vSphere 7 with Tanzu Updates

At some point, you’ll be faced with an upgrade request. New Kubernetes features, new security patches, or just to maintain your support. A vSphere 7 with Tanzu deployment has several components that may need to be updated and most of which can be updated independently of one another. In this post we’ll walk through an update to vSphere, then update the Supervisor namespace, and then finally the Tanzu Kubernetes cluster.

vSphere Update

To begin we’ll start with a vSphere update. According to the vSphere update planner from the vCenter UI, I have some patches available for deployment.

When we go to the Update Planner screen within Center, we’ll select the update that we plan to deploy and click the generate report button for a pre-update check. This makes sure the update should be able to complete successfully before we actually run the update.

As you can see, the pre-update checks passed, so it should be safe to deploy the update. If you click the Open Appliance Management button, it will send you management UI for vCenter.

In the management UI, navigate to the Update tab. Here you should be able to check for updates, and or apply them. Here You can see that the 7.0.2 update is available and ready for deployment. I select the update and click the Stage and Install link.

The link walks us through a few extra steps in a wizard format. First, you must accept the user agreement.

Next, you must provide the SSO password.

Then you need to decide whether you want to join the VMware Customer Experience Improvement Program (CEIP). This is recommended because it can provide interoperability information to you in the vCenter console, as well as helping to improve the product in future versions.

Lastly, you have to verify that you’ve backed up your vCenter. You could always lie about your backup status, but I would recommend actually taking a good backup first before these upgrades.

When done you’ll see a status message about the progress.

Eventually it should complete.

Update Supervisor Namespaces

Once the vCenter has been updated, you can continue updating your supervisor namespaces. If you navigate to the Workload Management screen, you go to the updates tab. Here you’ll select your supervisor cluster where you’ll see the current version and will be able to select the supported available versions. In my case I’m selecting the most recent update. Click the Apply Updates link.

When you being the update process you’ll see some activity in the recent tasks window in vCenter. The update performs a rolling update to the Supervisor cluster VMs. The Supervisor cluster should remain online during these updates as one node at a time is upgraded and placed back into the cluster.

Tanzu Kubernetes Cluster Updates

After the Supervisor namespaces have been upgraded, you can shift your attention to the Tanzu Kubernetes clusters (TKC). NOTE: These are often referred to as child clusters, or workload clusters.

First we login to the Supervisor namespace that contains our workload clusters. This is done through the kubectl vsphere login process covered in other posts. Once logged in, you can run kubectl get tkc which will list your clusters, and their versions. In the example below my cluster is running version 1.18.15.

Before we can upgrade the cluster, we need to know what releases are available to us. We can do this by running kubectl get tkr. NOTE: that tkr stands for TanzuKubernetesReleases which can also be used in the command line instead of the short form of tkr.

Once you’ve found the version you plan to upgrade to, it’s time to edit your cluster config to use your new version. You should be aware that you can only update minor versions and that you must upgrade them sequentially. In our case we’ll upgrade from 1.18 to 1.19 before upgrading to 1.20.

To update my cluster config we’ll run kubectl edit tkc tkg-cluster-1 and we’ll update both the “fullVersion” and the “version” spec.

For the full version, we’ll replace it with null. For the version, we’ll specify the short form version of our update. You’ll notice that after the update, the fullVersion is fully populated again. Save the config.

Once you set the version and save the config you can check the cluster status with the kubectl get tkc again and you’ll notice that the phase is in an updating state. Just like the Supervisor cluster, the workload cluster will be updated in a rolling update fashion. If you have a “Production” cluster deployed with three control plane nodes, you should see no downtime as the nodes are replaced one by one.

After the deployment is fully complete, you can re-run the process to update to any other versions. You can see that after I did my first update, I have a new column letting me know there is another version i’m eligible to upgrade to if I chose.

Summary

Kubernetes clusters are not immune to upgrades but with a rolling update methodology, we can limit or prevent downtime to any applications running on them. vSphere with Tanzu allows you to upgrade Tanzu Kubernetes clusters independently from the Supervisor cluster, but you need to be within two minor versions to be supported. Upgrade your vCenters, then update your Supervisor Namespaces, and lastly you can update the Tanzu Kubernetes clusters.