# Tanzu

# Workload Management

Management

management vlan 99  
management subnet /24 (255.255.255.0)  
management tanzu starting address 10.0.99.48  
management proxy 10.0.99.10 (api plane)  
management gateway 10.0.99.1  
supervisor node range 10.0.99.64/29

Workload  
workload vlan 101  
loadbalance range (aka VIP range) 10.0.101.16/28  
workload range (cluster node range) 10.0.101.128/25 (10.0.101.128-10.0.101.254)  
workload gateway 10.0.101.1  
workload subnet /24 (255.255.255.0)

Haproxy

hostname: haproxy  
management ip: 10.0.99.10/24  
management gateway: 10.0.99.1

workload ip (haproxy vip): 10.0.101.15/24

# Commands and Bindings

<p id="bkmrk-tanzu-loginkubectl-v"><strong>Tanzu Login</strong><br>kubectl-vsphere login --server=https://10.105.0.1 --insecure-skip-tls-verify --tanzu-kubernetes-cluster-namespace production --vsphere-username administrator@vsphere.snowlab.tech --tanzu-kubernetes-cluster-name tkgs-cl01</p>
<p id="bkmrk-privledged-rolebindi"><br><strong>Privileged Rolebinding</strong><br>kubectl create clusterrolebinding default-tkg-admin-privileged-binding --clusterrole=psp:vmware-system-privileged --group=system:authenticated</p>
<p id="bkmrk-kind%3A-rolebindingapi">kind: RoleBinding<br>apiVersion: rbac.authorization.k8s.io/v1<br>metadata:<br>&nbsp;&nbsp;name: rolebinding-cluster-user-administrator<br>&nbsp;&nbsp;namespace: default<br>roleRef:<br>&nbsp;&nbsp;kind: ClusterRole<br>&nbsp;&nbsp;name: psp:vmware-system-privileged # Default ClusterRole<br>&nbsp;&nbsp;apiGroup: rbac.authorization.k8s.io<br>subjects:<br>- kind: User<br>&nbsp;&nbsp;name: sso:administrator@vsphere.snowlab.tech # sso:&lt;username&gt;@&lt;domain&gt;<br>&nbsp;&nbsp;apiGroup: rbac.authorization.k8s.io</p>
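
The two bindings above differ in reach: the ClusterRoleBinding grants `psp:vmware-system-privileged` to `system:authenticated` across the whole cluster, while the RoleBinding grants it to one SSO user in one namespace. The Python check below is an added example, not part of the original notes; it audits the output of `kubectl get clusterrolebindings,rolebindings -A -o json` for that difference. The function name `audit_bindings`, the severity labels and the sample JSON are constructed for illustration.

```python
import json

PRIVILEGED_ROLE = "psp:vmware-system-privileged"  # ClusterRole bound on this page
# Built-in groups that match every, or nearly every, identity in a cluster.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated", "system:serviceaccounts"}

def audit_bindings(doc):
    """Classify each subject granted PRIVILEGED_ROLE in parsed kubectl JSON.
    Returns (severity, binding kind, binding name, scope, subject) tuples."""
    findings = []
    for item in doc.get("items", []):
        if item.get("roleRef", {}).get("name") != PRIVILEGED_ROLE:
            continue
        meta = item.get("metadata", {})
        # A ClusterRoleBinding has no namespace: it applies to the whole cluster.
        scope = meta.get("namespace", "<cluster-wide>")
        for subj in item.get("subjects") or []:  # key may be missing or null
            broad = subj.get("kind") == "Group" and subj.get("name") in BROAD_GROUPS
            if broad and scope == "<cluster-wide>":
                severity = "HIGH"    # any logged-in identity, any namespace
            elif broad:
                severity = "MEDIUM"  # any logged-in identity, one namespace
            else:
                severity = "INFO"    # a named user, group or service account
            findings.append((severity, item.get("kind"), meta.get("name"), scope,
                             f"{subj.get('kind')}/{subj.get('name')}"))
    return findings

# Constructed sample input: the two bindings from this page plus one unrelated binding.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRoleBinding",
  "metadata": {"name": "default-tkg-admin-privileged-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "psp:vmware-system-privileged"},
  "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
 {"kind": "RoleBinding",
  "metadata": {"name": "rolebinding-cluster-user-administrator", "namespace": "default"},
  "roleRef": {"kind": "ClusterRole", "name": "psp:vmware-system-privileged"},
  "subjects": [{"kind": "User", "name": "sso:administrator@vsphere.snowlab.tech"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "constructed-unrelated-binding"},
  "roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": null}
]}
""")

if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE):
        print(*finding, sep="  ")
```
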
<p id="bkmrk-harbor-deployhelm-in"><br><strong>Harbor Deploy</strong><br>helm install harbor bitnami/harbor \<br>--set harborAdminPassword='CHANGEME' \<br>--set global.storageClass=tanzu-default \<br>--set service.type=LoadBalancer \<br>--set externalURL=harbor.corp.snowlab.tech \<br>--set service.tls.commonName=harbor.corp.snowlab.tech \<br>-n harbor</p>
<p id="bkmrk-supervisor-cluster-a"><br><strong>Supervisor Cluster Admin</strong><br>kubectl get secret TKGS-CLUSTER-NAME-kubeconfig -o jsonpath='{.data.value}' | base64 -d &gt; tkgs-cluster-kubeconfig-admin</p>
<p id="bkmrk-storage-policiesvsan"><br><strong>Storage Policies</strong><br>vsan-default-storage-policy (don't use)<br>tanzu-default (default)</p>
<p id="bkmrk-password-varexport-k"><br><strong>Password Var</strong><br>export KUBECTL_VSPHERE_PASSWORD=CHANGEME</p>
<p id="bkmrk-permissions-manager-"><br><strong>Permissions Manager</strong><br>---<br>apiVersion: v1<br>kind: Secret<br>metadata:<br>&nbsp;&nbsp;name: permission-manager<br>&nbsp;&nbsp;namespace: permission-manager<br>type: Opaque<br>stringData:<br>&nbsp;&nbsp;PORT: "4000" # port where server is exposed<br>&nbsp;&nbsp;CLUSTER_NAME: "tkgs-cl01" # name of the cluster to use in the generated kubeconfig file<br>&nbsp;&nbsp;CONTROL_PLANE_ADDRESS: "https://10.0.101.16:6443" # full address of the control plane to use in the generated kubeconfig file<br>&nbsp;&nbsp;BASIC_AUTH_PASSWORD: "CHANGEME" # password used by basic auth (username is `admin`)</p>