
VKS & Supervisor Services

Enabling the Supervisor Cluster, deploying VKS workload clusters, and configuring vSphere with Tanzu services.

This guide walks from logging into the VCF Supervisor through installing Contour, the CA Cluster Issuer, and Harbor with CA-issued TLS. Each section lists the exact commands and vCenter steps. (Screenshots to be added later.)


Warning: Prerequisite: Supervisor must be deployed first. Before proceeding with this guide, ensure Supervisor deployment is complete. This is a mandatory Day 2 action covered in 4 - Post-Deployment → Supervisor Deployment.

Required materials

Gather these before starting.

| Category | Item | Notes |
|---|---|---|
| Software | VCF CLI | For vcf context and Supervisor API access. |
| Software | kubectl | Used with the Supervisor context. |
| Access | vCenter (e.g. vc.pgnet.io) | Workload Management → Services, Namespaces. |
| Access | Supervisor API endpoint | e.g. api.pgnet.io (VKS Mgmt / VLAN 208). |
| Access | Administrator credentials | e.g. administrator@vsphere.local for context create. |
| Service definitions | Local Consumption Interface YAML | From Broadcom download page – register in vCenter; add to Supervisor per vCenter wizard. |
| Service definitions | Contour YAML | e.g. contour-service-v1.32.0.yml – register in vCenter. |
| Service definitions | CA Cluster Issuer YAML | e.g. ca-clusterissuer.yml – register in vCenter. |
| Service definitions | Harbor | Harbor is a built-in or registered Supervisor Service in vCenter. |
| Service definitions | Argo CD operator YAML | From Broadcom download page – register in vCenter; requires no data values. |
| Downloads | vSphere Supervisor Services | Download service definition YAMLs from Broadcom Support – vSphere Supervisor Services. |
| Data values / config | pg-k8 repo (or equivalent) | Contains contour/contour-data-values.yml, ca-clusterissuer/generate-data-values.sh, ca-clusterissuer-data-values.yml, harbor/harbor-data-values.yml, harbor/harbor-tls-certificate.yml. |
| Certificates | CA certificate and private key (PEM) | e.g. /Volumes/pgdata/certs/pgnet.local-machine/intermediate-ca/ca.crt and ca.key for the CA Cluster Issuer and optional namespace copy. |
| DNS | Authority for your domain | Ability to create A (and optionally PTR) records (e.g. harbor.pgnet.io → Contour Envoy IP). DNS server in this lab: 10.200.1.240. |
| Network | Reachability to Supervisor API | Typically VLAN 208 (VKS Mgmt); same network as api.pgnet.io. |

Download Supervisor Services: Local Consumption Interface, Contour, CA Cluster Issuer, Harbor, Argo CD operator, and other vSphere Supervisor Service definition packages are available from the Broadcom Support Portal – vSphere Supervisor Services download page. Download the YAML for each service you need, then register and install them via vCenter (Workload Management → Services).


Deployment summary (what this guide deploys)

The following describes the Supervisor-based deployment this guide produces.

Supervisor and API access

  • A Supervisor (e.g. pgvcfsup1) is deployed on the management cluster (e.g. pgmgmt-cl01) with a floating API endpoint (e.g. api.pgnet.io). Supervisor deployment is covered in VCF Guide 04: Post-Deployment. This guide (Part 9) assumes the Supervisor is already in place; it uses the VCF CLI to create a context and then installs Supervisor Services and supporting resources on that Supervisor.

Supervisor Services installed (in order)

  1. Local Consumption Interface – Enables local consumption of the Supervisor (e.g. for developers or tenants to use the cluster). Downloaded from the same Broadcom vSphere Supervisor Services page; add and configure via vCenter (Workload Management → Supervisor → add Local Consumption Interface per the wizard).

  2. Contour – Ingress controller and Envoy proxy. Provides the external LoadBalancer IP that receives HTTPS for services like Harbor. Deployed into a namespace such as svc-contour-domain-c10. Data values are set so the Envoy service is type LoadBalancer and gets an IP from the NSX VPC (e.g. 10.210.0.x).

  3. CA Cluster Issuer – Installs a cert-manager ClusterIssuer (e.g. ca-clusterissuer) that signs certificates using your CA. The CA cert and key are supplied as base64 in the service data values and stored in a secret in vmware-system-cert-manager. No CA material is hardcoded in workload data values (e.g. Harbor).

  4. Harbor – Container image registry with UI and vulnerability scanning. Deployed into a namespace such as svc-harbor-domain-c10. Harbor is configured to use a cert-manager Certificate that requests a TLS cert for harbor.pgnet.io from the CA Cluster Issuer. The resulting secret (harbor-tls-pgnet) is referenced by Harbor via tlsCertificateSecretName, so Harbor serves CA-signed TLS without embedding the CA.

  5. Argo CD operator – GitOps operator for continuous deployment from Git. Deployed as a Supervisor Service; the YAML from the Broadcom download page requires no data values. Can be installed after or before Harbor (no dependency on Contour or CA Cluster Issuer).

Namespaces

  • svc-contour-domain-c10 – Contour and Envoy (Supervisor-managed).
  • svc-harbor-domain-c10 – Harbor and the Harbor TLS Certificate/secret (Supervisor-managed).
  • pgnet-secret (optional) – Created in vCenter for storing a copy of the CA secret and, optionally, a namespace-scoped Issuer.

DNS and TLS flow

  • You create an A record (e.g. harbor.pgnet.io) pointing to the Contour Envoy LoadBalancer IP. Clients hit that IP on 443; Envoy terminates TLS using the certificate in the Harbor HTTPProxy (the same cert as in harbor-tls-pgnet). That certificate is issued by the CA Cluster Issuer from your CA, so clients that trust your CA (e.g. Microsoft CA) trust Harbor.

End state

  • You can log in with the VCF context, manage resources with kubectl, and access Harbor at https://harbor.pgnet.io with a browser or docker login, using a CA-trusted TLS certificate.

1. Log in to VCF and create the Supervisor context

All CLI steps assume you use the VCF context to talk to the Supervisor. Do this first.

Prerequisites: VCF CLI installed; network access to the Supervisor API (e.g. VLAN 208).

1.1 Create the context (once)

vcf context create pgvcfsup1 --endpoint=api.pgnet.io --username=administrator@vsphere.local --auth-type basic

1.2 Use the context and verify

vcf context use pgvcfsup1
kubectl get nodes

1.3 Commands you will use repeatedly

| Task | Command |
|---|---|
| Switch to Supervisor | vcf context use pgvcfsup1 |
| List contexts | vcf context list |
| List namespaces | kubectl get ns |
| List services (all namespaces) | kubectl get svc -A |
| List storage classes | kubectl get storageclass |

2. Add Local Consumption Interface

The Local Consumption Interface enables local consumption of the Supervisor (e.g. for developers or tenants to use the cluster). It is a Supervisor Service; the definition is downloaded from the same Broadcom page as the other services.

2.1 Download and add in vCenter

  • Download the Local Consumption Interface service definition from Broadcom Support – vSphere Supervisor Services.
  • In vCenter: Workload Management → Supervisor → add Local Consumption Interface (or Services → register the YAML, then configure the interface per the vCenter wizard for your Supervisor).

Follow the vCenter workflow to add the Local Consumption Interface to Supervisor pgvcfsup1; the wizard will prompt for any required settings. (Screenshots to be added later.)


3. Install Contour (ingress for Harbor and other services)

Contour provides the Envoy proxy that receives HTTPS for Supervisor Services. Install Contour before Harbor.

3.1 Register Contour in vCenter (once)

  • In vCenter: Workload Management → Services → Add New Service
  • Upload the Contour service definition YAML (e.g. contour-service-v1.32.0.yml)

3.2 Install Contour on the Supervisor

  • Workload Management → Services → Contour → Install on Supervisors
  • Select Supervisor pgvcfsup1
  • Paste the data values from data-values.yaml (must include envoy.service.type: LoadBalancer so Envoy gets an external IP)
  • Complete the wizard and wait for reconciliation

3.3 Get the Contour (Envoy) IP address

vcf context use pgvcfsup1
kubectl get svc envoy -n svc-contour-domain-c10 -o jsonpath='{.status.loadBalancer.ingress[0].ip}'

If there is no external IP, the Envoy service is still NodePort; edit the Contour service in vCenter and re-paste the data values (ensure envoy.service.type: LoadBalancer is present).

3.4 DNS

Create an A record for each host that will use Contour (e.g. harbor.pgnet.io) pointing to the IP from step 3.3 (e.g. on BIND at 10.200.1.240).


4. CA Cluster Issuer (trusted certificates)

The CA Cluster Issuer creates a cert-manager ClusterIssuer so services like Harbor can use TLS certificates signed by your CA (e.g. Microsoft CA), without hardcoding the CA in each service.

4.1 Create the namespace (vCenter)

  • Workload Management → Namespaces → Create Namespace
  • Create a namespace on Supervisor pgvcfsup1 (e.g. pgnet-secret)

4.2 Generate data values (idempotent script)

From the pg-k8 repo (use your CA cert and key path):

cd /path/to/pg-k8
CA_CERT_DIR=/Volumes/pgdata/certs/pgnet.local-machine/intermediate-ca ./ca-clusterissuer/generate-data-values.sh

Or with explicit files:

CA_CRT=/path/to/ca.crt CA_KEY=/path/to/ca.key ./ca-clusterissuer/generate-data-values.sh

Output: ca-clusterissuer/ca-clusterissuer-data-values.yml (base64 tls_crt and tls_key). Do not use PEM block scalars in vCenter or the bundle will fail with “illegal base64 data”.
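The encoding the script must produce, and the check that catches the PEM block-scalar mistake, as an added example (my code, not the pg-k8 generate-data-values.sh script). It assumes the data values keys are tls_crt and tls_key, which the guide names but whose file layout it does not show.

```shell
#!/bin/sh
# Added example, not the pg-k8 generate-data-values.sh script: build the CA
# Cluster Issuer data values as single-line base64 values and check them.
# Assumption: the data values keys are tls_crt and tls_key, as the guide
# names them; the exact layout of the real script's output is not shown.
set -eu

# Encode a PEM file as one base64 line with no wrapping, so the Supervisor
# bundle does not fail with "illegal base64 data". GNU and BSD base64 both work.
b64_oneline() {
  base64 < "$1" | tr -d '\n'
}

# Write the data values file from the CA certificate and private key (PEM).
# Re-running simply overwrites the output, so the step stays idempotent.
# Usage: write_data_values ca.crt ca.key ca-clusterissuer-data-values.yml
write_data_values() {
  crt=$1; key=$2; out=$3
  {
    printf 'tls_crt: %s\n' "$(b64_oneline "$crt")"
    printf 'tls_key: %s\n' "$(b64_oneline "$key")"
  } > "$out"
}

# Succeed only if the file holds exactly the two keys, each a single base64
# token that decodes to a PEM block. A PEM block scalar ("tls_crt: |") or a
# value wrapped across lines fails here, before it reaches vCenter.
check_data_values() {
  f=$1
  [ "$(wc -l < "$f" | tr -d ' ')" -eq 2 ] || return 1
  for k in tls_crt tls_key; do
    v=$(sed -n "s/^$k: //p" "$f")
    printf '%s' "$v" | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 1
    printf '%s' "$v" | base64 -d 2>/dev/null | grep -q '^-----BEGIN ' || return 1
  done
}

# Typical use; the resulting file is what gets pasted into the vCenter wizard:
#   CA=/Volumes/pgdata/certs/pgnet.local-machine/intermediate-ca
#   write_data_values "$CA/ca.crt" "$CA/ca.key" ca-clusterissuer-data-values.yml
#   check_data_values ca-clusterissuer-data-values.yml && echo "data values OK"
```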

4.3 Install and configure in vCenter

  • Register the service: Workload Management → Services → Add New Service → upload ca-clusterissuer.yml
  • Workload Management → Services → CA Cluster Issuer → Install on Supervisors
  • Select Supervisor pgvcfsup1
  • Paste the entire contents of ca-clusterissuer-data-values.yml
  • Complete the wizard; wait for “Reconcile succeeded”

4.4 Verify ClusterIssuer

vcf context use pgvcfsup1
kubectl get clusterissuer

Note the ClusterIssuer name (e.g. ca-clusterissuer); you will use it for the Harbor Certificate.

4.5 (Optional) Store a copy of the CA in your namespace

vcf context use pgvcfsup1
kubectl create secret tls pgnet-ca-key-pair \
  --cert="/Volumes/pgdata/certs/pgnet.local-machine/intermediate-ca/ca.crt" \
  --key="/Volumes/pgdata/certs/pgnet.local-machine/intermediate-ca/ca.key" \
  -n pgnet-secret

Optional namespace-scoped Issuer:

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: pgnet-ca-issuer
  namespace: pgnet-secret
spec:
  ca:
    secretName: pgnet-ca-key-pair
EOF

5. Install Harbor with CA-issued TLS

Harbor uses a TLS certificate issued by the CA Cluster Issuer. The CA is not in Harbor data values; a cert-manager Certificate creates the secret, and Harbor references that secret by name.

5.1 Confirm ClusterIssuer name

vcf context use pgvcfsup1
kubectl get clusterissuer

Use the name (e.g. ca-clusterissuer) in the Harbor Certificate. In pg-k8/harbor/harbor-tls-certificate.yml, spec.issuerRef.name must match (e.g. ca-clusterissuer).

5.2 Install Harbor in vCenter (first time)

  • Workload Management → Services → Harbor → Install on Supervisors
  • Select Supervisor pgvcfsup1
  • Paste the data values from harbor-data-values.yml (must include tlsCertificateSecretName: harbor-tls-pgnet)
  • Complete the wizard; wait for the Harbor namespace to exist (e.g. svc-harbor-domain-c10)

5.3 Create the Certificate (creates the TLS secret)

The secret harbor-tls-pgnet is created by a Certificate, not by Harbor. Apply the Certificate in the Harbor namespace:

vcf context use pgvcfsup1
kubectl apply -f harbor/harbor-tls-certificate.yml -n svc-harbor-domain-c10

Wait for the Certificate and secret to be ready:

kubectl get certificate -n svc-harbor-domain-c10
kubectl get secret harbor-tls-pgnet -n svc-harbor-domain-c10

If the Certificate was created after Harbor was installed, Harbor will pick up the secret and the core pod may roll; ensure the Certificate is Ready and the secret exists.

5.4 Verify Harbor and TLS

vcf context use pgvcfsup1
kubectl get pods -n svc-harbor-domain-c10
kubectl get httpproxy -n svc-harbor-domain-c10
kubectl get secret harbor-tls-pgnet -n svc-harbor-domain-c10 -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -subject -issuer -dates

HTTPProxy should show valid and TLS secret harbor-tls-pgnet. The certificate issuer should be your CA (e.g. CN=pgnet-WINSRV1-CA). Access Harbor at https://harbor.pgnet.io (DNS must point to the Contour Envoy IP from step 3.3).
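The Certificate that step 5.3 applies and the TLS check from step 5.4, as an added example (my code, not pg-k8/harbor/harbor-tls-certificate.yml). The guide fixes only secretName, dnsNames and issuerRef; the metadata.name "harbor-tls", the duration and the key size are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not pg-k8/harbor/harbor-tls-certificate.yml: print the
# cert-manager Certificate that creates harbor-tls-pgnet from the CA
# ClusterIssuer, and check an issued tls.crt against the same inputs.
# Assumptions: metadata.name "harbor-tls", duration and key size are
# illustrative; only secretName, dnsNames and issuerRef come from the guide.
set -eu

# Usage: harbor_certificate_manifest <host> <secret-name> <clusterissuer-name>
harbor_certificate_manifest() {
  host=$1; secret=$2; issuer=$3
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: harbor-tls
spec:
  secretName: $secret
  commonName: $host
  dnsNames:
    - $host
  duration: 2160h
  renewBefore: 360h
  privateKey:
    algorithm: RSA
    size: 2048
  issuerRef:
    name: $issuer
    kind: ClusterIssuer
    group: cert-manager.io
EOF
}

# Check a PEM certificate (tls.crt decoded from the secret): the host must
# appear in the SAN list, and subject must differ from issuer, which rules
# out a self-signed certificate. Usage: check_issued_cert tls.crt harbor.pgnet.io
check_issued_cert() {
  crt=$1; host=$2
  openssl x509 -in "$crt" -noout -ext subjectAltName | grep -q "DNS:$host" || return 1
  subj=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" != "$iss" ] || return 1
}

# With HARBOR_HOST set, print the manifest so it can be piped to kubectl:
#   HARBOR_HOST=harbor.pgnet.io sh harbor-cert.sh | kubectl apply -n svc-harbor-domain-c10 -f -
if [ -n "${HARBOR_HOST:-}" ]; then
  harbor_certificate_manifest "$HARBOR_HOST" "${TLS_SECRET:-harbor-tls-pgnet}" "${ISSUER:-ca-clusterissuer}"
fi
```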


6. Install Argo CD operator

Argo CD provides GitOps-based continuous deployment from Git repositories. The Argo CD operator is available as a vSphere Supervisor Service from the Broadcom download page. It requires no data values; install with the default configuration.

6.1 Download and register in vCenter

  • Download the Argo CD operator service definition YAML from Broadcom Support – vSphere Supervisor Services.
  • In vCenter: Workload Management → Services → Add New Service → upload the Argo CD operator YAML.

6.2 Install on the Supervisor

  • Workload Management → Services → Argo CD operator (or the name shown after registration) → Install on Supervisors
  • Select Supervisor pgvcfsup1
  • Leave the data values field empty (no data values required)
  • Complete the wizard and wait for reconciliation

6.3 Verify (optional)

vcf context use pgvcfsup1
kubectl get packageinstall -A | grep -i argo
kubectl get pods -A | grep -i argo

7. Order of operations summary

| Step | Action | Where |
|---|---|---|
| 1 | Create VCF context and use it | CLI: vcf context create / vcf context use pgvcfsup1 |
| 2 | Download Local Consumption Interface from Broadcom; add to Supervisor | vCenter → Workload Management → Supervisor (or Services) |
| 3 | Register and install Contour with LoadBalancer data values | vCenter → Services |
| 3 | Get Envoy IP, add DNS A record for harbor.pgnet.io | CLI + DNS |
| 4 | Create namespace (e.g. pgnet-secret) | vCenter → Namespaces |
| 4 | Generate CA Cluster Issuer data values (script) | CLI from pg-k8 repo |
| 4 | Install CA Cluster Issuer with those data values | vCenter → Services |
| 4 | Verify ClusterIssuer (note name, e.g. ca-clusterissuer) | CLI: kubectl get clusterissuer |
| 5 | Install Harbor with data values (tlsCertificateSecretName: harbor-tls-pgnet) | vCenter → Services |
| 5 | Apply Harbor Certificate in Harbor namespace | CLI: kubectl apply -f harbor/harbor-tls-certificate.yml -n svc-harbor-domain-c10 |
| 5 | Verify Certificate ready, secret exists, HTTPProxy valid | CLI |
| 6 | Download Argo CD operator YAML from Broadcom; register in vCenter | vCenter → Services → Add New Service |
| 6 | Install Argo CD operator on Supervisor (no data values) | vCenter → Services |