install TAS for Kubernetes from a Private System Registry](#post-image-relocation)
<p class="note">
Installing TAS for Kubernetes takes approximately 15 minutes, depending on cluster resources and bandwidth.
</p>
1. [Configure DNS for Ingress Gateway](#post-installation-networking-configuration)
1. [Validate Your TAS for Kubernetes Installation](installing-tas-for-kubernetes.html#post-installation-configuration)
### <a id='install-tas-for-k8s-from-network'></a> Install TAS for Kubernetes from the VMware Tanzu Network
To install TAS for Kubernetes from the VMware Tanzu Network:
1. To validate your configuration, run the following:
```bash
kubectl cluster-info
```
Inspect the output. Ensure that your Kubernetes client configuration targets the intended cluster for installation.
1. Change directory into the `tanzu-application-service` directory.
1. To install TAS for Kubernetes, run the installation script:
```bash
./bin/install-tas.sh ../configuration-values
```
The command installs TAS for Kubernetes using the deployment values you generated previously.
### <a id='post-image-relocation'></a> Install TAS for Kubernetes from a Private System Registry
After uploading your TAS for Kubernetes images to the private registry,
you can install TAS for Kubernetes using a modified installation procedure.
To install TAS for Kubernetes:
1. Change directory to the `tanzu-application-service` directory.
1. To deploy TAS for Kubernetes using the images in the private registry:
* If your client has the private registry CA certificates:
```
ytt -f config \
-f ../configuration-values | \
kbld -f- -f relocated_images.yml > /tmp/final_deployment.yml
kapp deploy -a cf -f /tmp/final_deployment.yml
```
* If your client does not have the private registry CA certificates:
```
ytt -f config \
-f ../configuration-values | \
kbld -f- -f relocated_images.yml \
--registry-verify-certs=false > /tmp/final_deployment.yml
kapp deploy -a cf -f /tmp/final_deployment.yml
```
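Before running `kapp deploy`, it is worth confirming that every image reference in the rendered manifest points at the private registry. The following is an added example, not part of the TAS for Kubernetes tooling; the registry name `registry.example.internal/tas` and the sample manifest are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the TAS documentation): list image references in
# a rendered manifest that do not come from the private registry.

# $1 = manifest path, $2 = registry host with optional path prefix.
# Prints each offending reference once; returns 1 if any are found.
images_outside_registry() {
  sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' "$1" |
    tr -d "\"'" | sort -u |
    awk -v p="$2/" 'index($0, p) != 1 { print; bad = 1 } END { exit bad }'
}

# Constructed sample manifest: two relocated images and one that still
# points at a public registry. Digests are shortened placeholders.
manifest=$(mktemp)
cat > "$manifest" <<'EOF'
spec:
  containers:
  - image: registry.example.internal/tas/capi@sha256:1111
  - name: proxy
    image: "registry.example.internal/tas/envoy@sha256:2222"
  initContainers:
  - image: index.docker.io/library/busybox:1.31
EOF

# Against a real render, pass /tmp/final_deployment.yml and your registry.
images_outside_registry "$manifest" registry.example.internal/tas ||
  echo "do not deploy: the images listed above bypass the private registry"
```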
## <a id='post-installation-networking-configuration'></a> Configure DNS for Ingress Gateway
To configure DNS entries for the TAS for Kubernetes ingress gateway:
* If you intend to use a Kubernetes `LoadBalancer` service for the ingress gateway:
<br>
By default, TAS for Kubernetes does not create a Kubernetes `LoadBalancer` service
for the ingress gateway. Complete the following:
1. [Use a LoadBalancer Service for the Ingress Gateway](configuring-installation-values.html#adjust-installation-resources-networking)
1. [Configure DNS With a Kubernetes Load Balancer for Ingress Gateway](#post-installation-dns-with-k8s-lb)
<br>
* If you do not intend to use a Kubernetes `LoadBalancer` service for the ingress gateway:
<br>
To configure DNS, complete one of the following:
* If you are using an external load balancer for the ingress gateway:
[Configure DNS With an External Load Balancer for Ingress Gateway](#post-installation-dns-with-lb)
* If you are not using an external load balancer for the ingress gateway:
[Configure DNS Without a Load Balancer for Ingress Gateway](#post-installation-dns-no-lb)
### <a id='post-installation-dns-no-lb'></a> Configure DNS Without a Load Balancer for Ingress Gateway
This section describes how to configure your DNS
if you do not have an external load balancer to use for ingress and
have deployed TAS for Kubernetes without a Kubernetes LoadBalancer service
for the ingress gateway.
To set up your DNS records to establish ingress connectivity directly to the worker nodes:
1. To retrieve the list of existing worker nodes with their external IP addresses:
```
kubectl get node --selector='!node-role.kubernetes.io/master' -o wide
```
For example:
<pre class="terminal">
$ kubectl get node --selector='!node-role.kubernetes.io/master' -o wide
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP
5e329c31-f1d7-4548-936b-3a58d4b166d3 Ready \<none> 5h49m v1.15.5 10.85.87.133 10.85.87.133
a6ad3f07-787c-4d90-b8e1-032be34e9d7f Ready \<none> 5h43m v1.15.5 10.85.87.134 10.85.87.134
a8eb78a2-e3b4-4d8a-8c32-67bf0e13c0bf Ready \<none> 5h43m v1.15.5 10.85.87.135 10.85.87.135
af7dc8da-a7b0-4cf2-a940-c9248168e609 Ready \<none> 5h43m v1.15.5 10.85.87.136 10.85.87.136
cc6ef11f-e253-4553-9cb0-bebc7d958f64 Ready \<none> 5h42m v1.15.5 10.85.87.137 10.85.87.137
</pre>
1. Create a wildcard `A` record for the system domain in your DNS zone,
resolving to the set of external IP addresses for the worker nodes:
```
*.SYSTEM-DOMAIN
```
Where `SYSTEM-DOMAIN` is the system domain. Include the `*.` wildcard prefix so that all subdomains
of the system domain also resolve to the IP addresses.
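Because this record points clients straight at worker nodes, it needs to track the node set: a node missing from the record receives no ingress traffic, and an address left in the record after its node is removed sends traffic to whatever holds that IP next. The following is an added example, not part of the TAS for Kubernetes tooling, that compares the two lists; the sample node table and resolver answer are constructed, and the `probe` label in the comment is a hypothetical subdomain.

```shell
#!/bin/sh
# Added example (not part of the TAS documentation): check that the wildcard
# A record covers exactly the worker nodes' external IPs.

# Read `kubectl get node -o wide` output on stdin and print the EXTERNAL-IP
# column, located by header name. Nodes showing <none> are skipped.
node_external_ips() {
  awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "EXTERNAL-IP") col = i; next }
       col && $col != "" && $col != "<none>" { print $col }' | sort -u
}

# $1 = node IPs, $2 = addresses the wildcard record returns (newline lists).
# Prints MISSING for a node the record omits and STALE for a record value
# that is not a current node; returns 1 if the lists differ.
diff_dns_against_nodes() {
  rc=0
  for ip in $1; do
    printf '%s\n' "$2" | grep -qxF -- "$ip" || { echo "MISSING $ip"; rc=1; }
  done
  for ip in $2; do
    printf '%s\n' "$1" | grep -qxF -- "$ip" || { echo "STALE $ip"; rc=1; }
  done
  return $rc
}

# Constructed sample input, modelled on the example output above.
SAMPLE_NODES='NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP
node-a Ready <none> 5h49m v1.15.5 10.85.87.133 10.85.87.133
node-b Ready <none> 5h43m v1.15.5 10.85.87.134 10.85.87.134
node-c Ready <none> 5h43m v1.15.5 10.85.87.135 <none>'
# Constructed resolver answer: omits node-b and still lists a retired address.
SAMPLE_RESOLVED='10.85.87.133
10.85.87.200'

# Live use (assumes kubectl and dig are installed):
#   nodes=$(kubectl get node --selector='!node-role.kubernetes.io/master' -o wide | node_external_ips)
#   resolved=$(dig +short A probe.SYSTEM-DOMAIN | sort -u)
nodes=$(printf '%s\n' "$SAMPLE_NODES" | node_external_ips)
diff_dns_against_nodes "$nodes" "$SAMPLE_RESOLVED" ||
  echo "wildcard record and worker node set differ"
```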
### <a id='post-installation-dns-with-lb'></a> Configure DNS With an External Load Balancer for Ingress Gateway
This section describes how to configure DNS
if you have an external load balancer to use for ingress to the TAS for Kubernetes installation and
have deployed TAS for Kubernetes without a Kubernetes LoadBalancer service
for the ingress gateway.
To configure the external load balancer to forward HTTP and HTTPS traffic to the Kubernetes worker nodes:
1. To retrieve the list of existing worker nodes with their internal IP addresses:
```
kubectl get nodes --output='wide'
```
For example:
<pre class="terminal">
$ kubectl get nodes --output='wide'
NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP
5e329c31-f1d7-4548-936b-3a58d4b166d3 Ready \<none> 5h49m v1.15.5 10.85.87.133 10.85.87.133
a6ad3f07-787c-4d90-b8e1-032be34e9d7f Ready \<none> 5h43m v1.15.5 10.85.87.134 10.85.87.134
a8eb78a2-e3b4-4d8a-8c32-67bf0e13c0bf Ready \<none> 5h43m v1.15.5 10.85.87.135 10.85.87.135
af7dc8da-a7b0-4cf2-a940-c9248168e609 Ready \<none> 5h43m v1.15.5 10.85.87.136 10.85.87.136
cc6ef11f-e253-4553-9cb0-bebc7d958f64 Ready \<none> 5h42m v1.15.5 10.85.87.137 10.85.87.137
</pre>
1. Configure your external load balancer to forward traffic on TCP ports `80` and `443` to the set of
internal IP addresses for the Kubernetes worker nodes.
1. Configure DNS records in your DNS zone:
* If your load balancer has a static IP, create a wildcard `A` record for the system domain,
resolving to the external IP address of the load balancer:
```
*.SYSTEM-DOMAIN
```
Where `SYSTEM-DOMAIN` is the system domain.
<br>
* If your load balancer has a DNS name instead of a static IP, such as an AWS load balancer,
create a wildcard `CNAME` record for the system domain,
resolving to the external IP address of the load balancer:
```
*.SYSTEM-DOMAIN
```
Where `SYSTEM-DOMAIN` is the system domain.
Ensure you include the `*.` wildcard prefix in the new record
so that all subdomains of the system domain also resolve to this IP address.
### <a id='post-installation-dns-with-k8s-lb'></a> Configure DNS With a Kubernetes Load Balancer for Ingress Gateway
This section describes how to configure DNS if you have configured TAS for Kubernetes to
use a Kubernetes LoadBalancer Service for the ingress gateway.
To configure DNS with your system domain resolving to the external IP address of the load balancer:
1. To retrieve the value of the external IP address or hostname assigned to the Istio ingress gateway service:
```
kubectl -n istio-system get service istio-ingressgateway -ojsonpath='{.status.loadBalancer.ingress[0].ip}'
kubectl -n istio-system get service istio-ingressgateway -ojsonpath='{.status.loadBalancer.ingress[0].hostname}'
```
For example:
<pre class="terminal">
$ kubectl -n istio-system get service istio-ingressgateway -ojsonpath='{.status.loadBalancer.ingress[0].ip}'
10.193.105.162
$ kubectl -n istio-system get service istio-ingressgateway -ojsonpath='{.status.loadBalancer.ingress[0].hostname}'
ae7b1093f9c3b44fd9982b828b32ccad-2445920965.us-west-2.elb.amazonaws.com
</pre>
1. In your DNS zone, create an entry for your system domain:
* If you have an external IP address, create a wildcard `A` record for the system domain,
resolving to the external IP address:
```
*.SYSTEM-DOMAIN
```
Where `SYSTEM-DOMAIN` is the system domain.
<br>
* If you have a hostname, create a wildcard CNAME record for the system domain,
resolving to the hostname:
```
*.SYSTEM-DOMAIN
```
Where `SYSTEM-DOMAIN` is the system domain.
Ensure you include the `*.` wildcard prefix in the new record so that all subdomains of the system domain also resolve to the load balancer.
For information about configuring TAS for Kubernetes to
use a Kubernetes LoadBalancer Service for the ingress gateway, see
[Use a LoadBalancer Service for the Ingress Gateway](configuring-installation-values.html#adjust-installation-resources-networking).
## <a id='post-installation-configuration'></a> Validate Your TAS for Kubernetes Installation
To validate your TAS for Kubernetes:
1. Use the cf CLI to target the installation at the `api` subdomain of the system domain:
```
cf api api.SYSTEM-DOMAIN --skip-ssl-validation
```
Where `SYSTEM-DOMAIN` is your TAS for Kubernetes installation system domain.
1. Change directory into the directory containing the `tanzu-application-service` and `configuration-values`
directories.
1. To set the `CF_ADMIN_PASSWORD` environment variable to the CF administrative password
stored in the `cf_admin_password` key in the `configuration-values/deployment-values.yml` file:
```
CF_ADMIN_PASSWORD="$(bosh interpolate configuration-values/deployment-values.yml \
--path /cf_admin_password)"
```
1. Log in to the installation as the admin user:
```
cf auth admin "$CF_ADMIN_PASSWORD"
```
1. Create and target an organization and space for the verification application.
For example:
<pre class="terminal">$ cf create-org test-org
$ cf create-space -o test-org test-space
$ cf target -o test-org -s test-space
</pre>
1. To clone the Cloud Foundry test application from GitHub to your workstation:
```
git clone https://github.com/cloudfoundry-samples/test-app.git
```
For more information, see [Cloud Foundry test application](https://github.com/cloudfoundry-samples/test-app)
on GitHub.
1. Change directory into the resulting `test-app` directory.
1. To push the test app to your TAS for Kubernetes installation:
```
cf push test-app --hostname test-app
```
1. To validate that the test app is running, make a request to the app after the `cf push` command succeeds:
```
curl test-app.apps.SYSTEM-DOMAIN
```
Where `SYSTEM-DOMAIN` is your TAS for Kubernetes installation system domain.
<p class="note">
<strong>Note:</strong> The route for the test application defaults to a subdomain of the system domain.
</p>