Tanzu Cloud Native Runtimes Air-Gapped Installation

Introduction

I know, I know… I haven’t blogged in a long time, but it has been an “interesting” year to say the least. I recently made a move from the VMware Technical Account Manager (TAM) role to the Modern Application Platform Business Unit (MAPBU) as a Customer Experience Architect. The new title is a mouthful for sure, but it is exciting for two main reasons: 1.) I get to focus heavily on our Tanzu product portfolio which is WAY out of my comfort zone and 2.) I get to work with some large, strategic customers as they implement and test some of our latest Tanzu products with the intent of gathering critical feedback to help shape our product vision and roadmaps. But enough about me… let’s get to the interesting stuff.

If you have not heard, VMware formally announced a Public Beta program for its upcoming Cloud Native Runtimes (CNR) Tanzu product on March 31, 2021. The announcement blog can be found here. Cloud Native Runtimes brings powerful serverless capabilities to the Tanzu platform based on the open source Knative project. The Serving and Eventing functionalities greatly enhance the Tanzu Developer Experience by abstracting even more of the Kubernetes infrastructure to streamline their processes. As part of my new role, I am engaging with a large organization to help install, configure, and test CNR while working closely with the Product Management and Engineering teams. This organization has a security policy which restricts the ability to run container images to only images pulled from their private internal registry. Below is the process we leveraged to relocate the CNR images from VMware’s public registry to their internal registry so the installation would succeed.

Prerequisites

The installation process for CNR requires a workstation that has a handful of command line tools installed (see below), access to VMware’s public registry (projects.registry.vmware.com), access to the desired private registry, and access to the target Kubernetes cluster where CNR will be installed. The full CNR documentation can be found here.

Required Command Line Tools

• kubectl (1.18 or newer)
• The following Carvel tools (https://carvel.dev):
  • kapp (0.34.0 or newer)
  • ytt (0.30.0 or newer)
  • kbld (0.28.0 or newer)
  • imgpkg – required for image relocation
• kn – Knative CLI

The following steps outline the process to install these command line tools on MacOS via Homebrew:

1. Install kubectl (https://kubernetes.io/docs/tasks/tools/install-kubectl-macos/)
   • Install
     • brew install kubectl
   • Verify
     • kubectl version
2. Install Carvel tools (kapp, ytt, kbld, imgpkg) (https://carvel.dev/#whole-suite)
   • Install
     • brew tap vmware-tanzu/carvel
     • brew install ytt kbld kapp imgpkg
   • Verify
     • ytt version
     • kbld version
     • kapp version
     • imgpkg version
3. Install Knative CLI (kn) (https://github.com/knative/client/blob/main/docs/README.md)
   • Install
     • brew tap knative/client
     • brew install kn
   • Verify
     • kn version

Lab Environment Review

I will be deploying CNR in a TKG cluster running on top of my home lab which is running vSphere 7 with Tanzu.

I also have a private Harbor registry: harbor.tilkens.com.

Login and connect to the TKG cluster:
kubectl config use-context tkg01-admin@tkg01

Cloud Native Runtimes Image Relocation and Installation

Login to Tanzu Network and download the release.lock file.

Push the bundle to your private registry:
imgpkg copy --lock release.lock --to-repo harbor.tilkens.com/tilkens-harbor-lab/cnr --lock-output airgapped_release.lock --registry-username <registry_user> --registry-password <registry_password>

You can also leverage the --registry-verify-certs=false flag if you are leveraging self-signed certificates with your registry.

Create a ‘serverless’ directory:
mkdir serverless

Pull the image bundle:
imgpkg pull --lock airgapped_release.lock -o ./serverless --registry-username <registry_user> --registry-password <registry_password>

Again, you can leverage the --registry-verify-certs=false flag if needed.

Move into the serverless directory and fix the permissions on the install-serverless.sh script:
cd serverless
chmod +x ./bin/install-serverless.sh

Run the install script:
./bin/install-serverless.sh

You can see the install process succeeded and there are several new namespaces that were created as part of the install process.

Conclusion

As you can see, the installation process is fairly straightforward. You can also run through the validation tests provided in the documentation (serving & eventing); however, you will also need to pull & push the test container images from public registries to your private registry. You are now free to start leveraging the Knative documentation (here) to take advantage of your new serverless capabilities!