Hello!
After you’ve enabled Workload Management in vSphere it is a good time to make TKGs trust your own Container Registry if you have one. In my case it’s a Nexus Repository 3 listening on port 5000 on IP address 10.10.60.15. You’ll also need the SSL Certificate of your Container Registry.
In order to tell TKGs to trust our own Container Registry, we need to make TKGs Clusters trust our Container Registry’s Certificate. This can be achieved by creating a custom TkgServiceConfiguration object.
Let’s get started!
1. First we need the Base64 String of our Container Registry Certificate. This can be achieved by executing the following command:
base64 -i <your-container-registry-certificate>.pem
Copy the Base64 String and keep it somewhere handy.
2. Let’s create a new YAML file and enter the details of our TkgServiceConfiguration:
apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  name: tkg-service-configuration
spec:
  defaultCNI: antrea
  trust:
    additionalTrustedCAs:
    - name: <Cert-Name>
      data: <Your-Base64-String-Here>
3. Make sure you are connected to your Supervisor Cluster’s Context and apply the TkgServiceConfiguration:
kubectl apply -f <filename>.yaml
4. You should now see your deployed TkgServiceConfiguration in the Supervisor Cluster’s Context:
kubectl get TkgServiceConfiguration
kubectl describe TkgServiceConfiguration tkg-service-configuration

Once you have configured the Tanzu Kubernetes Grid Service to trust your External Container Registry, any new cluster that is provisioned will support your External Container Registry. For existing clusters to support your External Container Registry, a rolling update is required to apply the TkgServiceConfiguration. This can be achieved, for example, by scaling your existing clusters.
The official VMware Documentation can be found here.
Hope it helped!