Creating, Securing, and Synchronizing Content Libraries for TKG Releases
VMware Tanzu distributes Kubernetes software versions as TKG releases. To obtain and use these releases on your TKG clusters, you create subscribed or local content libraries.

A TKG release provides the VMware Kubernetes distribution that can be used with TKG clusters. Each TKG release is distributed as an OVA package. TKG uses the OVA package to deploy the virtual machine nodes for TKG clusters.

A TKG release is supported on Photon OS. The virtual machine nodes that are built from the OVA package have a 16 GB disk size. You specify the CPU and RAM resource reservations when you use a virtual machine class to size the TKG cluster.

Depending on your need for synchronization frequency and on your access to the published content libraries storing the TKG releases, you can use one of two approaches for storing TKG releases.

Starting with vSphere 7.0 Update 3, you can protect your content library with a security policy. In such a case, make sure that all library items are compliant. If a protected library includes a mix of compliant and non-compliant library items, DevOps engineers are not able to retrieve the list of VM images provided with the library.

Automated Synchronization of TKG Releases

VMware publishes a content library that contains the latest VMware distributions of Kubernetes as an OVA package. If you want to provision TKG clusters, you can create a subscribed content library on the vCenter Server instance where vSphere Supervisor is enabled. When configuring the content library subscription, use the following subscription URL of the publisher: https://wp-content.vmware.com/v2/latest/lib.json. For more information about how to create a subscribed content library, see Subscribing to a Content Library.

When you create the subscription, you configure the synchronization mechanism for downloading the content of the published library. You can select between on-demand and automatic download of the virtual machine image for the TKG cluster nodes. If you choose to synchronize the subscribed library on demand, only the metadata for the library content is updated and as a result storage space is saved. This approach is an important consideration as more images containing different Kubernetes versions are published. However, the first time you decide to use a new virtual machine image version, you have to wait for it to download.

Starting with vSphere 7.0 Update 3, you can secure a subscribed content library. The Content Library service verifies the library signing certificate during the synchronization process. If the certificate verification fails, only the library metadata is synchronized and the library content is not downloaded. For more information about how to apply a security policy when you update a subscribed content library, see Editing the Settings of a Content Library.

You associate the subscribed content library with the Supervisor on which you want to create a TKG cluster when you first enable vSphere Supervisor on a cluster. See Enable vSphere Supervisor on a Cluster with NSX as the Networking Stack.

The size of the content library can grow over time as new Kubernetes versions and images are published. If the underlying storage runs out of space, you will need to move to a new subscribed content library. After you create a new subscribed content library that has sufficient capacity for the target cluster, update the library association of the Supervisor. See Reconfiguring a Supervisor.

Manual Synchronization of TKG Releases

In an air-gapped network environment, you can use the storage functionality provided by a local content library for the TKG releases you need. You must first create a local content library, then download the OVA package for each TKG release that you want to import to the library. See Creating a Local Content Library.

Starting with vSphere 7.0 Update 3, you can secure a local content library. The Content Library service verifies the library signing certificate during the synchronization process. If the certificate verification fails, only the library metadata is synchronized and the library content is not downloaded. For more information about how to apply a security policy when you update a local content library, see Editing the Settings of a Content Library.

You can find the latest versions of the Kubernetes distribution by navigating to the https://wp-content.vmware.com/v2/latest URL. You must download the photon-ova.ovf and photon-ova-disk1.vmdk files for each distribution you want and then upload these files from your local file system to your local content library. See Upload an OVF or OVA Package from a Local File System to a Library Item.

Make sure that you use as the name for each library item the Photon image version and the Kubernetes version from the directory where you downloaded the files. For example: photon-3-k8s-v1.20.2---vmware.1-tkg.1.1d4f79a.
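The following is an added example, not part of this VMware documentation, of a pre-import check for an air-gapped local library: it validates that each planned library item name follows the naming convention shown above (the regular expression is an assumption derived from the single example name) and that both required files are present, and it picks the newest Kubernetes version among the valid items. The item names and file lists are constructed sample input.

```python
import re
from dataclasses import dataclass

# Assumed pattern, derived from the example name on the page:
#   photon-<photon major>-k8s-v<k8s version>---vmware.<build>-tkg.<build>.<hash>
ITEM_NAME_RE = re.compile(
    r"^photon-(?P<photon>\d+)-k8s-v(?P<k8s>\d+\.\d+\.\d+)"
    r"---vmware\.(?P<vmware_build>\d+)-tkg\.(?P<tkg_build>\d+)\.(?P<hash>[0-9a-f]+)$"
)

# Files the page says must be downloaded and uploaded for every distribution.
REQUIRED_FILES = ("photon-ova.ovf", "photon-ova-disk1.vmdk")


@dataclass(frozen=True)
class TkgItemName:
    photon_version: str
    k8s_version: tuple  # (major, minor, patch) as ints, so items sort correctly
    vmware_build: int
    tkg_build: int
    image_hash: str


def parse_item_name(name: str) -> TkgItemName:
    """Split a library item name into its components; raise if it does not match."""
    m = ITEM_NAME_RE.match(name)
    if not m:
        raise ValueError(f"item name does not follow the TKG naming convention: {name!r}")
    return TkgItemName(
        photon_version=m["photon"],
        k8s_version=tuple(int(p) for p in m["k8s"].split(".")),
        vmware_build=int(m["vmware_build"]),
        tkg_build=int(m["tkg_build"]),
        image_hash=m["hash"],
    )


def check_local_item(name: str, files: list) -> list:
    """Return the problems found for one planned library item (empty list means OK)."""
    problems = []
    try:
        parse_item_name(name)
    except ValueError as exc:
        problems.append(str(exc))
    for required in REQUIRED_FILES:
        if required not in files:
            problems.append(f"{name}: missing {required}")
    return problems


def latest_k8s_item(names: list) -> str:
    """Among valid item names, return the one with the newest Kubernetes version."""
    valid = [n for n in names if not check_local_item(n, list(REQUIRED_FILES))]
    parsed = {n: parse_item_name(n) for n in valid}
    return max(valid, key=lambda n: (parsed[n].k8s_version,
                                     parsed[n].vmware_build, parsed[n].tkg_build))
```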