Tanzu Platform 10.0

PDF
self.managed.10.1 10.0 saas

Setting up Tanzu Platform Self-Managed for your organization

Last Updated March 03, 2025

After you have successfully deployed Tanzu Platform Self-Managed to your cluster, you need to perform some post-install tasks before your organization can log in and start using Tanzu Platform Self-Managed.

Initial login and role assignment

You have connected your IDP to Tanzu Platform for authentication, but before the users in your organization can access the functionality of Tanzu Platform, you must create role bindings that grant permissions for them. To facilitate this, Tanzu Platform Self-Managed provides a seeded admin user that you can use for the initial setup.

Administrator

  • username: tanzu_platform_admin
  • password: identified in the config.yaml

The password for the seeded administrator identity can be defined in the config.yaml prior to deploying Tanzu Platform Self-Managed. If you do not define a password, one is generated during the installation and written back to the config.yaml file. The generated password is base64 encoded. To decode the password just remove the encoded: prefix and decode the remaining string. For more information, see Edit the configuration file.

Log in as the administrator

The URL for your deployment of Tanzu Platform Self-Managed is logged during the deployment. Using this URL and the username/password of the seeded administrator, you can log in to the Tanzu Platform UI.

  1. Open the log file created during installation, and locate the URL for your Tanzu Platform Self-Managed deployment.

    The install command from the air-gapped installation above creates a file named logs_installer.log on your bootstrap machine. Near the end of the output in this file, you should see something like this:

    2024-08-08T11:17:11+05:30 [i] Host URL:"https://192.0.2.0.mycompany.com"
2024-08-08T11:17:13+05:30 [ok] URL 'https://localdeploy12.mycompany.com/hub' is accessible.
2024-08-08T11:17:13+05:30 [ok] Post-verify UI health checks ok!

    The URL you use to launch the UI in a browser is identified in the URL line. For example:

    2024-08-08T11:17:13+05:30 [ok] URL 'https://localdeploy12.mycompany.com/hub' is accessible.
  2. Open the URL in a browser.
  3. Log in using credentials for the seeded administrator identity.

Create an administrator role binding and log back in

After you have successfully logged in as the seeded administrator identity, you need to provide access to users authenticated through your IDP.

Initially, add yourself as an administrator, which will allow you to log in through your IDP authentication. You can subsequently create role bindings to authorize access to the features and resources of Tanzu Platform Self-Managed to the users and groups that are authenticated through your IDP.

This procedure allows you to initially set up Tanzu Platform Self-Managed. After this initial setup you should, as a best practice, create user groups in your IDP and apply the role bindings to groups rather than individuals. For more information about creating role bindings to control access in Tanzu Platform Self-Managed, see About role-based access control in Tanzu Platform.

Before you begin, make sure you have logged in to Tanzu Platform Self-Managed through the UI as described above.

  1. In the Tanzu Platform UI, click to expand Setup & Configuration in the left navigation pane, and then click Access Control.
  2. Click Add role binding.
  3. Select User, and then enter your email (as identified in your IDP).
  4. Select Global as the scope.
  5. Select Administrator as the role.
  6. Click Add to create the role binding. This creates a role binding that provides administrator permissions to you when you log in using your IDP credentials.
  7. Log out and then log back in using your IDP credentials.

Set up Tanzu Platform Self-Managed for your organization

Before your team can start logging in and using Tanzu Platform, you must perform the following task: - Establish access control for your users. For information about creating role bindings to control access in Tanzu Platform Self-Managed, see About role-based access control in Tanzu Platform.

For an air-gapped installation you must also:

  • Make collectors and extensions available.
  • Make the tanzu CLI available.

These procedures are described below.

Push the extensions and collectors to your local image registry for use in an air-gapped deployment

Pre-requisites

  • The registry path specified in the config.yaml at imageRegistry.repo need to pre-exist in the registry

  • Push the extension/collector images to your local image registry.

    export REGISTRY_USERNAME=<REGISTRY_USERNAME>
export REGISTRY_PASSWORD=<REGISTRY_PASSWORD>
export REGISTRY_ENDPOINT=<REGISTRY_URL>
export REPO_PATH=<imageRegistry.repo in config.yaml>
tanzu-sm-installer push tmc-extensions -a "${REGISTRY_USERNAME}:{$REGISTRY_PASSWORD}" -r "${REGISTRY_ENDPOINT}/${REPO_PATH}" -f agent-images.tar
tanzu-sm-installer push collectors -a "${REGISTRY_USERNAME}:{$REGISTRY_PASSWORD}" -r "${REGISTRY_ENDPOINT}" -f tanzusm-collector.tar -s
imgpkg copy -b extensions.aws-usw2.tmc-dev.cloud.vmware.com/packages/standard/repo:v2024.8.2 --to-repo ${REGISTRY_ENDPOINT}/${REPO_PATH}/tpsm/498533941640.dkr.ecr.us-west-2.amazonaws.com/packages/standard/repo

Make the tanzu CLI available for use in an air-gapped deployment

If your organization is using Tanzu Platform Self-Managed in an air-gapped environment, you need to make the CLI binaries and plugins available so that users can install them.

In an internet-connected environment, the users in your organization can follow the instructions in Installing and Using VMware Tanzu CLI to set up and log in using the tanzu CLI.

To use the tanzu CLI, each user in your organization must have access to the binary which they will install on their local machine. You can find the CLI binaries bundle in extracted contents of the Tanzu Platform installer bundle.

  1. Extract the CLI binaries bundle. 
    tar -xf tanzu-bundle/tanzu-binaries.tar

    The extracted folder contains a binary for each of the supported platforms, as a compressed file.

    tanzu-cli-binaries-checksums.txt       tanzu-cli-linux-amd64.tar.gz
tanzu-cli-binaries-checksums.txt.asc   tanzu-cli-linux-arm64-unstable.tar.gz
tanzu-cli-darwin-amd64.tar.gz          tanzu-cli-windows-amd64.zip
tanzu-cli-darwin-arm64.tar.gz          tanzu-cli-windows-arm64-windows11.zip
  2. Create a location within your network that is available to your users.
  3. Copy the binaries to your network location.
  4. Document the location for your users, so they know where to obtain the tanzu CLI binary. After copying the appropriate binary to a local folder, each user can extract the binary to a location in their path.

Push the plugins package to your local image registry

You can find the tanzu CLI plugin bundle in the extracted contents of the installer bundle.

Upload the plugin binaries to registry:

tanzu-sm-installer push tanzu-plugins -u "${REGISTRY_USERNAME}:{$REGISTRY_PASSWORD}" -r "${REGISTRY_ENDPOINT}/${REPO_PATH}" -i tanzu-bundle/tpsm-plugin-bundle.tar.gz

Using the CLI in an air-gapped environment

The tanzu CLI has some core functionality built in to the binary, and some extended functionality included in plugins that are grouped based on functional roles. To use the CLI, you need to setup the core binary and then install the plugins that you need.

Download and install the appropriate CLI binary

  1. Get the location of the CLI binaries from your Tanzu Platform Self-Managed administrator.
  2. Download the binary that is appropriate for your operating system.
  3. Extract the runnable binary from the compressed file.
  4. Move the runnable binary to location in your path.
  5. Change the name of the runnable binary to tanzu.
  6. Make sure the binary has the appropriate permissions to make it runnable.
  7. Verify your setup by running a tanzu command. For example: 
    tanzu version

Install platform engineer plugins

To install plugins for the CLI, the CLI needs to know the location from which to retrieve the plugins. In an internet-connected environment, the CLI can pull plugins directly from their publicly available source. However, in an air-gapped environment, you need to specify where the plugins are stored.

  1. Set the plugin source to the registry: 
    tanzu plugin source update default -u "${REGISTRY_ENDPOINT}/${REPO_PATH}"/plugin-inventory-sm:latest
  2. Install platform engineer plugins: 
    tanzu plugin install --group  vmware-tanzu/platform-engineer:v1.0.0
  3. Verify: 
    tanzu plugin list

Log in to Tanzu Platform Self-Managed using the CLI

After installing Tanzu CLI and Plugins, you can use the tanzu login command to interactively log in to your organization using the tanzu CLI.

When you log in with the tanzu CLI using the --endpoint flag to specify your Tanzu Platform endpoint, as shown below, the CLI discovers the name and ID of your organization and sets them appropriately.

In rare situations where these values need to be updated, TANZU_CLI_SM_ORGANIZATION_ID and TANZU_CLI_SM_ORGANIZATION_NAME can be used to override the organization ID and name, respectively.

  1. Locate the URL to use for the endpoint. This is the same URL you retrieved from the installation log file to log in through the UI, as shown above.
  2. Use the following command to log in. 
    tanzu login --endpoint https://localdeploy12.mycompany.com

If your Tanzu Platform Self-Managed deployment uses self-signed certificates, you might need to use one of the following flags to log in.

  • Use the --insecure-skip-tls-verify flag to explicitly skip certificate verification during login. For example: 
    tanzu login --endpoint https://localdeploy12.mycompany.com --insecure-skip-tls-verify
  • Use the --endpoint-ca-certificate flag to specify a certificate that you have saved locally. For example, if you have a certificate saved at /tmp/sm_ca.crt, then you use the following command: 
    tanzu login --endpoint https://localdeploy12.mycompany.com --endpoint-ca-certificate /tmp/sm_ca.crt

Create an API token for Tanzu Platform Self-Managed for non-interactive login (optional)

After you have interactively logged in to Tanzu Platform Self-Managed using the CLI, as shown above, you can create an API token that you can use for subsequent CLI logins.

  1. Log in to Tanzu Platform Self-Managed using the CLI, as shown above.
  2. Use the api-token command to create a new API token. 
    tanzu api-token create

    The output from this command shows your API token string.

  3. Create an environment variable called TANZU_API_TOKEN to store the token.

    export TANZU_API_TOKEN=<MY-TOKEN-STRING>

  4. (Optional) You can persist the environment variable in your CLI configuration file using the following command.

    tanzu config set env.TANZU_API_TOKEN <MY-TOKEN-STRING>

    When you do this, the token is used to authenticate for subsequent CLI commands.

Using Tanzu Platform: create a project and test some functionality

After you install and configure the Tanzu Platform Self-Managed stack on a cluster, you can use it to manage your fleet of Kubernetes clusters. The workflows that you use to perform day-to-day operations in the self-managed version are mostly the same as those you use in the SaaS offering. However, there are some differences between the features that are available in the SaaS version, and those in the self-managed version of Tanzu Platform.

For information on how to use the features Tanzu Platform Self-Managed, see About VMware Tanzu Platform.

Create a Project

Tanzu Platform resources are created in a project. The project acts as a logical grouping within Tanzu Platform for resources. Therefore, before you create any resources, you must create a project.

A project allows you to manage packages, configurations, and role-based access controls for all clusters in a cluster group, rather than managing each cluster on an individual basis. Creating a project in your organization requires either Organization Admin or Organization Owner roles.

Do the following in the Tanzu Platform UI to create a project:

  1. On the upper left hand corner, click the dropdown menu, and then select All Projects.
  2. In the left navigation pane, expand Setup & Configuration, and then click Projects.
  3. On the Projects page, click + New Project.
  4. Enter a name for the project.
  5. (Optional) Enter a description for the project.
  6. Click Create Project And Continue.
  7. Click Close to finish creating the project.
  8. Refresh your browser, and then select your newly created project from the project context drop-down list.

You will also need to assign users before using the project. For more information, see Add Projects and assign users in Tanzu Platform.