
Deploy TAS and TKGI with Concourse

This page explains how to deploy TAS, TKGI and some related products on vSphere with NSX-T networking in an automated way using the Platform Automation Toolkit (Concourse).

We will use Concourse pipelines from my repo, a fork of the public Broadcom repo that the official docs use to provide full pipeline and reference configurations.

Info

All steps below assume you have forked my Concourse Pipelines Repo to your own account.

Prerequisites

Download Products

The first Concourse pipeline will download all required products from the Broadcom Support Portal and store them on the local MinIO S3 instance. The purpose is that you can then deploy all products without requiring internet access.

  1. Log in to MinIO (http://<MINIO-IP>:9092) and create Access Keys - you'll need them later

  2. Retrieve the Tanzu API Token (aka Pivnet API Token) from Broadcom Support:

    1. Log in to the Broadcom Support Portal
    2. On the right navigation bar, click on Tanzu API Token, which will navigate you to the tanzu-token page
  3. If you haven't yet set up SSH access for git clone/pull/push against your GitHub account, add a new SSH key to your GitHub account

  4. Update the IP addresses in the login_to_concourse script
  5. Log in to Concourse (which will also log you in to Credhub)

    source ./login_to_concourse
    

    If the command tells you to sync fly, simply execute the provided command.

  6. Create all required entries in Credhub

    credhub set -n /concourse/main/s3_secret_access_key -t password -w <minio-secret-access-key>
    credhub set -n /concourse/main/s3_access_key_id -t password -w  <minio-access-key>
    credhub set -n /concourse/main/s3_endpoint -t value -v http://<MINIO-IP>:9091 # port 9091 is the API port, which is different from the UI port 9092
    credhub set -n /concourse/main/s3_pivnet_products_bucket -t value -v products
    credhub set -n /concourse/main/pivnet_token -t password -w <pivnet-api-token-from>
    credhub set -n /concourse/main/pipeline-git-repo-key -t ssh -p ~/.ssh/id_rsa # path to your private SSH key that you use to interact with Github
    credhub set -n /concourse/main/pipeline-git-repo-uri -t value -v git@github.com:<your Github Handle>/concourse-pipelines.git
    
  7. Set the Concourse Pipeline

    ./scripts/update-download-products-pipeline.sh
    
  8. Unpause the pipeline

    fly -t ci unpause-pipeline -p download-products
    
  9. Navigate to the Concourse UI (https://) and follow the download-products pipeline.

    1. The fetch-platform-automation job starts automatically after a few seconds if the platform-automation-pivnet input resource has been checked successfully.
    2. All other jobs are not triggered automatically. I have done this on purpose, because I don't want to stress my network and would rather control when the pipeline downloads and uploads lots of data. Hence, you need to trigger them manually, either in the UI or using the CLI.

Deploy Foundation

The next Concourse pipeline deploy-foundation will be used to deploy TAS & TKGI and other related products. This pipeline can ultimately be used for different environments by providing different variables files. We will deploy the sandbox environment. Adding other environments is self-explanatory.

Adapt Variables Files

Most of the required information can be retrieved from Deploy vSphere + NSX-T to be used for TAS and TKGI and Install Concourse for Platform Automation.

All Variables files can be found here.

Notes on some variables that might be unclear:

  • nsx_ca_certificate in director.yml: can be retrieved with

    openssl s_client -connect <nsx_address>:443 -showcerts </dev/null
    
  • pks_ssl_certificate & pks_ssl_private_key: Assuming your TKGI API will be api.tkgi.example.com, self-signed SSL certificates can be generated with:

    openssl req -x509 -nodes -days 730 -newkey rsa:2048 \
      -keyout api.tkgi.example.com.key \
      -out api.tkgi.example.com.crt \
      -subj "/C=US/ST=California/L=CA/O=TKGi/CN=api.tkgi.example.com" \
      -extensions SAN \
      -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:api.tkgi.example.com"))
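
A check for the two certificates above before they go into the variables files, as an added example that is not part of the original page. `openssl s_client` prints whatever certificate the endpoint presents, so its fingerprint should be compared with one obtained over a trusted channel, and the generated TKGI pair should be confirmed to carry the expected SAN and a matching key. The function names and the throwaway sample pair are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a certificate and
# key before use. Needs only POSIX sh and the openssl CLI.

# Print the SHA-256 fingerprint of a PEM certificate for out-of-band comparison.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# check_cert_pair CERT KEY HOST
# 0 = ok, 1 = HOST is not listed as a DNS SAN (exact match, no wildcards),
# 2 = private key does not belong to the certificate, 3 = expires within 30 days.
check_cert_pair() {
  sans=$(openssl x509 -in "$1" -noout -text |
         grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ' | tr ',' '\n')
  printf '%s\n' "$sans" | grep -qxF "DNS:$3" || return 1
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 2
  openssl x509 -in "$1" -noout -checkend $((30 * 86400)) >/dev/null || return 3
}

# Constructed sample input: a throwaway pair for api.tkgi.example.com in DIR,
# generated from a minimal config so no system openssl.cnf is needed.
make_sample_pair() {
  cat > "$1/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = san
prompt = no
[dn]
CN = api.tkgi.example.com
[san]
subjectAltName = DNS:api.tkgi.example.com
EOF
  openssl req -x509 -nodes -days 730 -newkey rsa:2048 -config "$1/san.cnf" \
    -keyout "$1/tkgi.key" -out "$1/tkgi.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir"
check_cert_pair "$demo_dir/tkgi.crt" "$demo_dir/tkgi.key" api.tkgi.example.com \
  && echo "pair ok, sha256 $(cert_fingerprint "$demo_dir/tkgi.crt")"
rm -rf "$demo_dir"
```

For the NSX-T certificate, save the PEM block from the `openssl s_client` output to a file and pass that file to `cert_fingerprint`.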
    

Set Pipeline

  1. Create required entries in Credhub

    credhub set -n /concourse/main/s3_installation_bucket -t value -v installation
    credhub set -n /concourse/main/s3_foundation_state_bucket -t value -v foundation-state
    credhub set -n /concourse/main/nsx_credentials -t user -z admin -w 'VMware1!VMware1!'
    credhub set -n /concourse/main/opsman_decryption_passphrase -t password -w 'VMware1!VMware1!'
    credhub set -n /concourse/main/opsman_user -t user -z admin -w 'VMware1!'
    credhub set -n /concourse/main/vcenter_credentials -t user -z administrator@vsphere.local -w 'VMware1!'
    
  2. Set the Concourse Pipeline

    ./scripts/update-sandbox-foundation-pipeline.sh
    
  3. Unpause the pipeline

    fly -t ci unpause-pipeline -p deploy-sandbox-foundation
    
  4. Install Opsman and configure BOSH

    fly -t ci trigger-job -j deploy-sandbox-foundation/install-opsman
    
  5. Trigger all other pipelines to deploy all products either on the UI or using the CLI

Use TAS and TKGI