The Tanzu Packages in Tanzu Kubernetes Grid (TKG) include Contour, Grafana and Prometheus. When ingress is enabled, the Tanzu Packages automatically create TLS certificates for it. This post shows how to update the prometheus-data-values.yaml and grafana-data-values.yaml files so that ingress through Contour uses your own TLS certificates instead.
This post can be used for TKG on vSphere and CSE with VCD. The examples below use TKG with CSE 4.0.3.
Install Contour
List available contour packages
tanzu package available list contour.tanzu.vmware.com -A
We will install the latest version available for TKG 1.6.1 (the version used by CSE 4.0.3), which is 1.20.2+vmware.2-tkg.1. First we need a contour-data-values.yaml file to pass to the install.
If you want to use a static IP address for the envoy load balancer service, for example to re-use the external public IP address currently used by the Kube API, add the following line under line 12 (inside envoy.service):
    loadBalancerIP: <external-ip>
---
infrastructure_provider: vsphere
namespace: tanzu-system-ingress
contour:
  configFileContents: {}
  useProxyProtocol: false
  replicas: 2
  pspNames: "vmware-system-restricted"
  logLevel: info
envoy:
  service:
    type: LoadBalancer
    annotations: {}
    labels: {}
    nodePorts:
      http: null
      https: null
    externalTrafficPolicy: Cluster
    disableWait: false
  hostPorts:
    enable: true
    http: 80
    https: 443
  hostNetwork: false
  terminationGracePeriodSeconds: 300
  logLevel: info
  pspNames: null
certificates:
  duration: 8760h
  renewBefore: 360h
Then install it with this command:
kubectl create ns my-packages
tanzu package install contour \
--package contour.tanzu.vmware.com \
--version 1.20.2+vmware.2-tkg.1 \
--values-file /home/contour/contour-data-values.yaml \
--namespace my-packages
Install Prometheus
tanzu package available list prometheus.tanzu.vmware.com -A
The latest available version for TKG 1.6.1 used by CSE 4.0.3 is 2.36.2+vmware.1-tkg.1.
Update your prometheus-data-values.yaml file with the TLS certificate and private key, enable ingress and set virtual_host_fqdn. Use the YAML literal block indicator “|” so that every line of the certificate is included.
ingress:
  annotations:
    service.beta.kubernetes.io/vcloud-avi-ssl-no-termination: "true"
  alertmanager_prefix: /alertmanager/
  alertmanagerServicePort: 80
  enabled: true
  prometheus_prefix: /
  prometheusServicePort: 80
  tlsCertificate:
    tls.crt: |
      -----BEGIN CERTIFICATE-----
      MIIEZDCCA0ygAwIBAgISA1UHbwcEhpImsiCGFwSMTVQsMA0GCSqGSIb3DQEBCwUA
      MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
      -- snipped --
      -----END CERTIFICATE-----
    tls.key: |
    ca.crt:
  virtual_host_fqdn: prometheus.tenant1.vmwire.com
Install Prometheus with this command:
tanzu package install prometheus \
--package prometheus.tanzu.vmware.com \
--version 2.36.2+vmware.1-tkg.1 \
--values-file prometheus-data-values.yaml \
--namespace my-packages
Install Grafana
List the available Grafana packages:
tanzu package available list grafana.tanzu.vmware.com -A
The latest available version for TKG 1.6.1 used by CSE 4.0.3 is 7.5.7+vmware.2-tkg.1.
Update your grafana-data-values.yaml file with the TLS certificate and private key, enable ingress and set virtual_host_fqdn. Use the YAML literal block indicator “|” so that every line of the certificate and key is included.
ingress:
  annotations:
    service.beta.kubernetes.io/vcloud-avi-ssl-no-termination: "true"
  enabled: true
  prefix: /
  servicePort: 80
  virtual_host_fqdn: grafana.tenant1.vmwire.com
  tlsCertificate:
    tls.crt: |
      -----BEGIN CERTIFICATE-----
      MIIEZDCCA0ygAwIBAgISA1UHbwcEhpImsiCGFwSMTVQsMA0GCSqGSIb3DQEBCwUA
      MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
      -- snipped --
      -----END CERTIFICATE-----
    tls.key: |
      -----BEGIN PRIVATE KEY-----
      -----END PRIVATE KEY-----
Install Grafana with this command:
tanzu package install grafana \
--package grafana.tanzu.vmware.com \
--version 7.5.7+vmware.2-tkg.1 \
--values-file grafana-data-values.yaml \
--namespace my-packages
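Before running either install, it is worth checking that the tls.crt, tls.key and virtual_host_fqdn pasted into prometheus-data-values.yaml or grafana-data-values.yaml actually belong together, otherwise Envoy will present a certificate that browsers reject. The following Go program is an added example, not code from this post or from the Tanzu packages: CheckIngressTLS verifies that the key matches the certificate, that the certificate covers the FQDN and that it is valid at the time of the check, while SelfSignedPEM generates a constructed sample pair standing in for the certificate material snipped from the YAML above (the PEM blocks are assumed to have already been extracted from the values file into byte slices).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckIngressTLS validates the ingress section of a *-data-values.yaml: tls.crt and
// tls.key must be a matching pair, and the leaf must cover virtual_host_fqdn at `now`.
func CheckIngressTLS(certPEM, keyPEM []byte, fqdn string, now time.Time) error {
	pair, err := tls.X509KeyPair(certPEM, keyPEM) // rejects a key that does not match the cert
	if err != nil {
		return fmt.Errorf("tls.crt/tls.key are not a matching pair: %w", err)
	}
	leaf, _ := x509.ParseCertificate(pair.Certificate[0]) // X509KeyPair already parsed it once
	if err := leaf.VerifyHostname(fqdn); err != nil {
		return fmt.Errorf("certificate does not cover virtual_host_fqdn %q: %w", fqdn, err)
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("certificate not valid at %s (valid %s to %s)", now, leaf.NotBefore, leaf.NotAfter)
	}
	return nil
}

// SelfSignedPEM builds a constructed sample certificate/key pair for dnsName; it stands
// in for the real certificate material that the post snips out of its YAML.
func SelfSignedPEM(dnsName string, notBefore, notAfter time.Time) (certPEM, keyPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dnsName},
		NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(key) // cannot fail for a freshly generated P-256 key
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
}
```

A mismatched pair, a certificate issued for the Grafana host but pasted into the Prometheus file, or an expired certificate each produce a distinct error before anything reaches the cluster.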
Update DNS records
Update the DNS records for the FQDNs (prometheus.tenant1.vmwire.com and grafana.tenant1.vmwire.com in the examples above) to point to the external IP address of the envoy service. You can find the external IP address used by Envoy with:
kubectl get svc -n tanzu-system-ingress envoy