Configuring Installation Values

Prerequisites
Overview
Copy the Configuration Values Template
Configure Installation Values
Configure Certificates
- Configure the Ingress Gateway Certificates
- (Optional) Configure Application Container Certificates
Next Steps

This topic describes how to configure installation resources before deploying Tanzu Application Service for Kubernetes (TAS for Kubernetes) to a Kubernetes cluster.

Prerequisites

Before proceeding, complete all sections in:

Overview

To configure installation values for TAS for Kubernetes, modify a copy of the configuration values template:

Copy the Configuration Values Template
Configure Installation Values
Configure Certificates

Copy the Configuration Values Template

The configuration values template gives you the flexibility to configure different parts of the system in a single file. Use a copy of the template as your baseline configuration.

To copy the configuration values template:

Open a command line.
Change directory to the parent directory that contains the tanzu-application-service directory.
Create a new directory named configuration-values. Use the new directory to store configuration values for this installation.
Duplicate the sample values file:
```
cp tanzu-application-service/sample-values.yml configuration-values/values.yml
```
Customize the new values.yml as your configuration values file.

Configure Installation Values

To configure TAS for Kubernetes installation values, modify your copy of the configuration values template:

Configure the System Domain
Configure the Load Balancer
(Optional) Configure Application Log Destinations

Configure the System Domain

To configure your system domain:

Open values.yml in a text editor.
Locate the system_domain section in the values.yml file.
Configure the system domain:
```
system_domain: "SYSTEM-DOMAIN"
app_domains:
#@overlay/append
- "APP-DOMAIN"
```
Where:
- SYSTEM-DOMAIN is the system domain you previously selected for your TAS for Kubernetes installation.
- APP-DOMAIN is a separate, unique domain for hosting apps.
Save the values.yml file.

Configure the Load Balancer

To configure your LoadBalancer service:

Open values.yml in a text editor.
Locate the load_balancer section in the values.yml file.

Configure the LoadBalancer service:

ingress:
  load_balancer:
    enable: ENABLED
    static_external_ip: "LOAD-BALANCER"
  external_traffic_policy: "POLICY"

Where:

ENABLED configures the provisioning of the Kubernetes ingress with a LoadBalancer Istio ingress service. To provision a LoadBalancer for the Istio ingress gateway required for TAS for Kubernetes, enable LoadBalancer as follows:

Deployment Environment	`enable` value
Tanzu Kubernetes Grid (TKG) on vSphere	`False`
TKG on AWS	`True`
Tanzu Kubernetes Grid Integrated Edition (TKGI) on vSphere with Flannel container networking	`False`
TKGI on vSphere with NSX-T container networking	`True`
TKGI on AWS	`True`
TKGI on Azure	`True`
TKGI on GCP	`True`

For more information, see Kubernetes Services in the Kubernetes documentation.

LOAD-BALANCER is the static external IP address for the LoadBalancer, if the load balancer is enabled.
POLICY is the endpoint this ingress routes external traffic to:
- For environments that support node-local endpoints, configure external_traffic_policy as Local.
- For TKG and other environments that do not support node-local endpoints, configure external_traffic_policy as Cluster.

Save the values.yml file.

(Optional) Configure Application Log Destinations

You can provide one or more destinations for application logs. These destinations receive all application logs in syslog RFC 5424 format. This allows integrations with external logging tools like Splunk or ELK.

For more information about the syslog format, see RFC 5424 - The Syslog Protocol in the Internet Engineering Task Force (IETF) documentation.

To configure optional application log destinations:

Open values.yml in a text editor.
Go to the end of the file.
Add the following text:
```
app_log_destinations:
```
Immediately following that text, add one or more log destinations:
```
#@overlay/append
- host: HOSTNAME
  port: PORT
  transport: TRANSPORT
  insecure_disable_tls_validation: DISABLE-TLS-VALIDATION
```
Where:
- HOSTNAME is the hostname of the log destination.
- PORT is the TCP port number of the log destination.
- TRANSPORT is one of the following:
  - tls for TLS-encrypted syslog over TCP. This is the default value.
  - tcp for plaintext syslog over TCP.
- DISABLE-TLS-VALIDATION is true or false. If set to true, the destination TLS certificate is not validated. The default value is false.
Save the values.yml file.

Configure Certificates

To configure TAS for Kubernetes certificate values, modify your copy of the configuration values template:

Configure the Ingress Gateway Certificates
(Optional) Configure Application Container Certificates

Configure the Ingress Gateway Certificates

TAS for Kubernetes requires a certificate to terminate TLS at the ingress gateway and generates a self-signed TLS certificate for the ingress gateway if you do not provide one before installing.

To configure ingress gateway certificates:

Open values.yml in a text editor.
Locate the system_certificate and workloads_certificate sections in the values.yml file.
Configure the ingress gateway certificates:
```
system_certificate:
  crt: "SYSTEM-CERT"
  key: "SYSTEM-KEY"
  ca: "SYSTEM-CA"
workloads_certificate:
  crt: "WORKLOAD-CERT"
  key: "WORKLOAD-KEY"
  ca: "WORKLOAD-CA"
```
Where:
- SYSTEM-CERT is the Base64-encoded certificate for the wildcard subdomain of the system domain. For example, *.SYSTEM-DOMAIN.
- SYSTEM-KEY is the Base64-encoded private key for the system certificate.
- SYSTEM-CA is the Base64-encoded CA certificate used to sign the system certificate.
- WORKLOAD-CERT is the Base64-encoded certificate for the wildcard subdomain of the app domain. For example, *.APP-DOMAIN.
- WORKLOAD-KEY is the Base64-encoded private key for the workload certificate.
- WORKLOAD-CA is the Base64-encoded CA certificate used to sign the workload certificate.
Save the values.yml file.

(Optional) Configure Application Container Certificates

You can provide one or more certificates for the TAS-deployed applications to trust. These certificates are injected into the application trust store to allow apps to communicate with each other securely.

To configure optional application container certificates:

Open values.yml in a text editor.
Locate the app_containers section in the values.yml file.
Configure the application container certificates:
```
 app_containers:
    #! PEM encoded Certificate Authority
    ca: |
      -----BEGIN CERTIFICATE-----
      FIRST-CA-CERTIFICATE-CONTENT
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      SECOND-CA-CERTIFICATE-CONTENT
      -----END CERTIFICATE-----
```
Where:
- FIRST-CA-CERTIFICATE-CONTENT is a CA certificate or self-signed certificate of a service. or application that you want your TAS-deployed app to trust.
- SECOND-CA-CERTIFICATE-CONTENT is a CA certificate or self-signed certificate of a service or application that you want your TAS-deployed app to trust.
Ensure each line of the CA certificate value is indented four spaces, matching the indentation of the surrounding BEGIN CERTIFICATE and END CERTIFICATE lines.
Save the values.yml file.

Next Steps

After you complete this procedure, complete all of the following configuration procedures:

Create a pull request or raise an issue on the source for this page in GitHub