Load Balancers, Private Registries, and More: What’s New in vSphere with Tanzu Update 2

March 9, 2021 Kendrick Coleman

VMware vSphere with Tanzu brings together an integrated Kubernetes experience for VI admins and developers. Using vSphere as the infrastructure platform, managing the Kubernetes lifecycle becomes easier than ever. New features in vSphere with Tanzu Update 2 add more capabilities that make Kubernetes operations even more seamless. Let’s check it out. 

Support for NSX Advanced Load Balancer

VMware NSX Advanced Load Balancer (formerly Avi Networks) provides a highly available and scalable load balancer and container ingress services. And now, it’s an integrated part of vSphere with Tanzu.

The inclusion of NSX Advanced Load Balancer creates an enterprise-ready and commercially supported solution that offers more features, better performance, and automated lifecycle management. With any Tanzu Edition license, you are entitled to use load balancing features for your Tanzu Kubernetes clusters and their workloads; with an upgraded Tanzu Standard license, you get the added benefit of an ingress controller. Read more on Kubernetes ingress services for Tanzu.

Get a deeper look at vSphere With Tanzu - NSX Advanced Load Balancer Essentials

Support for Kubernetes 1.19.1 

A core benefit of using vSphere with Tanzu is the ability to deliver the latest versions of Kubernetes with the confidence that they’re ready for production. Kubernetes 1.19.1 is now supported for both Supervisor Cluster and Tanzu Kubernetes clusters. Learn about all the exciting new features in Kubernetes 1.19 here.

Supervisor Cluster auto upgrade

The Kubernetes community maintains the three most recent minor releases for support. With U2, an introspection process checks the currently running version of the Supervisor Cluster and determines whether it adheres to the N-2 policy. If you’ve performed updates to vSphere in the past and haven’t taken the time to manually click the button to perform a Supervisor Cluster upgrade, that process will now happen automatically. This helps ensure clusters are never out of compliance and that the latest features are always being delivered.

Support for private registries

Previously, private registries with self-signed certificates would fail an image pull with the error “x509: certificate signed by unknown authority”. This meant the requester (Tanzu Kubernetes cluster worker nodes) did not have a valid certificate and was not trusted by the registry. With U2, private registry certificates can be delivered as part of the Tanzu Kubernetes cluster creation process. This adds flexibility to deploy varying types of container registries if needed.

There is a new trust section in the TkgServiceConfiguration where a base64-encoded string of a PEM-encoded public cert is supplied for each registry CA. The listed certificates are applied to every newly created Tanzu Kubernetes cluster.

apiVersion: run.tanzu.vmware.com/v1alpha1
kind: TkgServiceConfiguration
metadata:
  name: tkg-service-configuration
spec:
  defaultCNI: antrea
  proxy:
    httpProxy: http://<user>:<pwd>@<ip>:<port>
  trust:
    additionalTrustedCAs:
      - name: first-cert-name
        data: base64-encoded string of a PEM encoded public cert 1
      - name: second-cert-name
        data: base64-encoded string of a PEM encoded public cert 2
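As an added example (not code from the original post or from VMware), the following helper builds the additionalTrustedCAs entries above from a PEM file’s contents and renders the TkgServiceConfiguration manifest. It assumes a constructed, non-real sample certificate body and refuses to embed a PEM that carries a private key, since only the public certificate belongs in the cluster spec.

```python
import base64
import re

# Constructed sample PEM; the body is placeholder text, not a real certificate.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUQ0NvbnN0cnVjdGVkU2FtcGxlMA0GCSqGSIb3DQEBCwUA\n"
    "-----END CERTIFICATE-----\n"
)

# Assumption: entry names follow the usual Kubernetes DNS-1123 label rule.
NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")


def encode_trusted_ca(name, pem):
    """Return one additionalTrustedCAs entry for a PEM-encoded public cert."""
    if not NAME_RE.match(name):
        raise ValueError("invalid entry name: %r" % name)
    if "PRIVATE KEY" in pem:
        # A private key must never be shipped to worker nodes this way.
        raise ValueError("PEM contains a private key, refusing to embed")
    if "-----BEGIN CERTIFICATE-----" not in pem:
        raise ValueError("PEM does not contain a certificate block")
    data = base64.b64encode(pem.encode("ascii")).decode("ascii")
    return {"name": name, "data": data}


def decode_trusted_ca(entry):
    """Reverse the encoding so an operator can review what will be trusted."""
    return base64.b64decode(entry["data"], validate=True).decode("ascii")


def render_tkg_service_configuration(cas):
    """Render the TkgServiceConfiguration manifest with the given CA entries."""
    lines = [
        "apiVersion: run.tanzu.vmware.com/v1alpha1",
        "kind: TkgServiceConfiguration",
        "metadata:",
        "  name: tkg-service-configuration",
        "spec:",
        "  defaultCNI: antrea",
        "  trust:",
        "    additionalTrustedCAs:",
    ]
    for ca in cas:
        lines.append("      - name: %s" % ca["name"])
        lines.append("        data: %s" % ca["data"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_tkg_service_configuration(
        [encode_trusted_ca("harbor-ca", SAMPLE_CA_PEM)]))
```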

Extensions framework support

VMware provides extensions that complement running a production Kubernetes deployment. These extensions allow anyone to quickly get services up and running with detailed installation instructions that are tailored for Tanzu Kubernetes clusters. These extensions are verified, signed, and supported by VMware with an accompanying Tanzu Edition license. In this release, you will find support for FluentBit, Contour, Prometheus, and Grafana. Read more in the documentation.

Load balancer with static IP addresses

By default, when a Kubernetes service of type LoadBalancer is created, its IP address is assigned automatically from the configured load balancer’s pool of IP addresses. Now it’s possible to specify the loadBalancerIP field as part of the service LoadBalancer specification.

This is supported on both NSX-T and NSX ALB but not for HAProxy. The IP address must be carved from the floating IP pool (NSX-T) or the IPAM pool (NSX ALB), and the load balancer automatically marks it as allocated.

kind: Service
apiVersion: v1
metadata:
  name: srvclb-ngnx
spec:
  selector:
    app: hello
    tier: frontend
  ports:
  - protocol: "TCP"
    port: 80
    targetPort: 80
  type: LoadBalancer
  loadBalancerIP: 10.11.12.49

Native Kubernetes access control list support with NSX-T

Kubernetes application operators can now configure the externalTrafficPolicy for Services to propagate the client IP address to the end pods. With the Local policy, traffic is routed only to pods on the node that received it (which preserves the client source IP); with Cluster, it may be routed to pods cluster-wide. In addition, users can define loadBalancerSourceRanges for Services to restrict which client IPs can access the load-balanced service.

apiVersion: v1
kind: Service
metadata:
  name: example-service
spec:
  selector:
    app: example
  ports:
    - port: 8765
      targetPort: 9376
  externalTrafficPolicy: Local
  type: LoadBalancer


apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  ports:
  - port: 8765
    targetPort: 9376
  selector:
    app: example
  type: LoadBalancer
  loadBalancerSourceRanges:
  - 10.0.0.0/8
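The two Service manifests above, together with the static-IP example earlier, suggest a simple pre-deployment audit. The following is an added example (not code from the original post or from VMware) that checks a parsed Service dict for a loadBalancerIP outside the load balancer pool, missing or wide-open loadBalancerSourceRanges, and an externalTrafficPolicy that would not preserve the client IP. The pool CIDR and the Service dict are constructed assumptions.

```python
import ipaddress

# Assumption: the pool the load balancer hands addresses from (floating IP
# pool on NSX-T or IPAM pool on NSX ALB); take the real range from your setup.
LB_POOL = ipaddress.ip_network("10.11.12.0/24")

# Constructed Service manifest, already parsed from YAML into a dict.
SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "myapp"},
    "spec": {
        "type": "LoadBalancer",
        "loadBalancerIP": "10.11.12.49",
        "externalTrafficPolicy": "Local",
        "loadBalancerSourceRanges": ["10.0.0.0/8"],
        "selector": {"app": "example"},
        "ports": [{"port": 8765, "targetPort": 9376}],
    },
}


def audit_service(svc, pool=LB_POOL):
    """Return a list of findings for a LoadBalancer Service spec."""
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return ["not a LoadBalancer service; nothing to check"]
    findings = []
    ip = spec.get("loadBalancerIP")
    if ip and ipaddress.ip_address(ip) not in pool:
        findings.append("loadBalancerIP %s is outside the pool %s" % (ip, pool))
    ranges = spec.get("loadBalancerSourceRanges") or []
    if not ranges:
        findings.append("no loadBalancerSourceRanges: reachable from any client")
    for cidr in ranges:
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            findings.append("source range %s allows every client" % cidr)
    if spec.get("externalTrafficPolicy", "Cluster") != "Local":
        findings.append("externalTrafficPolicy is Cluster: client IP not preserved")
    return findings


def client_allowed(svc, client_ip):
    """True if client_ip falls inside one of the Service's source ranges."""
    ranges = svc["spec"].get("loadBalancerSourceRanges") or ["0.0.0.0/0"]
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


if __name__ == "__main__":
    for finding in audit_service(SERVICE):
        print("finding:", finding)
    print("10.20.30.40 allowed:", client_allowed(SERVICE, "10.20.30.40"))
```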

Kubernetes version management and indications

Upgrading Kubernetes can have unintended consequences. Kubernetes will not allow an upgrade to proceed if it would skip a minor version. As an example, upgrading from 1.17 to 1.19 would not be allowed. Users can now inspect the compatibility of TanzuKubernetesReleases with kubectl. In addition, Tanzu Kubernetes clusters now indicate whether a Kubernetes upgrade is available and the recommended next TanzuKubernetesRelease(s) to use.

Per-Tanzu Kubernetes cluster HTTP proxy configuration

In a previous release, a proxy could be configured through the Supervisor Cluster and was applied to all Tanzu Kubernetes clusters globally. In this release, HTTP/HTTPS proxy configurations can be defined on a per-Tanzu Kubernetes cluster basis. See the docs for an example.

This release of vSphere with Tanzu packs some much-awaited features and brings more functionality to automating Kubernetes cluster lifecycle management. Get started today using vSphere with Tanzu with as little as a Tanzu Basic license, or head on over to the ModernApps Ninja courses and VMware Hands-On Labs (HOL-2113-01-SDC) to learn more.

About the Author

Kendrick Coleman is a reformed sysadmin and virtualization junkie. His attention has shifted from hypervisors to cloud-native platforms focused on containers. In his role as an Open Source Technical Product Manager, he figures out new and interesting ways to run open source cloud native infrastructure tools with VMware products. He's involved with the Kubernetes SIG community and frequently blogs about all the things he's learning. He has been a speaker at DockerCon, OpenSource Summit, ContainerCon, CloudNativeCon, and many more. His free time is spent sharing bourbon industry knowledge hosting the Bourbon Pursuit Podcast.
